House of Hackers

The other day I was trying to gain access to some friend's site. Unfortunately the SELECT command was revoked for the user I was trying on the mysql.users table, but, lucky for me, the guy had his own users table called tb_usuarios. Through some blind SQL injection I was able to get access to the site, and to get ALL the users' emails and passwords, which, it is worth saying, most of the time matched the email passwords.

After notifying my friend about the BIG security hole I tried to do some of the work I'm being paid for, with no luck... it was boring, so I googled a new site and tried again.

First try, and this is what I got:

Good, good, the guy didn't sanitize the queries, excellent. So I tried a union all select and started with 1 column; to my surprise, after 20 columns the statement was the same.

After some more tries, I went to my Visual Studio environment and created a simple application that iterates from one number I choose to another, appending that to my URL, thus appending it to my query...
And here is the weird thing: after 536 columns appended to the URL, the result was always the same.

So, here I'm thinking: I know the guy/gal who developed the site wasn't smart, because s/he is not sanitizing queries and allows SQL injection pretty easily, but I don't know what s/he did to avoid the union command.

I don't know if this is some kind of "security" thing or just dumb luck...

Tags: injection, luck, security?, sql, weird


Comment by Matrix on May 11, 2009 at 9:51am
I didn't notice your question "I don't know what s/he did to avoid the union command".
If the SELECT command is executed successfully, it means that he didn't use mysql_real_escape_string(); it means that he uses a simple test for some SQL commands like 'UNION', but like I said you can try to encode your commands, like "UN/**/IO/**/"; you can use char(), hex... to escape those tests, or maybe the version of MySQL is <= 3. This is my thought.
Sorry for my bad English, guys.
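To make concrete what the post and the comment above are circling around (a keyword check for UNION versus keeping user input out of the SQL parser altogether), here is an added example. It is not code from the original post, from any commenter, or from the site being discussed. It uses Python's sqlite3 module in place of the thread's MySQL/PHP stack; the table tb_usuarios is borrowed from the post, while tb_productos, its columns and every row are constructed for the demo.

```python
import sqlite3

# Constructed demo schema (not from the thread): a catalogue table the site
# would legitimately query by id, plus a site-specific users table like the
# post's tb_usuarios. All rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tb_productos (id INTEGER, nombre TEXT);
        INSERT INTO tb_productos VALUES (1, 'Lamp');
        INSERT INTO tb_productos VALUES (2, 'Chair');
        CREATE TABLE tb_usuarios (email TEXT, password TEXT);
        INSERT INTO tb_usuarios VALUES ('alice@example.com', 'hunter2');
    """)
    return conn


def product_vulnerable(conn, product_id):
    # String concatenation: whatever arrives in the URL parameter is parsed as
    # SQL, so a UNION inside it becomes part of the statement and can pull
    # rows from any other table the database user can read.
    sql = "SELECT id, nombre FROM tb_productos WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def product_keyword_filter(conn, product_id):
    # The "simple test for UNION" the comment describes. It is a blacklist:
    # it rejects one keyword and otherwise runs the same concatenated query,
    # so everything the list does not name still reaches the parser.
    if "union" in product_id.lower():
        raise ValueError("rejected by keyword filter")
    return product_vulnerable(conn, product_id)


def product_parameterized(conn, product_id):
    # Bound parameter: the driver sends the value separately from the SQL
    # text, so it is compared as data and never parsed as SQL. No keyword
    # list is needed, and a value containing UNION simply matches no row.
    sql = "SELECT id, nombre FROM tb_productos WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def product_validated(conn, product_id):
    # Allowlist on shape rather than blacklist on keywords: an id is an
    # integer, so anything else is rejected before it goes near the database,
    # and the accepted value is still bound, never concatenated.
    try:
        id_value = int(product_id)
    except ValueError:
        raise ValueError("product id must be an integer")
    return product_parameterized(conn, id_value)


if __name__ == "__main__":
    db = make_db()
    # Constructed request parameter of the kind the post describes.
    tampered = "1 UNION SELECT email, password FROM tb_usuarios"
    print("vulnerable:   ", product_vulnerable(db, tampered))
    print("parameterized:", product_parameterized(db, tampered))
    try:
        product_validated(db, tampered)
    except ValueError as err:
        print("validated:    ", err)
```

Run as a script, the concatenated query returns the tb_usuarios row alongside the product, the bound-parameter query returns nothing for the same input, and the validated path rejects it before any query runs. The keyword filter happens to stop this particular string too, which is exactly why it feels like protection on the site in the post: it blocks one spelling of one keyword, not the underlying problem of user input being parsed as SQL.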
Comment by Creegan 11.9 on January 26, 2009 at 4:24pm
Demo video about what, K3vin?
That's just a simple SQL injection video, not the case in question...
Comment by k3vin mitnick on January 24, 2009 at 11:58am
Demo video: http://cid-0a8486833b6d01d9.skydrive.live.com/self.aspx/Public/k3vinSQL.rar
Comment by Creegan 11.9 on January 23, 2009 at 3:05pm
Already did that, D.

Indeed, if you don't do that, most of the time the query won't pass the SQL syntax.
Comment by spdr on January 23, 2009 at 9:47am
Perhaps your input is going into 2 SQL queries?
Try ending the statements with --, /* or even %23 (#).
Comment by Creegan 11.9 on January 22, 2009 at 9:06pm
MySQL I think; at least two I have found were MySQL.
Comment by Creegan 11.9 on January 22, 2009 at 8:45pm
Jack, I couldn't find the reason the site was behaving like that, but I can tell you, I have found many sites that do the same, some kind of security measure or unnoticed "bug" that prevents the injection.
Not quite sure what the case is.
Comment by Creegan 11.9 on December 18, 2008 at 3:40pm
No prob.
Comment by Der Jäger on December 18, 2008 at 11:48am
Ohhhhh...! Sorry, I misread. Apologies. I thought he was unaware at first. Sorry, please forgive...?
Comment by Creegan 11.9 on December 17, 2008 at 9:01pm
No, you misunderstood it. I warned my friend, then went to Google and searched until I found another site exploitable via SQL injection; then I found this site that gives me this weird scenario.

© 2009 Created by pdp on Ning.