Tuesday, May 24, 2011

%27 + sqlmap = a newspaper

By newspaper, I mean the entire newspaper, not just a free issue!

NOTE: I disclosed to the owner of the site.  Within 1 hour, he had a developer work with me to close the hole.  Even though I called them at the end of a long day, they worked into the night to have this closed within 12 hours of me reporting it.  There was none of the all too common vendor downplaying the issue or telling you that you are wrong and how dare you report this.  The Sun-Sentinel was very respectful and showed a real willingness to understand the full issue and resolve it ASAP.

 

So I was reading my local newspaper, http://www.sun-sentinel.com/ and I saw an article about the recent mugshots.

One of the mugshots looked like a girl I went to High School with.  It wasn't her but I did see something interesting.

A URL that ends in .php?id=####. Those who received a hackmiami.org sticker will notice a large %27.  That is the URL encoding for a single quote (').

Placing one in front of the equal sign resulted in an error page that will make even the n00b of n00bs smile.

Wow... not only is there a SQL error message, it provides the full SQL syntax that you usually see on a demo of how to SQL inject.  Now with this information, even a novice attacker could create some interesting SQL statements to pass to the underlying database backend. 
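The failure mode described above and its fix, as an added example that is not part of the original post or the site's code: it uses Python with an in-memory SQLite table as a stand-in for the PHP/MySQL page, and the table, function names and sample rows are assumptions made up for illustration. The "before" pastes the `id` parameter into the SQL text and echoes the database error with the full query; the "after" validates the type, binds the value and keeps error detail in the server log.

```python
import logging
import sqlite3

log = logging.getLogger("mugshots")  # hypothetical logger name

def make_db():
    """Constructed sample data: an in-memory stand-in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mugshots (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO mugshots VALUES (?, ?)",
                   [(1, "Sample Person A"), (2, "Sample Person B")])
    return db

def page_vulnerable(db, id_param):
    """The 'before': the parameter is pasted into the SQL text, errors are echoed."""
    sql = "SELECT name FROM mugshots WHERE id = " + id_param
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Verbose error page: discloses the engine's message and the full query.
        return 500, f"SQL error: {exc} in query: {sql}"
    return (200, row[0]) if row else (404, "Not found")

def page_hardened(db, id_param):
    """The 'after': validate the type, bind the value, keep detail server-side."""
    if not (id_param.isascii() and id_param.isdigit() and len(id_param) <= 9):
        return 400, "Bad request"
    try:
        row = db.execute("SELECT name FROM mugshots WHERE id = ?",
                         (int(id_param),)).fetchone()
    except sqlite3.Error:
        log.exception("query failed for id=%r", id_param)  # detail goes to the log
        return 500, "Internal error"
    return (200, row[0]) if row else (404, "Not found")

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'"):  # "1'" is what ?id=1%27 decodes to
        print(repr(value), page_vulnerable(db, value), page_hardened(db, value))
```

Binding the parameter closes the injection; the generic error response removes the query disclosure that makes the hole obvious to anyone who types a quote.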

I will never forget the day Alex showed me sqlmap.  I remember saying, "Wow sqlmap makes the biggest n00b into 1337."  Alex responded, "You are still a n00b but now you are a n00b with the database."

sqlmap is an awesome tool that will automate extracting information from a backend database.  Just point it to the injection point and it can dump table names, password hashes, or even full tables.

You can find it at http://sqlmap.sourceforge.net or your local security distro (BackTrack 5).

Firing up BackTrack 5, I launch sqlmap.

Looks like we are using Apache, PHP 5.2.8 running a MySQL 5.0 backend.

Pulling the banner gave us additional information.

The current user is root and that account is a DBA!

sqlmap has some great features including the ability to upload a payload such as Metasploit's meterpreter or a web shell.  sqlmap supports all the usual flavors including asp, aspx, php or jsp.

Yes, I aborted.  I am NOT uploading a backdoor shell to this site.  I may be crazy, but I am not INSANE!

@d1sc0rd1an has an awesome GPU setup.  Like most hackers who love password cracking, it is not where the password came from, or even what it unlocks that matters to him.

He only loves to feed his beast delicious hashes.  I dumped the hashes from the db to provide to his system.

I sent him the list (knowing they were simple unsalted hashes) and he sent back a screenshot and a note.  The note said, "I am not going to use my rainbow table for this.  I am going to brute force this for fun."


When I called the newspaper to report the findings, I provided the "proof of life" that I had the root password.  Jokingly, he replied that at least it wasn't "password" or as weak as the guy from Gawker!

So lessons learned:

%27 everywhere

sqlmap is a tool that everyone should look at.  You may not be a SQL injection master, but a n00b with unsalted hashes is just as dangerous.

Do the right thing when you find a vulnerability and let the business owner know.  You wouldn't like it if your site was hacked.  Karma... it is more than just a wifi tool! (but that is another post!)

 

 

 
