%27 + sqlmap = a newspaper
By newspaper, I mean the entire newspaper, not just a free issue!
NOTE: I disclosed this to the owner of the site. Within 1 hour, he had a developer working with me to close the hole. Even though I called them at the end of a long day, they worked into the night to have this closed within 12 hours of my reporting it. There was none of the all too common vendor downplaying of the issue, or telling you that you are wrong and how dare you report this. The Sun-Sentinel was very respectful and showed a real willingness to understand the full issue and resolve it ASAP.
So I was reading my local newspaper, http://www.sun-sentinel.com/, and I saw an article about the recent mugshots.
One of the mugshots looked like a girl I went to high school with. It wasn't her, but I did see something interesting.
A URL that ends in .php?id=####. Those who received a hackmiami.org sticker will have noticed the large %27 on it. That is the URL encoding for a single quote (').
Placing one in front of the equal sign resulted in an error page that would make even the n00b of n00bs smile.
Wow... not only is there a SQL error message, it shows the full SQL syntax that you usually only see in a demo of how to SQL inject. With this information, even a novice attacker could craft some interesting SQL statements to pass to the underlying database backend.
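To make the mechanism behind that error page concrete, here is an added example (my own demo code, not anything from the Sun-Sentinel site or from this post). It builds a throwaway SQLite table and shows the two patterns side by side: the query-string value pasted straight into the SQL text, which turns a single quote into a syntax error whose message carries the whole statement, and the hardened version that validates the id, binds it as a parameter and returns a generic error instead of the driver's message. The table name `articles`, the `mugshots.php` path and the access-log lines are all constructed for the demo. The last function is the defender's side of "%27 everywhere": a tiny pass over web-server log lines that flags requests carrying a quote in the query string, which is what a probe like the one described above looks like in the logs.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    """Constructed demo table standing in for the newspaper's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Recent mugshots"), (2, "Local weather")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """The pattern behind the error page: the decoded query-string value is
    concatenated into the SQL text. A stray quote breaks the syntax, and the
    handler echoes the database error together with the full statement."""
    sql = "SELECT title FROM articles WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "title": row[0] if row else None}
    except sqlite3.Error as e:
        # This is the leak: the client sees the driver message and the query.
        return {"ok": False, "error": f"{e}: {sql}"}

def lookup_fixed(conn, raw_id):
    """Hardened version: type-check the id, bind it as a parameter so it can
    never be parsed as SQL, and keep driver errors server-side."""
    if not raw_id.isdigit():
        return {"ok": False, "error": "invalid id"}
    try:
        row = conn.execute("SELECT title FROM articles WHERE id = ?",
                           (int(raw_id),)).fetchone()
        return {"ok": True, "title": row[0] if row else None}
    except sqlite3.Error:
        # A real app would log the exception here; the client gets nothing useful.
        return {"ok": False, "error": "internal error"}

def handle(conn, query_value, fixed):
    """Simulate the web layer: %27 is decoded to a quote before the handler runs,
    just as PHP's $_GET does."""
    decoded = unquote(query_value)
    return (lookup_fixed if fixed else lookup_vulnerable)(conn, decoded)

# Detection side: constructed Apache-style access log lines (RFC 5737 addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:18:02:11 -0500] "GET /news/mugshots.php?id=1234 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2011:18:02:40 -0500] "GET /news/mugshots.php?id=1234%27 HTTP/1.1" 500 812',
    '198.51.100.7 - - [10/Mar/2011:18:03:02 -0500] "GET /weather.php HTTP/1.1" 200 2200',
]

SUSPECT_TOKENS = ("'", "%27", "%2527")  # raw quote, encoded quote, double-encoded quote

def flag_probes(log_lines):
    """Return the request paths whose query string carries a single quote in
    any of the usual encodings. Pair the hits with a 500 status and you have
    the signature of the error page described in the post."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not a request line we understand
        query = path.partition("?")[2]
        if any(token in query.lower() for token in SUSPECT_TOKENS):
            hits.append(path)
    return hits

if __name__ == "__main__":
    db = make_db()
    print(handle(db, "1234%27", fixed=False))  # leaks the statement
    print(handle(db, "1234%27", fixed=True))   # generic "invalid id"
    print(flag_probes(SAMPLE_LOG))
```

The fix is the parameter binding, not the `isdigit()` check; the check just gives a clean rejection for the numeric case. Displaying driver errors to clients is a separate defect (`display_errors` in PHP, or an unguarded `mysql_error()` call) and is what turned a blind injection into a guided one.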
I will never forget the day Alex showed me sqlmap. I remember saying, "Wow sqlmap makes the biggest n00b into 1337." Alex responded, "You are still a n00b but now you are a n00b with the database."
sqlmap is an awesome tool that will automate extracting information from a backend database. Just point it to the injection point and it can dump table names, password hashes, or even full tables.
You can find it at http://sqlmap.sourceforge.net or in your local security distro (BackTrack 5).
Firing up BackTrack 5, I launch sqlmap.
Looks like the site is running Apache and PHP 5.2.8 with a MySQL 5.0 backend.
Pulling the banner gave us additional information.
The current user is root and that account is a DBA!
sqlmap has some great features, including the ability to upload a payload such as Metasploit's meterpreter or a web shell. sqlmap supports all the usual flavors, including ASP, ASPX, PHP or JSP.
Yes, I aborted. I am NOT uploading a backdoor shell to this site. I may be crazy, but I am not INSANE!
@d1sc0rd1an has an awesome GPU setup. Like most hackers who love password cracking, it is not where the password came from, or even what it unlocks that matters to him.
He only loves to feed his beast delicious hashes. I dumped the hashes from the DB to feed his system.
I sent him the list (knowing they were simple unsalted hashes) and he sent back a screenshot and a note. The note said, "I am not going to use my rainbow table for this. I am going to brute force this for fun."
When I called the newspaper to report the findings, I provided the "proof of life" that I had the root password. Jokingly, he replied that at least it wasn't "password" or as weak as the guy from Gawker!
So lessons learned:
%27 everywhere
sqlmap is a tool that everyone should look at. You may not be a SQL injection master, but a n00b with unsalted hashes is just as dangerous.
Do the right thing when you find a vulnerability and let the business owner know. You wouldn't like it if your site was hacked. Karma... it is more than just a wifi tool! (But that is another post!)
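The "unsalted hashes" part of that lesson deserves a worked illustration, so here is an added example (my own code, not the newspaper's and not from this post). It contrasts the bare fast hash that made the dump cheap to crack with a salted, iterated store-and-verify routine from the standard library, and includes the triage check a defender runs over a leaked unsalted table: every hash shared by more than one account is a shared password, and one crack opens all of them. The usernames and passwords are made up; the PBKDF2 iteration count is a parameter so the demo stays quick.

```python
import hashlib
import hmac
import secrets

def unsalted_md5(password):
    """What a legacy table typically holds: a bare, fast, unsalted digest.
    Identical passwords produce identical hashes, so one rainbow-table lookup
    or one brute-force hit covers every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()

DEFAULT_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-SHA256

def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt per user defeats precomputed tables, and the
    iteration count makes each guess cost real CPU time for the cracker."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_hash_groups(user_hashes):
    """Triage for a dump of unsalted hashes: map each hash used by more than
    one account to the sorted list of those accounts. Input is {user: hash}."""
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}

# Constructed legacy table: two users picked the same weak password.
LEGACY_TABLE = {
    "alice": unsalted_md5("password"),
    "bob": unsalted_md5("password"),
    "carol": unsalted_md5("correct horse battery staple"),
}

if __name__ == "__main__":
    print(shared_hash_groups(LEGACY_TABLE))  # alice and bob share a hash
    rec_a = hash_password("password")
    rec_b = hash_password("password")
    print(rec_a != rec_b)                    # same password, different records
    print(verify_password("password", rec_a), verify_password("wrong", rec_a))
```

Note that the salted records for alice and bob would no longer match each other, so the grouping trick stops working against the defender's own table, which is exactly the point: an attacker holding the dump has to attack every account separately, and every guess costs them the full iteration count.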