Saturday, March 12, 2011

Does Yaz Work As Plan B?

not just us ... [Part III]

Continuing with the bugs in other universities' sites, now we'll look at a couple of errors on the website of ... well, I'm not saying which college xD
The first error is a typical SQL Injection. The vulnerable URL is:

http://palestra.??????.edu.pe/index.php?id=

where the vulnerable variable is "id". First I tried appending a single quote to see whether an error occurred. The result was this:

Figure 1 - The web filters quotes.


As you can see, the application escapes the quote by prepending a backslash ("\"), so the SQL command is not altered and no error occurs. But a quote is not always needed to alter the syntax: numeric values do not need to be quoted in an SQL statement, and that is the case we are dealing with here ;)
Using a true/false test we can confirm that we really are interfering with the query.
Fig. 2 - When false, it gives an error.

Fig. 3 - When true, it shows the item.


When "and 1=0" is injected the condition is always false, no item is selected and the application displays an error message. But when "and 1=1" is injected the condition is unchanged and we are shown the article with id 423.
Well, the vulnerability is confirmed ... Now let's play a little.
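As an added illustration (not code from the original post), the pattern behind Figures 1 to 3 rebuilt in Python on SQLite: quotes are escaped addslashes-style, yet the id is spliced unquoted into a numeric comparison, so the "and 1=0" / "and 1=1" test still changes the result; the hardened lookup validates the type and binds the value as a parameter. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the site's article table (hypothetical schema).
SAMPLE_ROWS = [(423, "Article 423"), (424, "Article 424")]


def make_db():
    """Builds an in-memory SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_quotes(value):
    """Mimics addslashes/magic_quotes: a backslash is prepended to quotes and backslashes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def fetch_article_unsafe(conn, raw_id):
    """Vulnerable pattern from the post: quotes are escaped, but the value is spliced
    unquoted into a numeric comparison, so 'and 1=0' / 'and 1=1' still reach the parser."""
    query = "SELECT id, title FROM articles WHERE id = " + escape_quotes(raw_id)
    return conn.execute(query).fetchone()


def fetch_article_safe(conn, raw_id):
    """Hardened version: reject anything that is not a plain integer, then bind the
    value as a query parameter so it can never be interpreted as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    cursor = conn.execute("SELECT id, title FROM articles WHERE id = ?", (int(raw_id),))
    return cursor.fetchone()


def safe_lookup_rejected(conn, raw_id):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        fetch_article_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for probe in ("423", "423 and 1=0", "423 and 1=1"):
        print(f"unsafe id={probe!r:16} -> {fetch_article_unsafe(db, probe)}")
        print(f"safe   id={probe!r:16} -> rejected={safe_lookup_rejected(db, probe)}")
```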

After some time playing with ORDER BY we can conclude that 17 columns are selected. To be honest it was somewhat confusing, because the id variable is used in 2 queries with a different number of columns, so while one query gives no error the other does. Fortunately, the error from the second query does not stop the first one from showing its result ;)
Now that we know the number of columns, the next step is to see which fields are displayed on the website. We do a UNION SELECT like this:

/index.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17%23
Fig. 4 - Distribution of the fields shown.

In the picture, the fields shown are 2, 3 and 5. We can use any of these to extract information from the database ;)
As a test we will get the names of the databases that exist on the server. To do this we query the "schemata" table of "information_schema" like this:

/index.php?id=null+union+select+1,2,3,4,schema_name,6,7,8,9,10,11,12,13,14,15,16,17+from+information_schema.schemata%23

Fig. 5 - Only the first result is shown.

But note that only the first result is displayed. To see the other results we have the following options: request the names one by one using the LIMIT clause, or do a "Serialized SQL Injection" and display many of the names in a single query ;)
LIMIT we have already explained before, so this is an excuse to learn something new. Serialized SQL Injection is a technique that lets us show many results of a query in a single visible field. This is done with different methods depending on the database manager (Oracle, SQL Server, MySQL, etc.). In the case of MySQL you use the "GROUP_CONCAT" function, which concatenates the results belonging to the same group into one string.
The serialized query would look like this:


/index.php?id=null+union+select+1,2,3,4,GROUP_CONCAT(schema_name+separator+0x20),6,7,8,9,10,11,12,13,14,15,16,17+from+information_schema.schemata%23


The GROUP_CONCAT function lets you specify a separator. In this case we use "0x20" as the separator, which is just a blank space encoded in hexadecimal, so as not to use quotes ;)

Fig. 6 - Serialized query.
The second vulnerability found on this site is an LFI. Yes, the same vuln that was explained in the first part. And you know, SQLi + LFI is a very dangerous combination. Fortunately for the site admin, the database user does not have the "FILE" privilege, which is what allows "INTO OUTFILE" to be used to inject code. I leave you an image showing the "/etc/passwd" file as proof of concept:

Fig. 7 - PoC of LFI.

That's all ... for today.
Greetings.
