Found this image in the Junkyard. Check it out. Has all sorts of MySQL and header data in the $_GET value, lol. You could set this to be anything. I'm wondering if blobheadervalue2 takes external URLs. Or what custom headers could be sent to do something worthwhile.
I tried changing blobtable to MungoBlobs; DROP TABLE MungoBlobs, but to no avail. You guys can prolly find something if you tried. It's freakishly late, so I don't have time to think, so good luck. Figured I'd share this, as I found it hilarious considering it's on a government website.
http://images.military.com/cs/Satell...&ssbinary=true
images.military.com/cs/Satellite
?blobcol=urldata
&blobheadername1=Content-Type
&blobheadername2=Content-Disposition
&blobheadervalue1=image/jpeg
&blobheadervalue2=inline;filename%3DSmartWeapon_11 1109.jpg
&blobkey=id
&blobnocache=false
&blobtable=MungoBlobs
&blobwhere=1209982875284
&ssbinary=true
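An added example, not part of the original post or of the site's code: a server-side check that treats the URL parameters listed above as untrusted input and accepts table, column and header names only from an allowlist. The allowlist contents, the function name `validate_blob_query` and the sample filename are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumed policy (hypothetical, not taken from the site): the only identifiers
# and response headers this endpoint will accept from the query string.
ALLOWED = {"blobtable": {"MungoBlobs"}, "blobcol": {"urldata"}, "blobkey": {"id"}}
ALLOWED_HEADERS = {
    "content-type": re.compile(r"image/(jpeg|png|gif)"),
    "content-disposition": re.compile(r"inline;filename=[A-Za-z0-9_.-]{1,64}"),
}

def validate_blob_query(query):
    """Return a list of policy violations; an empty list means acceptable."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    problems = [f"{k}: repeated parameter" for k, v in params.items() if len(v) > 1]
    first = {k: v[0] for k, v in params.items()}
    # Identifiers are checked against an allowlist, never pasted into SQL text.
    for name, allowed in ALLOWED.items():
        if first.get(name) not in allowed:
            problems.append(f"{name}: value not in allowlist")
    # The row selector must be a plain integer so it can be bound as a parameter.
    if not re.fullmatch(r"[0-9]{1,19}", first.get("blobwhere", "")):
        problems.append("blobwhere: not a numeric id")
    # Response headers: only known names, each with a tightly constrained value.
    for key, header in first.items():
        m = re.fullmatch(r"blobheadername([0-9]+)", key)
        if not m:
            continue
        value_key = f"blobheadervalue{m.group(1)}"
        pattern = ALLOWED_HEADERS.get(header.lower())
        if pattern is None:
            problems.append(f"{key}: header {header!r} not allowed")
        elif not pattern.fullmatch(first.get(value_key, "")):
            problems.append(f"{value_key}: value rejected")
    return problems

# Constructed sample requests: the parameter layout from the post, with a
# made-up filename, and a tampered copy using the blobtable value quoted above.
GOOD = ("blobcol=urldata&blobheadername1=Content-Type"
        "&blobheadername2=Content-Disposition&blobheadervalue1=image/jpeg"
        "&blobheadervalue2=inline;filename%3Dexample.jpg&blobkey=id"
        "&blobnocache=false&blobtable=MungoBlobs&blobwhere=1209982875284&ssbinary=true")
BAD = (GOOD.replace("blobtable=MungoBlobs", "blobtable=MungoBlobs;%20DROP%20TABLE%20MungoBlobs")
           .replace("blobheadername1=Content-Type", "blobheadername1=X-Custom"))

if __name__ == "__main__":
    print(validate_blob_query(GOOD), validate_blob_query(BAD), sep="\n")
```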
Thread: Military.com URL injection
- 22 Nov. 2009 08:43am #1
Military.com URL injection
- 22 Nov. 2009 03:33pm #2
Wait, I don't get what you're saying.
Did you take that picture or something?
- 22 Nov. 2009 08:19pm #3
No. It's from the military official website. But the URL to the picture allows you to modify a lot of the server-side variables, which is stupid and exploitable. If you aren't familiar with server-side variables, don't worry about it.
- 23 Nov. 2009 01:00am #4
- 23 Nov. 2009 01:02am #5
Seems a bit risky, but I've been messing around with it. You can get it to give you a bit of info, but none of it is of use.
Most likely the person above and below me is a weaboo.
Oh yeah and I program so if need anything just request it and I might get around to it.
- 23 Nov. 2009 03:05am #6
Last edited by GAMEchief; 23 Nov. 2009 at 04:51am.
- 23 Nov. 2009 03:44am #7
- 23 Nov. 2009 04:54am #8
If one could get the SQL injection trk, one could actually hack the military. But going as blindly as one must, it's pretty impossible to figure out where things are and what protection there is against it.
Like you're in a room - a huge room. And somewhere on the wall is a button that will give you access to all military information in this specific database (which we don't know what all is in it). But you're blindfolded and the room is full of holes, pits, and non-vital traps. It could take forever, and is virtually impossible, but possible to find that button.
And it would be very possible, but it seems that they have SQL injection protection against DROP TABLE (not surprising).
The question is merely how much protection do they have and how does one bypass it.
- 23 Nov. 2009 07:11am #9
- 23 Nov. 2009 02:05pm #10
Possibly, but if that were the case, I'd imagine they'd just use numerical IDs instead of text references.
- 23 Nov. 2009 07:26pm #11
- 05 Jan. 2010 04:09pm #12
Wow, that's pretty smart, GameChief. Good find.