|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Need assistance exploiting 'INSERT INTO' post sql injection |
|
Posted: Tue Jul 05, 2011 12:07 am |
|
|
BlueScreenOfDoom666 |
Regular user |
|
|
Joined: Jan 06, 2008 |
Posts: 5 |
Location: - |
|
|
|
|
|
|
INSERT INTO tablename ( field1, field2, field3, exploitable_field, field5 ) VALUES( 'val1', 'val2', 'val3', '??????', 'val5' )
I've been trying to inject a query into "exploitable_field" and grab the contents of tablename, however, whenever I post the query, the server just spits out a "Query failed: errno = 1064, error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "<my sql queries> --[rest of variable exploitable_field]" at line <line number>
query= < ... >
I patched the rest of the values in the original query with empty fields, "''" aka "0xbf5c0xbf5c", until the statement was finished, and then added my query followed by a double dash comment.
valid query:
Code: |
INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon', 'abcd@ef.gh', '-12', '1980', '127.0.0.1' )
|
my code to inject:
Code: |
SELECT * FROM site_infotable
|
my attempt that isn't working (inside the post data):
Code: |
&birthdate=0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --
|
resulting error:
Code: |
Query failed:
errno = 1064
error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND SELECT * FROM site_infotable --, '127.0.0.1' at line 2
query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', 0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --, '127.0.0.1' )
|
Note the 0xbf5c are supposed to be single quotes ( ' ), as they were being prefixed with a slash ( \ ) [ magic quotes? ].
I'm not sure what I'm doing wrong. If anyone could help me with this that would be great.
Note that I'm a beginner and this is my first attempt. I've been trying this for hours, and googled and googled and googled more, and failed. |
|
|
|
|
|
|
|
|
Posted: Tue Jul 05, 2011 11:41 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
More information is needed.
1. Attack goes through POST request? How do you manipulate POST parameters?
Do you use "Tamper Data", handcrafted html files or other method?
2. Attack vector is POST parameter "birthdate"? Is it suppose to be
integer or string? Do you need single quotes for sql injection or exploitation
is possible without single quotes?
If you can, then let me see the POST request you use.
Anyway, there is mainly two methods for INSERT INTO sql injection exploitation.
1. injection of useful data to the database and then reading it, if possible.
For this you need to use subselects.
2. alternative method is time delay based or error feedback based exploitation.
You can use BENCHMARK() or SLEEP() with subqueries and IF() |
|
|
|
|
|
|
|
|
Posted: Wed Jul 06, 2011 1:20 pm |
|
|
BlueScreenOfDoom666 |
Regular user |
|
|
Joined: Jan 06, 2008 |
Posts: 5 |
Location: - |
|
|
|
|
|
|
I'm using my own C# application to send a POST request.
The post data I'm sending looks like this:
Code: |
&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=
|
"&birthdate=" is the string field where the sql injection goes.
Everything I've tried has resulted in a bad syntax error. |
|
|
|
|
Posted: Wed Jul 06, 2011 1:39 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
BlueScreenOfDoom666 wrote: | I'm using my own C# application to send a POST request.
The post data I'm sending looks like this:
Code: |
&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=
|
"&birthdate=" is the string field where the sql injection goes.
Everything I've tried has resulted in a bad syntax error. |
I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ? |
|
|
|
|
|
|
|
|
Posted: Wed Jul 06, 2011 1:44 pm |
|
|
BlueScreenOfDoom666 |
Regular user |
|
|
Joined: Jan 06, 2008 |
Posts: 5 |
Location: - |
|
|
|
|
|
|
waraxe wrote: | BlueScreenOfDoom666 wrote: | I'm using my own C# application to send a POST request.
The post data I'm sending looks like this:
Code: |
&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=
|
"&birthdate=" is the string field where the sql injection goes.
Everything I've tried has resulted in a bad syntax error. |
I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ? |
Oh oops, didn't see that. I've been trying to use the single quotes ( ' ). The server inserts a slash ( \ ) infront of the quote so it becomes a ( \' ), and I tried to bypass that by using 0xbf5c, but it didn't work. |
|
|
|
|
|
|
|
|
Posted: Wed Jul 06, 2011 1:48 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
If you try:
do you get sql error message?
And if you try:
do you see sql error message? |
|
|
|
|
Posted: Wed Jul 06, 2011 1:51 pm |
|
|
BlueScreenOfDoom666 |
Regular user |
|
|
Joined: Jan 06, 2008 |
Posts: 5 |
Location: - |
|
|
|
|
|
|
waraxe wrote: | If you try:
do you get sql error message?
And if you try:
do you see sql error message? |
Nope, abcd works just fine. The requests goes through without a problem. |
|
|
|
|
Posted: Wed Jul 06, 2011 1:59 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
OK, then show me the string, that will provoke sql error message.
And let me see that error message. |
|
|
|
|
Posted: Wed Jul 06, 2011 2:13 pm |
|
|
BlueScreenOfDoom666 |
Regular user |
|
|
Joined: Jan 06, 2008 |
Posts: 5 |
Location: - |
|
|
|
|
|
|
Code: |
&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=a', '127.0.0.1'); SELECT * from site_infotable --
|
Code: |
Query failed:
errorno=1064
error=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\', \'127.0.0.1\'); SELECT * from site_infotable --, '127.0.0.1' at line 2
query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', a\', '127.0.0.1'); SELECT * FROM site_infotable --, '127.0.0.1')
|
|
|
|
|
|
|
|
|
|
Posted: Wed Jul 06, 2011 2:39 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This error message seems to be missing some single quotes ...
Anyway, do you have access to the information from that INSERT query?
I mean - if you INSERT birthdate=blah, then can you open web page, that will show birthdate you just inserted?
If you have such feedback possibility, then you can use it for fetching needed information from target database.
Of course, you must fist know, if birthdate field in database table is numeric or string and how much information can it store.
So let me know, if you can see inserted birthdate or ipaddress after POST query. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|