IT Security and Insecurity Portal

Help with SQL Injection version 3

Posted: Wed Apr 01, 2009 1:31 pm

Hanna313
Active user

Joined: Dec 17, 2008
Posts: 26

Hello,
I found a site which is vulnerable to SQL injection. With a @@version query I found out that it runs MySQL v3.0, with:
www.site.com/......id=131 and substring(@@version,1,1)=3
What can I do now to inject SQL? I read that union and subselect queries won't work with v3.0.

Last edited by Hanna313 on Wed Apr 01, 2009 1:54 pm; edited 1 time in total

Posted: Wed Apr 01, 2009 1:54 pm

waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

In the case of MySQL 3.x it all depends on the table(s) which are accessed by the affected SQL query. As there is no UNION and no subselects, you are not able to access other tables. So, if you are lucky and the SQL injection occurs in a query which deals with the users table (login, password restore, etc. scripts), then you have access to user credentials. But if, for example, you have SQL injection in a news script, which deals with the news table, then it is obviously not useful. Of course, you can fetch some data - DATABASE(), USER(), etc.
INTO OUTFILE, LOAD_FILE() may be extremely useful too, if you have FILE privilege (not common in real-world situations).
Conclusion: MySQL 3.x sucks

Posted: Wed Apr 01, 2009 2:10 pm

Hanna313
Active user

Joined: Dec 17, 2008
Posts: 26

Hello Waraxe,
Can you please explain what you mean by this:

waraxe wrote:
Of course, you can fetch some data - DATABASE(), USER(), etc.
INTO OUTFILE, LOAD_FILE() may be extremely useful too, if you have FILE privilege (not common in real-world situations).

Maybe with some example queries?
Thanks in advance!

Posted: Wed Apr 01, 2009 2:31 pm

waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Posted: Wed Apr 01, 2009 3:03 pm

Hanna313
Active user

Joined: Dec 17, 2008
Posts: 26

The URL on this website that requires login looks like this:
www.site.com/index.asp?lg=2
Is there any way to exploit this?
When I put magic quotes like this:
www.site.com/index.asp?lg='
It returns:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Oracle][ODBC][Ora]ORA-01756: quoted string not properly terminated
/index.asp, line 100

Posted: Wed Apr 01, 2009 3:25 pm

waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This is Oracle, not MySQL. And you don't need single quotes here.
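
Added example, not part of the original thread: the posts above show an error page that names the backend and a parameter that lands in a numeric context, where no single quote is needed. The Python code below uses the standard-library sqlite3 module as a stand-in backend (an assumption; the sites in the thread ran MySQL and Oracle) with a hypothetical news table and handler names, and puts the concatenated lookup beside one that validates the id as an integer, binds it, and keeps driver errors away from the client.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a hypothetical news table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (131, 'Release notes')")
    return conn

def get_news_vulnerable(conn, raw_id):
    """Flawed pattern: the request value is concatenated into the statement."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning driver text to the client discloses the backend,
        # as the ORA-01756 page quoted in the thread does.
        return "DB error: %s" % exc
    return row[0] if row else None

def get_news_safe(conn, raw_id):
    """Hardened form: integer validation, bound parameter, no error text."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # rejected before any SQL is built
    try:
        row = conn.execute(
            "SELECT title FROM news WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        return None  # log server-side; show the client a generic page
    return row[0] if row else None

def compare(raw_id):
    """Return (vulnerable_result, safe_result) for one request value."""
    conn = make_db()
    return get_news_vulnerable(conn, raw_id), get_news_safe(conn, raw_id)

if __name__ == "__main__":
    # Constructed request values: a normal id, two appended boolean
    # conditions (no quote involved), and a lone quote.
    for value in ["131", "131 and 1=1", "131 and 1=0", "'"]:
        print(repr(value), "->", compare(value))
```

The concatenated lookup answers differently for the two appended conditions and echoes the driver error for the lone quote; the bound version returns nothing for all three.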

Posted: Wed Apr 01, 2009 6:24 pm

Hanna313
Active user

Joined: Dec 17, 2008
Posts: 26

Okay, and is it possible to exploit such an error?

Posted: Thu Apr 02, 2009 9:33 am

waraxe
Site admin

Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

All times are GMT