|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 56
Members: 0
Total: 56
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Finding the number of columns... |
|
Posted: Wed Jul 21, 2010 3:17 am |
|
|
Pancakebuddy |
Beginner |
|
|
Joined: Jul 21, 2010 |
Posts: 1 |
|
|
|
|
|
|
|
The site I am testing for vulnerabilities has a URL structure like this:
http://www.site.com/stuff/thing.php?id= (exploit here)
I am able to get sql errors by putting code after the = sign but it behaves in a really weird way. For example if I put
http://www.site.com/stuff/thing.php?id=' or 1=1--
It returns:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'or 1=1-- LIMIT 1' at line 1
It seems to add LIMIT 1 to the end of my query..can someone make sense out of this?
I'm trying to do UNION SELECT injections in the URL however I can't seem to get the column numbers right..I manually tried brute forcing it up to 100..no luck.
I tried using :
1 ORDER BY 10--
Got an error, the only values that don't error are 1 and 2. However when I try this with the union injection it says that "The used select statements have a different number of columns".
I'm out of ideas here..if anyone could point me in the right direction that would be great.
It's also worth nothing that anytime I get an sql error back this is also on the page:
#0 error(Some fields left blank) called at [/home/site/public_html/thing/core/char/char_security.php:24]
Sometimes there are more similar errors like this. Does this mean my injection attempt was caught? |
|
|
|
|
|
|
|
|
Posted: Wed Jul 21, 2010 10:22 am |
|
|
vince213333 |
Advanced user |
|
|
Joined: Aug 03, 2009 |
Posts: 737 |
Location: Belgium |
|
|
|
|
|
|
Quote: | http://www.site.com/stuff/thing.php?id=' or 1=1--
It returns:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'or 1=1-- LIMIT 1' at line 1 |
It's likely to produce an error because of the quote after the = character. Usually people put that quote there simply to see if it gives an error and thereby know if the site is vulnerable to SQLi. Drop the quote and you should be able to perform SQL injection.
Quote: | It seems to add LIMIT 1 to the end of my query |
The PHP Code will probably contain a query like this:
SELECT a FROM b WHERE c = theParameterYouPutInTheUrl LIMIT 1
You can always PM me the site URL and I'll tell you if it's vulnerable and how many columns it might have |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|