 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 682
 Members: 0
 Total: 682
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Sql Injection Heko Needed |
|
 Posted: Sat Dec 29, 2007 5:53 am |
 |
|
| gtal3x |
| Active user |
 |
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
 |
|
 |
|
Hello I am trying to do sql injection to an open source software website for educational purposes... So if anyone wants the link i can give it.
The case is simple http://g******ite.dk/faq.php?cat=2' its vulnerable.
And I get 2 errors(this is important):
1st error:
| Code: | You have an error in your SQL syntax near ''' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /mnt/home2/ftp/projects/GUG/.includes/gugdb.php on line 35
You have an error in your SQL syntax near '' order by topic,question' at line 1You have an error in your SQL syntax near ''' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /mnt/home2/ftp/projects/GUG/.includes/gugdb.php on line 35 |
2nd error:
| Code: | Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /mnt/home2/ftp/projects/GUG/.includes/db.php on line 35
You have an error in your SQL syntax near '' order by topic,question' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /mnt/home2/ftp/projects/GUG/.includes/db.php on line 35 |
Okay i read some manuals for sql injection and they all say i have to find out how many "colums"(not sure bout this) is in the table so i am trying this thing:
/faq.php?cat=2+order+by+1/* No Errors At All!
/faq.php?cat=2+order+by+2/* 1 Error: Unknown column '2' in 'order clause'
/faq.php?cat=2+order+by+8/* 2 Errors on the page!
So if I understood right, the 1st query only selects 1 column, but the second selects 7...? From the manual that i am reading it says to use:
+UNION+SELECT+1,2,3,4,5/* <== Example
to determinate what columns are used on the page
So i used from +UNION+SELECT+1/* to +UNION+SELECT+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6/*
Still no results! Can someone explain to me how to understand what union select i need to use?
Thanks a lot for your time! PS i am not trying to hack that site, i am trying to understand what am doing wrong  |
|
|
|
|
|
|
|
|
| Posted: Sat Dec 29, 2007 9:23 am |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Send me link in PM pls.Thank you. |
|
|
|
|
| Posted: Sat Dec 29, 2007 6:06 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Well well.A'm not so good in sql inj,but on this site in any script have sql errors.I forgot.A'm good with other shitt's.First listing directory is ENABLED.Second for 5 min i find 10 shell's on this site.Server in SAFE MODE.Server sucksss.  |
|
|
|
|
| Posted: Sat Dec 29, 2007 7:52 pm |
|
|
| gtal3x |
| Active user |
|
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
| koko wrote: | | Well well.A'm not so good in sql inj,but on this site in any script have sql errors.I forgot.A'm good with other shitt's.First listing directory is ENABLED.Second for 5 min i find 10 shell's on this site.Server in SAFE MODE.Server sucksss. |
Hmmmm... Did you manage to upload your own shell to the server? How?
PS if anyone can still help me with sql i will appreciate it |
|
|
|
|
| Posted: Sat Dec 29, 2007 8:07 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Dec 29, 2007 8:40 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Украина.Если украина должен знать русский.Ну попробуем.Зачем мне заливать мои если я нашол там 10 турецких и есчо куча других шеллов.Толку от них нету так как там сервак в safe mode.cgi-bin etc отсуствует так что пока обход невозможен.Ну есть и другие способъй но обеснять нестану даже.
waraxe:Забавно.Не посморел что за версия,а стоило.Есть кое какие трикс для mysql 3.x.x. |
|
|
|
|
| Posted: Sun Dec 30, 2007 5:59 am |
|
|
| gtal3x |
| Active user |
|
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
| Okay i understood thanx for help waraxe, спасибо koko |
|
|
|
|
| Posted: Sun Dec 30, 2007 11:41 am |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
By the way - try anonymous ftp on target server, it's fun
And - jst for practice, i was able to get admin password hash from database, even with mysql 3.22.x. Hashing algo seems to be DES and little cracking test with JTR got no results. Still, these sql injections are exploitable, just look for right scripts (which ones will deal with users table) |
|
|
|
|
| Posted: Sun Dec 30, 2007 1:16 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Quote: | | By the way - try anonymous ftp on target server, it's fun |
Shitt |
|
|
|
|
| Posted: Sun Dec 30, 2007 1:22 pm |
|
|
| gtal3x |
| Active user |
|
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
Hmm, today i spended 6 hours looking in google for diffrent sites, i managed to do sql injection to at least 15 of them... however i got no results at all!  maybe is because i am doing something wrong... well the 1st thing i am trying to find colums by order+by+x i cant really find them right, after i am trying to find a version, in witch i never successed so then i just give up and go to doffrent site, but same story there... |
|
|
|
|
| Posted: Sun Dec 30, 2007 1:28 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sun Dec 30, 2007 2:22 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| gtal3x wrote: | | Hmm, today i spended 6 hours looking in google for diffrent sites, i managed to do sql injection to at least 15 of them... however i got no results at all! maybe is because i am doing something wrong... well the 1st thing i am trying to find colums by order+by+x i cant really find them right, after i am trying to find a version, in witch i never successed so then i just give up and go to doffrent site, but same story there... |
If target has mysql database, then traditional way to determine proper columns count in UNION is just trial/error "UNION SELECT 1","UNION SELECT 1,2" , etc ...
It's usable even with no visual error feedback. And remember - columns count can be huge! I have seen sql injection security holes, where needed "UNION SELECT 1,2,3...,48,49"
It's because of the JOIN's usually - if affected sql query JOIN's multiple tables with "*" columns, then summary colums count can be big.
And of course, manual trial/error can be boring, if column count is big, so i am sometimes using custom-written PHP script, which can iterate through all possible variations and alert, if server response will be different. |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
