|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 81
Members: 0
Total: 81
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
some problems with mysql injection |
|
Posted: Mon Sep 22, 2008 2:03 pm |
|
|
baby_1 |
Regular user |
|
|
Joined: Sep 19, 2008 |
Posts: 12 |
|
|
|
|
|
|
|
Hello dears
i have some problem with mysql injection so if there is no problem plz tell me solutions.
1) i found a site that i can inject mysql commands i can use INTo outfile and load_file and information_schema.user_privileges for file is good but with the load_file i only can read the "/etc/passwd" & content of that
but when i user this command load_file("/") the page show me agian the numbers (it means that load_file only shome me /etc/passwd)
now what should i do ? how can i found where im (directory)?
3)i can create a php file in the /tmp but i colud create that in /home/public because mysql show me "Can't create/write to file '/home/public/baby.php"
now agian what should i do? how can i run php file with url
4)when i use load_file to read my php file this function show me agian the numbers don't show me the content of php file.
could you give me a good arthicle about mysql injection(link for dw)
Tanx a lot |
|
|
|
|
|
|
|
|
Posted: Tue Sep 23, 2008 6:22 am |
|
|
baby_1 |
Regular user |
|
|
Joined: Sep 19, 2008 |
Posts: 12 |
|
|
|
|
|
|
|
Plz help me
help me
help me
help me |
|
|
|
|
|
Re: some problems with mysql injection |
|
Posted: Tue Sep 23, 2008 10:28 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
baby_1 wrote: | Hello dears
i have some problem with mysql injection so if there is no problem plz tell me solutions.
1) i found a site that i can inject mysql commands i can use INTo outfile and load_file and information_schema.user_privileges for file is good but with the load_file i only can read the "/etc/passwd" & content of that
but when i user this command load_file("/") the page show me agian the numbers (it means that load_file only shome me /etc/passwd)
now what should i do ? how can i found where im (directory)?
3)i can create a php file in the /tmp but i colud create that in /home/public because mysql show me "Can't create/write to file '/home/public/baby.php"
now agian what should i do? how can i run php file with url
4)when i use load_file to read my php file this function show me agian the numbers don't show me the content of php file.
could you give me a good arthicle about mysql injection(link for dw)
Tanx a lot |
1. you can't list files in directory with "load_file()"
2. there are security issues, called "full path disclosure". Basically you just provoke server side to issue error message, revealing full path to affected script. This is what you need.
3. not having write permissions to webroot directoy is very common problem actually. Defacers usually wanna write new index.html file to webroot, but fail to do so ...
What you need, is good php/apache/linux knowledge. Because privilege escalation is not easy task
4. you can read php script source with "load_file()", right? Have you looked at html source of returned webpage?? |
|
|
|
|
|
|
|
|
Posted: Tue Sep 23, 2008 12:56 pm |
|
|
baby_1 |
Regular user |
|
|
Joined: Sep 19, 2008 |
Posts: 12 |
|
|
|
|
|
|
|
Excuse me sir, is there is no problem i send the target to you that you can tell me better the solutions, becuase i see the source of the page but there is no result of my php file and other things...
if you accpet plz tell me
Tanks a lot about your usefull information |
|
|
|
|
Posted: Tue Sep 23, 2008 1:28 pm |
|
|
KOODOS |
Regular user |
|
|
Joined: Sep 23, 2008 |
Posts: 12 |
|
|
|
|
|
|
|
brilliant accent....its like watching a film where a foreigner tries to speak english |
|
|
|
|
Posted: Wed Sep 24, 2008 10:52 am |
|
|
baby_1 |
Regular user |
|
|
Joined: Sep 19, 2008 |
Posts: 12 |
|
|
|
|
|
|
|
yes , thats right , i cant speack english very well , so im sorry that i write very bad , |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|