 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
SQL Injecting PHP Topsites Script |
 |
 Posted: Wed Apr 22, 2009 2:25 am |
 |
|
| Invader |
| Beginner |
 |
|
| Joined: Apr 22, 2009 |
| Posts: 4 |
|
|
|
 |
|
 |
|
Hi Guys,
If you don't understand my english, sorry for that 
i need some help from you.
I'm playing around with the PHP Topsites Script -> http://webscripts.softpedia.com/script/Top-Sites/PHP-TopSites-41994.html (I'm not sure if the Version I'm trying to inject into is the same)
The Codeline I'm trying to use is the following ($cid):
| Code: | | $squery = mysql_db_query ($dbname,"select *,if (rank/votes, rank/votes,0) as ranks,if (stars, stars,0) as star from top_user where status='Y' AND thin>=$min_hits and category=$cid order by thin DESC,ranks DESC,star DESC,thout DESC limit $from,$t_step",$db) or die (mysql_error()); |
Everytime I try to inject something I get the Error: The used SELECT statements have a different number of columns
So I tried the following to enumerate the number of columns (counting up to 50), but everytime I get the same error.
http://www.example.com/index.php?cid=1+union+select+1,2,3,4,5,6,7,.....--
After I found the PHP Toplist Script (the guy who use this script has removed the Copyright) I tried it counting from 1 to 19 but, you know what, i get the same error...
Anyone here who knows what I'm doing wrong?
Greeting,
Invader... |
|
|
|
|
|
|
Re: SQL Injecting PHP Topsites Script |
|
| Posted: Wed Apr 22, 2009 3:13 am |
|
|
| brisk |
| Advanced user |
|
|
| Joined: Mar 07, 2009 |
| Posts: 108 |
|
|
|
|
|
|
|
| Invader wrote: | Hi Guys,
If you don't understand my english, sorry for that
i need some help from you.
I'm playing around with the PHP Topsites Script -> http://webscripts.softpedia.com/script/Top-Sites/PHP-TopSites-41994.html (I'm not sure if the Version I'm trying to inject into is the same)
The Codeline I'm trying to use is the following ($cid):
| Code: | | $squery = mysql_db_query ($dbname,"select *,if (rank/votes, rank/votes,0) as ranks,if (stars, stars,0) as star from top_user where status='Y' AND thin>=$min_hits and category=$cid order by thin DESC,ranks DESC,star DESC,thout DESC limit $from,$t_step",$db) or die (mysql_error()); |
Everytime I try to inject something I get the Error: The used SELECT statements have a different number of columns
So I tried the following to enumerate the number of columns (counting up to 50), but everytime I get the same error.
http://www.example.com/index.php?cid=1+union+select+1,2,3,4,5,6,7,.....--
After I found the PHP Toplist Script (the guy who use this script has removed the Copyright) I tried it counting from 1 to 19 but, you know what, i get the same error...
Anyone here who knows what I'm doing wrong?
Greeting,
Invader... |
use blind sql injection : http://milw0rm.com/papers/202 |
|
|
|
|
|
|
|
|
| Posted: Fri Apr 24, 2009 5:49 pm |
|
|
| Invader |
| Beginner |
|
|
| Joined: Apr 22, 2009 |
| Posts: 4 |
|
|
|
|
|
|
|
Many thanks for the link brisk, it works now and i got some informations about the system (MySQL Version, PHP Version, Admin Login and Pass to Backend, Database Name, DB User Name, DB User Privileges (USAGE only)).
But now I'm stuck again. With the admin login data I'm able to write articles, view and manage registered members etc.
I'm not able to upload files or create/write files through sql injection (because of USAGE privileges only)...
And, of course, the echo()'d articles are not eval()'d.
How would you go further to get a shell installed? What other possibilities do I have?
Greetings Invader... |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 90
Members: 0
Total: 90
