How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Do more with SELECT query?
Posted by: Zacrifyer
Date: January 29, 2009 06:49PM

I have this problem. I have full access to a SELECT-query (which is partially blind, since true/false gives different pages but data-recovery is impossible) and read-access to the database is virtually useless. The server runs php, thus stacked queries are not an option and it lacks read- and write-access (no /etc/password for me, and INTO OUTFILE is no good either).

This is the reason I turn to you guys. Is there any way I could exploit this query to gain extra privileges (like DELETE or UPDATE, or information)? The query works fairly normally:

SELECT x FROM y WHERE a = [vulnerable input];

Re: Do more with SELECT query?
Posted by: backbone
Date: January 29, 2009 07:44PM

more specific... why is data recovery impossible?

Re: Do more with SELECT query?
Posted by: Zacrifyer
Date: January 30, 2009 09:24AM

backbone Wrote:
-------------------------------------------------------
> more specific... why is data recovery impossible?


As far as I know, there is no way of displaying the selected values. Thus it's a matter of doing queries like:

SELECT a FROM b WHERE page = 10 AND EXISTS (something)

And checking if you get page 10 or not.

Re: Do more with SELECT query?
Posted by: backbone
Date: January 30, 2009 09:36AM

SELECT a FROM b WHERE page=10 AND substring((SELECT version()),1,1)=4

http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/

Re: Do more with SELECT query?
Posted by: Zacrifyer
Date: January 30, 2009 01:15PM

backbone Wrote:
-------------------------------------------------------
> SELECT a FROM b WHERE page=10 AND substring((SELECT version()),1,1)=4
>
> http://websec.wordpress.com/2007/11/17/mysql-table-and-column-names/


Yes, I know, I use LIKE-brute forcing myself to get password hashes char by char. I am sorry I wasn't specific enough.

As I said, read-access to the database is virtually useless (if you cannot get out large chunks at once), and this is because the hashing algorithm is unknown. Is there no known way of sneaking in a DELETE or an UPDATE somewhere? Or a way to get those large pieces of data out without having to brute force every character?

Re: Do more with SELECT query?
Posted by: backbone
Date: January 30, 2009 03:45PM

Zacrifyer Wrote:
-------------------------------------------------------
> backbone Wrote:
> -------------------------------------------------------
> > more specific... why is data recovery impossible?
>
>
> As far as I know, there is no way of displaying the selected values. Thus it's a matter of doing queries like:
>
> SELECT a FROM b WHERE page = 10 AND EXISTS (something)
>
> And checking if you get page 10 or not.

Doesn't it work with something like this? ->

SELECT a FROM b WHERE page=10 and 0 union SELECT user FROM known_table

Re: Do more with SELECT query?
Posted by: Zacrifyer
Date: January 30, 2009 05:21PM

backbone Wrote:
-------------------------------------------------------
> Doesn't it work with something like this? ->
>
> SELECT a FROM b WHERE page=10 and 0 union SELECT user FROM known_table

Nope. The selected values are measured - never displayed. Like:

$result = mysql_query("SELECT a FROM b WHERE page = 10");

// only whether the query returned any row is checked; the row itself is never shown
if (mysql_num_rows($result) > 0)
{
    // do something
}

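The yes/no oracle described in this thread (page 10 is either rendered or not) is what makes the char-by-char probing work, and because both branches answer with a 200 the response status alone says nothing. As an added example that is not part of the thread, this Python detector parses constructed Apache-style access-log lines, URL-decodes each query parameter, and flags a client that sends repeated predicate-bearing values (the substring/EXISTS/UNION shapes quoted above) to one parameter, reporting the distinct response sizes as the secondary tell. The IPs, paths and log lines are constructed for the example; the regexes are heuristics and will need tuning against real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl
# Constructed sample access-log lines (Apache combined format), not real traffic.
# The probes differ only in the predicate appended to ?page=10, i.e. the
# "do I get page 10 or not" oracle described in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2009:09:36:01 +0000] "GET /view.php?page=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2009:09:36:02 +0000] "GET /view.php?page=10+AND+substring((SELECT+version()),1,1)=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2009:09:36:03 +0000] "GET /view.php?page=10+AND+substring((SELECT+version()),1,1)=5 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2009:09:36:04 +0000] "GET /view.php?page=10%20AND%20EXISTS%20(SELECT%201%20FROM%20users) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jan/2009:09:36:05 +0000] "GET /view.php?page=11 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A boolean operator followed by the constructs seen in the thread: a subselect,
# EXISTS, substring()/LIKE comparisons, or a UNION bolted onto the WHERE clause.
PROBE_RE = re.compile(
    r"\b(?:and|or)\b\s*(?:\d+\s*)?(?:union\b|exists\s*\(|substring\s*\(|\(\s*select\b|.*?\blike\b)",
    re.IGNORECASE,
)

def find_probes(log_text):
    """Map (ip, path, param) -> [(decoded value, response size)] for predicate-bearing values."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):  # decodes + and %xx
            if PROBE_RE.search(value):
                hits[(m.group("ip"), url.path, name)].append((value, m.group("size")))
    return hits

def flag_clients(log_text, min_probes=2):
    """Return {(ip, path, param): (probe count, distinct response sizes)} for sources that
    sent at least min_probes predicate-bearing requests to one parameter. Status codes are
    ignored on purpose: both oracle branches answer 200 and only the body differs, so the
    tell is the same status with two clearly different sizes, judged on request content."""
    report = {}
    for key, probes in find_probes(log_text).items():
        if len(probes) >= min_probes:
            sizes = sorted({int(size) for _, size in probes if size != "-"})
            report[key] = (len(probes), sizes)
    return report
```

Run against a real log, raise min_probes to the number of requests a legitimate user could plausibly send to one parameter, and review the distinct sizes: a probing client shows two size clusters under the same status code.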