Hi everyone, its my first post here and I would be grateful for any help and advice on how to proceed with my sql injection.

This website, http://ucp.l2blackbird.net/login/, has a vulnerable username field in the login box however it seems there is no way to display output (or im too dumb to see it)
I have managed to guess the table I need and some of its fields however im stuck at the part where I actually need to obtain the data from these fields.. I was trying to get something going with outfiles and load_file however I failed, any help or a possible direction of further exploring will be appretiated.

table name accounts fields id,password,email most specfically id - admin

' UNION ALL SELECT 1,2-- in the username box im guessing the actual php script query has id and password as 1,2 possibly strings (I am a beginner so be nice please :P)

How do you know those are the tables/columns?

x' AND 1=(SELECT COUNT(*) FROM accounts); -- for example does not produce an error in the outpute page, if you change the table accounts to something that's not in the database you will see the error.

I used similar approach to guess some of the columns and it didn't take long to find them, I guess I got lucky.

E.g.
x' AND accounts.email IS NULL; -- does not produce error so email is valid etc. Thats how I found the columns.

You can use the same approach to retrieve the data.



Edited 1 time(s). Last edit at 06/05/2011 08:20PM by lightos.

Do you recon I should try extracting character by character? Isn't there something else I could try, can you be a little more specific, maybe an example...thanks.

x' AND IF(MID(version(),1,1)=5,1,(SELECT 1 FROM accounts))-- -