Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
SQLi help
Posted by: the_storm
Date: July 28, 2012 12:18AM

Hello guys, I have an application that is vulnerable to SQL injection ...

For example, if that was the link

http://www.test.com/audioalbumdetails/58+order+by+1/*

I get this error msg
SELECT id,name,content,time FROM nesote_music_comments WHERE status=1 and service_type='music' and service_id='58 order by 1' ORDER BY time desc LIMIT -5,5 ;
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-5,5' at line 1


You see that service_id='58 .. when I try to close the single quote, i.e., like this
58'+order+by+1/*
I get this problem: service_id='58\' order by 1', so I get an escape character for the single quote ... and my order by statement is between the quotes ... Any ideas how I can bypass this problem and make a successful SQLi ?? I also have something strange: when I use -- - instead of /* I get no error and the site is working normally ??? Why is that ??

Re: SQLi help
Posted by: cr101
Date: July 30, 2012 09:24AM

What happens if you add your own backslash before the quote? Does it escape that, too?

Try making the request
http://www.test.com/audioalbumdetails/58\'+order+by+1;--
And see what happens. It's possible the site is using addslashes() to escape ', ", and \. If that's the case, it's possible that the site is still vulnerable. You can read more about it here:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

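The two posts above describe the same mechanism from two sides: the_storm sees the site backslash-escaping the quote so that everything after it stays inside the string literal (note that the quoted MySQL error points at the LIMIT -5,5 clause, not at the escaped quote), and cr101 suspects addslashes()-style escaping, which is exactly the approach the linked Shiflett article argues against in favour of parameterized statements. The following Python/sqlite3 model is an added example, not code from the thread or from the site being discussed. It reproduces how a query shaped like the quoted one is assembled when escaped input is spliced into SQL text, and contrasts it with the fix a defender would ship: a parameterized query plus an allow-list check on the id. The table name and column names come from the quoted query; the rows, the addslashes() stand-in and the helper names are constructed assumptions for this example.

```python
import re
import sqlite3

# Constructed sample rows (id, name, content, time, status, service_type, service_id).
# The schema mirrors the columns in the query quoted in the thread; the data is invented.
SAMPLE_ROWS = [
    (1, "alice", "great track", 1000, 1, "music", "58"),
    (2, "bob", "meh", 1001, 1, "music", "58"),
    (3, "carol", "hidden (status=0)", 1002, 0, "music", "58"),
    (4, "dave", "other album", 1003, 1, "music", "59"),
]


def addslashes(s: str) -> str:
    """Stand-in for PHP's addslashes(): backslash-escape ', ", \\ and NUL.
    This models the escaping cr101 suspects the site applies (an assumption)."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
            continue
        if ch in ("'", '"', "\\"):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_query_by_concatenation(service_id: str) -> str:
    """How a query like the quoted one is assembled when the application splices
    escaped user input into the SQL text. The quote is escaped, so the rest of
    the input stays inside the string literal, which is what the_storm observed.
    The quoted query used LIMIT -5,5, which MySQL rejects; 0,5 is used here."""
    return (
        "SELECT id,name,content,time FROM nesote_music_comments "
        "WHERE status=1 and service_type='music' "
        f"and service_id='{addslashes(service_id)}' "
        "ORDER BY time desc LIMIT 0,5;"
    )


def open_sample_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nesote_music_comments ("
        "id INTEGER, name TEXT, content TEXT, time INTEGER, "
        "status INTEGER, service_type TEXT, service_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO nesote_music_comments VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS
    )
    return conn


def fetch_comments_parameterized(conn: sqlite3.Connection, service_id: str) -> list:
    """The fix: the driver sends user input as a bound value, never as SQL text,
    so 'order by', comment markers and quotes in the input are just characters
    that no row matches. No escaping function is involved at all."""
    sql = (
        "SELECT id,name,content,time FROM nesote_music_comments "
        "WHERE status=1 and service_type=? and service_id=? "
        "ORDER BY time desc LIMIT 5"
    )
    return conn.execute(sql, ("music", service_id)).fetchall()


def parse_service_id(raw: str):
    """Allow-list check for an id that is supposed to be numeric: accept only
    ASCII digits and return an int, otherwise None. Rejecting the request here
    also gives a clean place to log attempts that carry SQL fragments."""
    if re.fullmatch(r"[0-9]+", raw):
        return int(raw)
    return None


if __name__ == "__main__":
    conn = open_sample_db()
    for raw in ("58", "58 order by 1", "58' order by 1"):
        print("input:", repr(raw))
        print("  concatenated SQL:", build_query_by_concatenation(raw))
        print("  allow-list id   :", parse_service_id(raw))
        print("  parameterized   :", fetch_comments_parameterized(conn, raw))
```

Running the concatenated builder on the quoted input shows the `service_id='58\' order by 1'` fragment from the first post; only the string is built here, because SQLite does not treat a backslash inside a literal the way MySQL does and executing it would not model the site. The parameterized path returns the two visible comments for `58` and nothing for either injected value, and the allow-list check rejects both injected values before any SQL is built, which is the layer where a defender would also emit an alert.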