EvilZone
Hacking and Security => Hacking and Security => : callahan February 19, 2013, 11:28:25 PM
-
I'm trying to make a series of SQLi challenges (especially, I want to allow launching shells from the injection by calling the DB with a full-privilege user), first allowing the injection to be made easily (e.g. try if the app is injectable with a single quote, get the number of columns with ORDER BY, etc.), but it's not possible to get the number of columns with ORDER BY. Any advice?
Here's the script:
<?php
$con = mysql_connect("localhost", "fp", "fp") or die("Couldn't connect");
mysql_select_db("practice", $con);
$param = $_GET["id"];
$result = mysql_query("SELECT * FROM users WHERE id='$param' or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['name'];
}
?>
-
You need a ) after id='$param' so it would be $result = mysql_query("SELECT * FROM user WHERE id='$param'")or die(mysql_error());
-
You need a ) after id='$param' so it would be $result = mysql_query("SELECT * FROM user WHERE id='$param'")or die(mysql_error());
You are right, I forgot it when I copied my code here :P
-
I suggest using single quotes for the SQL query string so you can easily spot the quotes, so for example:
$query = 'SELECT id FROM table WHERE id="' . $id . '"';
Now you can see it is quoted with "". You can leave the quotes for easier injection. Right now you would want to inject:
' order by 1 or '1'='1
(or order by 1--)
So the end query would be if $id == 1:
SELECT id FROM table WHERE id='1' order by 1 or '1'='1'
-
I suggest using single quotes for the SQL query string so you can easily spot the quotes, so for example:
$query = 'SELECT id FROM table WHERE id="' . $id . '"';
Now you can see it is quoted with "". You can leave the quotes for easier injection. Right now you would want to inject:
' order by 1 or '1'='1
(or order by 1--)
So the end query would be if $id == 1:
SELECT id FROM table WHERE id='1' order by 1 or '1'='1'
I appreciate your help but it's not working, I can't get the column count with ORDER BY.
-
I appreciate your help but it's not working, I can't get the column count with ORDER BY.
Echo the generated query including your parameters and post it here.
-
Echo the generated query including your parameters and post it here.
With $query = 'SELECT nombre from users where id="'.$id.'"';:
Query: SELECT nombre from users where id="2" Output: mark
Query: SELECT nombre from users where id="2 order by 5--" Output: mark
Query: SELECT nombre from users where id="2"and "1"="0" Output: <no output>
Query: SELECT nombre from users where id="2" order by "6"="6" Output: mark
With $query = "SELECT * FROM users WHERE id='$id'"; it is exactly the same as with double quotes, of course replacing the " in the query with '.
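The outputs above are easier to read when the two cases are run side by side: a payload that stays inside the quotes is just a string value and adds no clause, while a payload that closes the quote really does append ORDER BY, so ORDER BY 1 succeeds and ORDER BY 5 raises the "out of range" error the column-count probe depends on. The following is an added example written for this thread, not the poster's script: Python with the standard sqlite3 module stands in for PHP/MySQL, the users table (id INTEGER, nombre TEXT, "mark" at id 2) is constructed, and one behaviour differs from MySQL: SQLite does not silently cast "2 order by 5--" to 2, so the inside-the-quotes probe returns no row here where MySQL returned "mark". The parameterized query at the end is the fix a production application would use; it returns nothing for the same payload and never reports a database error to the client.

```python
import sqlite3

# Constructed stand-in for the thread's "users" table (assumption: an INTEGER id
# column and a TEXT "nombre" column, with "mark" at id 2 as in the posted output).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, nombre TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "mark")])
    return con


def vulnerable_query(con, param):
    """Mirrors the thread's PHP: the GET value is spliced into the SQL text
    inside single quotes, so a quote in the value changes the statement."""
    sql = f"SELECT nombre FROM users WHERE id='{param}'"
    try:
        rows = [r[0] for r in con.execute(sql)]
        return {"sql": sql, "rows": rows, "error": None}
    except sqlite3.Error as exc:
        # Echoing this error to the client is what makes the probe informative.
        return {"sql": sql, "rows": [], "error": str(exc)}


def safe_query(con, param):
    """Parameterized version: the value travels separately from the SQL text and
    can never add a clause, whatever characters it contains."""
    sql = "SELECT nombre FROM users WHERE id=?"
    rows = [r[0] for r in con.execute(sql, (param,))]
    return {"sql": sql, "rows": rows, "error": None}


def run_probes():
    """Run the thread's ORDER BY probe both inside and outside the quotes."""
    con = make_db()
    return {
        # Stays inside the quotes: the whole value is one string literal and the
        # statement contains no ORDER BY clause at all (SQLite: no row, since it
        # does not cast the non-numeric text to 2 the way MySQL does).
        "inside_vuln": vulnerable_query(con, "2 order by 5--"),
        # Closes the quote: ORDER BY 1 is a valid clause, so the row comes back.
        "outside_ok_vuln": vulnerable_query(con, "2' order by 1--"),
        # Closes the quote: ORDER BY 5 exceeds the single selected column, so the
        # database reports an error instead of a row.
        "outside_err_vuln": vulnerable_query(con, "2' order by 5--"),
        # Same payload through a parameterized query: treated as data only.
        "outside_safe": safe_query(con, "2' order by 5--"),
        # Normal integer lookup through the parameterized query.
        "int_safe": safe_query(con, 2),
    }


if __name__ == "__main__":
    for name, result in run_probes().items():
        print(f"{name}: {result['sql']!r} -> rows={result['rows']} error={result['error']}")
```

Run it as a script to see each generated statement next to its rows and error; the contrast between outside_err_vuln (an error message) and outside_safe (an empty result, no error) is the whole difference between the challenge app and a patched one.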
-
I will ask: please. Don't reply anyone. And to the topic poster. Please read the tutorial twice or more and learn something about PHP and SQL.
-
I will ask: please. Don't reply anyone. And to the topic poster. Please read the tutorial twice or more and learn something about PHP and SQL.
I know that the use of "" is not correct, I wanted to try out what would happen.
-
You showed not a single correct usage and I think you should learn to create before you break :)
-
You showed not a single correct usage and I think you should learn to create before you break :)
What do you mean by "correct usage"?
-
What do you mean by "correct usage"?
Correct usage of SQL. You didn't even use my example. And you are wondering why "and 1=0" is not giving you any output. Do yourself a favor and learn SQL. It will be way more fun if you know what you are doing.
-
Well, I was making a silly mistake, one of those stupid ones. I was asking for an id that was an integer, and treating the GET value as a string.
-
Well, I was making a silly mistake, one of those stupid ones. I was asking for an id that was an integer, and treating the GET value as a string.
That's not the problem
-
Correct usage of SQL. You didn't even use my example. And you are wondering why "and 1=0" is not giving you any output. Do yourself a favor and learn SQL. It will be way more fun if you know what you are doing.
When did I wonder why AND 1=0 was not giving me output, man!? No, first, I know SQL, and don't be rude.
That's not the problem
Yes, that was the problem. My code is running now as expected.
Regards.
-
Sure, expect some help next time. The problem was that you couldn't get out of the quotes. And I could have ignored you. But I gave you good directions :)