Completely Stumped

SQLi 2

Avengers.it
6 years ago | edited 6 years ago

0

So I’ve been at this for a few days now, and despite scouring the forums and doing some googling I really don’t get it. And I don’t just want the answer, I want to understand it, so here’s my question:
I first wanted to see if I could get the injection point to act normally, despite being injected. Just to prove that I understood the logic. Here’s what I tried:

www.testsite.com/q=r' and 1=1 –
I thought that commenting out the %‘ at the end would cause this to operate as it normally would, but the names don’t display. An error doesn’t display though, which tells me my syntax is OK.
[/spoiler]
Can someone explain to me what is happening here and how I can get started?

EDIT So I re-read one of the tutorials on this forum and found this:
[spoiler]
https://www.hackthis.co.uk/levels/sqli/2?browse&q=-r' UNION SELECT 1,2 –
This injection manages to get me a 1 on the screen, but whenever I try to replace the “1” in the injection with version() or table_name() or any other command, I get an error again.

Can someone give me a hint to point me in the right direction?

9replies
3voices
236views
Mugi [Mugiwara27]
6 years ago

0

It seems that you just don’t know how to exploit a SQL vulnerability manually
If you had known how to do so, you’ll know that there is a main thing to do after you found a SQLi possibility
Check some tutorial on google, they are so many!
Good luck ;)

Avengers.it
6 years ago

0

I’ve exploited manually before, using OWASP bricks project tutorials. This is a different beast though. I updated the OP with the progress I’ve made. Any ideas Mugiwara27?

dloser
6 years ago

0

Look at the whole query that you get when you use your first injection. The 1=1 evaluates to true, but you are still left with the LIKE ‘r’. That’s why you don’t get anything, there is no username that consist of only a single ‘r’.

As for the second injection, it doesn’t work because those functions are not available for this server. There are multiple types of server and all have different functions (and syntax). It’s a good start, though. Keep playing around.

Avengers.it
6 years ago

0

Ah, I see. So it’s no longer looking for usernames starting with r it’s now only look for r. I appreciate the affirmation that I’m going in the right direction, so if those functions aren’t available, is there any function that I could use to find out the server type so I know what type of server is running? Or do I just have to keep guessing?

dloser
6 years ago

0

Google can be a great help, but you don’t really need any special functions.

Avengers.it
6 years ago | edited 6 years ago

0

OK, I’ve been googling the crap out of it and nothing so far. I’ve tried .version, version, version() and the same variations for help. Guess I’ll keep plugging away unless you think there’s a different function I should try.

EDIT:

Just discovered the database version and got a version function to work! Now to find how to dump all the contents…

Reply has been removed
Avengers.it
6 years ago

0

So I’ve made it a bit further, but nothing on google has helped me. I can now get information from the table ‘members’ using this query:

UNION ALL SELECT sql,2 FROM sqlite_master WHERE name=‘members’ –
shows columns ‘username’ ‘password’ and ‘admin’

But I cannot for the life of me figure out what I need to add to list any of the columns. I don’t have any experience with sqlite databases, so if someone could give me even just an article that has the information I need I’d really appreciate it.

dloser
6 years ago

1

You seem to be overcomplicating it. There is no need to know anything about sqlite. All you need is (very) basic SQL.

Avengers.it
6 years ago | edited 6 years ago

0

Really? Well I know I need the >> UNION SELECT query, and that I need to specify where I’m getting the data from, how do I get the data from the columns then?

EDIT
OK I managed to dump the username and password columns. the admin table just dumps a bunch of zeroes though. Any hints for finding the admin account?

EDIT Never mind. I’m about to solve it :)

You must be logged in to reply to this discussion. Login
1 of 10

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss