
Q: a query whose output isn't shown / useless injection?

1 reply to this topic

#1 m.rce


    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male

Posted 09 May 2011 - 07:48 AM


I've found a query (in PHP) I can inject into, as it is in the form "select xyz where myparam=inject".
However, the query result is just compared in a yes/no fashion, so I have no real way to make it 'produce' a visible output.

Since PHP allows no query concatenation via ';', is there a known way I could exploit this code weakness?
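The pattern described in the question, a user-supplied value concatenated into a WHERE clause whose result is only checked as yes/no, is worth seeing next to its fix. The following is an added example written for this thread, not code from either poster: it uses an in-memory SQLite table (the schema and rows are constructed; the thread names none) to show that the boolean check alone is not a safeguard, and that binding the parameter instead of concatenating it makes the same yes/no query safe. In PHP the bound-parameter version corresponds to PDO::prepare followed by execute with the value passed as a parameter rather than spliced into the string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, xyz TEXT, myparam INTEGER)"
    )
    conn.executemany(
        "INSERT INTO items (xyz, myparam) VALUES (?, ?)",
        [("a", 1), ("b", 2), ("c", 3)],
    )
    return conn


def exists_vulnerable(conn: sqlite3.Connection, myparam: str) -> bool:
    """Mirrors the pattern from the question: input concatenated into the SQL text.

    The caller only looks at whether a row came back, but the WHERE clause itself
    is still attacker-controlled, so the yes/no answer reflects whatever condition
    the input turns the query into, not the intended equality test.
    """
    row = conn.execute(f"SELECT xyz FROM items WHERE myparam={myparam}").fetchone()
    return row is not None


def exists_parameterized(conn: sqlite3.Connection, myparam: str) -> bool:
    """Same yes/no check with a bound parameter: the input is a value, never SQL."""
    row = conn.execute(
        "SELECT xyz FROM items WHERE myparam=?", (myparam,)
    ).fetchone()
    return row is not None


def compare(myparam: str):
    """Run both versions on one input; returns (vulnerable_result, parameterized_result).

    A vulnerable result of None means the concatenated query failed to parse.
    """
    conn = make_db()
    try:
        vuln = exists_vulnerable(conn, myparam)
    except sqlite3.Error:
        vuln = None
    return vuln, exists_parameterized(conn, myparam)


if __name__ == "__main__":
    for value in ("1", "99", "99 OR 1=1"):
        print(repr(value), "->", compare(value))
```

For the honest inputs `"1"` and `"99"` both versions agree. For the textbook input `"99 OR 1=1"` the concatenated query answers "yes" although no row has that value, while the parameterized query treats the whole string as a single value that matches nothing. That difference is exactly why a query whose output is never displayed still has to be parameterized.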


#2 tekio


    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,272 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 16 May 2011 - 01:33 PM

Your question is a little vague. Are we talking PHP code injection, or SQL Query injection? By the example given, "select where myparam=whatever", I'm guessing SQL injection.

If we're talking about PHP code injection, it's rather simple to do something:
system($pwned, cat /etc/shadow | grep "\root\|mysql\|admin\");
system($true, mv /etc/shadow /etc/shadow.bak);
if($true) {
system($access,"sed -i \'s/^root.*$/<line with predefined root hash for injecting into shadow file>/g' /etc/shadow");
if($access) {
echo "pwned!"
If it's an SQLi you can still add and delete records, and switch databases. MySQL uses databases to store credentials for logging into MySQL. So if permissions are not well designed you could easily update the MySQL user authentication DB. Also you can use stored routines to possibly send commands to the OS.

EDIT: I was thinking about the PHP injection, and the examples given wouldn't work, unless the web server was running with UID 0, or PHP was running in CGI mode as UID 0. Very seldom do you find that. But you could still have carte blanche access to the system as "nobody", or whatever the web server is running as. Well, unless it's chrooted to /var/www.

Edited by tekio, 16 May 2011 - 04:06 PM.
