MySQL injection in mutillidae in user-info.php at level 5
#1
Posted 16 December 2012 - 05:53 AM
I need some help with MySQL injection in Mutillidae.
In user-info.php at level 5, I am not able to break the query.
Path to the injection page is
Owasp Top 10 > A1 sql injection > sqli extract data > user info then toggle security to level 5
Please walk me through this injection.
Thanks
#2
Posted 16 December 2012 - 09:38 PM
They both have functions to find your injection point...
Try darksqli first with the --findcol option...
This is cheating, but it may help you understand.
#3
Posted 17 December 2012 - 12:38 AM
In any case, to find the "injection point", use a single quote in the query. It will cause one of two things:
1) MySQL will return a "Bad query" error
2) the page will be blank
Either way you know you've found the "injection point".
To extract data there are a few rules to follow with MySQL.
1) MySQL does not allow stacked queries. So use UNION SELECT
2) You can only extract data by injecting the same number of columns the query is expecting.
So something like:
http://www.injectiable.org/index.php?name=something&id=something
You would need to do something like:
http://www.injectable.com/index.php?name=something' UNION SELECT ALL FROM passwd WHERE 1=1--
Basically you need to quote the first query, union select a new one then finally comment the remaining old query out so MySQL ignores it.
Edited by tekio, 17 December 2012 - 12:40 AM.
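The two rules in the post above, seen from the defender's side, as an added example that is not part of the original thread. It uses Python's sqlite3 in place of MySQL, and the accounts table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed inputs: a lone quote, a UNION with the wrong column count,
# and a UNION whose column count matches the original SELECT.
QUOTE = "alice'"
UNION_BAD = "x' UNION SELECT username FROM accounts--"
UNION_OK = "x' UNION SELECT username, password FROM accounts--"

def make_db():
    """In-memory stand-in for the lab database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("alice", "pw-a", "sig-a"), ("bob", "pw-b", "sig-b")])
    return db

def lookup_concat(db, username, password):
    """Vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT username, signature FROM accounts "
           f"WHERE username = '{username}' AND password = '{password}'")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The "bad query" symptom: the input changed the statement's syntax.
        return f"SQL error: {exc}"

def lookup_bound(db, username, password):
    """Hardened form: placeholders keep input as data, never as SQL."""
    sql = ("SELECT username, signature FROM accounts "
           "WHERE username = ? AND password = ?")
    return db.execute(sql, (username, password)).fetchall()

def compare(db):
    """Run each constructed input through both query styles."""
    return {name: (lookup_concat(db, value, ""), lookup_bound(db, value, ""))
            for name, value in
            [("quote", QUOTE), ("union_bad", UNION_BAD), ("union_ok", UNION_OK)]}

if __name__ == "__main__":
    for name, (concat, bound) in compare(make_db()).items():
        print(f"{name:10} concat={concat!r} bound={bound!r}")
```

The concatenated query errors on the lone quote and on the mismatched UNION and returns the password column for the matching UNION, while the bound query returns no rows for all three inputs.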
#4
Posted 18 December 2012 - 06:58 AM
Posting a link would be a lot better than pointing to sections of OWASP. I was able to follow your directions to A1: SQLI injection
In any case, to find the "injection point", use a single quote in the query. It will cause one of two things:
1) MySQL will return a "Bad query" error
2) the page will be blank
Either way you know you've found the "injection point".
To extract data there are a few rules to follow with MySQL.
1) MySQL does not allow stacked queries. So use UNION SELECT
2) You can only extract data by injecting the same number of columns the query is expecting.
So something like:
http://www.injectiable.org/index.php?name=something&id=something
You would need to do something like:
http://www.injectable.com/index.php?name=something' UNION SELECT ALL FROM passwd WHERE 1=1--
Basically you need to quote the first query, union select a new one then finally comment the remaining old query out so MySQL ignores it.
Actually, I think you got it wrong.
Go to this link in your installation:
http://localhost/mutillidae/index.php?page=user-info.php
There you will see username and pass input fields; you need to inject in them, but first toggle security to 5 using the toggle security button.
Please mail me at k3rn3l@live.in