
MySQL injection in mutillidae in user-info.php at level 5


#1 k3rn3l


Posted 16 December 2012 - 05:53 AM

Hello there,
I need some help with MySQL injection in Mutillidae.
In user-info.php at level 5, I am not able to break the query.
The path to the injection page is:
OWASP Top 10 > A1 SQL injection > SQLi extract data > user info, then toggle security to level 5
Please walk me through this injection.
Thanks

#2 I8igmac


Posted 16 December 2012 - 09:38 PM

Recently I have spent some time learning SQLi. Two tools you must try: 'mole' and 'darksqli'.
They both have functions to find your injection point...

Try darksqli first with the --findcol option...

This is cheating, but it may help you understand.

#3 tekio


Posted 17 December 2012 - 12:38 AM

Posting a link would be a lot better than pointing to sections of OWASP. I was able to follow your directions to A1: SQLI injection.

In any case, to find the "injection point", use a single quote in the query. It will cause one of two things:
1) MySQL will return a "Bad query" error
2) The page will be blank

Either way you know you've found the "injection point".

To extract data there are a few rules to follow with MySQL.
1) MySQL does not allow stacked queries, so use UNION SELECT.
2) You can only extract data by injecting the same number of columns the query is expecting.

So something like:
http://www.injectiable.org/index.php?name=something&id=something

You would need to do something like:
http://www.injectable.com/index.php?name=something' UNION SELECT ALL FROM passwd WHERE 1=1--

Basically you need to quote the first query, union select a new one then finally comment the remaining old query out so MySQL ignores it.

Edited by tekio, 17 December 2012 - 12:40 AM.
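
The behaviour described in the post above, as an added example that is not part of the original thread: the same lookup built by string concatenation and with bound parameters, so the effect of a stray quote and of the column-count rule can be seen next to the fix. SQLite stands in for MySQL here, and the table names, sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (username TEXT, password TEXT);
        CREATE TABLE secrets  (k TEXT, v TEXT);
        INSERT INTO accounts VALUES ('alice', 'alicepw'), ('bob', 'bobpw');
        INSERT INTO secrets  VALUES ('api_key', 'constructed-value');
    """)
    return db

def lookup_concat(db, username, password):
    # Vulnerable pattern: user input is spliced into the SQL text itself.
    sql = ("SELECT username, password FROM accounts "
           "WHERE username = '" + username + "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, username, password):
    # Hardened pattern: input is bound as data and never parsed as SQL.
    sql = "SELECT username, password FROM accounts WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def probe(fn, username, password=""):
    # Returns ("rows", [...]) or ("error", message) so outcomes can be compared.
    db = make_db()
    try:
        return ("rows", fn(db, username, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        db.close()

# Constructed inputs mirroring the two cases in the post.
QUOTE = "alice'"
UNION = "x' UNION SELECT k, v FROM secrets--"

if __name__ == "__main__":
    for name, fn in (("concat", lookup_concat), ("bound", lookup_bound)):
        for value in ("alice", QUOTE, UNION):
            print(name, repr(value), probe(fn, value, "alicepw"))
```

With bound parameters both inputs are compared as literal usernames and match no row, which is why the fix belongs in how the query is built rather than in filtering quotes.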


#4 k3rn3l


Posted 18 December 2012 - 06:58 AM

> Posting a link would be a lot better than pointing to sections of OWASP. I was able to follow your directions to A1: SQLI injection.
>
> In any case, to find the "injection point", use a single quote in the query. It will cause one of two things:
> 1) MySQL will return a "Bad query" error
> 2) The page will be blank
>
> Either way you know you've found the "injection point".
>
> To extract data there are a few rules to follow with MySQL.
> 1) MySQL does not allow stacked queries, so use UNION SELECT.
> 2) You can only extract data by injecting the same number of columns the query is expecting.
>
> So something like:
>
> http://www.injectiable.org/index.php?name=something&id=something
>
> You would need to do something like:
> http://www.injectable.com/index.php?name=something' UNION SELECT ALL FROM passwd WHERE 1=1--
>
> Basically you need to quote the first query, union select a new one then finally comment the remaining old query out so MySQL ignores it.


Actually, I think you got it wrong.
Go to this link in your installation:

http://localhost/mut...e=user-info.php

There you will see username and pass input fields. You need to inject in them, but first toggle security to 5 using the toggle security button.
Please mail me at k3rn3l@live.in




