Bi0X

SQL Injection (NOT for malicious purposes)!

10 posts in this topic

Hello.

I know this may sound like I am looking for someone to help me break into a site, and I know even if I say I won't some people will not believe me, but I assure you, I want help with this only so I know I can identify and exploit an SQL Injection vulnerability.

So here it is.

I recently came to this site: http://www.robertkeeley.com/product.php?id=5 and by following a tutorial on how to identify if a site is vulnerable to SQL Injection, I added an ' at the end of the URL. The tutorial said if it gave me an SQL error, similar to the one the site is giving me, then the site is vulnerable. So I moved on to where the tutorial says:

To find the number of columns we use the statement ORDER BY (tells the database how to order the result).

So how do we use it? Well, just increment the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/* <-- no error

http://www.site.com/news.php?id=5 order by 2/* <-- no error

http://www.site.com/news.php?id=5 order by 3/* <-- no error

http://www.site.com/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)

That means that it has 3 columns, because we got an error on 4.

I tried making the URL look like this on the site: http://www.robertkeeley.com/product.php?id=5 order by 1/* and I got an error.

Here is my problem: if it gives me an error when entering the number 1 before the /* part, how many columns does it have?

I have tried using the numbers 1-3 and they all give me errors. What does this mean?

Thanks for any help, I don't quite fully understand it yet, but I would like to know as it would probably help me get a better job in the future, knowing about how to identify and prevent SQL Injections.

~snip~

I tried making the URL look like this on the site: http://www.robertkeeley.com/product.php?id=5 order by 1/* and I got an error.

~snip~

From a quick test, I get this error:

MySQL error: failed to run query 'SELECT * FROM products WHERE ID=5\'order by 1/* LIMIT 1': You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'order by 1/* LIMIT 1' at line 1

Honestly, looks like that site sanitizes the url input, from the

WHERE ID=5\'

where you can see the \ before the '

Another test using \\\''order by 1/* results in WHERE ID=5\\\'\'\'order by 2/* in the error.

The site properly delimits certain characters to prevent this type of exploit.

Also, don't use someone else's site without permission for this. Host your own site and sql table on your computer or a spare :/

Edited by chaostic
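The point chaostic is making is that the site escapes quotes, which is why every quoted probe turns into a syntax error. An added example (not code from the thread or from the site discussed) showing why quote escaping alone is not a defence for an unquoted numeric parameter, and what the fix looks like; the table, rows and helper names are constructed for the demonstration:

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the 'products' table named in the thread's errors."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (ID INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(5, "widget", 9.5), (6, "gadget", 19.0)])
    return con

def escape_quotes(value):
    """addslashes-style escaping: the only defence visible in the thread's 'ID=5\\'' output."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def lookup_vulnerable(con, raw_id):
    """Escapes quotes, then concatenates the value unquoted into the SQL, which is the
    pattern behind 'WHERE ID=5 ORDER BY 1; LIMIT 1'. Returns (query, result) so the
    caller can see exactly what reached the database; a real app must never echo this."""
    query = "SELECT * FROM products WHERE ID=%s LIMIT 1" % escape_quotes(raw_id)
    try:
        result = con.execute(query).fetchall()
    except sqlite3.Error as e:
        result = "error: %s" % e   # verbose errors like these are what leak column counts
    return query, result

def lookup_safe(con, raw_id):
    """Defence: validate the parameter as an integer, then bind it. No user text ever
    becomes part of the SQL grammar, so ORDER BY / comment tricks cannot change the query."""
    if not re.fullmatch(r"\d{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return con.execute("SELECT * FROM products WHERE ID=? LIMIT 1", (int(raw_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for probe in ("5", "5 ORDER BY 1", "5 ORDER BY 4", "5' ORDER BY 1/*"):
        print("vulnerable:", lookup_vulnerable(db, probe))
        try:
            print("safe:", lookup_safe(db, probe))
        except ValueError as err:
            print("safe: rejected,", err)
```

Only the quoted probe is stopped by the escaping; the unquoted `ORDER BY` probes run as written in the vulnerable version, and the out-of-range one produces the very error the tutorial relies on, while the validating version rejects all of them before any SQL is built.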

You're going to have to give a little more information. What error are you getting? "I'm getting an error" doesn't help much.


He's getting unexpected syntax errors instead of the expected selected column is out of bounds error.


Yeah that's right.

I'm not exactly sure what I should be looking for, but I know the SQL syntax error is NOT it.


Is there a chance I am doing something wrong, or the tutorial made a typo or something? Am I definitely meant to enter order by 1/*?


Is there a chance this method doesn't work any more?

Is there any other way I can find out how many columns it has?

Also, just because using the ' sign gave me the error message the tutorial says, is the site definitely vulnerable to SQL Injection, and is there another way to test if a site is vulnerable?

Thanks.


It is strange that everything appears as a syntax error.

And this is odd:

"/product.php?id=1 ORDER BY 1" gives this error message:

MySQL error: failed to run query 'CREATE TABLE pay_5 ORDER BY 1 (ID INT PRIMARY KEY AUTO_INCREMENT, payName VARCHAR(255), payNum VARCHAR(50), payAmt VARCHAR(20), payText TEXT)'

while "/product.php?id=1 ORDER BY 1;" (note the semicolon) gives this error message:

MySQL error: failed to run query 'SELECT * FROM products WHERE ID=5 ORDER BY 1; LIMIT 1'

and "/product.php?id=1 UNION ALL SELECT" gives an Internal Server Error.


If you would look at the query, you'd realize why the ORDER BY portion gives a syntax error. It's a CREATE statement, not a SELECT. Why it's creating a new table, I have no idea, but that's what it's doing.
