k3rn3l

MySQL injection in mutillidae in user-info.php at level 5

4 posts in this topic

Hello there,

I need some help with MySQL injection in Mutillidae.

In user-info.php at level 5, I am not able to break the query.

The path to the injection page is

OWASP Top 10 > A1 sql injection > sqli extract data > user info, then toggle security to level 5

Please walk me through this injection.

Thanks


Recently I have spent some time learning SQLi. Two tools you must try: 'mole' and 'darksqli'.

They both have functions to find your injection point...

Try darksqli first with the --findcol option...

This is cheating, but it may help you understand.


Posting a link would be a lot better than pointing to sections of OWASP. I was able to follow your directions to A1: SQLI injection.

In any case, to find the "injection point", use a single quote in the query. It will cause one of two things:

1) MySQL will return a "Bad query" error

2) the page will be blank

Either way, you know you've found the "injection point".

To extract data there are a few rules to follow with MySQL.

1) MySQL does not allow stacked queries. So use UNION SELECT

2) You can only extract data by injecting the same number of columns the query is expecting.

So something like:


http://www.injectiable.org/index.php?name=something&id=something

You would need to do something like:


http://www.injectable.com/index.php?name=something' UNION SELECT ALL FROM passwd WHERE 1=1--

Basically, you need to quote the first query, UNION SELECT a new one, then finally comment the remaining old query out so MySQL ignores it.

Edited by tekio

Actually, I think you got it wrong.

Go to this link in your installation:

http://localhost/mutillidae/index.php?page=user-info.php

There you will see username and pass input fields. You need to inject in them, but first toggle security to 5 using the toggle security button.

Please mail me at k3rn3l@live.in
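
Added example (not from the thread, and not Mutillidae's own code): a Python sketch of why the single-quote test and the UNION column rule described above act on a query built by string concatenation, and why the same input does nothing once the username and password fields are bound as parameters. That a hardened security level binds or escapes its input is an assumption here, since the thread never shows the page's code; SQLite stands in for MySQL, and the `accounts` table, its columns, the probes and all function names are constructed for the example.

```python
import sqlite3

# Constructed probes, modelled on the quote test and UNION rule in the thread.
PROBES = ["'", "' UNION SELECT 1 -- ", "' UNION SELECT 1,2,3 -- "]

def make_db():
    """Constructed sample data; SQLite stands in for MySQL (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'wonderland', 'hello')")
    return db

def lookup_concat(db, username, password):
    """Vulnerable form: input is pasted into the SQL text and parsed as SQL."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username='" + username + "' AND password='" + password + "'")
    try:
        return "rows", db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "sql-error", str(exc)

def lookup_bound(db, username, password):
    """Hardened form: input is bound as a value, so quotes stay plain data."""
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username=? AND password=?")
    try:
        return "rows", db.execute(sql, (username, password)).fetchall()
    except sqlite3.Error as exc:
        return "sql-error", str(exc)

def classify(db, lookup, probe):
    """Send a probe with a password no account has; any row or SQL error
    means the probe changed the statement instead of being compared as data."""
    status, detail = lookup(db, probe, "pw")
    if status == "sql-error":
        return "query broken"
    return "query altered" if detail else "treated as data"

def report(db):
    """Map each probe to (concatenated result, bound result)."""
    return {p: (classify(db, lookup_concat, p), classify(db, lookup_bound, p))
            for p in PROBES}

if __name__ == "__main__":
    for probe, outcome in report(make_db()).items():
        print(repr(probe), outcome)
```

Against the bound lookup every probe comes back as an ordinary failed login, which is the result a regression test for the fix should assert.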
