SQLi Vuln Types Question
  • Mr. P-teo
    Posts: 269
    So basically I was using a dork scanner so I could learn and practice my SQLi, and I keep getting these two errors that I don't understand. Most of the URLs don't seem to inject simply, so I was wondering how you go about these errors?

    Errors
    - mysql_num_rows()
    - mysql_fetch_array()


    It says they are vulnerable, but how would you exploit a vuln like this?
    Skype: mrpt3o
    Twitter: MrPteo


  • Sh3llc0d3
    Posts: 1,910
    Do you have an example? Sorry, I'm more of a practical person lol.
  • Mr. P-teo
    Posts: 269
    Erm, yeah sure, here are two dork results:

    - mysql_fetch_array - http://www.seaony.org/publications/article.php?id=185'

    Sorry, it was mysql_fetch_assoc.
    - mysql_num_assoc - http://www.rav.org/alumni/newsDetail.php?id=129
    Skype: mrpt3o
    Twitter: MrPteo


  • Sh3llc0d3
    Posts: 1,910
    Mr. P-teo said:

    Erm, yeah sure, here are two dork results:

    - mysql_fetch_array - http://www.seaony.org/publications/article.php?id=185'

    Sorry, it was mysql_fetch_assoc.
    - mysql_num_assoc - http://www.rav.org/alumni/newsDetail.php?id=129



    http://www.rav.org/alumni/newsDetail.php?id=129 order by 10--

    seaony.org wasn't responding to me attempting to find the columns. I was, however, doing it manually... you may have more luck trying SQLihelper 2.7 (I think that's its version) or something along those lines anyway.
  • These are just the first functions that the variable you're injecting hits that throw an error. Each of those functions actually uses the content returned from the MySQL server, and because the query you injected (appending ') is not valid, it throws an error. But just adding ' doesn't always give a good result when searching for SQLi vulns, btw. I typically just stick with "+and+1=1--" and "+and+1=0--" (without quotes, of course).
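    To make the mechanism in the reply above concrete from the application side, here is an added example (not code from this thread or from either site named in it) of the PHP 5-era pattern that produces those warnings, next to the PDO form that does not. The table `articles(id, title)`, the DSN and the credentials are assumptions.

    ```php
    <?php
    // Assumed schema: articles(id INT, title VARCHAR). Constructed for this example.

    // BEFORE: the request parameter is spliced straight into the SQL text.
    // This is the legacy mysql_* extension (removed in PHP 7), kept here
    // because it is exactly the code the thread's error messages come from.
    function article_title_vulnerable($id) {
        $res = mysql_query("SELECT title FROM articles WHERE id = $id");
        // On a malformed query mysql_query() returns FALSE, not a result
        // resource. The first function handed that FALSE is the one that emits
        // the warning a dork scanner keys on: "mysql_fetch_assoc() expects
        // parameter 1 to be resource, boolean given". The bug is in the query
        // construction above, not in the function named in the warning.
        $row = mysql_fetch_assoc($res);
        return $row ? $row['title'] : null;
    }

    // AFTER: the value travels as a bound parameter and never becomes SQL text.
    function article_title_safe(PDO $db, $id) {
        // A numeric id has no business carrying quotes or keywords; reject early.
        if (!ctype_digit((string) $id)) {
            http_response_code(400);
            return null;
        }
        $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id');
        $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['title'] : null;
    }

    // Error path: the scanner only "sees" the warning because it is printed to
    // the client. Log driver errors server-side instead of displaying them.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    // Assumed connection details for the example.
    $db = new PDO('mysql:host=localhost;dbname=site', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);

    $id = isset($_GET['id']) ? $_GET['id'] : '';
    echo htmlspecialchars((string) article_title_safe($db, $id), ENT_QUOTES, 'UTF-8');
    ```

    With the hardened version, `id=129'` and `id=129 and 1=0--` both get a 400 rather than a query error, so the 1=1 / 1=0 and quote probes described in the thread produce no differential response.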
  • Sh3llc0d3
    Posts: 1,910
    Yeah, that's the other problem I forgot to mention but Crash mentioned... ' is not always a reliable way of testing a page. Unfortunately a lot of SQL vulnerability (dork) scanners use that method. I know the one reiluke made definitely does.
  • Sh3llc0d3
    Posts: 1,910
    Another helpful tip: if you get stuck looking for vulnerable columns after the UNION SELECT or UNION ALL SELECT, then put a "-" in... like:

    before:
    index.php?id=9 UNION SELECT 1,2,3,4,5,6,7--

    after:
    index.php?id=-9 UNION SELECT 1,2,3,4,5,6,7--

    It'll remove all the crap and show you the vuln columns, hopefully more clearly.

    Edit: Another tip... some tutorials mention, when searching for column/table names, that you should use table_name and column_name... instead use group_concat(table_name) or group_concat(column_name). The difference is that it'll concatenate all of your results into one string separated by commas. Otherwise you'll get a page of repeated shit with all your needed info all over the place. Either way is down to you, but I find it easier to work through.