Donate to us via Paypal!
Understanding is the answer, hatred is the problem, and hackers are the slaves abused and destroyed in the process of peace online - Deshouleres
Thursday, October 29, 2020
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 100
Guests Online: 98
Members Online: 2

Registered Members: 129474
Newest Member: ZoboCop2
Latest Articles

View Thread

HellBound Hackers | Computer General | Web hacking

Author

blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-06-07 18:32
Now, here's the deal. I've been trying to get a full path disclosure on this site to make my load_file sufficient. Unfortunately, i can't find one. Out of all the junk and holes this person has in his site, i can't manage to get a f*cking path without being malicious and destroying some stuff/adding a new user into mysql.user.

Anyways, i was wondering if it's possible to somehow grab a path from within the sql injection. I've already tried to execute phpinfo() into an outfile, but it has some problems with that.

And...i have no restrictions and it's MySQL


Author

RE: blind sql load_file

Mr_Cheese
Member



Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank:
Uber Elite
Posted on 20-06-07 18:53
i would continue doing what your doing, sticking php info() into an out file.

what errors are you getting when you do it?


Author

RE: blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-06-07 19:03
Just presents me with a blank page, same as 1=0.

Um...let's see. Let me show you what i'm doing:
Code
http://www.site.com/notreal/blah.php?fu=16999/**/UNION/**/ALL/**/SELECT/**/null,null,null,null,char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,63,62),null,null,null,9,null,null,null,null,null,null,null,null/**/INTO/**/OUTFILE(char(47,98,108,97,104,47,121,101,115,46,112,104,112))/*







Edited by on 20-06-07 19:03
Author

RE: blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-06-07 19:49
i got an error on a site i was trying something similar on, it might help some?

SELECT INTO must be the first query in an SQL statement containing a UNION operator.


Author

RE: blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 20-06-07 20:20
Well, it seems that i can't use char() in outfile. Seeing as i can't use quotes, i'm shit out of luck on that method. Can anyone think of another way to get me a path?




Edited by on 20-06-07 20:41
Author

RE: blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-08-07 23:49
What SQL server are they running?


Author

RE: blind sql load_file

SySTeM
Member

Your avatar

Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 11-08-07 23:54
nights_shadow wrote:
Now, here's the deal. I've been trying to get a full path disclosure on this site to make my load_file sufficient. Unfortunately, i can't find one. Out of all the junk and holes this person has in his site, i can't manage to get a f*cking path without being malicious and destroying some stuff/adding a new user into mysql.user.


Path as in full server path?

Example: /var/www/site.com/public_html/

If you want something like that, try this:

?getVar[]=someVal

That should spit out an error as it tries to push an array to a string Wink


img138.imageshack.us/img138/6527/sig2ak1.jpg
www.hellboundhackers.org/sig/r/2783.png

http://www.elites0ft.com/
Author

RE: blind sql load_file


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-08-07 21:14
Nah, system, that, among other things, are what i tried for an information disclosure bug. Anyways, i got it all sorted out a while ago.

Thanks for the help anyways guys.