Wednesday, April 16, 2014
Author

Don't bother reading. Shouldn't have even asked.

jghgjb790
Member

Your avatar

Posts: 24
Location:
Joined: 20.06.10
Rank:
Newbie
Posted on 11-07-10 01:10
I'm new to MySQL. I'm pen-testing a site for a friend, and I just can't get the syntax right to view these listings that are supposed to be hidden. Anyone want to help? I've got:
Code
 SELECT listing.id, dealer.display FROM (listing,dealer)
WHERE dealer.display='on' AND hide != 'true'
AND dealer.id=listing.dealer_id
AND listing.make='/*begin injection*/'Acura'
AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r'))
OR 'g'='r /*end injection*/  '
 AND listing.model='anythinghere'
 




Edited by jghgjb790 on 12-07-10 03:10
http://todaystopsite.site90.net
Author

RE: MySQL syntax?

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 11-07-10 01:32
jghgjb790 wrote:
I'm new to MySQL. I'm pen-testing a site for a friend,


Stopped reading -right- there.



"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term,
but it is suicidal for nations in the long term.
- Carl Sagan
“Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor?” - Ebert
http://bitsofspy.net
Author

RE: MySQL syntax?

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 11-07-10 22:46
I'm surprised people keep thinking someone is going to fall for something *that* obvious.
Come on, at least get a little creative, guys?


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealth-x.com
Author

RE: MySQL syntax?

jghgjb790
Posted on 11-07-10 23:27
Okay, fine. The father of one of my friends. But w/e. I already showed him an XSS-able input form... I'm totally serious. Don't believe me if you don't want to, but help with the syntax please?

Also, updated code I'm trying.

Here's the output.

A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
Code
 'INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1'


at line 3
Code

SELECT listing.id, dealer.display FROM (listing,dealer) WHERE dealer.display='on' AND hide != 'true' AND dealer.id=listing.dealer_id AND listing.make='Acura' AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1901' AND listing.mileage >=0






Edited by jghgjb790 on 11-07-10 23:29
Author

RE: MySQL syntax?

spyware
Posted on 12-07-10 01:11
I didn't help you because you're obviously a security novice and yet insist on "helping" people.



Author

RE: RTFM


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-07-10 01:52
You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.
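Seen from the site owner's side, the query and error output posted earlier in this thread show two defects: the search value is spliced into the SQL text, and the raw database error is returned to the browser. The sketch below is an added example, not code from the thread or from the site being discussed; it uses Python's sqlite3 as a stand-in for MySQL, with a constructed schema, constructed rows and hypothetical function names.

```python
import sqlite3

def make_db():
    """Constructed data: table and column names follow the query in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dealer (id INTEGER PRIMARY KEY, display TEXT);
        CREATE TABLE listing (id INTEGER PRIMARY KEY, dealer_id INTEGER,
                              make TEXT, model TEXT, hide TEXT);
        INSERT INTO dealer VALUES (1, 'on');
        INSERT INTO listing VALUES (10, 1, 'Acura', 'TL', 'false'),
                                   (11, 1, 'Acura', 'RL', 'true');
    """)
    return db

BASE = ("SELECT listing.id FROM listing "
        "JOIN dealer ON dealer.id = listing.dealer_id "
        "WHERE dealer.display = 'on' AND listing.hide != 'true' "
        "AND listing.make = ")

def search_concat(db, make):
    """Weak: input becomes part of the SQL text; driver errors reach the caller."""
    try:
        return [row[0] for row in db.execute(BASE + "'" + make + "'")]
    except sqlite3.Error as exc:
        # Mirrors the error page quoted in the thread: parser detail is disclosed.
        return "A Database Error Occurred: " + str(exc)

def search_bound(db, make, log):
    """Hardened: input is a bound parameter; errors are logged, never echoed."""
    try:
        return [row[0] for row in db.execute(BASE + "?", (make,))]
    except sqlite3.Error as exc:
        log.append(repr(exc))  # kept server-side for the operator
        return "Search is temporarily unavailable."

# The value posted in the thread's first message, used only as test input.
POSTED = ("Acura' AND TRUE=(INSERT INTO (listing,dealer) "
          "VALUES('v4LT0S34rChF0r')) OR 'g'='r")

if __name__ == "__main__":
    db, log = make_db(), []
    print(search_concat(db, POSTED))      # parser error text returned to the caller
    print(search_bound(db, POSTED, log))  # [] : the value is compared as a plain string
    print(search_bound(db, "Acura", log)) # [10] : the hidden row 11 stays hidden
```

With binding, the posted value never reaches the SQL parser, so there is no syntax error to report and nothing for the error page to disclose.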
Author

RE: MySQL syntax?

jghgjb790
Posted on 12-07-10 03:09
outis wrote:
You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.


Yeah... I'm sorry for even posting this now. I'm going to bookmark that, and do all those steps before asking. Lesson learned! Thanks for your time!
Author

RE: Don't bother reading. Shouldn't have even asked.

jghgjb790
Posted on 16-07-10 08:47
MoshBat wrote:
You could learn MySQL, and then injections.
Or maybe I'm overestimating you.

Well, I've learned 3 "real" languages pretty well, and I've experimented with that game maker crap. So, idk... Don't do game maker, kids!
Author

RE: Don't bother reading. Shouldn't have even asked.

fuser
Member



Posts: 960
Location: in front of a computer (duh)
Joined: 05.04.07
Rank:
Mad User
Posted on 17-07-10 07:59
a-hack wrote:
Well, I've learned 3 "real" languages pretty well

And they are?

html, english, and L337 5P34|< :xx:

Fail. Utter fail.

