Follow us on Twitter!
Your life is ending one minute at a time. If you were to die tomorrow, what would you do today?
Saturday, April 19, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 35
Guests Online: 31
Members Online: 4

Registered Members: 82841
Newest Member: and3rv1sh
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Author

sql injection question


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-11-09 20:44
Hello all, a friend of mine got ahold of me and asked me if his website was hackable. After browsing it for a bit and several different attempts, I found that I could gain admin access at the login screen by using

admin 'OR M_NAME='admin

Which logged me in as the admin of the forum. Now what I'd like to do is get ahold of the table name. I have the column names but I can't seem to figure out the table name(s).

I've tried the following:

1. SELECT name FROM sysObjects WHERE xtype='U'

2. ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.'Wink

But they both give me a "Syntax error (missing operator) in query expression".

Does anyone know what operator I'm missing, or what the syntax error might be? Or does anyone have any other suggestions for getting the table name(s)?

Thanks in advance!

-w0rd
Author

RE: sql injection question


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-11-09 21:34
What you have shown is very little understanding of sql.

Its hard to help you with the information given. Infact even your login script doesnt make much sense at all. Is there even a password check or anything at all.

To try and answer you question first you need to close out the current command using '; then enter a correct statement.

Look into information.schema_table for being able to get the tables/columns.

Honestly I would try to help you more, but you are so off base atm its hard to pick up on where you are/what you know.


Author

RE: sql injection question


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-11-09 22:14
stdio, thank you for your quick response and I apologize for not being fully educated on sql injections/sql in general.

The reason why I used that login script is because when I attempted with one of the tradition sql injections (' or 1=1), it gave me an error stating

"Syntax error (missing operator) in query expression 'M_NAME = ''1 or 1=1' AND M_PASSWORD = MD5 hash bullshit"

So I knew I should use "M_NAME".

Also, whenever I add ; or -- it gives me this error:

[Microsoft][ODBC Microsoft Access Driver] Characters found after end of SQL statement.

So I figured I was unable to use them.

Is there any other information I need to provide that would inform you more?
Author

RE: sql injection question


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 05-11-09 22:23
http://www.hellboundhackers.org/articles/900-sql-injection-whitepaper.html