mysql exploitation with error messages

June 29, 2010

A colleague of mine(Aleks) forwarded me a russian presentation on exploiting SQL Injection:

http://devteev.blogspot.com/2009/10/advanced-sql-injection-lab-full-pack.html

Of all the slides, i particular liked the one in which the author demonstrates that if the mysql error messages have been enabled (using mysql_error() function), then it is possible to retrieve the data from the back-end database using the ExtractValue() function:
——————————————
>SELECT 1 AND ExtractValue(1, CONCAT(0x5c, (SELECT @@VERSION)))

produces:

Error Code : 1105
XPATH syntax error: ‘5.1.44-community’

———————-
This should not be confused with the php errors. While the php errors are usually enabled its not “very” common to see developers printing the mysql errors using mysql_error() function. However, its still good to know and could sometimes come handy.

Overall, very nice presentation.

Comments

5 Comments

Dmitry Evteev says:

June 29, 2010 at 11:46 am

hi! now there’s more effective way to exploit error-based sql injection in mysql. see http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf

Reply
Bugtrace says:

June 29, 2010 at 12:18 pm

Good trick.

Reply

3 Trackbacks

Trackback

HackDoxMSSQL Injection Cheat Sheet | HackDox says:

March 6, 2013 at 4:42 am

[…] From Dan Crowley: A way to extract data via SQLi with a MySQL backend […]

Reply
MSSQL Injection Cheat SheetJF's blog | JF's blog says:

June 13, 2013 at 2:50 pm

[…] From Dan Crowley: A way to extract data via SQLi with a MySQL backend […]

Reply
MSSQL Injection Cheat Sheet - MOSHIUR RAHMAN NIC says:

July 4, 2013 at 5:42 pm

[…] From Dan Crowley: A way to extract data via SQLi with a MySQL backend […]

Reply

mysql exploitation with error messages

Comments

5 Comments

3 Trackbacks

Leave a Reply Cancel reply

Trackback