Forum Thread: Need Help Constructing Proper SQL Query to Extract Data

I have an error-based MySQL injection I'm having problems exploiting and was wondering if someone could help. I only have a basic knowledge of SQL scripting. Here is the request and its response.

Request:
POST /tourplanner/login/verify HTTP/1.1
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=c2nlsn3gel9c023mb8lu58di44; csrfcookiename=a565487fecb389397156de204f2cbd74;
Host: website.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /

csrftestname=a565487fecb389397156de204f2cbd74&password=goodpassword&username=1

Response:
A Database Error Occurred
Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'') && password='a0d540a78cd61daa5fb872ac29272c00' && activate='1'' at line 1

select id,fname,lname,uname,password from tpuser where (uname='1'' || email='1'') && password='32cc5886dc1fa8c106a02056292c4654' && activate='1'

Filename: models/tourplanner/Tpcommonfunctions_model.php

Line Number: 94

From the error message I know the following:
The values for uname and email have an unequal number of quotes surrounding them which is triggering the vulnerability.
There's a database named tpuser with tables id,fname,lname,uname and password.
The password 'goodpassword' was returned as an MD5 hash (a0d540a78cd61daa5fb872ac29272c00).

How do I construct a nested query to dump the data in those columns in tpuser? Thanks for the help.
SQLMAP is completely unable to identify the vulnerability so I can't use it.
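For anyone reading this thread from the fixing side: the doubled quote in the 1064 error (uname='1'') is what you get when the submitted username is spliced straight into the SQL string, so a single quote in the input terminates the literal. Below is an added example, not code from the thread or from the application it quotes, showing that vulnerable pattern next to a prepared-statement rewrite. The table and column names (tpuser, uname, email, password, activate) are taken from the quoted query; the mysqli connection, the function names and the connection details are assumptions.

```php
<?php
// Added example (not the thread's own code). Table/column names come from
// the quoted query; the mysqli connection and function names are assumed.

// Vulnerable: the submitted username is concatenated into the SQL text, so a
// single quote in it closes the string literal early and the server reports
// error 1064 (the doubled quote seen in the thread's error message).
function findUserVulnerable(mysqli $db, string $username, string $password): ?array
{
    $hash = md5($password);
    $sql = "SELECT id, fname, lname, uname, password FROM tpuser "
         . "WHERE (uname='$username' || email='$username') "
         . "&& password='$hash' && activate='1'";
    $result = $db->query($sql);            // false (or an exception) on a syntax error
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened: placeholders send the username as a bound value, so a quote in it
// is never parsed as SQL; the same input simply matches no row.
function findUserSafe(mysqli $db, string $username, string $password): ?array
{
    // md5() is kept only to match the schema implied by the thread; an unsalted
    // MD5 column is itself weak and should move to password_hash()/password_verify().
    $hash = md5($password);
    $stmt = $db->prepare(
        "SELECT id, fname, lname, uname, password FROM tpuser "
      . "WHERE (uname = ? OR email = ?) AND password = ? AND activate = '1'"
    );
    $stmt->bind_param('sss', $username, $username, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed connection details):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'tourplanner');
// $user = findUserSafe($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

In a CodeIgniter 3 model the same effect comes from query bindings, i.e. passing the parameters as an array to $this->db->query() with ? placeholders instead of building the string by hand. Two further points a reviewer would raise from the quoted response: the application echoes the full SQL statement and file path back to the client, so database error display should be disabled in production and the error logged server-side instead, and a spike of MySQL error 1064 entries in those logs is a cheap detection signal for injection probing against this endpoint.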
