EvilZone

Hacking and Security => Hacking and Security => Topic started by: Mrgood on August 26, 2012, 03:55:41 PM

Title: Request for help with SQLi INSERT command
Post by: Mrgood on August 26, 2012, 03:55:41 PM
First of all, I really don't want to give you a link to the website. I also want to know how the script would work.

...page=news&id=2 (actually I can't get the script which finds the news id. Probably it's PHP. If it's a 'must have' for the insertion, I would look for it deeper)

The thing I want to do is, for example, add new news or update an old one. Let's say I want to add news with id=3. I know the database structure thanks to The Mole tool. The separator is " ' " and the delimiter is "#" (if it can help somehow).

I have studied so many articles. I know how SQLi works and I tried so many tutorials with no results. I have also tried lots of SQLi tools. Only The Mole was able to get some data (but it doesn't help me with any SQL command like INSERT).

For example:
...page=news&id=2; UPDATE news_update SET content = 'hacked' WHERE id='1'"#
I am getting a MySQL syntax error until I form the query like the sample above. Now I get the whole website with a "wrong news id" message.

I am not sure what else I should write here. Any clue would be a great gift for me ;)

PS. I tried the BENCHMARK function like the sample on Wikipedia and it worked.
Code:
x' AND BENCHMARK(9999999,BENCHMARK(999999,BENCHMARK(999999,MD5(NOW()))))=0 OR '1'='1
Are there any other ways to use some function in a malicious way?
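
From the defender's side, the two inputs quoted in the post stop mattering once the `id` parameter is allow-listed as an integer and bound as a query parameter. The following is an added example, not part of the original post and not the site's code; the `news` table layout, the sample rows and the function names are assumptions, and SQLite stands in for MySQL so that it runs offline.

```python
import re
import sqlite3

ID_PATTERN = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length

# The two inputs quoted in the post, used here as test data for the handler.
POST_INPUTS = [
    "2; UPDATE news_update SET content = 'hacked' WHERE id='1'\"#",
    "x' AND BENCHMARK(9999999,BENCHMARK(999999,BENCHMARK(999999,MD5(NOW()))))=0 OR '1'='1",
]


def make_db():
    """Build an in-memory database with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany(
        "INSERT INTO news (id, content) VALUES (?, ?)",
        [(1, "first item"), (2, "second item")],
    )
    conn.commit()
    return conn


def get_news(conn, raw_id):
    """Return the content for a news id, or None for an invalid or unknown id."""
    # Allow-list check: anything that is not a plain integer never reaches SQL.
    if not isinstance(raw_id, str) or not ID_PATTERN.fullmatch(raw_id):
        return None
    # Bound parameter: the value travels separately from the SQL text,
    # so it can never change the structure of the statement.
    row = conn.execute(
        "SELECT content FROM news WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def render(conn, raw_id):
    """Page-level behaviour: same generic message for invalid and unknown ids."""
    content = get_news(conn, raw_id)
    return content if content is not None else "wrong news id"


def snapshot(conn):
    """Full table contents, used to confirm that no request modified the data."""
    return conn.execute("SELECT id, content FROM news ORDER BY id").fetchall()
```

Returning the same generic message for malformed and unknown ids also avoids exposing database error text to the client.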