
I am trying to exploit (legally) a MariaDB database with an SQLi vulnerability.

I have identified the vulnerability here...

/?o=1&page=app

The o=* is vulnerable and produces the following error...

DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5' or dest like '1'') LIMIT 10' at line 1

I am using Burp Suite and have landed upon the following syntax which seems to be closer to the mark but is still producing a syntax error.

I think it is closer to the mark because the error is only spitting out the query that I have introduced and not the 'extra' field: '5' or dest like '1'') LIMIT 10'.

I am assuming that is part of the original query, as the 1 is included, and when I test with other random strings that remains true.

I am after the admin password hash which I know from the page clues is uid 1.

What am I missing with this query?

SELECT Password FROM mysql.user WHERE (uid = '1' or dest like '%') --') LIMIT 10

3therk1ll

2 Answers

2

You are missing a space after your comment marker.

From a '-- ' to the end of a line. The space after the two dashes is required (as in MySQL).

Comment syntax

Sjoerd
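To show the comment rule from this answer from the defender's side, here is an added example (my own code, not from the post or from MariaDB): it scans constructed access-log lines, assumes common log format with the request in the quoted field, and reports for each query parameter carrying a quote whether the value also holds a comment opener that MariaDB would actually honour ("#", "/*", or "--" followed by whitespace) rather than a bare "--" glued to a quote.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# MariaDB/MySQL recognise three comment openers: "#", "/*", and "--" only when
# the dashes are followed by whitespace or a control character. A "--" glued
# straight onto a quote, as in the question's query, is not a comment, so the
# trailing ') LIMIT 10 is still parsed and the statement fails.
_COMMENT_OPENER = re.compile(r"#|/\*|--(?=[\s\x00-\x1f])")


def mariadb_comment_start(text: str) -> Optional[int]:
    """Offset of the first MariaDB-valid comment opener in text, or None."""
    m = _COMMENT_OPENER.search(text)
    return m.start() if m else None


def flag_request(log_line: str) -> Dict[str, bool]:
    """Inspect one common-log-format line and return, for every query-string
    parameter whose decoded value contains a single quote, whether that value
    also carries a MariaDB-valid comment opener (True) or only the quote
    (False). The quote alone is worth an alert; the valid opener is the shape
    of a completed 'close the string, drop the rest of the query' attempt."""
    request = log_line.split('"')[1]          # e.g. 'GET /?o=1&page=app HTTP/1.1'
    path = request.split()[1]
    result: Dict[str, bool] = {}
    # parse_qsl percent-decodes and turns '+' into a space, as the server would.
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if "'" in value:
            result[name] = mariadb_comment_start(value) is not None
    return result


# Constructed sample log lines (not taken from the original post). Line 2 has
# "--" directly followed by a quote; line 3 has the "-- " form with the space.
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [21/Feb/2019:14:49:01 +0000] "GET /?o=1&page=app HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Feb/2019:14:49:07 +0000] "GET /?o=1%27%29--%27%29&page=app HTTP/1.1" 500 88',
    '10.0.0.5 - - [21/Feb/2019:14:49:12 +0000] "GET /?o=1%27%29--+%27%29&page=app HTTP/1.1" 200 640',
]


def scan(lines: List[str]) -> Dict[int, Dict[str, bool]]:
    """Map 0-based line index to the flagged parameters of each line that hits."""
    hits: Dict[int, Dict[str, bool]] = {}
    for i, line in enumerate(lines):
        flagged = flag_request(line)
        if flagged:
            hits[i] = flagged
    return hits


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_LOG).items():
        print(idx, hit)   # 1 {'o': False} / 2 {'o': True}
```

The 500 on the second line paired with a quote-only hit is the same signal the "DEBUG INFO" error in the question gives an attacker, so alerting on it (and not echoing the SQL error to the client) catches the probing before the comment form is corrected.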
0

It is hard to say without more details, but possibly the number for UID is not enclosed within quotes:

SELECT Password FROM mysql.user WHERE uid = 1 ...

Unlike strings, numbers do not necessarily have to be within quotes.

Sjoerd
  • Good point but doesn't seem to affect the result... `DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'SELECT Password FROM mysql.user WHERE (uid = 1 or dest like '%') --') LIMIT 10')' at line 1` – 3therk1ll Feb 21 '19 at 14:49