Topic: "sql injection stuck!" (page 1 of 1)

Visualq
Recently I got the hang of sql injection and started to understand it better and better. However, I've come across a few sites which had some difficulty to inject. Right.
(note: I did notify all owners of the website. Such a good boy! sigh)

One website was running osCommerce with a vulnerable poll plugin. At least I think it's vulnerable.
When I did a
/results/pollid/999' union select 1 from customers --
right resulted in a lack of defined columns.
SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid='999' union select 1 from customers -- ' was what I got in return.
so pollid and timestamp eh.. guess we'll add another 1
/results/pollid/999' union select 1,1 from customers --
Right, that would work, however the query appears to be run twice on 2 different tables.
SELECT optionText from phesis_poll_data where pollid='999' union select 1,1 from customers -- ' and voteid='0' and language_id = '4'
which only has 1 column..

Just for educational purposes only, how would I go around this? 'Cause it's bugging me.. :(

Visualq.
Edited by Visualq on 19.03.2008 12:51:09
unknown user
First of all, I would advise against reporting, nowadays it only gets you in trouble. Certainly in ecommerce sites, if an osCommerce site was vulnerable, it was most likely googled from the moment some hackers knew of the vuln. And I'm guessing they keep payment details. You do not want to be their scapegoat when things go badly.

Second of all, there are methods around that, that work depending on some factors, however, I am done injecting information in this website. Contact me on a good day privately, or wait for someone else to provide the solution here.
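
Added example, not part of either post above: a defender's view of the pattern quoted in the thread, where one request value is concatenated into two statements with different column counts, shown beside the same two statements with the value bound as a parameter. It uses Python's sqlite3 with constructed sample rows and a constructed customers table; the plugin's real code is not on this page, so the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the queries quoted in the thread.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phesis_poll_desc (pollid TEXT, timeStamp TEXT);
        CREATE TABLE phesis_poll_data (pollid TEXT, voteid TEXT, language_id TEXT, optionText TEXT);
        CREATE TABLE customers (id INTEGER);
        INSERT INTO phesis_poll_desc VALUES ('7', '2008-03-19');
        INSERT INTO phesis_poll_data VALUES ('7', '0', '4', 'Yes');
        INSERT INTO customers VALUES (1);
    """)
    return db

def run(db, sql, params=()):
    # Return the rows, or the database error text so both outcomes can be compared.
    try:
        return db.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"

def poll_concat(db, pollid):
    # Weak form (hypothetical reconstruction): pollid is pasted into the SQL text of both statements.
    q1 = "SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid='" + pollid + "'"
    q2 = ("SELECT optionText FROM phesis_poll_data WHERE pollid='" + pollid +
          "' AND voteid='0' AND language_id = '4'")
    return run(db, q1), run(db, q2)

def poll_bound(db, pollid):
    # Corrected form: pollid is bound as data, so it cannot change the shape of either statement.
    q1 = "SELECT pollid, timeStamp FROM phesis_poll_desc WHERE pollid = ?"
    q2 = ("SELECT optionText FROM phesis_poll_data "
          "WHERE pollid = ? AND voteid = '0' AND language_id = '4'")
    return run(db, q1, (pollid,)), run(db, q2, (pollid,))

if __name__ == "__main__":
    db = make_db()
    probe = "999' union select 1,1 from customers --"  # string quoted in the thread
    for fn in (poll_concat, poll_bound):
        for value in ("7", probe):
            print(fn.__name__, repr(value), fn(db, value))
```

The column-count error raised by the second concatenated statement is the kind of database error worth logging and alerting on; with bound parameters the same input simply matches no poll.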
