So. There is a website with php and mysql. It is injectable, but not perfectly, or I don't know how.
Example to reproduce the problem:
Url: http:/ /site.com/?param1=6') -- a¶m2=5
Param1 is used in this context:
- Code: Select all
$sql_count = mysql_query('SELECT COUNT(*) AS cnt FROM table WHERE (... AND id=' . $param1 . ')');
$sq_result = mysql_query('SELECT a, b, c FROM table WHERE (... AND id=' . $param1 . ')');
If you try to inject it (for example with union poisoning) you'll be fail, because it always die's with
error (union param num doesn't match). So you can't get any information.
Is there a was to get thru this? I don't know any injection method which can do things like:
IF cnt THEN union all select 1 ELSE union all select 1,2,3 ENDIF
(It is one of my really old website where I found this, I don't care about blackhat hacking, it is just interesting problem to me)
PS: sorry for my english.