X-forwarded-for SQL Injection

Discussion in 'Black Hat SEO' started by 50bullets, Jun 23, 2014.

  1. 50bullets

    Hello everybody,
    I have discovered an SQL injection in the X-Forwarded-For HTTP header, but I am having trouble exploiting it. I use the Firefox plugin "X-forwarded-for Header" to edit the value and put the quote.
    Actually I should double quote to see the error message using: '",
    This is the error message I get:
    Code:
    Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '" or 1/*, VALUE_OF_THE_HEADER'' at line 1' in xxx/www/inc/function.php:190
    Stack trace:
    #0 xxx/www/inc/function.php(190): PDOStatement->execute()
    #1 xxx/www/index.php(56): is_banned()
    #2 {main}
      thrown in xxx/www/inc/function.php on line 190
    I tried replacing the value of the header with: '" OR 1=1 and everything that I had read about SQL injection, but I failed.
    I would appreciate it if anyone could help me :)
    Thank you all.
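
The stack trace above shows the header value reaching `PDOStatement->execute()` inside `is_banned()` as part of the SQL text. The following is an added example, not code from the original post or the affected site, of how such a ban check can be written so the header is validated as an IP address and passed as a bound parameter. The function `client_ip()`, the table `banned_ips`, its column `ip`, and the proxy address are all hypothetical.

```php
<?php
declare(strict_types=1);

// X-Forwarded-For is client-controlled: consult it only when the direct peer
// is a reverse proxy we operate, and accept only a syntactically valid IP.
function client_ip(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $candidate = $peer;
    if (in_array($peer, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Right-most entry is the one appended by our own proxy.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim(end($parts));
    }
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function is_banned(PDO $db, ?string $ip): bool
{
    if ($ip === null) {
        return false; // unparseable address: never reaches the database
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM banned_ips WHERE ip = :ip LIMIT 1');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES => false for server-side prepares.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE banned_ips (ip TEXT PRIMARY KEY)');
$db->exec("INSERT INTO banned_ips (ip) VALUES ('203.0.113.7')");

$proxies = ['10.0.0.5']; // hypothetical address of our reverse proxy
$cases = [ // constructed requests
    'banned via proxy' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.2, 203.0.113.7'],
    'quotes in header' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "'\""],
    'untrusted peer'   => ['REMOTE_ADDR' => '192.0.2.44', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];
foreach ($cases as $label => $server) {
    $ip = client_ip($server, $proxies);
    printf("%-17s ip=%-12s banned=%s\n", $label, $ip ?? '(rejected)', is_banned($db, $ip) ? 'yes' : 'no');
}
```

Separately from the query itself, `display_errors` should be off in production so that exception text and file paths like those in the error above are written to the log rather than returned to the client.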
     
  2. Asif WILSON Khan

    This is not a Hacking or Computer Security site. If you would like to learn how to make money online then stick around and read.