Sunday, June 24, 2012

SQLI-LABS SERIES PART 6,7


CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advice you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned. 

DOUBLE QUERY INJECTIONS OR SUBQUERY INJECTIONS.

In the last 5 parts of the series we learnt about some basics about the error based injections and used the UNION statements to dump the database using the web application. Well we could achieve it because the database was interacting with web page and some database fields were visible on the web pages. A basic injection looked like id=-1 union all select 1,2,3 --+ and we were able to see the username name and password field displaying value 2 and 3. For detailed explanation watch video's 2 to 5.
In a scenario when the database does not directly display columns on the wep page, then the above technique cannot be used. To understand this better you can check Lesson 5 or 6 of the sqli-labs series. 


As we see we just see a generic message "You are in".  Therefore in this case, the database is not displaying any files on the page. In this case only way the database is displaying into is through the mysql error. (note: I am interchangeably using the Lesson 5 and 6, only thing different is way to produce error)



So primary objective in a double query injection is to create a query injection in such a way which is syntactically correct (correct at compile time) but produce an error at run time thereby spitting useful information in the errors. In case of MSSQL server cast errors dumps the info but in case of MYSQL, being flexible returns empty rows. Therefore some genius researchers found a combination of use of aggregate functions, group by clause, and use of random functions to produce errors are run time due to dynamic calculations involved in random function and aggregate function like count. 
Hope this makes some sence, after all I am a dhakkan


Less-5 line number 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

  • ' or '1'='1 Will work nicely.   id = ' ' or '1'='1 ' LIMIT 0,1
  • ' or 1=1 --+ Will also work.   id = ' ' or 1=1 --+  ' commented out
  • ' or 1=1 # will also work.   id = ' ' or 1=1 # ' commented out


Less-6 line number 28,29
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  • " or "1"="1 Will work nicely.   id = " " or "1"="1 " LIMIT 0,1
  • " or 1=1 --+ Will also work.   id =  " " or 1=1 --+ " commented out
  • " or 1=1 # will also work.       id = " " or 1=1 # " commented out

4 comments:

  1. What a great weekend going through these. Just finished video 6. GREAT WORK and THANK YOU! My head hurts from all this knowledge I am trying to fill it with! I am going to try at least one more video this evening.

    ReplyDelete
  2. Hi friend,

    I have one confusion in your part6, why same query is giving different results with "group by", first time it gives result in table format and second time it gives error of "duplicate entry".

    Please explain little bit more about "group by clause"

    Thanks for this great video series. :)

    ReplyDelete
  3. I've watched nearly all your video about sql injection and i found it really interesting. But in real situations, i find it difficult to bypass WAFs. Could you please help me with this?
    One more thing, after get all knowledge from your videos, which things or documents should I study more to get all skills in sql injection or other web hacking methods?
    Hope you could response soon. Thank you very much :D

    ReplyDelete
  4. Hi Dhakkan,

    You have a great tutorials about SQL inj. really helpful. Please, can you explain a little bit more, why are you using randomnes function in double queries? What's the final point using this? Thanks man!

    ReplyDelete