Hey! guys as the title says we are going to learn Error Based Sql Injection.
Before reading anymore of this article please read our previous articles to understand everything better:
1. SQL Injection Explained From Scratch
2. Login Bypass With SQL Injection
So basically what we are going to learn now is dumping things like username and passwords from the database of website.
Now lets get started…First of all we will find a website which may be vulnerable to SQL Injection and check then confirm its vulnerability. To find websites we will use Google Dorks.
Well Google Dorks are kind of Advanced Search Filters.
Here are some Google Dorks for you:
inurl:downloads.php?id= inurl:showproduct.php?cat= inurl:index.php?lang= inurl:product.php?bid=
For more click here.
After entering any of the dorks in google you will get result like This :
So, we will choose a website from search results and then check for vulnerability in it. So let’s suppose I have a webpage “http://www.targetwebsite.com/index.php?id=310”, now we are going to check whether it is vulnerable or not.
To do that we will add a ‘ *single quote* sign at the end of the URL. Like this :
Now, If this gives you an error or a blank page or even any of the page changes that means it is vulnerable, and if not it is not vulnerable. So if you get an error it would look like this :
You might be wondering what the hell this ‘ *single quote* did so the website gave an error?
Basically what it does is that it disturbs the syntax and the database gives an error like that in image. To know more about it read the previous article.
Now, Let’s check how much columns are there in this database.
To check that we have to write the following query :
http://www.targetwebsite.com/index.php?id=310 order by 1
I have written 1 to check whether there are 1 or more columns. Let’s check weather there are more columns or not. But wait before that let’s see what the heck order by does?? Order by is a clause which is used to sort data in database in ascending or descending order. Which is based on one or more columns in the database. Now let’s check weather there are more columns or not. Let’s check for 2
http://www.targetwebsite.com/index.php?id=310 order by 2
We got no error which means 2nd column exists.
http://www.targetwebsite.com/index.php?id=310 order by 3
We still got no error which means 3rd column exists.
Now we will check for 4th column:
http://www.targetwebsite.com/index.php?id=310 order by 4
It gave me an error like this,
Now this error means 4th column doesn’t exist which implies that there are 3 columns.
Gotcha! We found columns. So now we will find out which of the 3 columns is vulnerable.
For that we will use UNION SELECT query. Like this :
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,3--
So in this query UNION is an operator in SQL which is used to combine the result of 2 or more SELECT statements. And SELECT is a statement which is used to select number of rows/columns from the database. And 1,2,3 is the number of columns we found while doing order by. And — is a comment and is important for our query to work properly. Now when we enter this query the webpage will print the vulnerable column number in bold letters. Like this :
This shows 3 number is vulnerable and we can inject through that. Damn!! So, Let’s do this.
So lets check the database type, version and website user. For that we will use the query :
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,database()--
What we did is we just replaced 3 to database(). It is used to print database type/name (like MSSQL, Oracle etc.) of the website.
It will give a similar result to this one:
Now Let’s dump/enumerate (get/download) user and version of database.
For user we will type :
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,user()--
And we will get the user:
And for version we can type @@version and version() both will give you the same result
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,version()--
It will give you result like :
So, Till now you have seen how to print database, user and version of website. Now, we will print tables and columns then username and password of the website. Let’s go…
So, to dump table names we have to type :
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--
So what this query UNION SELECt 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() is it will dump all table names from the database of the website and print them on the screen.isn’t this good? lel. So as you all know what UNION SELECT does, so now i’ll tell you what other things i have written in the query do. group_concat this clause is used to group the things which are written in () *brackets* like i have written table_name which means it will group table names from the database and print them on the screen. Now what the hell this “from information_schema.tables where table_schema=database()” is?!! so this query is to dump information of tables from the database of the website. In this information_schema means metadata (a set of data that describes and gives information about other data.) of data in database.And table_schema means metadata of tables. And .tables refers to tables in the database.
Now let’s dump column names from the database. To dump column names we have to make slit changes in our previous query which was “UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()”. Now we will replace table_name and .tables with column_name and .columns. Let’s see how this query will look like after changes.
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()--
This is how it will look like and after executing this will give you column names from the database of the website as a result. There is nothing to get confused between the previous query and this query as both work as the same both dumps data from the database its just that previous query dumps table names and this query dumps column names. Now Let’s head up to the most awaited part of dumping username passwords. So Let’s go and Dump them. Let’s suppose we have found a column named admin_users so we will dump username and password from here.
To dump username and password our query would be :
http://www.targetwebsite.com/index.php?id=310 UNION SELECT 1,2,group_concat(username,0x3a,password) from admin_users--
Now in this query we have written “group_concat(username,0x3a,password) from admin_users–” you know what group_concat works, what from works, now what is username and password?? Username and password here in the query are data which we want to dump. what is 0x3a?? It is the hex value for colon ” : “. and from admin_users is we will dump these username and password from admin_users which is the column name for the data of admin’s username and password. Now this print username and password but passwords could be in some hash like md5, mysql hash or sha1 etc or may be in plain text.
Result of dumped username and password would be like this :
So that’s it guys hope you liked it.
Happy Hacking!! Stay Tunned to Ultimate Hackers for more tutorials and articles.
Also Read : OS Fingerprinting With NMap, XProbe2 And p0f