If you are trying to hack the databases with methods like single quotes error based injection, Integer based injection or double quotes method but the databases are not vulnerable to those methods injection will fail and you cannot connect with database.In short, the error based Manual SQL injection will use single quote to break the query and join the query, Integer based injection will be joining the query without the single quote and double quotes will be joining the query with double quotes.
So Today we are about to learn another method which is Single quote Error Based Parenthesis in the MySQL database in order to perform Manual SQL Injection.
Manual SQL Injection ONLINE LAB:
- Beginners can use this website to practice skills for SQL injection.
- To Access the LAB Click Here
STEP 1: Breaking the Query
- Let me try out with error based single quote injection method
- Above figure shows double quote error based not working.
- Above figure shows Integer based injection not working.
- Above figure shows single quotes are breaking the database so its vulnerable to SQL injection.
STEP 2: Copying the Error Statement
- Copy and Paste the SQL Error statement into Notepad.
- Above figure shows that Highlighted single quote with parentheses are breaking the backend database.
- Now you can found out this is Single quote error based parentheses injection.
STEP 3: Joining the Query
- Let us add –+ to join the query http://leettime.net/sqlninja.com/tasks/basic_ch4.php?id=1′) –+
- Above figure illustrates SQL errors are fixed with –+
STEP 4: Finding the Backend Columns using Manual SQL Injection
- It is time to have a conversation with the database to find the number of columns.To enumerate columns we can use order by command.
- Above Figure shows Database with error statement Unknown column ‘5’ in ‘order clause and this error statement says as “There are only 4 columns in database”.
STEP 5: Finding the Backend Tables using Manual SQL Injection
- SQL backend may contain more Tables names with empty data also.Therefore You should first able to find out which table names are present in this 4 columns.
- Now we can select all 4 columns with union all select to existing URL.
- Number 2 is the right-path for database names and more.Now we have successfully found out.
STEP 6: Finding the Backend Table Names using Manual SQL Injection
- We already knew the location of table path, so will directly ask database name, version etc
- Above figures show the database name found is leettime_761wHole.
- Above figures show the database version as 5.6.36-cll-lve
STEP 7: Dumping Database Tables
- Group_concat() is the function returns a string with the concatenated non-NULL value from a group.
- So we can use this Function to list all Tables from the database.
- In Addition, we can use Information_Schema to view metadata about the objects within a database.
- The Above Figure shs the dump of all tables as testtable1, userlogs, users.
STEP 8: Dumping all Data in Columns of Tables
- We can dump users
- The Above Figure shows the dump of all columns of tables contains id,username,password,user_type,sec_code.
STEP 9: Dumping all Usernames
- The Above Figure shows the dump of all usernames admin,decompiler,devilhunte,grayhat,injector,khan,Zen,Zenodermus.
STEP 10: Dumping all passwords
- The Above Figure shows the dump of all passwords in the database.HAPPY HACKING !!!
Source : GBHackers