CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons and blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from it. If you do so you are solely responsible for your actions; you have been warned.
DOUBLE QUERY INJECTIONS OR SUBQUERY INJECTIONS.
In the last 5 parts of the series we learnt the basics of error based injections and used UNION statements to dump the database through the web application. We could achieve this because the database was interacting with the web page and some database fields were visible on it. A basic injection looked like id=-1 union all select 1,2,3 --+ and we could see the username and password fields displaying the values 2 and 3. For a detailed explanation watch videos 2 to 5.
In a scenario where the database does not directly display columns on the web page, the above technique cannot be used. To understand this better, check Lesson 5 or 6 of the sqli-labs series.
As we see, we only get a generic message "You are in". So in this case the database is not displaying any fields on the page; the only way the database reveals information is through the MySQL error. (Note: I am using Lesson 5 and 6 interchangeably; the only difference is the way the error is produced.)
So the primary objective in a double query injection is to craft an injection that is syntactically correct (correct at compile time) but produces an error at run time, thereby spitting useful information into the error message. In the case of MSSQL server, cast errors dump the info, but MySQL, being flexible, simply returns empty rows instead. Therefore some genius researchers found a combination of aggregate functions, the GROUP BY clause, and random functions that produces errors at run time, due to the dynamic calculations involved in the random function and an aggregate function like count.
Hope this makes some sense; after all, I am a dhakkan.
Less-5 line number 29
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
- ' or '1'='1 will work nicely: id = ' ' or '1'='1 ' LIMIT 0,1
- ' or 1=1 --+ will also work: id = ' ' or 1=1 --+ ' commented out
- ' or 1=1 # will also work: id = ' ' or 1=1 # ' commented out
Less-6 line number 28,29
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
- " or "1"="1 will work nicely: id = " " or "1"="1 " LIMIT 0,1
- " or 1=1 --+ will also work: id = " " or 1=1 --+ " commented out
- " or 1=1 # will also work: id = " " or 1=1 # " commented out
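As an added example (not code from the sqli-labs project), the Python script below mirrors the Less-5 query above, with SQLite standing in for MySQL and a constructed users table, runs the listed payloads against it, and then shows the parameterised form that defeats them. The Less-6 variant differs only in the quote character wrapped around $id, so it is not repeated. Two behaviours are worth observing: the tautology and comment payloads return rows the caller never asked for, and an unbalanced quote hands the raw database error back to the caller, which is exactly the channel the rest of this post relies on. The # payload is left out because # is MySQL comment syntax that SQLite does not recognise.

```python
import sqlite3

# Constructed stand-in for the sqli-labs `users` table (assumed columns: id, username, password).
SAMPLE_USERS = [
    (1, "alice", "wonderland"),
    (2, "bob", "builder"),
    (3, "carol", "singer"),
]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirrors Less-5 line 29: the request parameter is pasted into the SQL text.
    The raw database error is returned to the caller, which is the error channel
    the post describes for Less-5 and Less-6."""
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def safe_lookup(conn, user_id):
    """Hardened form: the parameter is bound, so quotes and comment markers inside it
    are data, not SQL. Database errors are reduced to a generic message so the page
    reveals nothing about the query or the schema."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    try:
        return {"rows": conn.execute(sql, (user_id,)).fetchall(), "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "internal error"}


# Payloads from the post for Less-5 (the # form is left out, see lead-in), plus the
# bare quote that triggers the syntax error Less-5 is built around.
PAYLOADS = {
    "legit": "1",
    "tautology": "' or '1'='1",
    "comment": "' or 1=1 -- ",
    "unbalanced_quote": "1'",
}


def compare(conn):
    """Run every payload through both lookups; returns (row count, error) per payload."""
    out = {}
    for name, payload in PAYLOADS.items():
        v = vulnerable_lookup(conn, payload)
        s = safe_lookup(conn, payload)
        out[name] = {
            "vulnerable": (len(v["rows"]), v["error"]),
            "safe": (len(s["rows"]), s["error"]),
        }
    return out


if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(f"{name:17} vulnerable={result['vulnerable']}  safe={result['safe']}")
```

Running it shows the vulnerable lookup returning the first row for the tautology payload, all three rows once the comment marker strips the LIMIT clause, and a raw syntax error for the unbalanced quote, while the bound-parameter version returns zero rows and no error text for each of them. Binding the value is what closes the hole; suppressing the error message only removes the easiest way of reading what the hole leaks.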