search

πŸ’€Death Single Row Injection

hashtag
What is Death row?

hashtag
While injecting a Web application you will usually face it, this is the scenario when the whole array output of the Query do not gets printed. The web application only prints the first.

hashtag
For Example:

hashtag
The query "Select username,password from users;" Will output the complete list of users. but now it depends on how the web application is giving you output. So normally in 70% cases you may have to face "Death Row Injection"

hashtag
To overcome such situation we use Limit or if we are intelligent enough to make a condition through which we can output the data which we actually need. Here we will discuss both of these ways.

hashtag
Let us First understand the Internal Queries.

Select username from users;

hashtag
This will output all the usernames...but our target web application is outputting only 1. So in order to iterate through the situation we will user limit.

hashtag
Syntax : Limit "From Row Number", "Number of Rows"

hashtag
I hope its very clear to understand that the first parameter takes the row number from which you want to start, and the second one takes number of rows you want to output. Now let us try it with the above Query

Select Username from users limit 0,1;

hashtag
Example from the injection Point of view

hashtag
If you have read the basic injection then i don't need to tell you how to get the error and then comment out the rest part and then find the number of columns. After doing all that let us assume the injection is:

hashtag
As you can see single Quote is missing after 43 that means i am injecting in a integer Input Query. So now when we try to get the usernames and password using the above Query.

hashtag
----------------------------------------------------------------

hashtag
Method 1

hashtag
The above query will output all rows as once but the web application may just return one. So to get all using Limit we will go one by one.

So now we can keep increasing the first parameter to get each row one by one. But if the database is huge. Damnnn...its a headache to go like this. And a lazy guy like me will never like to go through this torture. Yeah so now there is an another way to handle the situation.

hashtag
----------------------------------------------------------------

hashtag
Method 2

hashtag
We can use Sub Query to extract particular number of rows from the Database and then concat them into the output. Herez an example to do this one: Query:

hashtag
So the above query got 100 rows conctenated into the output. Lets see how the Injection:

hashtag
----------------------------------------------------------------

hashtag
Method 3

In this way we can speed up the Process...But again if the we think of a Database Containing lacks of Rows. It again becomes a headache. So one will think that we we can increase the number of rows each time we Inject to fasten up the process. Hmmmm but a problem, Group_concat function have a limit of 1024 characters and it will Trim the rest of characters. So there is another way out of it. we can use the Cast Function to increase the Buffer. Query:

I have increase the buffer to 2048, you can try and increase more like increasing 8192, but not more than that as you know its the default limit of a POST output. hmmm so what if you cant get all at once?. we can again use the Sub Query trick.

Query:

hashtag
Well Now the process is enough faster. Let us check our Injection:

PreviousMultiQuery InjectionNextEvil Twin Injection

Last updated