search

πŸ’‰Group By and Order by SQL injection

hashtag
First of all i will start with order by injection because injecting into group by queries is really simple and simple union based injection can be used when we are injecting in order by clause.

hashtag
There are Three ways to inject into order by clause:

hashtag
1. Error Based Injection 2. Error Based Blind Injection 3. Time Based Blind Techniques.

hashtag
-------------------------------------------------------------

hashtag
Exploitation using XPATH injection:

hashtag
Query:


select posts from content where submit=1 order by $sort

hashtag
Injection:


input : 1,extractvalue(0x0a,concat(0x0a,(select database())))#
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--+

hashtag
The above query will output the data in form of error. for rest of Exploitation using XPATH

hashtag
if Query:

hashtag
In such cases you will see the column name in the parameter so just close that first and then inject

hashtag
then Injection:

hashtag
The above query will output the data in form of error. for rest of Exploitation using XPATH

hashtag
-------------------------------------------------------------

hashtag
Error Based Blind Injection:

This is the case when you can not see any direct error from database. So in such cases we create the error ourselves and by the behaviour like no output or some other kind of error we can know that its a Error. Now below is a query i created in such a manner that if the output is true only then it will create error else it will work. By looking at the page we will come to know is it true or false.

hashtag
Query:

hashtag
Injection:

Here you can see the condition database() like database() here you can use any condition to test, and other blind injections syntax will also work over here. You can use it to extract the database using blind injection.

hashtag
Query:

Remember when you will try to create an error over here it will show unknown column error its not different from the above one which we injected using XPATH, but the same can be injected using the below injection which can be used in cases when XPATH functions are not available of disabled.

hashtag
Injection:

Here you can see the condition database() like database() here you can use any condition to test, and other blind injections syntax will also work over here. You can use it to extract the database using blind injection

hashtag
-------------------------------------------------------------

hashtag
Exploitation using Time Based Blind Techniques:

Some times you could face a condition where both true and false are not having any difference or the page is redirected somewhere. In such case it becomes tough to use Blind Injection. What we will do now is create query in such a way that it will delay if its true else reply normally.

hashtag
Query:

hashtag
Injection:

The above query will Reply normally if the condition is false otherwise it will take time to reply and this is how we will extract the data. for rest of Exploitation using Time based Blind injection

PreviousUnion Based Oracle InjectionNextRouted SQL Injection

Last updated