Description: Part 6 of the Sqli-labs series, based on error-based SQL injections, blind injection (boolean type) and time-based type. This video covers the basics of double query injection.
Link to part 1: http://www.securitytube.net/video/4171
Link to part 2: http://www.securitytube.net/video/4200
Link to part 3: http://www.securitytube.net/video/4208
Link to part 4: http://www.securitytube.net/video/4210
Link to part 5: http://www.securitytube.net/video/4269
Link for test bed: https://github.com/Audi-1/sqli-labs
Tags: Sqli, SQLi, Sqli-Labs, Sqli-labs walkthrough, SQL injections, sqli-labs, learn SQLi, learn sql injections, Double query injections.
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Great videos AUDI. Keep going on.
Great video. Thanks a lot :)
Nice video Audi... and nice explanation...
Thanks for the great concept demo on sqli. It is great to demo it on the SQL backend instead of just testing on the web page. If you can add a few details/a demo on the two points below, your tutorial will be perfect:
1) Can you explain a little bit the nature of the MySQL duplicate entry error? That is the one you use to display the database().
2) Also, can you give more details on the *connection* between the random number (0 or 1) and the "Duplicate entry" error message?
I read the original exploitdb article but wasn't able to grasp the explanation. I bet there are other audiences who want to know the "connection" ...
I like all of Sqli-Labs Series ..thanks....Keep going on.
Till now I did not get such brief material on SQL injection.
all videos are great.
thanks
Thank you all for such wonderful comments, I am happy, excited and would be firing all guns to complete this series at the earliest, and start with postgres, MSSQL and oracle backends thereafter.
Special thanks to Vivek,
your feedback on facebook means a lot to me.
@testhack, I am not a MySQL expert and this can be correctly answered by some core MySQL developer, but from my understanding, we need to write logically correct queries (syntactically correct), which can pass the compile-time check, and the error is produced at runtime. So in here
the rand() function is evaluated many times before the group by clause, and the use of the aggregate function count(*) would be repeating the cycle and the use of rand(), thereby causing the random function to replace the entries in the so-calculated rows, thereby throwing the error. You can have a look at http://bugs.mysql.com/bug.php?id=8652 which explains this behavior. Though not much is explained on the why side....
From the SQLi perspective, someone discovered this behavior, flaw, bug or whatever, and people utilize their work and adapt it to their use and benefit.
I would definitely work on it and try to present a separate video on these later; for now, I am so excited that I wanna finish the first phase with MySQL quickly... though it would be around 21 to 22 videos in this series... :)
I have viewed all 6 videos. These are brilliant, very easy to understand.
Keep rolling out these awesome videos
Waiting for later videos
Hey Audi please post the next videos....
good one, keep going....
I had a problem once which has not yet been solved. Hope you can help.
Problem: I had this SQL PHP app which fetched rows from a table and displayed them on screen. It was vulnerable to sqli, but whenever I made a query it generated an error something like this: mysql_fetch_row() invalid query.
but my injection was correct.
I think it was unable to handle the union and the previous query.
Any solution?
As it is stated here: http://lists.mysql.com/commits/35894
ERROR 1062 (23000): Duplicate entry '' for key 'group_key'
Problem: lying to the optimizer that a function (Item_func_inet_ntoa)
cannot return NULL values leads to unexpected results (in the case group
keys creation/comparison is broken).
I think the error:
Duplicate entry '' for key 'group_key'
occurs when all the rows of the output are either "::security::0" or "::security::1", leading to either zero "::security::0" rows or zero "::security::1" rows. Since one of the random concatenated parts has 0 rows, it leads to a NULL returned to some internal function. Hence the error. You can try it out by making a small table having, say, 6 records and running the double query against it. I did that and observed that there was never any output showing count(*) as 0 for either of the 2 random concatenated strings. The output always had a combination of count(*) that added up to 6, but the combination (0,6) or (6,0) never occurred. This combination most probably leads to the error.
another awesome one Audi :D
totally loved it :)
it's very easy to understand the way you demonstrated it :)
thanx a ton :D
Hello sir, I don't get the error for the query
select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,0),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
output >>
+----------+------+
| count(*) | a    |
+----------+------+
|     4865 | NULL |
+----------+------+
1 row in set (0.26 sec)
I keep getting this but no error. :( Pls help.
Worked fine till this query >>> select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;
.. working fine now :) thread closed
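The rand()/group by collision that Audi and the later commenter describe, plus the single NULL row jeevan hit, reproduced on a constructed six-row scratch table. This is an added example, not code from the video or the sqli-labs project; table t and its rows are made up, and the MySQL key name in the error text is taken from the comment above (it differs between MySQL versions).

```sql
-- Constructed scratch table (not part of sqli-labs): six rows, as the
-- commenter above suggested for trying the double query out.
CREATE TABLE t (id INT PRIMARY KEY);
INSERT INTO t VALUES (1), (2), (3), (4), (5), (6);

-- 1. The form used in the video. Each row's group key is '::security::0'
--    or '::security::1'. MySQL evaluates the key expression once to look
--    the group up in its temporary table and again when it inserts a new
--    group row, so a key that was absent on lookup can re-evaluate to a
--    value that already exists on insert and trigger
--    ERROR 1062 (23000): Duplicate entry '::security::1' for key 'group_key'
--    With an unseeded RAND() this depends on the sequence drawn, which is
--    why the same statement sometimes errors and sometimes returns two rows.
SELECT COUNT(*), CONCAT('::security::', FLOOR(RAND() * 2)) AS a
FROM t
GROUP BY a;

-- 2. Seeding the generator fixes the sequence: FLOOR(RAND(0) * 2) yields
--    0, 1, 1, 0, 1, 1, ... Row 1 looks up 0 (absent) and inserts 1;
--    row 2 looks up 1 (present); row 3 looks up 0 (absent) and inserts 1,
--    which collides. The error is therefore guaranteed on any table with
--    at least three rows.
SELECT COUNT(*), CONCAT('::security::', FLOOR(RAND(0) * 2)) AS a
FROM t
GROUP BY a;

-- 3. Why jeevan's version returned a single NULL row and no error:
--    LIMIT 1,0 is offset 1, row count 0, so the scalar subquery returns no
--    row and evaluates to NULL; CONCAT() with any NULL argument is NULL,
--    every row falls into the one NULL group and nothing can collide.
SELECT COUNT(*), CONCAT('::', (SELECT id FROM t LIMIT 1,0), '::', FLOOR(RAND(0) * 2)) AS a
FROM t
GROUP BY a;
--    -> one row: COUNT(*) = 6, a = NULL

--    With LIMIT 0,1 (offset 0, one row) the subquery yields 1, the key is
--    '::1::0' or '::1::1', and the collision from step 2 fires again.
SELECT COUNT(*), CONCAT('::', (SELECT id FROM t LIMIT 0,1), '::', FLOOR(RAND(0) * 2)) AS a
FROM t
GROUP BY a;
--    -> ERROR 1062 (23000): Duplicate entry '::1::1' for key 'group_key'
```

Run it in a MySQL session against a scratch database. The error text carries whatever the inner scalar subquery evaluated to, which is why an application should log database errors server-side and return only a generic message to the client.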
@jeevan,
Sorry, could not pick up your message as there is no way to track comments on videos. You can catch me on IRC:
freenode.net channel #offtopicsec