We need to have ability to produce errors in a controlled way i.e, we have to write our own query in such a way that it has to dump some sensitive information in the form of sql error from the backend when we perform injection.
We can call it as sub query injection and error based blind sql injection.
It seems similar to error based sql injection but in case of error based sql injection we are dumping the information through errors that are produced by backend but in case of double query injection we are dumping the information by producing errors using our own sql query.
Attacker uses double query injection to retrieve data in the form of sql errors i.e, dumping the information like database names, table names and data in the tables through errors.
Performing error based sql injection to break the query:
First we have to enumerate the application that means we have to assume the backend query by trying to break the sql query used by the developer.
Eg: Almost all the sql injections performed in the fields where the client is inputting some information that is having interaction with back end database.
Assume that one application having username and password field to access that application And assume the sql query as:
Select * from table where username= and password=;
While breaking the query attacker may enter some special characters to break the query that means we are getting sql error that is providing some information regarding the query.
Those errors will be like this,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”” LIMIT 0, 1’ at line1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ LIMIT 0, 1’ at line 1
From these errors attacker comes to know that developer enclosed user name between single quotes and thereby he will fix the query to gain unauthorized access.
Fixed query will be like this,
select * from table where username=’’ and password=’’;
Retrieving database name in the form of sql error:
We already know that developer enclosed username in between single quotes
Our fixed query will be like this:‘ or 1=1 –+
Here we are replacing or 1=1in ‘ or 1=1 –+ with following query
‘ and (select 1 from(select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.tables group by a)b) –+ By using this query we can dump the database name in the form of sql error
The error will be like this:
Duplicate entry ‘::security::1’ for key ‘group_key’
We got database name i.e, Security
In the same way by making some modifications to the query we can dump table names and data in that tables
Developing the query:
Use of rand():-To generate random numbers we are using this function, when we invoke this function repeatedly it will generate a series of random numbers, We used this function to add some randomness to the query result.
| rand() | rand() | rand() |
| 0.7331027926254112 | 0.8492102975484079 | 0.04674314059945116 |
Use of floor():-to get the floor value of any floating point number we use this function.
Eg: floor(0.7331027926254112) returns 0
References: reffer audi series less-5 and less-6 in sqli labs to get more information (URL: https://github.com/Audi-1/sqli-labs)