Step by step basic SQL Injection

We saw in Chapter 4, Finding Vulnerabilities, how to detect an SQL Injection. In this recipe, we will exploit an injection and use it to extract information from the database.

How to do it...

  1. We already know that DVWA is vulnerable to SQL Injection, so let's log in using OWASP-Mantra and go to http://192.168.56.102/dvwa/vulnerabilities/sqli/.
  2. After detecting that an SQLi exists, the next step is to get to know the query, more precisely, the number of columns in its result. Enter any number in the ID box and click Submit.
  3. Now, open the HackBar (hit F9) and click Load URL. The URL in the address bar should now appear in the HackBar.
  4. In the HackBar, we replace the value of the id parameter with 1' order by 1 -- ' and click on Execute.
  5. We keep increasing the number after order by and executing the requests until we get an error. In this example, it happens when ordering by 3.
  6. Now, we know that the query has two columns. Let's check whether we can use the UNION statement to extract some information; set the value of id to 1' union select 1,2 -- ' and Execute.
  7. This means that we can ask for two values in that union query, how about the version of the DBMS (Database Management System) and the database user; set id to 1' union select @@version,current_user() -- ' and Execute.
  8. Let's look for something more relevant, the users of the application for example. First, we need to locate the users' table; set id to 1' union select table_schema, table_name FROM information_schema.tables WHERE table_name LIKE '%user%' -- '.
  9. OK, we know that the database (or schema) is called dvwa and the table we are looking for is users. As we have only two positions to set values, we need to know which columns of the table are the ones useful to us; column names live in information_schema.columns, so set id to 1' union select column_name, 1 FROM information_schema.columns WHERE table_name = 'users' -- '.
  10. And finally, we know exactly what to ask for; set id to 1' union select user, password FROM dvwa.users -- '.

    In the First name field, we have the application's usernames and in the Surname field we have each user's password hash; we can copy these hashes to a text file and try to crack them with either John the Ripper or our favorite password cracker.
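To see the defender's side of this recipe, here is an added example (not from the book and not DVWA's code) that reproduces the lookup in Python against an in-memory SQLite table with constructed rows. One version splices the id parameter into the SQL text the way DVWA does; the other binds it as a parameter. Running the recipe's own payloads through both shows why the ORDER BY probe errors at 3 (the query has two columns), why the UNION returns the user and password columns, and why the parameterized version returns nothing for any of them. The table layout, rows and hash placeholders are assumptions.

```python
import sqlite3

# Constructed stand-in for the dvwa.users table (example data, not DVWA's).
ROWS = [
    (1, "Alice", "Admin", "admin", "constructed-hash-1"),
    (2, "Bob", "Builder", "bob", "constructed-hash-2"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id: str) -> list:
    # The DVWA pattern: the id parameter is pasted into the SQL text, so a
    # quote inside it closes the literal and whatever follows is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str) -> list:
    # Hardened form: the value travels as a bound parameter and is compared as
    # data; the database never parses it as part of the statement.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def try_lookup(fn, conn, user_id: str):
    """Return ('rows', rows) or ('error', message) so both variants can be
    compared on the same input without the error aborting the run."""
    try:
        return ("rows", fn(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


# The recipe's payloads, unchanged (SQLite also treats -- as a line comment).
PROBE_OK = "1' order by 2 -- '"
PROBE_ERR = "1' order by 3 -- '"
UNION = "1' union select user, password FROM users -- '"

if __name__ == "__main__":
    db = build_db()
    for label, payload in (("order by 2", PROBE_OK), ("order by 3", PROBE_ERR), ("union", UNION)):
        print(f"{label:11} vulnerable: {try_lookup(lookup_vulnerable, db, payload)}")
        print(f"{label:11} safe:       {try_lookup(lookup_safe, db, payload)}")
```

The parameterized lookup still answers a plain `1` correctly; the injected strings simply never equal any user_id, which is the whole fix. Escaping quotes by hand is not an equivalent defence, because it has to be repeated correctly at every query site.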

How it works...

From our first injection 1' order by 1 -- ' through 1' order by 3 -- ' we are using a feature of the SQL language that allows us to order the results of a query by a column referenced by its position in the query's select list. Ordering by a position that does not exist raises an error, so the first number that fails tells us how many columns the query has, and that is exactly what we need to build a union query.

The UNION statement concatenates the results of two queries that have the same number of columns; by injecting one we can ask the database almost anything, within the privileges of the account the application connects with. In this recipe, we first checked that the union was working as expected, then set our objective on the users table and investigated our way to it.

The first step was to discover the database and table names. We did this by querying the information_schema database, which is the one that stores all the information on databases, tables, and columns in MySQL (it only lists the objects the current account has some privilege on, which is why a least-privileged application account limits what this step can reveal).

Once we knew the names of the database and table, we queried for the columns in that table to find the ones we were looking for, which turned out to be user and password.

And last, we injected a query asking for all usernames and passwords in the table users of the database dvwa.
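The same sequence leaves a distinctive trail in the web server's access log. The following added example (not from the book) parses constructed Apache-style log lines whose query strings carry the recipe's payloads URL-encoded, flags the ORDER BY column-count probes, UNION SELECT statements, information_schema lookups and DBMS fingerprinting, and summarizes them per client address. The log format, client addresses and signature set are assumptions; signature matching of this kind is a first filter for triage, not a complete detector.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (assumed client 192.168.56.1); the
# id values are the recipe's payloads as a browser would URL-encode them.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Oct/2023:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321
192.168.56.50 - - [10/Oct/2023:10:00:03 +0000] "GET /search?q=order+by+date HTTP/1.1" 200 512
192.168.56.1 - - [10/Oct/2023:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+1+--+%27&Submit=Submit HTTP/1.1" 200 4321
192.168.56.1 - - [10/Oct/2023:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+2+--+%27&Submit=Submit HTTP/1.1" 200 4321
192.168.56.1 - - [10/Oct/2023:10:00:12 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+order+by+3+--+%27&Submit=Submit HTTP/1.1" 200 4188
192.168.56.1 - - [10/Oct/2023:10:00:20 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1%2C2+--+%27&Submit=Submit HTTP/1.1" 200 4402
192.168.56.1 - - [10/Oct/2023:10:00:31 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+%40%40version%2Ccurrent_user%28%29+--+%27&Submit=Submit HTTP/1.1" 200 4440
192.168.56.1 - - [10/Oct/2023:10:00:47 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+table_schema%2C+table_name+FROM+information_schema.tables+WHERE+table_name+LIKE+%27%25user%25%27+--+%27&Submit=Submit HTTP/1.1" 200 4610
192.168.56.1 - - [10/Oct/2023:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+user%2C+password+FROM+dvwa.users+--+%27&Submit=Submit HTTP/1.1" 200 4790
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each signature names the step of the recipe it corresponds to. Word
# boundaries and the digit requirement keep "order by date" from matching.
SIGNATURES = {
    "order-by probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\b", re.I),
    "dbms fingerprint": re.compile(r"@@version|\bcurrent_user\b", re.I),
}


def parse_line(line: str):
    """Split one access-log line into client, timestamp, path and decoded
    query parameters; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %27, + etc.
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path, "params": params}


def classify(value: str) -> list:
    """Names of the signatures that match one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text: str) -> list:
    """One finding per (request, parameter) pair that matches a signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            hits = classify(value)
            if hits:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                 "param": name, "value": value, "hits": hits})
    return findings


def summarize(findings: list) -> dict:
    """Per client: number of flagged requests and the set of techniques seen,
    which is the view an analyst wants before reading individual lines."""
    per_ip = {}
    for f in findings:
        entry = per_ip.setdefault(f["ip"], {"requests": 0, "techniques": set()})
        entry["requests"] += 1
        entry["techniques"].update(f["hits"])
    return per_ip


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["param"], f["hits"], repr(f["value"]))
    print(summarize(found))
```

A single ORDER BY hit is weak evidence on its own; a client that issues a run of increasing ORDER BY values and then switches to UNION SELECT and information_schema within a minute is the sequence worth paging on, and this is also the traffic a database audit log would record as failing queries followed by succeeding ones.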
