Determining the Vulnerable Columns
Now that we know there are six columns, we can use the UNION SELECT statement to extract data from the database. First, however, we need to determine which of those columns can be used to print information from the database, because the application may not display the data from every column on the page. To do that, we use the following command:
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION all select 1,2,3,4,5,6--+
Web Hacking ◾ 347
The syntax is pretty simple. We have used the UNION ALL SELECT statement; we could also use UNION SELECT instead of UNION ALL SELECT, which would prevent duplicate values from being printed out from the database. Before the UNION statement, we have used "1=0" to prevent the values of the first part of the query (the left-hand side of the UNION) from being displayed on screen ☺.
Now we can print the data in all the six columns, as can be seen from this screenshot. This is
a highly unusual case; in most cases, you would be able to print the data of a few columns only.
Fingerprinting the Database
The next step would be to fingerprint the database, enumerating things such as the database name and database version. We can use "version()", "user()", "database()", and other built-in functions to enumerate the database.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION all select 1,version(),user(),database(),5,6--+
In this query, we have replaced the placeholder values in columns 2, 3, and 4 with our functions.
Enumeration Information
Version—5.1.41
Db_user—root
Database—Information_schema
As we can see from the information we obtained from the earlier query, the MySQL version is 5.1.41; this is extremely important, and you'll know why when we learn about SQL injection in MySQL database version <5. The second important piece of information is the db_user, which is root, which means that we have root-level privileges on the database. From a defensive standpoint, this also shows that the web application connects to the database with a far more privileged account than it needs, which is exactly what a least-privilege database user would prevent.
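The two probes above (the numbered-column UNION and the version()/user()/database() fingerprint) leave a recognisable trace in web server access logs. The following detector, added here as an example and not code from the book, parses constructed Apache-style log lines, URL-decodes each query parameter, and reports the UNION column count and any fingerprinting functions it finds; the log lines, IP addresses and timestamps are made up for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the book). Lines 2 and 3 carry
# the column-enumeration and fingerprinting probes discussed above, URL-encoded
# the way a browser sends them; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?support=yes HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?support=yes%27+and+1%3D0+UNION+all+select+1%2C2%2C3%2C4%2C5%2C6--+ HTTP/1.1" 200 640
10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /index.php?support=yes%27+and+1%3D0+UNION+all+select+1%2Cversion()%2Cuser()%2Cdatabase()%2C5%2C6--+ HTTP/1.1" 200 655
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /search.php?q=union+station+timetable HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all|\s+distinct)?\s+select\b", re.I)
SELECT_LIST = re.compile(r"\bselect\b\s+(.*?)(?:--|#|/\*|$)", re.I | re.S)
FINGERPRINT = re.compile(r"\b(version|user|database)\s*\(\s*\)", re.I)
TAUTOLOGY = re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)


def analyze_value(value):
    """Describe UNION-based injection indicators in one decoded parameter
    value; return None when no UNION ... SELECT is present."""
    if not UNION_SELECT.search(value):
        return None
    finding = {"union_columns": 0, "fingerprint": [], "tautology": False}
    m = SELECT_LIST.search(value)
    if m:
        # Naive comma split: adequate for the numbered-column probes shown here.
        finding["union_columns"] = len(m.group(1).split(","))
    finding["fingerprint"] = sorted({f.lower() for f in FINGERPRINT.findall(value)})
    finding["tautology"] = bool(TAUTOLOGY.search(value))
    return finding


def scan_log(text):
    """Return (client_ip, path, param, finding) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            finding = analyze_value(value)
            if finding:
                hits.append((client, parts.path, name, finding))
    return hits


if __name__ == "__main__":
    for client, path, param, finding in scan_log(SAMPLE_LOG):
        print(f"{client} {path} param={param} {finding}")
```

A status code of 200 on the flagged requests (rather than an error) is the extra signal that the UNION actually succeeded, which is why the scanner keeps the status available from each line.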