Web Hacking
◾
357
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),1,1)='a';--+
This query simply asks the database if the first character of the db user is “a”.
As we can see, a false result was returned, meaning that the first character is not “a”. Let’s try asking the database if it’s “r”, since we already know it starts with “r” (root).
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),1,1)='r';--+
A true response was obtained, meaning that the first character is indeed “r”. Let’s try asking the database if the second character is “o”.
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),2,1)='o';--+
A true result was obtained. So the second character is “o”; concatenating it with the first character leads us to “ro”. In a similar way, we will try to enumerate the third and fourth characters, and we will get the db_username as “root”.
358
◾
Ethical Hacking and Penetration Testing Guide
Enumerating the MySQL Version
The next step is to enumerate the MySQL version. We can do it by using the same query but with a slight modification. Let’s ask the database if it’s version 4.
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(version(),1,1)=4;--+
We get a false result meaning that it’s not version 4. Let’s ask if it’s version 5.
We get a true result, which means that we are up against MySQL version 5. Similarly, you can check if the version is 1, 2, or 3 by just substituting the appropriate values and comparing the response.
Guessing Tables
The next step would be to guess the table names. This would be a highly time-consuming task; therefore, I don’t recommend doing it manually; we will talk about automating this with SQLMAP later in the chapter. For now, let’s stick to the manual method and see how we can guess the table names.
Syntax
http://localhost/index.php?support=yes' and (SELECT 1 from dvwa.admin limit 0,1)=1--+
Replace the word admin with the table you want to guess and dvwa with the database name. Let’s see what result we get.
We get an error that table “admin” is not present in the dvwa database. Now let’s search for the
table that we know already exists in the dvwa database.
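From the defender's side, the requests shown above leave a recognizable trail in the web server's access log: the same client repeats SUBSTRING comparisons with changing positions and values, then probes table names. The following detection sketch is an added example, not code from the book; the log lines are constructed, and the function name find_blind_sqli, the min_probes threshold and the regular expressions are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the page); the probe requests mirror the page's URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?support=yes HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?support=how+does+SUBSTRING+work HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?support=yes%27%20AND%20SUBSTRING(user(),1,1)=%27a%27;--+ HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?support=yes%27%20AND%20SUBSTRING(user(),1,1)=%27r%27;--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?support=yes%27%20AND%20SUBSTRING(user(),2,1)=%27o%27;--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?support=yes%27%20AND%20SUBSTRING(version(),1,1)=4;--+ HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?support=yes%27%20and%20(SELECT%201%20from%20dvwa.admin%20limit%200,1)=1--+ HTTP/1.1" 200 298
"""

# Common Log Format: client IP ... "METHOD target HTTP/x"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')
# SUBSTRING(func(), pos, len) = value; SUBSTR and MID are MySQL synonyms of SUBSTRING.
SUBSTR_PROBE = re.compile(
    r"(?:SUBSTRING|SUBSTR|MID)\s*\(\s*(\w+\s*\(\s*\))\s*,\s*(\d+)\s*,\s*\d+\s*\)\s*=\s*'?(\w+)'?", re.I)
# (SELECT 1 FROM db.table LIMIT 0,1)=1, the table-existence check from the page.
TABLE_PROBE = re.compile(r"\(\s*SELECT\s+1\s+FROM\s+([\w.]+)\s+LIMIT\s+0\s*,\s*1\s*\)\s*=\s*1", re.I)

def find_blind_sqli(log_text, min_probes=3):
    """Map client IP -> probed functions, character positions and table names."""
    seen = defaultdict(lambda: {"probes": set(), "tables": set()})
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        query = unquote_plus(urlsplit(target).query)  # decode %27, %20 and '+'
        for expr, pos, val in SUBSTR_PROBE.findall(query):
            seen[ip]["probes"].add((expr.lower().replace(" ", ""), int(pos), val))
        for table in TABLE_PROBE.findall(query):
            seen[ip]["tables"].add(table.lower())
    findings = {}
    for ip, s in seen.items():
        # One comparison alone is weak evidence; repeated distinct ones are enumeration.
        if len(s["probes"]) >= min_probes or s["tables"]:
            findings[ip] = {"functions": sorted({e for e, _, _ in s["probes"]}),
                            "positions": sorted({p for _, p, _ in s["probes"]}),
                            "tables": sorted(s["tables"])}
    return findings

if __name__ == "__main__":
    print(find_blind_sqli(SAMPLE_LOG))
```

The benign request that merely contains the word SUBSTRING is not flagged, because the patterns require the full comparison structure rather than a keyword.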