Ethical Hacking and Penetration Testing Guide
Union-Based SQL Injection (MySQL)
As explained earlier, a UNION statement combines the results of two SELECT statements, which makes it a powerful technique for extracting data from the database. However, with this technique, you should remember two important things:
1. Both SELECT statements must return the same number of columns. This means that it's essential for us to enumerate the total number of columns in the original query.
2. The data types of the corresponding columns should always be the same.
Let's now talk about how this attack could be exploited. I have coded a simple application in PHP that takes input via a GET parameter and does not filter that input. The database running at the back end is MySQL version 5, and it's hosted on my local Apache server.
Here’s the vulnerable code:
// Vulnerable by design: the raw GET parameter is concatenated straight into the query string.
if (isset($_GET['support'])) {
    $result = mysql_query("SELECT * from ENGINES where support='" . $_GET['support'] . "'") or die(mysql_error());
}
The issue is very simple: the "$_GET['support']" parameter is not sanitized before it's inserted in the query. Therefore, we can easily inject our SQL query to extract information from the database.
Testing for SQL Injection
This is how the application looks:
Target URL
http://localhost/index.php?support=yes
Obviously, the first step would be to inject a single quote and cause the application to throw an error.
Syntax
http://localhost/index.php?support=yes'
After injecting a single quote, we can see that the application responds with an SQL error, which indicates that something might have broken our SQL query. This indicates that the application might be vulnerable to SQL injection. We will append another single quote to the URL and see if we are still receiving the same error.
Syntax
http://localhost/index.php?support=yes''
We see no error message, which means that the application is most probably vulnerable to SQL injection, because the doubled single quote is an escaped quote inside the string literal and we have now supplied syntactically correct input.