Ethical Hacking and Penetration Testing Guide

Yüklə 22,44 Mb.

Pdf görüntüsü

səhifə	219/235
tarix	07.08.2023
ölçüsü	22,44 Mb.
	#138846

1 ... 215 216 217 218 219 220 221 222 ... 235

Ethical Hacking and Penetration Testing Guide ( PDFDrive )

Guessing the Columns Now since we have figured out that a “user” table exists in the database, we will try guessing the columns. Syntax
Automating SQL Injections with Sqlmap

Guessing the Columns
Now since we have figured out that a “user” table exists in the database, we will try guessing the
columns.
Syntax
http://192.168.75.147/peruggia/index.php?action=comment&pic_id=13&pic_id=13 and
IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_
table_name] limit 0,1),1,1)=1,SLEEP(5),1)--

Web Hacking
◾
365
From this screenshot, we can conclude that the password column exists in the database.
Extracting Data from Columns
Finally, we will try to enumerate the data present in the columns, again one character a time.
Along with the password column, there also exists a username column, so we will try to enumerate
the username; you can do the same with the password. The syntax is as follows:
Syntax
http://192.168.75.147/peruggia/index.php?action=comment&pic_id=13&pic_id=13 and if((select
mid(column_name,1,1) from table_name limit 0,1)=’a’,sleep(5),1)--

366
◾
Ethical Hacking and Penetration Testing Guide
From this screenshot, you can see that our first query succeeded and the first character of the
username is “a”; the second query failed since the second character is not “a”. In this way, we can
extract the entire username, “admin”. I will leave extracting the password to you.
Automating SQL Injections with Sqlmap
We talked about many types of SQL injection vulnerabilities and how to exploit them. You might
have realized by now that exploiting SQL injection sometimes can be a very tedious task; there-
fore, a better option is to use automated tools such as sqlmap.
Sqlmap is one of the best tools for exploiting SQL injection vulnerabilities. It supports many
databases and helps us not only to enumerate and extract database but also to execute system com-
mands. I will discuss the basics of sqlmap and leave the rest for you to explore, since it includes a
huge list of functions, which cannot be explained here.
We will use the same vulnerable application that was used for demonstrating UNION-based
and Boolean-based SQL injection.
Sqlmap can be found in the
/pentest/database/sqlmap
directory in BackTrack 5 R3.
This might differ based on what version of BackTrack you are using. You can use the locate com-
mand to search for sqlmap. Once in the directory, execute the following command to launch the
sqlmap help menu.

Yüklə 22,44 Mb.

Dostları ilə paylaş:

1 ... 215 216 217 218 219 220 221 222 ... 235