352 ◾ Ethical Hacking and Penetration Testing Guide
An error was generated, indicating that the admin table does not exist. If a table existed, there
wouldn’t have been an error message.
Guessing Columns
In a similar manner, we can guess column names, and based upon the errors generated, we can conclude if it’s a valid column or not.
Syntax
http://target.com/index.php?support=yes' and 1=0 union select 1,2,user,4,5 from dvwa.users--+
(Table doesn’t exist or any other error)
If we have determined the correct column name, all the data inside the column would be displayed to us.
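The error oracle this section relies on, next to its fix, as an added example that is not from the book. It uses Python's sqlite3 in place of the PHP/MySQL target, and the tickets/users schema, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed schema standing in for the page's dvwa.users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets (id INTEGER, a TEXT, title TEXT, b TEXT, support TEXT);
        CREATE TABLE users (user TEXT, password TEXT);
        INSERT INTO tickets VALUES (1, 'x', 'Printer down', 'y', 'yes');
        INSERT INTO users VALUES ('admin', 'constructed-value');
    """)
    return db

def lookup_vulnerable(db, support):
    """Input concatenated into the statement; raw database error echoed back."""
    sql = "SELECT * FROM tickets WHERE support = '" + support + "'"
    try:
        return {"rows": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}  # tells the client which names exist

def lookup_hardened(db, support):
    """Input bound as a parameter; errors logged server-side, generic reply."""
    try:
        cur = db.execute("SELECT * FROM tickets WHERE support = ?", (support,))
        return {"rows": cur.fetchall()}
    except sqlite3.Error:
        return {"error": "request failed"}

# The page's probe shape, once with a real column and once with a wrong guess.
PROBE_VALID = "yes' and 1=0 union select 1,2,user,4,5 from users-- "
PROBE_WRONG = "yes' and 1=0 union select 1,2,nosuch,4,5 from users-- "

if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_VALID, PROBE_WRONG):
        print("vulnerable:", lookup_vulnerable(db, probe))
        print("hardened:  ", lookup_hardened(db, probe))
```

With the hardened handler both probes come back as the same empty result, so the response no longer distinguishes a valid column name from an invalid one.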
SQL Injection to Remote Command Execution
SQL injection vulnerabilities are also used to execute commands on the target operating system. Obviously, it depends upon the operating system and the privileges that our user has. In our case, we have root-level privileges upon the MySQL server. Therefore, we would be able to execute all commands such as SELECT, INSERT, UPDATE, and DELETE. However, we are interested only in higher-level privileges such as FILE, which would allow us to read/write files on the webserver. Let’s see the syntax for enumerating user privileges: