Enumerating the DB User
While demonstrating a UNION-based injection, we found out that our db user is root. In that
case, we used the user() function to read the username directly; here we cannot, because the
application neither displays the query result nor returns an error message. All we get back is a
page that behaves one way for a true condition and another way for a false one, so we will again
use true and false statements to enumerate the db user. Each request answers only one yes/no
question, so we can recover only one character at a time, which is why exploiting a blind SQL
injection takes so much time. We use the SUBSTRING function to test one character at a time.
Web Hacking ◾ 357
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),1,1)='a';--+
This query simply asks the database whether the first character of the db user is "a".
A false result is returned, meaning that the first character is not "a". Let's ask the
database whether it is "r", since we already know the name starts with "r" (root).
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),1,1)='r';--+
A true response is obtained, meaning that the first character is indeed "r". Let's ask
the database whether the second character is "o".
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(user(),2,1)='o';--+
A true result is obtained, so the second character is "o"; concatenated with the first character
this gives "ro". In the same way we enumerate the third and fourth characters and obtain the
db_username "root". Two practical caveats: MySQL's user() actually returns user_name@host_name
(for example root@localhost), so continuing past the fourth character reveals the host part as
well; and under MySQL's default case-insensitive collation 'R'='r' is true, so compare against
BINARY SUBSTRING(user(),1,1) when the exact case matters.
358 ◾ Ethical Hacking and Penetration Testing Guide
Enumerating the MYSQL Version
The next step is to enumerate the MySQL version. We can do this with the same query, slightly
modified. Let's ask the database whether the first character of version() is 4.
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(version(),1,1)=4;--+
We get a false result, meaning that it is not version 4. Let's ask whether it is version 5.
Syntax
http://localhost/index.php?support=yes' AND SUBSTRING(version(),1,1)=5;--+
We get a true result, which means that we are up against MySQL version 5. Similarly, you can
check whether the version is 1, 2, or 3 by substituting the appropriate value and comparing the
response. Note that this only reveals the major version; to recover the full string (for example
5.5.41) walk SUBSTRING(version(),n,1) through positions 2, 3, ... exactly as we did for the
username.
Guessing Tables
The next step would be to guess the table names. This is a highly time-consuming task, so I
don't recommend doing it manually; we will talk about automating it with SQLMAP later in the
chapter. For now, let's stick to the manual method and see how we can guess the table names.
Syntax
http://localhost/index.php?support=yes' and (SELECT 1 from dvwa.admin limit 0,1)=1--+
Replace admin with the table name you want to guess and dvwa with the database name, and see
what result comes back. Here we get an error: the table "admin" is not present in the dvwa
database, so the subquery fails instead of evaluating to 1. Now let's search for a table that we
already know exists in the dvwa database.