Myanmar H4x0r

---

The first and easiest function is receiving data through system variables. These variables are predefined on the SQL-server and will give us some nice BASIC INFO about the server. Lets try to get the SQL-server version, the current user and the database name of the given original query. You know from above how to display the vulnerable colums on screen (UNION STATEMENT). Now we inject our system variables directly into these vulnerable columns in our URL. Remember: vulnerable columns are COLUMN 3, COLUMN 4 and COLUMN 5...

Result:


VERSION() = 5.1.70-cll // The MySQL-server version the server is running
USER() = devartch_apropos@localhost // The current database user (Scriptuser)
DATABASE() = devartch_apropos // The current database (The current script uses)

congrats to your first injection with UNION  ....ok i admit its not a huge DUMP but this is important cos:

UNION BASED SQLI splits into two main ways: Injection in MySQL-server version 5+ above and MySQL-server version 4- lower.
Thats why the first thing to check is the SQL-server version with system variables!

---

---

VERSION 5:
The main difference between version 5 and version 4 of SQL-server is that version 5 and above has a INDEX-DATABASE for all user databases, tables and columns. Its basically a system database (beside all other user databases) that stores information and structured data about all databases,tables and columns of the user. This INDEX DATABASE is calledINFORMATION_SCHEMA. It is installed with all MySQL-server versions 5 and above. If the admin going to create some database, the SQL-server will automatically store information about this created database in the INFORMATION_SCHEMA database.

In the INFORMATION_SCHEMA database the MySQL-server automatically save things like:

• The name of each database the user created
• All table information of that databases (names, columns, rows,...)
• All column information for each table of all databases

BUT it do not store the data(values) of the tables itself. The data of each tables (values) of course are stored in the tables itselfs.
Maybe a lil confusing but you soon will see clear....

So yes you are right - that sounds like heaven:
a huge index where we can trace, locate & identify the complete structure of the user databases! And it is like that! :cool:

VERSION 4:
Guy‘s here comes the hard part:
Unfortunately such a INDEX DATABASE like in version 5 does not exist in version 4  
The table and column names are not easy to get, cos there is no index where we are able to reach them. WE HAVE TO GUESS THOSE NAMES.
That can be time intensiv and its not funny BUT possible! I think the version 4 and lower will getting less and less but sometimes you will see such a target in the wild.

Basically that‘s it about the main difference (sure there are more, but for injecting thats it)
We now go forward with our example target cos it is version 5+

---

---

After we are getting the vulnerable columns on screen and we get the basic info via system variables, the next step is to get the table names.
We know our target is version 5+ and there is a database where we are able to get those information called INFORMATION_SCHEMA.

So lets try to get the tables of our target...

The injection query for getting the table_names is:

So let's fit this into a vulnerable column, i pick number 4 for that:

--> SUCCESS! Now you see all table_names listed on the page separated with commas:


SQL-Query explanation:

That means the SQL-server SELECT all table names FROM the index (INFORMATION_SCHEMA).
Because we only want the table names of the current DATABASE() we use a WHERE-CLAUSE for this.
table_schema = the column name of the INFORMATION_SCHEMA.TABLES table where all Database names are stored.
So basically the SQL-server matches all stored values in the table_schema column with our database name (devartch_apropos) and will give us only the table_names of the current DATABASE().

Injection-Query explanation:

You noticed in the URL above that we have to do some changes before we are able to inject the SQL SELECT query.
We have to put the query in brackets ( WHOLE SELECT QUERY ABOVE ) to inject in in one vulnerable column.
We also have to use the MySQL function GROUP_CONCAT() otherwise we would get a error that our SUBQUERY return more than 1 row.
If we GROUP the results we are able to receive all data through one SELECT query!

For any further information about this SQL function you can check:
http://dev.mysql.com/doc/refman/5.6/en/g...oup-concat

Next step is to pick a table you are interested in and get the column names of it - i would say let's pick table „user" :oui:

The injection query for getting the column_names is:

The URL look like this:
--> VOILA! These are the column names of table „user“:


SQL-Query explanation:

That means the SQL-server SELECT all column names FROM the index (INFORMATION_SCHEMA).
Because we only want the column names of the table name "user" we use again a WHERE-CLAUSE for this.
MySQL now give us all column names of the table „user".

Injection-Query explanation:

As you see again the GROUP_CONCAT() function that i have already explained above (Group the results).
NEW IN HERE: we put the table name we choosed in HEX-FORMAT: 75736572 = user (u=75 s=73 e=65 r=72). 
We have to tell MySQL that we will use HEX and we will do this with put a 0x in front of the HEX VALUE. 
So finally the table name „user“ in hex is built: 0x75736572

NOTICE: this function is CASE SENSITIVE so "user" is not "USER".
In HEX you will get two different results (user = 75736572 / USER = 55534552)
How to convert Strings to HEX?: Online converter

Now let's dump the data of this columns!

NOTE: You will get some admin/login data in next step. I dont know if they are working to login for any panel. I havent tried and i will not try!
Do me a favour and to the same. Leave it as it is. This is a tutorial for educational purposes only and other user will also learn from this in future! You get enough vulnerable pages in SQLI-section, with dorking, with pastebin lists and so on....you dont have to "hack" this tutorial-example. I thought it would be nice to grab some user/password data for the first injection, if you think the same than you now how to act ;) ...stay HQ friends!

Ok guy‘s query for dumping the data:

Injection URL:
--->VOILA! You get a user name and a password (no more user stored in there):


SQL-Query explanation:

The SQL-server now SELECT all VALUES of the columns "name" and "password".
We dont need the INFORMATION_SCHEMA database cos we now know table name AND column names, in this case we can driectly reach the values without using the INFORMATION_SCHEMA.

Injection-Query explanation:

We need no WHERE-CLAUSE and no need for HEX any string (we directly grab the data and we are now knowing each column name and the table name).
Only the GROUP_CONCAT() we need again to group the results.

The password is a MD5-Hash. I will not cover cracking of hashes. 

That was your first successful UNION BASED SQL INJECTION with a MySQL-server version 5.xx and the PHP framework! CONGRATS :thumbsup:

---

---

So guys now it‘s time for another injection technique called ERROR BASED SQLI.
In some cases that work faster for us or some guy‘s just simply like that more. With this injection technique we stuck with our results directly in the error-message of the server! I will use the same target for this.

Get the version:

Get tables:

Get columns for our above union based example table user:

Values of columns name and password of table user:

NOTE:
In error based SQLi we are limited in output (because of we stuck in MySQL error message). 
To get more results than one table name you have to change the LIMIT PART in each query above: from LIMIT 0,1 to LIMIT 1,1 and than LIMIT 2,1 and so on 

credit:T-pro