Today we will perform manual SQL injection with the integer-based method against a MySQL database. I hope the last article on error-based string injection was useful to everyone, especially beginners. Now I will quickly dive into another write-up on SQL injection, this time with the integer-based method.
SQL Injection ONLINE LAB:
- Beginners can use this website to practice skills for SQL injection
- To Access the LAB Click Here
STEP 1: Breaking the Query
- Visit the website testphp.vulnweb.com/artists.php?artist=1
- Let us add a single quote to the existing URL to check whether the website is vulnerable to SQL injection: testphp.vulnweb.com/artists.php?artist=1'
- Here we are trying to break the query and receive error messages from the database so that we can balance the query.
- But we are not getting error statements that reflect our input, which is the single quote.
- Since the string input is not producing an error from the database, let me try to fix the query without a single quote.
- The above figure shows that the website is fixed and we have joined the query with no errors using the integer method. So this is called SQL Injection with the Integer Based Method.
STEP 2: Finding the Backend Columns
- It is time to have a conversation with the database to find the number of columns. To enumerate columns we can use the order by command.
- Let me ask the database with any number so that I can check whether that many columns are available.
- In the above figure, I have asked for 4 columns, but it throws an error.
- Keep asking the database: let me ask for 3 columns !!!
- The above figure shows no SQL errors. Yes! We have only 3 columns.
STEP 3: Finding the Backend Table & Table Names
- Let us ask the database for its table path with the command union all select.
- The above figure shows that the execution of union all select gives the path of tables: 2 & 3 are the table paths.
- The above figure shows that executing database() & version() on the table paths 2 & 3 gives us the database name and version.
- So here the database name is acuart and the version is 5.1.73-0ubuntu0.10.04.1
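Why the inputs in Steps 1 to 3 work without a quote, and what removes the flaw, shown as an added example (not code from this article or from the lab site). It assumes a hypothetical three-column artists table with constructed rows and uses Python's sqlite3 as a stand-in for the PHP/MySQL backend, so the error text differs from MySQL.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the lab's artists table (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT, adesc TEXT)")
    db.executemany("INSERT INTO artists VALUES (?, ?, ?)",
                   [(1, "artist-one", "constructed row"), (2, "artist-two", "constructed row")])
    return db

def lookup_vulnerable(db, artist):
    # Root cause: the parameter is pasted into a numeric context, so no quote
    # is needed for extra SQL keywords to become part of the statement.
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id = " + artist
    return db.execute(sql).fetchall()

def lookup_hardened(db, artist):
    # Fix 1: accept only a short run of ASCII digits.
    if not re.fullmatch(r"[0-9]{1,9}", artist):
        raise ValueError("artist must be an integer")
    # Fix 2: bind the value, so it can only ever be treated as data.
    sql = "SELECT artist_id, aname, adesc FROM artists WHERE artist_id = ?"
    return db.execute(sql, (int(artist),)).fetchall()

def outcome(fn, db, artist):
    """Summarise a lookup as 'rows=N', 'sql-error' or 'rejected'."""
    try:
        return "rows=%d" % len(fn(db, artist))
    except sqlite3.Error:
        return "sql-error"
    except ValueError:
        return "rejected"

# Inputs mirror the values used in Steps 1 to 3 of this article.
INPUTS = ["1", "1'", "1 order by 3", "1 order by 4", "1 union all select 1,2,3"]

if __name__ == "__main__":
    db = make_db()
    for value in INPUTS:
        print("%-28r vulnerable=%-10s hardened=%s" % (
            value, outcome(lookup_vulnerable, db, value), outcome(lookup_hardened, db, value)))
```

With the hardened lookup every input except the plain integer is rejected before it reaches the database, so the column-count and union probes return nothing to reason about.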
STEP 4: Dumping Database Tables
- Group_concat() is a function that returns a string with the concatenated non-NULL values from a group.
- So we can use this function to list all tables from the database.
- In addition, we can use Information_Schema to view metadata about the objects within a database.
- The above figure shows the dump of all tables: carts, categ, featured, guestbook, pictures, products, users
STEP 5: Dumping all Data in Columns of Tables
- Here I will dump the columns of the users table.
- The above figure shows the dump of all columns of the table, which contains uname, pass, cc, address, email, name, phone, cart.
STEP 6: Dumping all Usernames & passwords
- Here we can dump all usernames & passwords in the database.
- Here we got the username as test and password as test !!!!
- Practice and try to dump all the columns of the table, which contains cc, address, email, name, phone, cart. Happy Hacking !!!
Source : GBHackers