CEH

(Jeff_L) #1

338 Chapter 14 ■ SQL Injection


If this code returns any result other than an error, then increment the number after the
order by statement by 1 (or some other amount if desired) until an error is returned. When
an error is encountered, it indicates that the last entry that did not return an error is the
number of columns in the database.
Once the columns have been determined, you can establish whether you can make
queries against the system. Do so by performing what is known as a union select on the
system by appending it to the end of the URL:

http://www.somesite.com/default.php?id=-1 union select 1,2,3,4,5,6,7,8

Take a close look at this statement. This statement assumes that you discovered that
there were eight columns in the database in your previous step. If more or fewer were
encountered, you would adjust the numbers after the select accordingly. Also note that you
add a hyphen after the = sign and before the number 1 (after the id).
Once the results of this query are returned, you will see that column numbers are
returned. The numbers that are returned indicate that queries are accepted against these
columns, and you can now inject further refined SQL statements into each.
You can now start doing some interesting tasks. Let’s begin by identifying the SQL
version that is in use. To do this, you will use the command @@version or version() to
extract the version information from the database. You will target one of the columns that
accept SQL queries. In our example, let’s use column 3:

http://www.somesite.com/default.php?id=-1 union select 1,2,@@version,4,5,6

The version information returned will replace the @@version. Depending on the
database version being returned, you can determine the next stage of the attack. In our
example here, let’s assume the version returned is correct for our next step.

This example assumes that the database in use is MySQL and that the version is at least version 5. If another version or brand of database is in use, then be sure to tailor the attack to that environment.

With the version information checking out, you can do something even more interesting.
You can obtain a list of the databases present on the system by executing the following
command:

http://www.somesite.com/default.php?id=-1 union select 1,2,group_concat(schema_name),4,5,6 from information_schema.schemata--

To determine the current database:

http://www.somesite.com/default.php?id=-1 union select 1,2,concat(database()),4,5,6--

To get the current user:

http://www.somesite.com/default.php?id=-1 union select 1,2,concat(user()),4,5,6--
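The detection-side view of the same procedure, added here as an example and not part of the chapter: a Python script that parses constructed web-server access-log lines (Common Log Format, invented for this example) and flags clients whose requests show the three stages walked through above: ORDER BY column enumeration ending in a server error, a UNION SELECT probe, and metadata lookups such as @@version, database(), user() or information_schema.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the chapter) that replay the probing
# sequence it describes: ORDER BY enumeration until a 500, then UNION SELECT probes.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /default.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /default.php?id=1%20order%20by%201 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /default.php?id=1%20order%20by%202 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /default.php?id=1%20order%20by%209 HTTP/1.1" 500 201
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /default.php?id=-1%20union%20select%201,2,3,4,5,6,7,8 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /default.php?id=-1%20union%20select%201,2,@@version,4,5,6 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /default.php?id=-1%20union%20select%201,2,group_concat(schema_name),4,5,6%20from%20information_schema.schemata-- HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /default.php?id=42 HTTP/1.1" 200 512
"""

# Common Log Format: the client IP, request path and response status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The three stages the chapter walks through, matched after URL-decoding the request.
ORDER_BY_RE = re.compile(r"\border\s+by\s+\d+", re.I)          # column-count enumeration
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)    # union select probe
META_RE = re.compile(r"@@version|\bversion\(\)|information_schema|\bdatabase\(\)|\buser\(\)", re.I)

def analyze(log_text):
    """Return per-client counters for each probing stage seen in the log."""
    stats = defaultdict(lambda: {"order_by": 0, "union": 0, "metadata": 0, "order_by_errors": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = unquote_plus(m.group("path"))  # decode %20 / + so the regexes see spaces
        s = stats[m.group("ip")]
        if ORDER_BY_RE.search(query):
            s["order_by"] += 1
            # A 5xx on an ORDER BY probe is exactly the error the enumeration is waiting for.
            if m.group("status").startswith("5"):
                s["order_by_errors"] += 1
        if UNION_RE.search(query):
            s["union"] += 1
        if META_RE.search(query):
            s["metadata"] += 1
    return dict(stats)

def suspicious_clients(log_text, min_order_by=2):
    """Clients that either enumerated columns or issued any UNION SELECT against the app."""
    return sorted(ip for ip, s in analyze(log_text).items()
                  if s["union"] or s["order_by"] >= min_order_by)
```

Run against real logs, the same counters make a useful alert condition, and the fix on the application side is the usual one: bind `id` as a parameter instead of concatenating it into the query, so these probes return the normal result or an error rather than attacker-chosen columns.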