On many sites we can see a PHP script with a variable assigned to a value. Based on the value assigned to that variable, a different page loads.
Example
products.php?category=1
products.php?category=2
Depending on whether the value is 1 or 2, a different page loads.
Now this may be prone to SQL injection. To check, insert a ' at the end of the URL. If it IS prone, the page will load but look disfigured.
That's how my page loaded. With a tiny missing link on the top left corner.
Now here comes the fun part. If you can find a table on the site (which I've explained how to find in previous posts), we could view some sensitive information.
On this page, there was an "Enter your email to add your email to our mailing list". I just added a ' to cause a syntax error causing the message:
"Syntax error, could not add email to table MAIL"
Hence I found an email table on the site.
So on this page we have the table 'mail'.
So let's start with UNION ALL SELECT NULL FROM MAIL, concatenated to the end of the URL.
Most probably the page will load as shown above. This means that we haven't selected the correct number of columns.
So let's try
UNION ALL SELECT NULL,NULL FROM MAIL
Keep incrementing the number of NULL values till it turns out like this:
So in my case it took 4 NULL values to display something weird. Apparently it would be some value from the table. So now let's try
UNION ALL SELECT *,NULL,NULL,NULL FROM MAIL
This again, may or may not work. What we're trying to do is to find a column in which the values are in a text form. The weird icons you see are due to reading values that aren't exactly text.
So let's rotate the position of the * till we get something out of it.
UNION ALL SELECT NULL,*,NULL,NULL FROM MAIL
Keep rotating the * till you find something.
Like this.
Apparently the second column stored the email values! By using a * at the second position, we retrieved all values of the second column! Keep rotating the * around to see what other columns you can extract!
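Everything above works only because the category value and the signup email are pasted straight into the SQL text, and because the signup error message names the table. The following Python/sqlite3 example is an added illustration, not code from this post or from the site it describes: it builds a constructed in-memory database (a 4-column products table and a single-column mail table, both assumptions) and places the concatenating version of each handler beside a hardened one that validates the value's shape, binds it as a parameter, and returns a generic error instead of the table name.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory schema for the demo (an assumption, not the post's site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, category INTEGER, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                     [(1, "Widget", 1, 9.99), (2, "Gadget", 2, 19.99)])
    # One-column mailing-list table, so NULL,*,NULL,NULL lines up with the 4 product columns.
    conn.execute("CREATE TABLE mail (email TEXT)")
    conn.executemany("INSERT INTO mail VALUES (?)",
                     [("alice@example.test",), ("bob@example.test",)])
    conn.commit()
    return conn


# --- products.php?category=... ------------------------------------------------

def products_vulnerable(conn, category):
    """String concatenation: the raw URL value becomes part of the SQL statement."""
    sql = "SELECT id, name, category, price FROM products WHERE category = " + category
    return conn.execute(sql).fetchall()


def products_hardened(conn, category):
    """Allow-list the shape of the value, then hand it to the driver as a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", category):
        raise ValueError("category must be a small positive integer")
    sql = "SELECT id, name, category, price FROM products WHERE category = ?"
    return conn.execute(sql, (int(category),)).fetchall()


# --- mailing-list signup --------------------------------------------------------

def subscribe_vulnerable(conn, email):
    """Concatenation, plus a user-facing error that discloses the table name."""
    try:
        conn.execute("INSERT INTO mail VALUES ('" + email + "')")
        return "Thanks for subscribing"
    except sqlite3.Error:
        return "Syntax error, could not add email to table MAIL"


def subscribe_hardened(conn, email):
    """Validate the address, bind it, and keep database details out of the response."""
    if not re.fullmatch(r"[^@\s']+@[^@\s']+\.[A-Za-z]{2,}", email):
        return "Please enter a valid email address"
    try:
        conn.execute("INSERT INTO mail VALUES (?)", (email,))
        return "Thanks for subscribing"
    except sqlite3.Error as exc:
        log_server_side(exc)  # hypothetical logger standing in for the app's real one
        return "Sorry, we could not process your request"


def log_server_side(exc):
    """Placeholder: a real app writes exc to its server log, never to the client."""
    pass


def raises(fn, *args):
    """Small helper so callers can check that a handler rejects an input."""
    try:
        fn(*args)
    except Exception:
        return True
    return False


def mail_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mail").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(products_hardened(db, "1"))              # [(1, 'Widget', 1, 9.99)]
    print(raises(products_hardened, db, "1'"))     # True: rejected before any SQL runs
    print(subscribe_hardened(db, "x'"))            # validation message, no table name
```

With the hardened handlers, the ' probe from the post never reaches the database (the regex rejects it before a query is built), the UNION line is rejected the same way, and a signup failure produces a message that reveals nothing about the schema; the concatenating versions show exactly the behaviour the post relies on.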
Hope this proved to be educational!