'mysql'에 해당되는 글 57건
Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:
If the database is vulnerable, the page will spit out a MySQL error such as;
If the as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.
If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of after the number, change it with , as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used.
We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.
We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
or dont work try...
For example the url would look like:
union all select
The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the and column names, programs can be used to do this.
In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.
In this Step we want to list all the column names in the database, to do this we use the following command:
So the url would look like this:
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.
Finally we need to dump the data, so say we want to get the "username" and "password" fields, fromtable "admin" we would use the following command,
union all select from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--
Here the " command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website
sqlcake is an automatic SQL injection and database information gathering exploitation kit written in Ruby. It’s designed for system administration and penetration testing. It offers a few useful functions to gather database information easily by sql injection usage. It also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.
It supports union stacked queries for real fast processing and blind injections with logarithmic techniques for saving time.
Automatic dump database & interactive sql shell tool dumps the current database structure including tables and columns and turns into an interactive mysql prompt with extra features.
Current DB: web
Database : mysql
# mysql.user Data
News Source : Jackh4xor
출처 : thehackernews.com