Even more SQL Injection (this time I get an admin password) part 2

To recap, in part one I went over getting setup, discovering the vm, finding open ports, playing with the website, and how to use order by to find out how many columns are in a SQL table.  Now I will continue to enumerate the table by exploring rows.

Go to union select 1,2,3,4
This displays the columns and the rows, I believe, of the SQL tables.
then change it to to be: cat.php?id=-1 union select 1,user(),3,4
and it will show you as the current user at local host.
A bit of knowledge about mySQL is that the default setup for its tables is called information_schema, and on many CTF’s, challenges, labs etc they just use the default.  I’m not sure if you can/should change it.

next, we type 1 union select 1,table_name,3,4 from information_schema.tables
and we get the full list of all the different columns in all the tables from the entire schema, which is a lot.  On the bottom though, we find the one we are looking for: users!

Drilling further down, we type 1 union select 1,column_name,3,4 from information_schema.columns where table_name=’users’
this spits out the three columns in the users table: id, login, and password.

Finally, to spit out the table information, we type:
1 union select 1,concat(id,0x3a,login,0x3a,password),3,4 from users
I believe what this telling it to do is to spit out the id, place a colon and a space, spit out the login, colon space, then the password.
The password is hashed, but i copied and pasted it into a google search to find that it was an MD5 hash and that the password is P4ssw0rd

From SQL Injection to Shell part 1

Leave a Reply