Once the order by payload has been used to find the number of columns in the table, we move on to union-based SQL Injection to achieve the following:
- Finding the positions (numbers) of the vulnerable columns in the table
- Retrieving the required information through these vulnerable columns in various ways
Pre-requisites: Go through the following pre-requisites, which are required for understanding this post.
- Install XAMPP on your machine, configure it and start the Apache server and the SQL (database) service
- Host bWAPP on the server
- SQL Injection – The beginning – Part 1
- Security Testing – SQL Basics for understanding SQL Injection vulnerability
- SQL Injection – order by Payload – Part 6
Caution: Read the following points before testing the application for SQL Injections:
- Don’t try the following examples on other websites.
- Only run these payloads against applications that are open for penetration testing.
- If you perform penetration testing on an application without a written statement from its owner, you will face legal problems, the cyber police and possibly jail.
Finding vulnerable columns using union-based SQL Injection – After finding the number of columns in the table using the order by payload, we follow the steps below to find out which of these columns are vulnerable, using union:
Note: In SQL, UNION combines the result rows of two or more SELECT queries into one result set. Every SELECT in the union must return the same number of columns, which is why the column count found with order by is needed first.
Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox Browser using the URL http://localhost:8080/bwapp/login.php as shown below:
Step#2 – Log in to the application by entering bee into the Login field and bug into the Password field, then click on the Login button as shown below:
Step#3 – Once the user is logged in, select the SQL Injection (GET/SEARCH) option from the ‘Choose your bug’ drop-down field and click on the ‘Hack’ button as shown below:
Step#4 – Since we already know that there are 7 columns in the table, let’s find out which columns in the table are vulnerable to SQL Injection. Do this by searching with the payload Iron Man' union select 1,2,3,4,5,6,7-- as shown below and clicking on the ‘Search’ button:
Note: Provide a space after the -- of the payload in the input field below; MySQL/MariaDB only treats -- as a comment when it is followed by a space.
Payload: Iron Man' union select 1,2,3,4,5,6,7-- 
Step#5 – Observe that the details related to the search term ‘Iron Man’ are displayed along with the numbers of the vulnerable columns, as shown below:
Note: From the above screenshot, the 2nd, 3rd, 4th and 5th columns are found to be vulnerable to SQL Injection, i.e. whatever is selected into those positions is rendered in the page.
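To see why the marker numbers show up in the page, and why a parameterised query stops them, here is an added example (not code from bWAPP or from this post) that recreates the search in Python with an in-memory SQLite table. A constructed 7-column movies table stands in for bWAPP's (assumed shape), search_vulnerable concatenates the term into the SQL as the vulnerable page does, search_hardened binds it as a parameter, and error_message shows a lone single quote turning into a database error.

```python
import sqlite3

# Constructed sample rows standing in for bWAPP's 7-column movies table (assumed shape, not the real schema).
MOVIES = [
    (1, "Iron Man", 2008, "action", "Tony Stark", "tt0371746", 53),
    (2, "The Incredible Hulk", 2008, "action", "Bruce Banner", "tt0800080", 78),
    (3, "Iron Man 2", 2010, "action", "Tony Stark", "tt1228705", 10),
]
PAYLOAD = "Iron Man' union select 1,2,3,4,5,6,7-- "  # Step#4 payload: closes the quote, adds a 7-column SELECT


def make_db():
    """Build an in-memory SQLite database holding the constructed movies table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE movies (id, title, release_year, genre, main_character, imdb, tickets_stock)")
    db.executemany("INSERT INTO movies VALUES (?, ?, ?, ?, ?, ?, ?)", MOVIES)
    return db


def search_vulnerable(db, title):
    """String concatenation: the search term becomes part of the SQL text, so a quote ends the literal."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return db.execute(sql).fetchall()


def search_hardened(db, title):
    """Parameterised query: the term is bound as a value and can never alter the statement."""
    sql = "SELECT * FROM movies WHERE title LIKE ?"
    return db.execute(sql, ("%" + title + "%",)).fetchall()


def marker_rows(rows):
    """Rows made only of the markers 1..7 came from the injected SELECT, not from the movies table."""
    return [row for row in rows if tuple(row) == (1, 2, 3, 4, 5, 6, 7)]


def error_message(db, title):
    """Return the database error the vulnerable page would leak (a lone quote triggers it), else None."""
    try:
        search_vulnerable(db, title)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # the marker row (1, 2, 3, 4, 5, 6, 7) appears
    print("hardened:  ", search_hardened(db, PAYLOAD))    # no rows: the payload is just a search term
    print("lone quote:", error_message(db, "'"))
```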
Finding the database name using any of the vulnerable columns – After finding the numbers of the vulnerable columns, we can use any one of them, say column 3, to find out the database name. Follow the steps below to retrieve the database name using union-based SQL Injection:
Step#1 – Pass database() in the SQL payload in place of 3 as shown below:
Payload: Iron Man' union select 1,2,database(),4,5,6,7-- 
Step#2 – Click on the ‘Search’ button and observe that the database name is displayed in place of the 3rd column in the results, as shown below:
Finding the table names in the Database – We can also retrieve the table names using union-based SQL Injection. To understand this payload, we first need the following concepts:
- Database: used by the application for storing its data.
- Relational Database: a database that stores the application's data in the form of tables.
- Database Schema: a structure/blueprint that describes how the data in the database system is organised and how the relations among the data are defined, using a formal language supported by the database management system.
- Database Management System (DBMS): the database of your application will be implemented using one of the database management systems, such as MongoDB, MariaDB, Apache Cassandra or MySQL.
- SQL (Structured Query Language): the language used by most relational database management systems for querying their data.
Now let's follow the steps below to use union-based SQL Injection for retrieving the table names in the database:
Step#1 – On entering a single quote into the ‘Search for a movie:’ text box and clicking on the Search button, we get an error message from the database which reveals the database management system that the application is using.
- In bWAPP, the application is using MariaDB (refer to this article for more details).
Step#2 – Once the DBMS name is revealed, we can use it to find out what the information schema looks like by simply searching the web for ‘Information schema tables MariaDB’. That search led me to the article below, which gives more details on how to retrieve the table names from the DB using an SQL query:
In the above referred article, they used an SQL query which is an advanced version of the following one:
- Select table_name from information_schema.tables
- In the above query:
- information_schema is the built-in schema that holds metadata about the databases on the server
- tables is a table in that schema holding the high-level details of every table in the database
- table_name is a column in the tables table
Since we cannot run the Select query directly as the payload in the ‘Search for a movie:’ text field, we modify it into the union-based payload below:
- Payload: Iron Man' union select 1,2,table_name,4,5,6,7 from information_schema.tables-- 
- In the above query, table_name is placed in one of the identified vulnerable columns (the 3rd)
- As usual, add a space after the -- in the above query
Step#3 – Enter the above specified payload into the ‘Search for a movie:’ text field and click on the ‘Search’ button as shown below:
Payload: Iron Man' union select 1,2,table_name,4,5,6,7 from information_schema.tables-- 
Step#4 – Observe that all the table names in the database are displayed in the results as shown below:
Finding the columns in the users table – Now that we know from the above activity that there is a users table in the database, we need to find the columns of the users table by following the steps below:
Step#1 – As before, use the DBMS name MariaDB to find out what the information schema looks like, this time searching the web for ‘Information schema table columns MariaDB’. That search led me to the article below, which gives more details on how to retrieve the column names of the tables using an SQL query. Go through the article and re-frame the payload as shown below:
- Article: Click here for the article (find the column_name column and the information_schema.columns table)
- Payload: Iron Man' union select 1,table_name,column_name,4,5,6,7 from information_schema.columns-- 
Step#2 – Enter the above drafted payload into the ‘Search for a movie:’ text box and click on the ‘Search’ button as shown below:
Step#3 – Observe that all the table names along with their column names are displayed as shown below:
Retrieving the values stored in the users table – Now that we know there is a users table with several columns, we can query the DB to get the values of those columns from the users table. Follow the steps below to retrieve the user details:
Step#1 – Enter the payload below into the ‘Search for a movie:’ text field and click on the ‘Search’ button:
Payload: Iron Man' union select 1,login,password,email,admin,6,7 from users-- 
Note: login, password, email and admin used in the above payload are nothing but the column names of the users table found in the previous section using the SQL Injection query.
Step#2 – Observe that the values under the specified columns are retrieved and displayed in the results as shown below:
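From the defender's side, every payload in this post travels in the GET query string, so it is visible in the web server's access log. The following is an added example (not from the post or from bWAPP) that decodes the search parameter of constructed Apache-style log lines and flags the union/select, information_schema, database() and comment-truncation patterns used above; the path /bwapp/sqli_1.php and the title parameter name are assumptions standing in for the GET/SEARCH page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines, not real traffic. The path /bwapp/sqli_1.php and the
# 'title' parameter are assumptions standing in for the GET/SEARCH page used in this post.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:10:00:00 +0000] "GET /bwapp/sqli_1.php?title=Iron+Man&action=search HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Oct/2023:10:00:07 +0000] "GET /bwapp/sqli_1.php?title=Iron+Man%27+union+select+1%2C2%2C3%2C4%2C5%2C6%2C7--+&action=search HTTP/1.1" 200 5310',
    '10.0.0.5 - - [10/Oct/2023:10:00:15 +0000] "GET /bwapp/sqli_1.php?title=Iron+Man%27+union+select+1%2C2%2Ctable_name%2C4%2C5%2C6%2C7+from+information_schema.tables--+&action=search HTTP/1.1" 200 9870',
    '10.0.0.5 - - [10/Oct/2023:10:00:40 +0000] "GET /bwapp/sqli_1.php?title=Iron+Man%27+union+select+1%2Clogin%2Cpassword%2Cemail%2Cadmin%2C6%2C7+from+users--+&action=search HTTP/1.1" 200 6400',
    '10.0.0.5 - - [10/Oct/2023:10:01:00 +0000] "GET /bwapp/sqli_1.php?title=Union+Station&action=search HTTP/1.1" 200 5100',
]

# One rule per technique used in the post, matched against the URL-decoded parameter value.
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.", re.I)),
    ("db-fingerprint", re.compile(r"\bdatabase\s*\(\s*\)", re.I)),
    ("comment-truncation", re.compile(r"--\s|/\*")),
]
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def decoded_params(line):
    """Pull the request target out of a log line and URL-decode its query parameters."""
    match = REQUEST_RE.search(line)
    if not match:
        return {}
    return dict(parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True))


def scan_line(line):
    """Return (parameter, rule) pairs for every rule that fires on this line."""
    return [(name, rule) for name, value in decoded_params(line).items()
            for rule, pattern in RULES if pattern.search(value)]


def scan_log(lines):
    """Map the index of each suspicious line to its hits; benign lines are omitted."""
    report = {}
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[index] = hits
    return report


if __name__ == "__main__":
    for index, hits in scan_log(LOG_LINES).items():
        print(index, hits)
```

The benign "Union Station" search is left alone because the union rule also requires a following select, which is the part of the pattern a legitimate title does not carry.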
Conclusion: Hence, using union-based SQL Injection, we can find the column numbers that are vulnerable to SQL Injection and also retrieve sensitive data from the tables. All the examples in this post show ways in which union-based SQL Injection can be used to retrieve sensitive data from the database tables.
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)