1

I'm learning SQL-injection (and SQL in the first place) by playing a CTF. I'm using sqlmap and have for my target IP so far found:

Uses: MySQL, PHP

2 databases:

information_schema
users

1 table in users database:

user

if I dump the user table in the users database I get:

+------------------------------+----------+
| name                         | username |
+------------------------------+----------+
| YouWillNeverCrakThisPassword | nochance |
| Jack Bob                     | jack     |
| Bill Sims                    | bill     |
| Bob Browne                   | Bob      |
+------------------------------+----------+

But there isn't any password hashes for me to try and crack. In the tutorial I've been following this is where the hashes were.

Any idea where the password hashes might be? Do they have to be somewhere? I don't know much about the schema, but I didn't really see anything in there.

Austin
  • 139
  • 1
  • 6

1 Answers1

1

The actual user table (Note: singular) you are looking for is in the mysql db not the users db (Note: plural). The users database you are referring to is probably something you (or DVWA, or whatever you're practicing with created). If you want the MYSQL users (and hashes), you'll need to get to the database engine's configuration tables, specifically: user.

REFERENCE

https://dev.mysql.com/doc/refman/5.5/en/password-hashing.html

HashHazard
  • 5,105
  • 1
  • 17
  • 29
  • Hmm so if `--dbs` didn't show a database named `mysql` does that mean I need to find a different website address to start from? – Austin Oct 17 '16 at 04:12
  • 1
    It could be a lot of things. For one, the context (aka user) the webserver is using to query mysql may not have permission to view that DB. Can you login to mysql as root and see if the table exists? – HashHazard Oct 17 '16 at 04:15
  • I don't have any access all I was given to start with was an IP address of the target. It's a page with a PHP username input and running dirbuster on the IP with a large list hasn't shown me anything. – Austin Oct 17 '16 at 04:17
  • Use sqlmap to find out what user you're connecting to MySQL as. – HashHazard Oct 17 '16 at 04:18
  • after I do that can I change user permissions or switch user? – Austin Oct 17 '16 at 04:39
  • --user --privileges and there's only 1 user and its only privilege is 'USAGE' – Austin Oct 17 '16 at 04:57