0

I was recently given a subdomain to try and exploit with SQLi: gov.ns.agency. Unlike what I would see in most tutorials, I can't really inject parameters into the URL like I would see everywhere else.

Here's what I tried:

  1. At the login page, any username sufficed with the password `' OR '1'='1`, and I'm directed to gov.ns.agency/users. Here a form returns whether a user exists. I'm supposed to get info from columns 'name' and 'pass' from table 'users'. There's also a hint that MySQL is the database and that the requests sent are GET and not POST, with the exception of some queries which return a 500 Internal Server Error.

  2. `'UNION ALL SELECT NULL,version()'--` returned MySQL version 8.0.11; omitting the single quotes would return 'user not found'.

  3. `'UNION SELECT 'Found', COLUMN_NAME FROM information_schema.columns WHERE table_name = 'users' AND column_name LIKE 'pa%` returned `[name]Found -> [priv]pass`. I'm still scratching my head over what 'priv' is; it might describe privileges? Admin perhaps?

  4. `'UNION ALL SELECT NULL,concat(schema_name) FROM information_schema.schemata'`: this should give DB names, but instead it gave me a 500 Internal Server Error.

I'm quite new to penetration testing, and I'm not sure which query would get the tables, or even how I'd use tools such as SQLMap or Burp Suite to do it, or how I'd approach this kind of site where I can't even inject queries into the URL (normally ending in .php?id=123), so any tips would be greatly appreciated!

jonroethke
Calahan
  • This works for me: `' UNION ALL SELECT NULL,group_concat(schema_name SEPARATOR ',') FROM information_schema.schemata #` – Siguza Jun 07 '18 at 13:34
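The behaviour the question describes (a login that accepts `' OR '1'='1`, a user-lookup form that a `UNION` can abuse, the same payload without its leading quote yielding "user not found", and malformed input turning into a 500) all come from building SQL by string concatenation. The following is an added example, not code from the question or the target site, that reproduces each of those behaviours in a small vulnerable model and shows the parameterized version that makes the same inputs harmless. It assumes an in-memory sqlite3 database as a stand-in for MySQL (so `sqlite_version()` plays the role of MySQL's `version()`, and the table rows are constructed); the function names are my own.

```python
import sqlite3

# Constructed stand-in for the 'users' table from the question (name, pass, priv).
# Assumption: sqlite3 in memory instead of MySQL, so some syntax details differ.
SAMPLE_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pass TEXT, priv TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_login(con, username, password):
    """Builds the WHERE clause by concatenation: quotes in the input become SQL."""
    query = (
        f"SELECT name FROM users WHERE name = '{username}' "
        f"AND pass = '{password}'"
    )
    # With password "' OR '1'='1" the clause becomes
    #   pass = '' OR '1'='1'   which is true for every row, so any username logs in.
    return con.execute(query).fetchone() is not None


def safe_login(con, username, password):
    """Parameterized: the driver keeps values separate from the statement text."""
    row = con.execute(
        "SELECT name FROM users WHERE name = ? AND pass = ?", (username, password)
    ).fetchone()
    return row is not None


def vulnerable_user_lookup(con, name):
    """Models the /users form: returns (name, priv) for an existing user, else None."""
    query = f"SELECT name, priv FROM users WHERE name = '{name}'"
    # A leading quote closes the literal, so "' UNION ALL SELECT NULL, sqlite_version() --"
    # appends a second SELECT and comments out the trailing quote. Without the
    # leading quote the whole payload is just an unusual username: "user not found".
    # (sqlite accepts "--" as is; MySQL needs "-- " with a trailing space, or "#".)
    return con.execute(query).fetchone()


def safe_user_lookup(con, name):
    return con.execute(
        "SELECT name, priv FROM users WHERE name = ?", (name,)
    ).fetchone()


def lookup_status(lookup, con, name):
    """What the web layer would report: 'found', 'not found', or 'error'.
    An unhandled database exception is what surfaces as a 500 Internal Server Error;
    catching it and returning a generic status keeps the error detail off the page."""
    try:
        row = lookup(con, name)
    except sqlite3.Error:
        return "error"
    return "found" if row else "not found"


if __name__ == "__main__":
    con = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable login with bypass:", vulnerable_login(con, "anyone", bypass))
    print("safe login with bypass:      ", safe_login(con, "anyone", bypass))
    union = "' UNION ALL SELECT NULL, sqlite_version() --"
    print("vulnerable lookup:", vulnerable_user_lookup(con, union))
    print("no leading quote: ", lookup_status(vulnerable_user_lookup, con, union[1:]))
    print("safe lookup:      ", lookup_status(safe_user_lookup, con, union))
    print("lone quote:       ", lookup_status(vulnerable_user_lookup, con, "'"))
```

The two "safe" functions differ from the vulnerable ones only in passing the user input as bind parameters; that single change is what turns every payload in the question into an ordinary string comparison, and it is the fix to look for when auditing an application that shows these symptoms.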

2 Answers

0

```
sqlmap -u "http://vuln.url/x.php?param1=..."
```

You can add the --dbms parameter, like --dbms=mysql, if you're sure about the database used, or --forms to inject into the forms on the page.

schroeder
  • I see, so let me try to understand this: in my case this would work with: sqlmap -u "https://gov.ns.agency/users" along with --dbms and --forms despite there being no parameters to inject into the URL? – Calahan Jun 07 '18 at 09:25
  • try to force your sqlmap suffix `'-- ` – Soufiane Tahiri Apr 09 '21 at 09:10
0

To begin with, you say you're not sure which query would get the tables, so in my opinion you should do a crash course in SQL.

Sqlmap and Burp Suite are webapp pentesting tools which can be found in pentesting distros like Kali Linux, or, if you don't want to install a new distro, you can download them and install them on your computer. Apart from Sqlmap and Burp Suite there are many other webapp pentesting tools, like nikto, OWASP ZAP and others...

You also mention you are not sure how to approach a site you want to hack. Webapps have vulnerabilities other than SQLi; I recommend you read this carefully (OWASP Top Ten).

  • I'm sorry but I think you misunderstood my question. I was bringing up the specific example of [gov.ns.agency](https://gov.ns.agency). There, the nature of the replies to the queries is such that I can't extract whole tables for this specific example. For DVWA and Mutillidae this is not a problem, as just about every tutorial will get you started. If you have spare time on your hands, I think you should visit it once and try it out; I think you'll see what I mean, it's a bit difficult to describe in words alone. – Calahan Jun 07 '18 at 09:20
  • Have you tried to exploit it using SQLi POST method? – SleetyNine018 Jun 07 '18 at 20:38