I have a problem I'm hoping someone could help with regarding the use of UNION SELECT in a scripted/automated way to find columns that are exploitable (having already found the number of columns using ORDER BY).
Doing this manually
Using http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,4,5,6,7,8--
I am aware I can manually view the column numbers that appear on the page to find the columns that are exploitable, but it is extremely difficult to try and parse these out of the response content or page source using a script in an automated way to find the exploitable columns that are revealed (unless someone knows of a reliable way this can be done?).
Automating this using a scanner/fuzzer
In a few scanners/fuzzers and SQL injection tools I have found some references to getting the UNION SELECT to return a specific 'keyword' on the page which will indicate that this particular column is exploitable if that 'keyword' is then found in the response-content....
For example:
http://www.site.com/index.php?id=-2 UNION SELECT "EXPLOITABLE",2,3,4,5,6,7,8-- <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,"EXPLOITABLE",3,4,5,6,7,8-- <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,"EXPLOITABLE",4,5,6,7,8-- <-- The word EXPLOITABLE **DID** appear on the page content so this column **IS** exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,"EXPLOITABLE",5,6,7,8-- <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
http://www.site.com/index.php?id=-2 UNION SELECT 1,2,3,4,"EXPLOITABLE",6,7,8-- <-- The word EXPLOITABLE did not appear on the page content so this column is not exploitable
and so on until it reaches the last column number, 8...
The 'keyword' being a word that would not normally be found on a webpage so that false positives are prevented, e.g. EXPLOITABLE, InJeCtAbLE, AASSDDFFGG (or any variable you want).
The problem I am having:
As I am writing an SQL injection tool/fuzzer I am looking to find the best way to find these exploitable columns in an automated/scriptable way, and the most logical method seems to be the one described above using the 'keyword' (unless anyone can suggest a better way).
This is because I can then just GET each URL with the UNION SELECT and the 'keyword', store the response-content and then see if the variable 'keyword' I used appears in the response-content. If it does then I will know it is exploitable; if not I will then move onto the next URL and so on until the script has tried this on all column numbers.
Would this be the best/most reliable method to determine exploitable columns using UNION SELECT or can you suggest any better method to use?
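From the defender's side, the probing sequence described in this question (ORDER BY to count columns, then a fixed marker string walked across the UNION SELECT positions) leaves a distinctive trail in web server access logs. The following is an added example, not code from the original post: it parses constructed Common Log Format lines, decodes the query string, and flags a client that has walked a marker across several positions of a fixed-width UNION SELECT; the log lines, IPs and the two-position threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format); IPs are from documentation ranges.
# The sequence mirrors the manual probing described in the question above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=2%20ORDER%20BY%208-- HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=2%20ORDER%20BY%209-- HTTP/1.1" 500 320
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=-2%20UNION%20SELECT%20%22EXPLOITABLE%22,2,3,4,5,6,7,8-- HTTP/1.1" 200 4801
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?id=-2%20UNION%20SELECT%201,%22EXPLOITABLE%22,3,4,5,6,7,8-- HTTP/1.1" 200 4801
203.0.113.5 - - [10/Oct/2023:13:55:46 +0000] "GET /index.php?id=-2%20UNION%20SELECT%201,2,%22EXPLOITABLE%22,4,5,6,7,8-- HTTP/1.1" 200 4812
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5010
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(?P<cols>.+?)(?:--|#|$)', re.IGNORECASE)
ORDER_RE = re.compile(r'order\s+by\s+(\d+)', re.IGNORECASE)

def parse_columns(cols_text):
    """Return (column count, {position: literal}) for a UNION SELECT column list."""
    cols = [c.strip() for c in cols_text.split(',')]
    markers = {i: c.strip('\'"') for i, c in enumerate(cols, 1) if c[:1] in ('"', "'")}
    return len(cols), markers

def analyse(log_text):
    """Summarise, per client IP, ORDER BY enumeration and UNION marker probes."""
    stats = defaultdict(lambda: {'order_by_max': 0, 'union_probes': 0,
                                 'column_counts': set(), 'marker_positions': set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote_plus(m.group('target'))  # decode %20, %22 etc. before matching
        rec = stats[m.group('ip')]
        ob = ORDER_RE.search(target)
        if ob:
            rec['order_by_max'] = max(rec['order_by_max'], int(ob.group(1)))
        u = UNION_RE.search(target)
        if u:
            n, markers = parse_columns(u.group('cols'))
            rec['union_probes'] += 1
            rec['column_counts'].add(n)
            rec['marker_positions'].update(markers)
    return {ip: rec for ip, rec in stats.items() if rec['union_probes'] or rec['order_by_max']}

def is_column_walk(rec):
    """Assumed heuristic: a quoted literal seen in >= 2 positions of a UNION SELECT
    with a constant column count is the automated marker walk from the question."""
    return len(rec['column_counts']) == 1 and len(rec['marker_positions']) >= 2
```

Run `analyse(SAMPLE_LOG)` and pass each record to `is_column_walk` to get a per-IP verdict; in practice, an ORDER BY that flips from 200 to 500 immediately before the walk is a second strong signal worth correlating.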