
SQL injection


ghost

So, I decided to practice SQL on a random vulnerable site to see if I could actually do some kind of web hacking outside of this site.

First off, if anyone thinks this is a bad idea, then tell me now. But I'm merely doing this to practice, not to do anything malicious.

I found a vulnerable site, used ORDER BY and found the number of columns.

Then I tried the UNION statement… the only problem is, I don't know what to select from or how to find it. I tried Google, but this is something that has stumped me. In general, how do you know what table to select from? Will it be in the source code somewhere? Do I just have to take wild guesses? Or should I try simpler injections to discover that information?

Any advice on this would be much appreciated.


clone4 (Perl-6 Wisdom Seeker)

sharline23 wrote: So, I decided to practice SQL on a random vulnerable site to see if I could actually do some kind of web hacking outside of this site.

First off, if anyone thinks this is a bad idea, then tell me now. But I'm merely doing this to practice, not to do anything malicious.

I found a vulnerable site, used ORDER BY and found the number of columns.

Then I tried the UNION statement… the only problem is, I don't know what to select from or how to find it. I tried Google, but this is something that has stumped me. In general, how do you know what table to select from? Will it be in the source code somewhere? Do I just have to take wild guesses? Or should I try simpler injections to discover that information?

Any advice on this would be much appreciated.

To answer your first question, no, I think nobody minds; make sure you use a proxy, just to be safe. But from my experience the best way to start off with SQL injections is to have your own MySQL on Apache, and then code and try injections locally.

The SQL injection you are trying is fully called blind SQL injection, and guess why: because you don't see the names of columns and/or tables. This however doesn't mean that you can't find them out. One of the common ways is through error messages: if the coder was careless enough to actually print the error message you get from the injection to the page, you are halfway there, since with some injections you can force the script to print out the table/column names. If you have the right privileges, you can try to access the schema table, which contains all data about all the tables within that database (for more info refer to this site: http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/).

Lastly, it should never be 'wild' guessing: you try the common names for columns and tables (users/user, username/password, etc.), look at POST and GET variables (it's quite common that those match the SQL database names), and just look around for any hints the programmer may have left (checking the source, comments, etc.). And lastly, you can always write an SQL injection bruteforcer (even though that's a very last resort ;))


fashizzlepop (Member)

Have you done Basic 21 yet? You should start there. It will make you learn what injections you need, including how to find what tables to look for.

And no they aren't in the source.

EDIT: Little late but should still help.


ghost

I'd say it's better to try on your own server, since you can never be too careful. :)


ghost

Alright, thanks a lot guys. This really helped me to understand SQL better and I am going to code my own server now. B)


ghost

clone4 wrote: If you have right privileges, you can try to access the schema table

Just check to see what version of MySQL they're running and that'll tell you whether or not information_schema is present.

As far as knowing what to select, you select the number of columns. (union+all+select+1,2,3,4,5--) << Something like that. Whatever numbers are displayed on the page correspond with a column through which you can display information.
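The two defects the thread turns on (the request parameter spliced into the query, and the database error echoed to the page) and their fixes, as an added example that is not HBH's code nor any poster's. It assumes Python's standard sqlite3 module standing in for the MySQL-on-Apache practice setup clone4 recommends, with a constructed products/users schema; the column-count (ORDER BY) and UNION behaviour it shows is the one the last two posts describe, and the parameterized version shows why the same input does nothing once it is bound as a value.

```python
"""Vulnerable vs. parameterized product lookup against an in-memory SQLite DB.
Constructed example (not the forum's code); sqlite3 stands in for MySQL."""
import sqlite3


def build_db():
    """Constructed schema: a public products table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'not-a-real-hash');
        """
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """The defect the thread exploits: the request value is spliced into the SQL text."""
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    """The fix: the value is bound, so it is compared as data and never parsed as SQL."""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def handle_request(conn, product_id, leak_errors):
    """Error handling around the vulnerable lookup. Echoing the driver's message
    (leak_errors=True) tells the caller whether the column count was right, which
    is the careless behaviour clone4 describes; a generic message does not.
    Returns (rows, error_text)."""
    try:
        return lookup_vulnerable(conn, product_id), None
    except sqlite3.Error as exc:
        return [], (str(exc) if leak_errors else "invalid request")


def demo():
    """Runs the thread's steps against both lookups and returns the observations."""
    conn = build_db()
    # Column counting: ORDER BY 3 succeeds, ORDER BY 4 is out of range for a 3-column SELECT.
    order_ok, _ = handle_request(conn, "1 ORDER BY 3", leak_errors=True)
    _, leaked = handle_request(conn, "1 ORDER BY 4", leak_errors=True)
    _, generic = handle_request(conn, "1 ORDER BY 4", leak_errors=False)
    # UNION with the matching column count adds a row of marker numbers, which is
    # how the last post identifies the columns that actually render on the page.
    union_rows = lookup_vulnerable(conn, "1 UNION ALL SELECT 1,2,3")
    # The same text bound as a parameter is just a value that matches no id.
    safe_rows = lookup_parameterized(conn, "1 UNION ALL SELECT 1,2,3")
    normal_rows = lookup_parameterized(conn, "1")
    return {
        "order_ok": order_ok,
        "leaked_error": leaked,
        "generic_error": generic,
        "union_rows": union_rows,
        "safe_rows": safe_rows,
        "normal_rows": normal_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things to read off the output: the vulnerable lookup returns the extra `(1, 2, 3)` row, and the leaked error text differs between ORDER BY 3 and ORDER BY 4, which is exactly the signal the thread uses to count columns. The parameterized lookup returns the normal row for `"1"` and nothing for the UNION text, and any error it raised would be returned as the same generic message, so neither signal exists.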