In SQL (Structured Query Language) Injection, there are many kinds of techniques that are partnered with UNION SELECT statements like LOAD_FILE(), INTO OUTFILE(), INFORMATION_SCHEMA, Char(), CAST(), and LIMIT. Most attackers usually take advantage of the union statements, information_schema, and the order by statements but neglecting some of the techniques just for the sake of getting the usernames and the passwords of the website administrator, just like the example below:
Below is the sample code I wrote and used for this article:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | <?php// Jay Turla made this script vulnerable on purpose :p$id= $_GET["id"];// Open a Connection to the MySQL Server$con= mysql_connect("localhost", "username", "password");if(!$con){ die('Could not connect to the MySQL Server :( '. mysql_error());}//Set Databasemysql_select_db("database_name", $con);// SQL Query$sql= "SELECT * FROM table_name where id_number = $id";echo"<h2>I am Vulnerable to SQL Injection :)</h2><br /> ";$res= mysql_query($sql);while($row= mysql_fetch_array($res)){ echo"<strong>Username:</strong> ". $row['username'] . "<br />"; echo"<strong>Password:</strong> ". $row['password'] . "<br />"; echo"<strong>Signature:</strong> ". $row['mysignature'] . "<br />"; echo"<br />";}// Close a Connectionmysql_close($con);?> |
Now, let’s get to the point! In this article, let’s discuss the possible things we can do using the MySQL LOAD_FILE() function and a new tool called SQLNuke.
read more...........http://resources.infosecinstitute.com/sqlnuke-simple-but-fast-mysql-injection-load_file-fuzzer/