MySQL Injection: Manual Enumeration

Friday, August 30, 2013

Let's build on last week's post and go over some manual MySQL injection techniques. After reading up on and trying out some combinations of manual SQLi, I believe these are a good bunch to use.

If you want practice with manual SQLi, I recommend loading some vulnerable web applications such as Bricks, WebGoat, or DVWA. You can also check out our friends at vulnhub.com for pre-built VMs.

Although tools like SQLmap make our lives easier, it is still good to know how to manually test a database.


Please remember, this is solely for educational purposes. 
The techniques mentioned below are not to be used for malicious purposes outside of a controlled research environment.

Our goal in this scenario is to use a UNION SELECT query, but in order to use it one must first know the number of columns returned by the query being injected into. Let's dive into it!

Number of Columns


Detecting the number of columns can be done in two ways. The first method uses ORDER BY clauses, incrementing the column number until an error is returned.


The second method is using a UNION SELECT query and incrementing NULL values.



Vulnerable Columns


Great, so we determined how many columns the query returns, but now let's see which of those columns the web application actually displays on our screen. To do this, we provide a false query together with the UNION SELECT query.



Go Enumeration


Now that we know the numbers of the columns being displayed on the screen, we can use those to enumerate the database. In this scenario columns 1, 2 and 3 are being displayed, so we can use any of those to query the database and see the results.

Working Directory



Database Name



Table Name



Column Name

The first number in LIMIT is the column number (i.e. LIMIT ,1). Increase that number to see the different columns within the database.


Pulling Column Data


We now have the database name, table name, and column names. Let's pull some data from columns named 'username' and 'password'.

Hidden Bonus: Congrats! You found a hidden bonus. Use 'file_priv from mysql.user' and 'load_file('x')' to check for LFI vulnerabilities. Remember to use this in a controlled research environment and not for malicious intentions!

That's it! Some modifications might be needed depending on the web app (e.g. adding quotes, comments). The mitigations for this are the same as in our previous post on MS SQL injection.
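
From the defender's side, the two column-counting methods under Number of Columns show up in web server logs as one client sending ORDER BY or UNION SELECT NULL requests whose width grows step by step. The Python sketch below is an added example, not code from the original post; the log format, IP addresses, paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines: "<client> <request target>" (assumed format).
SAMPLE_LOG = """\
10.0.0.5 /item.php?id=1+ORDER+BY+1
10.0.0.5 /item.php?id=1+ORDER+BY+2
10.0.0.5 /item.php?id=1+ORDER+BY+3
10.0.0.5 /item.php?id=1+ORDER+BY+4
10.0.0.9 /list.php?sort=name&page=2
10.0.0.7 /item.php?id=1+UNION+SELECT+NULL
10.0.0.7 /item.php?id=1+UNION+SELECT+NULL,NULL
10.0.0.7 /item.php?id=1+UNION+SELECT+NULL,NULL,NULL
10.0.0.8 /search.php?q=order+by+date+tips
"""

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
UNION_NULLS = re.compile(
    r"\bunion\s+(?:all\s+)?select\s+((?:null\s*,\s*)*null)\b", re.I)

def longest_run(values):
    """Length of the longest run of consecutive integers among the values."""
    best = cur = 0
    prev = None
    for v in sorted(set(values)):
        cur = cur + 1 if prev is not None and v == prev + 1 else 1
        best, prev = max(best, cur), v
    return best

def find_column_probers(log_text, min_steps=3):
    """Map client -> probe kinds seen with at least min_steps incrementing widths."""
    widths = defaultdict(list)
    for line in log_text.splitlines():
        client, _, target = line.partition(" ")
        query = unquote_plus(target.partition("?")[2])  # decode %xx and '+'
        m = ORDER_BY.search(query)
        if m:
            widths[(client, "order_by")].append(int(m.group(1)))
        m = UNION_NULLS.search(query)
        if m:
            widths[(client, "union_null")].append(m.group(1).lower().count("null"))
    flagged = defaultdict(list)
    for (client, kind), seen in widths.items():
        if longest_run(seen) >= min_steps:  # a lone ORDER BY 1 is not a probe
            flagged[client].append(kind)
    return dict(flagged)

if __name__ == "__main__":
    print(find_column_probers(SAMPLE_LOG))
```

Requiring several incrementing steps from the same client keeps ordinary traffic, such as a search for "order by date", out of the results.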
