
I am studying SQL injection in some training webpages (so I don't know what the backend is). I am trying the next injection to get the DB type.

(1) http://url/?departamento=1 union select user()

This way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new sentence, the data is returned correctly, so the DB is MySQL (I can even see the DB name with this new injection):

(2) http://url/?departamento=1 union select 1,user()

Nevertheless, if I change the injection again to one of these, the results change.

(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)
(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)

I don't understand why I should add more columns (in the 2nd select statement) to see the data. Why is this happening?

Thanks!

Miguel.G
  • If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the `departamento=1` parameter expects two fields. – digijay Nov 25 '18 at 19:21
  • @D.Joe Nice, thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D – Miguel.G Nov 25 '18 at 19:24
  • It's just like in this cartoon: https://xkcd.com/327/ Keep hacking! :o) – digijay Nov 25 '18 at 19:32

1 Answer


Suppose the backend is Java; the code is doing something similar to this:

import java.sql.Connection;
import java.sql.Date;
import java.sql.ResultSet;
import java.sql.Statement;

// 1 union select 1,user()
String query = "select a, b, c from someTable where departamento = "
             + request.getParameter("departamento"); // the injection is here
try (Statement stmt = con.createStatement()) {
  // the concatenated text is sent to the database as-is
  try (ResultSet rs = stmt.executeQuery(query)) {
    while (rs.next()) {
      int a = rs.getInt(1); // column "a"
      String b = rs.getString(2); // column "b"
      Date c = rs.getDate(3); // column "c"
      System.out.println("a: " + a + ", b: " + b + ", c: " + c);
    }
  }
}

For the injection to work, you need to generate a valid SQL statement.

  • Your union must have the same number of columns as the source query.
  • Your column types must match; the type of each column in the first subquery must be the same as in the second subquery (some databases may fail the query because of that).
  • Your criteria ("1") must match the right-hand side of the filter (departamento).
  • Probably specific to Java (and this example): for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produces a string not convertible to a number.
NoDataFound
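To make the column-count and column-type rules above concrete, here is an added example (not code from the question or the answer) that reproduces the four payloads from the question against an in-memory SQLite database, then shows the parameterised query that removes the injection. Everything in it is constructed for the demo: the table `someTable` with two result columns (matching the observation that payload (2) works and (1)/(3) do not), and `sqlite_version()` standing in for MySQL's `user()`, which SQLite does not have. `render_like_java` imitates the JDBC loop in the answer, reading column 1 as an integer, to show why payload (4) is accepted by the database but still displays nothing.

```python
import sqlite3

# Name of the database function that stands in for MySQL's user() in this demo.
DB_FUNC = "sqlite_version()"
DB_VERSION = sqlite3.sqlite_version


def make_db():
    """Constructed sample schema: the real query returns two columns (a, b)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table someTable (departamento integer, a integer, b text)")
    con.executemany("insert into someTable values (?, ?, ?)",
                    [(1, 10, "ventas"), (2, 20, "compras")])
    return con


def vulnerable_lookup(con, departamento):
    """The pattern from the answer: the parameter is concatenated into the SQL
    text, so whatever it contains is parsed as part of the statement.
    Returns (rows, error_message)."""
    query = "select a, b from someTable where departamento = " + departamento
    try:
        return con.execute(query).fetchall(), None
    except sqlite3.OperationalError as exc:
        # e.g. a UNION whose column count does not match the left-hand SELECT
        return [], str(exc)


def render_like_java(rows):
    """Imitate the answer's JDBC loop: column 1 is read as an int, column 2 as
    text. If a UNION puts a string into column 1, the SQL succeeds but this
    step fails, which is the answer's fourth bullet and the question's case (4).
    Returns (rendered_lines, error_message)."""
    rendered = []
    for a, b in rows:
        try:
            rendered.append(f"a: {int(a)}, b: {b}")
        except (TypeError, ValueError) as exc:
            return rendered, f"cannot read column 1 as a number: {exc}"
    return rendered, None


def safe_lookup(con, departamento):
    """Parameterised form: the value is bound to the placeholder and is never
    parsed as SQL, so a UNION in the input is just a non-matching value."""
    query = "select a, b from someTable where departamento = ?"
    return con.execute(query, (departamento,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payloads = {
        "(1) one column":   f"1 union select {DB_FUNC}",
        "(2) two columns":  f"1 union select 1,{DB_FUNC}",
        "(3) three columns": f"1 union select 1,2,{DB_FUNC}",
        "(4) text in col 1": f"1 union select {DB_FUNC},2",
    }
    for label, payload in payloads.items():
        rows, err = vulnerable_lookup(con, payload)
        rendered, render_err = render_like_java(rows)
        print(label, "->", err or render_err or rendered)
    print("parameterised:", safe_lookup(con, payloads["(2) two columns"]))
```

Running it shows that (1) and (3) are rejected by the database itself (the UNION column counts differ), (2) returns the version string alongside the legitimate row, and (4) is accepted by the database but fails when column 1 is read as a number. The parameterised lookup returns no rows for any of the payloads, since the whole string is compared as a value rather than executed.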