SQL Injection Method (Advanced)

The idea here is to find the e-mail addresses stored in the database. The first thing that should come to mind when trying to pull information out of a database is SQL injection.
If you are not sure how SQL injection works, read the post SQL Injection Walkthrough. You will notice that SQL injection does work here: if you play around with the site and enter an invalid e-mail address, you get an error saying it could not insert the e-mail address into the table ‘email’. This is important information, because it tells us the name of the table we are looking for. Another thing you should notice is that the page products.php takes a query string:

products.php?category=1

This is indicating to me that the page is doing something like this:

SELECT * FROM products WHERE category=1

What we should try, then, is UNION. UNION allows us to merge the results of two SELECT statements into one. For example:

SELECT * FROM table1 UNION ALL SELECT * FROM table2

would return all the rows from table1 followed by all the rows from table2. It is important to note that in order to use UNION the two SELECTs must return the same number of columns, so if table1 has five columns, table2 must have five columns.

So let’s find out how many columns the tables have. We can start with the products table because it is the easy one. If we use the ORDER BY clause we can methodically increase its value. So

products.php?category=1 ORDER BY 1

might change the page slightly. As we increase the number you may continue to notice changes. It is not until you go too far that the page looks completely different (a blank page, an error, or something else). If you try:

products.php?category=1 ORDER BY 5

you will see what I mean, which indicates that the number of columns in products is four.

Now for the email table. Let’s assume that the email table has only one column (the e-mails). That means we would have to add at most three columns. We can achieve this with NULL. If we have three NULL columns plus the e-mail column (which adds up to four) and still get no results, we know that the email table has more columns than the products table. In that case we would have to remove the NULL columns from the email side and start adding them to the products side.
I know what you’re thinking… ”What am I talking about?” Let’s take a look. We start with this:

products.php?category=1 UNION ALL SELECT *, NULL FROM email

We get nothing, so we add another NULL:

products.php?category=1 UNION ALL SELECT *, NULL, NULL FROM email

Nothing again, so another NULL. But note that this is the last one we can add, as explained above:

products.php?category=1 UNION ALL SELECT *, NULL, NULL, NULL FROM email

You will notice a bunch of broken images at the bottom. You have it. If you still get nothing, that is when the email table has more columns than the products table, and you would have to add the NULL columns to the products side instead.
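The probing sequence above (incrementing ORDER BY values, then UNION ALL SELECT with growing NULL padding) leaves a very recognisable trail in a web server's access log. The following detector is an added example, not part of the original post or of HTS: it parses a few constructed Apache-style log lines (invented for this example), URL-decodes the query string and tags the SQL fragments the post describes, so a defender can spot the enumeration while it is still at the ORDER BY stage.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from any real server). The requests from
# 10.0.0.9 mirror the probes walked through in the post; the others are normal.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products.php?category=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /products.php?category=1%20ORDER%20BY%201 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /products.php?category=1%20ORDER%20BY%205 HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /products.php?category=1+UNION+ALL+SELECT+*,+NULL,+NULL,+NULL+FROM+email HTTP/1.1" 200 6144',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /products.php?category=2 HTTP/1.1" 200 4980',
]

# Common Log Format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each pattern corresponds to one step of the enumeration described in the post.
PROBE_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "null_padding": re.compile(r"\bnull\s*,\s*null\b", re.I),
}


def parse_line(line):
    """Split one log line into fields and decode its query string; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %20 and '+' so the SQL keywords are visible to the patterns.
    rec["decoded_query"] = unquote_plus(urlsplit(rec["path"]).query)
    return rec


def classify(decoded_query):
    """Return the names of every probe pattern that matches the decoded query."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded_query)]


def scan(lines):
    """Return one hit record per log line that carries an injection probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["decoded_query"])
        if tags:
            hits.append({"ip": rec["ip"], "status": int(rec["status"]),
                         "tags": tags, "query": rec["decoded_query"]})
    return hits


def suspicious_clients(hits, threshold=2):
    """Clients with at least `threshold` probe hits, i.e. an enumeration in progress."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ip"], hit["status"], hit["tags"], hit["query"])
    print("suspicious:", suspicious_clients(scan(LOG_LINES)))
```

A single ORDER BY request is weak evidence on its own, which is why the block counts hits per client: the post's method needs a run of them, and the 500 on ORDER BY 5 (the "too far" step) is the point at which an alert should already have fired.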

Now when I said you had it I really meant it, but you are probably asking where the e-mail addresses are. View the page source. There they are. If you want to see the e-mail addresses rendered on the page, try moving the * around:

products.php?category=1 UNION ALL SELECT NULL, *, NULL, NULL FROM email
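Everything above works only because the category value is pasted into the SQL text and parsed as SQL. The following is an added example, not code from the post or from HTS: it reproduces the inferred products.php query against an in-memory SQLite database with a constructed schema (four columns in products, one in email, which is an assumption standing in for the real mission tables), shows why ORDER BY 5 and the under-padded UNION fail while the fully padded one leaks the e-mail rows, and then shows the parameterised form of the same query, for which the identical input simply matches nothing.

```python
import sqlite3

# Constructed schema standing in for the mission's database (an assumption: the
# real HTS schema is not shown on the page). products has four columns, as the
# ORDER BY probing in the post concludes; email has a single column.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, category INTEGER, image TEXT);
CREATE TABLE email (address TEXT);
INSERT INTO products VALUES (1, 'Widget', 1, 'widget.png');
INSERT INTO products VALUES (2, 'Gadget', 2, 'gadget.png');
INSERT INTO email VALUES ('alice@example.com');
INSERT INTO email VALUES ('bob@example.com');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_products(conn, category):
    """The pattern the post infers behind products.php: the query-string value
    is concatenated into the SQL text, so whatever it contains is parsed as SQL."""
    sql = "SELECT * FROM products WHERE category=" + category
    return conn.execute(sql).fetchall()


def safe_products(conn, category):
    """Hardened form: the value is bound as a parameter. SQL and data travel to
    the engine separately, so the input can never change the query's shape."""
    return conn.execute("SELECT * FROM products WHERE category=?", (category,)).fetchall()


def outcome(fn, conn, category):
    """Run one query function and report ('rows', rows) or ('error', message),
    making the column-count failures the post relies on visible rather than fatal."""
    try:
        return ("rows", fn(conn, category))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    # The same inputs the post walks through, sent to both implementations.
    for value in ["1",
                  "1 ORDER BY 4",
                  "1 ORDER BY 5",
                  "1 UNION ALL SELECT *, NULL FROM email",
                  "1 UNION ALL SELECT *, NULL, NULL, NULL FROM email"]:
        print("vulnerable:", value, "->", outcome(vulnerable_products, conn, value))
        print("safe:      ", value, "->", outcome(safe_products, conn, value))
```

Two details are worth noticing in the output: the vulnerable version turns ORDER BY 5 and the two-column UNION into database errors (the "page looks completely different" signal the post uses), which is exactly the information a verbose error page hands to the prober, and the bound-parameter version returns an empty result for the injected string rather than an error, because the engine compares it to the integer column as an ordinary value. In a real products.php the category would additionally be validated as an integer before the query runs, so the input would be rejected even earlier.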

The hardest part was finding where to send the e-mail addresses through the HTS mail system. If you do not know how to send them, click your username in the top left corner to go to your profile, then click your username again in the profile and a message composition box will open. Copy and paste the e-mails into the message area and send the message to ‘SaveTheWhales’.

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by the entrepreneurial bug, I got kicked out of college and ended up a millionaire running a digital media company named Aeron7, headquartered in Lithuania.
