This method is one of the more advanced SQL Injection methods. There are three steps.First, we have to generate an error so that we can see the table names (so that we can create a privileged account). Next we have generate a slightly different error to gain another important table name. Finally, we will inject SQL in order to create a new administrator account.
To accomplish our first goal we will inject something like the following:
Username: ‘Having1=1–
Enter this and leave the password field blanks. Once this is injected we will, hopefully, receive an error message that will reveal a table name. We are hoping to get an error such as this:
Column user_member.user_id is invalid and was not found etc.
The error will be longer than that but all we really need is the table name.
‘user_member.id’. Next, we will inject some SQL so that we can produce yet another error. Like so:
‘UNION SELECT * FROM user_member WHERE USER_ID=‘admin’ GROUP BY USER_ID HAVING 1=1;–
Now we have generated another error. The error may look something like the following :
Column user_member.user_id is invalid and was not found… Column user_member.passwd is invalid and was not found etc.
The above example shows us that there user_member.passwd holds the passwords. We will now attempt to create another user, thus gaining us privileges. Use the bellow code in the Username field to insert the user :
‘INSERT INTO user_member (USER_NAME, LOGIN_ID,PASSWORD, CREATION_DATE) VALUES(‘Ethernet’,’hacked’,’hacked’,GETDATE();–
Success! We can now login with the username ‘Ethernet’ and the password ‘hacked’.Please note that the errors have been shortened down and everything simplified for the purpose of this post.
