The Art of Getting Along...

Skills needed in this mission:

Basic understanding of sql injection, including the commands used to modify existing tables

Ok, the first thing to do in this mission is, the same as in every other mission, explore the site and see what you can find. Now already you should notice something interesting. On the home page, there is a form that we may be able to exploit in some way. Testing that theory may yield some interesting and useful results. Now, on to the next page. This page displays a simple listing of three products and three descriptions. Not very interesting in itself, but take a look at the url... This may contain something we can use... Now let's check out the second page. Same situation as before, and again, take a look at the url...

---------------------------------

Now before we get into what must be done to complete the mission, let's talk about the way values are defined in the url bar using php. In our example, the url is "products.php?category=1". This basically is telling the php script to display information where the value for category is one. Experiment with that, try putting in other values instead of 1.

If you put in a two, you should have gotten the second products page. Fascinating, isn't it? If you put in a number that was not 1 or 2, you would have received

either an error, or a page that displayed incorrectly. In this case, it was a page that displayed incorrectly, ie. a blank page. If you put in a value that was not a number, you would have seen a page that displayed incorrectly as well, ie. a page containing an undefined image. This demonstrates our ability to modify, or select, the output from the table that the sql query is referancing. Doesn't seem to be a very secure page, now, does it?

----------------------------------

Ok, let me sum up what we have in the site so far. A home page, which contains a form that is vulnerable to sql injection, and two products pages, which are vulnerable to same. We know that there are at least two tables, one, that we know the name of, contains our ultimate objective, a list of all their emails. The second, which we do not know the name of, contains a list of products and descriptions, and outputs to a page we can see. We also know that we can modify what the output of that page is. What we need to do, is find some way of viewing the contents of the table containing the emails. Hmm... We need to view the CONTENTS of the table containing the emails, and we have a page in which we can modify the output to display different CONTENTS. Hmm... If at this point you are thinking that there must be some way to tell one or both of the two products pages to output the contents of the table containing the emails, then you are correct. Below are some sql commands that may prove useful.

-----------------------------------

UNION

The UNION command is used to join two tables into one output. For instance, if we had two tables, table1 and table2, and wanted to output both sets of data in one set of content, we might use the sql command:

SELECT all FROM table1 UNION SELECT all FROM table2

One thing about unions is that they require the same number of columns in every table that you're unioning, or it wont work....

(For more information check out: http://www.w3schools.com/sql/sql_union.asp )

SELECT

This command selects the column/s to be outputted from a table. So for instance, if we had a table (table1) and it contained 5 columns (column1, column2, column3, column4, and column5), and we wanted to display all the information in column1 and column4,