Mutillidae — Lab 10 — Pivoting with SQL Injection

Daniel Schwarzentraub
3 min read, Sep 19, 2022

This lab can be found under: Labs > SQL Injection > Lab 10 — Pivoting with SQL Injection

If we run a UNION SELECT against the guessed table name and the page renders without a database error, we know we have the table name correct: ' union select 1,2,3,4,5,6,7 from credit_cards -- -

We can retrieve the database type, version, and user via the following command (in this command only the space after the two dashes is required; I add the third dash for readability).

We can use another command to list all of the installed databases.

This next command retrieves all of the tables within the mutillidae database.

https://dev.mysql.com/doc/refman/8.0/en/information-schema.html#:~:text=INFORMATION_SCHEMA%20provides%20access%20to%20database,data%20dictionary%20and%20system%20catalog.

https://docs.tibco.com/pub/streambase_cep/7.6.2/doc/html/authoring/tableschema.html#:~:text=A%20table%20schema%20is%20a,secondary%20indices%20(if%20any).

Now we need to find out which columns exist within the credit_cards table.

As you can see, the table has 4 columns, but only 3 of the injected fields are displayed on the page, so we can pull all of the data by concatenating 2 columns together into 1. You'll notice that the 3-digit CCV number and the expiration date both end up in the signature line.

Answer: 1234567812345678
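As an added example that is not part of the lab or the original post, the following Python/sqlite3 snippet shows why the UNION payload from the first step works and what the fix looks like: the vulnerable lookup splices the input into the SQL text, the fixed one binds it as a parameter. The accounts and credit_cards tables, their column names, and the rows are constructed stand-ins, not Mutillidae's real schema.

```python
import sqlite3

# Constructed stand-in for the lab database (column names are assumptions,
# not Mutillidae's schema). accounts has 7 columns because the lab's UNION
# payload supplies 7 expressions; credit_cards is the table the payload pivots to.
SCHEMA = """
CREATE TABLE accounts(cid, username, password, mysignature, is_admin, firstname, lastname);
CREATE TABLE credit_cards(ccid, ccnumber, ccv, expiration);
INSERT INTO accounts VALUES (1, 'admin', 'adminpass', 'sig', 1, 'System', 'Admin');
INSERT INTO credit_cards VALUES (1, '1234567812345678', '123', '2024-11');
INSERT INTO credit_cards VALUES (2, '8765432187654321', '456', '2025-01');
"""

# The payload from the write-up, verbatim.
PAYLOAD = "' union select 1,2,3,4,5,6,7 from credit_cards -- -"

COLUMNS = "cid, username, password, mysignature, is_admin, firstname, lastname"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    # The bug: the quote in the input closes the string literal, the rest of the
    # input becomes SQL, and "-- " comments out the trailing quote. With a wrong
    # table name the UNION raises OperationalError, which is how the lab
    # confirms that credit_cards exists.
    sql = f"SELECT {COLUMNS} FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    # The fix: the value is bound as a parameter, so it can never alter the
    # statement's structure; the whole payload is just an unmatched username.
    sql = f"SELECT {COLUMNS} FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    # UNION deduplicates, so the constant row appears once, but it only appears
    # at all because the second SELECT really ran against credit_cards.
    print(lookup_vulnerable(db, PAYLOAD))  # [(1, 2, 3, 4, 5, 6, 7)]
    print(lookup_fixed(db, PAYLOAD))       # []
```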

Assistance from this great author:
