Ultimate SQL Injection Tutorial For Beginners

------------------------------------------------------------------------
1A: Understanding SQL Injection
SQL Injection is one of todays most powerful methods of system penetration, using error

based queries one is able to extract data (tables & columns) from a vulnerable system,

namely the (database).

1B: Tricks & Tips
Beginners tend to believe that using tools created by advanced SQL injection artists are the

best way around things, please believe that they aren't, everything seems nice and easy with

tools such as (BSQLi and SQLi Helper) which they are, but the users posting the download

links for both applications around the world on hacking forums have been known to very

securely encrypt these tools with malicious files or backdoors etc, I've experienced this

first hand when I first started out. Learning everything manually will help you understand

the environment you are attempting to penetrate, whilst experimenting with commands you have

learnt will only help you become more advanced in SQL injection, as for tricks, there are

many articles named (Cheat Sheets) because this is what they are, purposely created for SQL

injectors to use commands which aren't normally spoken of or known about, Samples are

provided to allow the reader to get basic idea of a potential attack.

1C: Requirements:
When I first started SQL injection personally for me it wasn't to hard to get on the ball

and learn quickly, this is because I had previous knowledge of web-scripts, how the internet

works, and the ability to read and understand complicated tutorials. I believe it's a whole

lot easier if you know the basics of a computer system and how the internet works.
To learn you must be able to read and understand the tutorial or article provided and take

on board everything you see. When I was a beginner I found it easier to attack whilst

reading, do everything in stages, don't read the whole tutorial and go off and expect to

inject off the top of your head.

------------------------------------------------------------------------
2A Searching for Targets
Ahh, the beauty of searching for targets is a lot easier than it sounds, the most common

method of searching is (Dorks). Dorks are an input query into a search engine (Google) which

attempt to find websites with the given texxt provided in the dork itself. So navigate to

Google and copy the following into the search box:
inurl:"products.php?prodID="
This search will return websites affiliated with Google with "products.php?prodID=" within

the URL.
You can find a wide range of dorks to use by searching the forum.
I advise you to create your own dorks, be original, but at the same time unique, think of

something to use that not many people would have already searched and tested.
An example of a dork I would make up:
inurl:"/shop/index.php?item_id=" & ".co.uk"
So using your own dorks isn't a bad thing at all, sometimes your dorks wont work, nevermind

even I get it..

------------------------------------------------------------------------
2B: Testing Targets for Vulnerabilities
It's important that this part's done well. I'll explain this as simply as I can.
After opening a URL found in one of your dork results on Google you now need to test the

site if it's vulnerable to SQL injection.

Example:
http://www.site.com/index.php?Client_id=23

To test, just simply add an asterik ' at the end of the URL

Example:
http://www.site.com/index.php?Client_id=23'

How to tell if the sites vulnerable:
- Missing text, images, spaces or scripts from the original page.
- Any kind of typical SQL error (fetch_array) etc.

So if the website you're testing produces any of the above then the site is unfortunately

vulnerable, which is where the fun starts.

------------------------------------------------------------------------
2C: Finding Columns & the Vulnerable Columns
As I noted in the first section of the tutorial I advise you do pretty much everything

manually with SQL injection, so by using the following commands (providing they're followed

correctly) you will begin to see results in no time :D

Example:
http://www.site.com/index.php?Client_id=23'
^^^^^^^^^^^^^^^^^^^^^^^^
IF THE SITE IS VULNERABLE
Refer to the following to checking how many columns there are.
(order+by) the order by function tells the database to order columns by an integer (digit

e.g. 1 or 2), no errors returned means the column is there, if there's an error returned the

column isnt there

wxw.site.com/index.php?Client_id=23+order+by+1 < No Error
wxw.site.com/index.php?Client_id=23+order+by+2 < No Error
wxw.site.com/index.php?Client_id=23+order+by+3 < No Error
wxw.site.com/index.php?Client_id=23+order+by+4 < ERROR

From using order+by+ command and incremating the number each time until the page

displays an error is the easiest method to find vulnerable columns, so from the examples

above when attempting to order the columns by 4 there's an error, and so column 4 doesn't

exist, so there's 3 columns.

------------------------------------------------------------------------
2D: Finding Vulnerable Columns
Ok so let's say we were working on the site I used above, which has 3 columns. We now need

to find out which of those three coluns are vulnerable. Vulnerable columns allow us to

submit commands and queries to the SQL database through the URL. (union+select)

Selects all columns provided in the URL and returns the value of the vulnerable column e.g.

2.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3

The site should refresh, not with an error but with some content missing and a number is

displayed on the page, either 1, 2 or 3 (as we selected the three columns in the above URL

to test for column vulnerability).
Sometimes the page will return and look completely normal, which isn't a problem. Some sites

you are required to null the value you're injecting into.

In simpler terms, the =23 you see in the above URL after Client_id must be nulled in order

to return with the vulnerable column. So we simply put a hyphen (minus sign) before the 23

like so: -23
So the URL should now look something like this:

wxw.site.com/index.php?Client_id=-23+union+select+1,2,3

Now that should work, let's say the page refreshes and displays a 2 on the page, thus 2

being the vulnerable column for us to inject into.