Ultimate SQL Injection Tutorial For Beginners
------------------------------------------------------------------------
1A: Understanding SQL Injection
SQL Injection is one of today's most powerful methods of system penetration. Using error-based
queries one is able to extract data (tables & columns) from a vulnerable system, namely its
database.
1B: Tricks & Tips
Beginners tend to believe that using tools created by advanced SQL injection artists is the
best way around things. Please believe that it isn't. Everything seems nice and easy with
tools such as BSQLi and SQLi Helper, which they are, but the users posting the download
links for both applications on hacking forums around the world have been known to bundle
these tools, well encrypted, with malicious files or backdoors etc. I've experienced this
first hand when I first started out. Learning everything manually will help you understand
the environment you are attempting to penetrate, whilst experimenting with commands you have
learnt will only help you become more advanced in SQL injection. As for tricks, there are
many articles named (Cheat Sheets), because that is what they are: purposely created for SQL
injectors to use commands which aren't normally spoken of or known about. Samples are
provided to allow the reader to get a basic idea of a potential attack.
1C: Requirements:
When I first started SQL injection, personally for me it wasn't too hard to get on the ball
and learn quickly. This is because I had previous knowledge of web scripts, how the internet
works, and the ability to read and understand complicated tutorials. I believe it's a whole
lot easier if you know the basics of a computer system and how the internet works.
To learn you must be able to read and understand the tutorial or article provided and take
on board everything you see. When I was a beginner I found it easier to attack whilst
reading: do everything in stages, don't read the whole tutorial and go off and expect to
inject off the top of your head.
------------------------------------------------------------------------
2A: Searching for Targets
Ahh, the beauty of it: searching for targets is a lot easier than it sounds. The most common
method of searching is dorks. Dorks are an input query into a search engine (Google) which
attempts to find websites containing the text provided in the dork itself. So navigate to
Google and copy the following into the search box:
inurl:"products.php?prodID="
This search will return websites indexed by Google with "products.php?prodID=" within
the URL.
You can find a wide range of dorks to use by searching the forum.
I advise you to create your own dorks, be original, but at the same time unique, think of
something to use that not many people would have already searched and tested.
An example of a dork I would make up:
inurl:"/shop/index.php?item_id=" & ".co.uk"
So using your own dorks isn't a bad thing at all. Sometimes your dorks won't work, never mind,
even I get that..
------------------------------------------------------------------------
2B: Testing Targets for Vulnerabilities
It's important that this part's done well. I'll explain this as simply as I can.
After opening a URL found in one of your dork results on Google you now need to test whether
the site is vulnerable to SQL injection.
Example:
http://www.site.com/index.php?Client_id=23
To test, simply add a single quote ' at the end of the URL
Example:
http://www.site.com/index.php?Client_id=23'
How to tell if the site's vulnerable:
- Missing text, images, spaces or scripts from the original page.
- Any kind of typical SQL error (fetch_array etc.).
So if the website you're testing produces any of the above then the site is unfortunately
vulnerable, which is where the fun starts.
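From the defending side, the probe this section describes, and the order by / union select strings the next two sections go on to use, leave a recognisable trail in the web server's access log. The following is an added example and not part of the original tutorial: a small Python script that parses Common Log Format lines, decodes each query-string value the way the application would receive it, tags the three probe patterns, and reports the "order by 1, 2, 3, 4" walk from one client as a sequence rather than as isolated hits. The log lines, IP addresses and the index.php?Client_id= page in it are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Common Log Format). It replays the probes this
# tutorial describes against a hypothetical index.php?Client_id= page, followed
# by one ordinary request from a different client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?Client_id=23 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?Client_id=23%27 HTTP/1.1" 500 412
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?Client_id=23+order+by+1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:55 +0000] "GET /index.php?Client_id=23+order+by+2 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?Client_id=23+order+by+3 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:56:07 +0000] "GET /index.php?Client_id=23+order+by+4 HTTP/1.1" 500 412
203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?Client_id=-23+union+select+1,2,3 HTTP/1.1" 200 4801
198.51.100.4 - - [10/Oct/2023:13:57:01 +0000] "GET /index.php?Client_id=24 HTTP/1.1" 200 5203
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status, size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)


def classify(value):
    """Tag one decoded query-string value with the probe patterns it matches."""
    tags = []
    if "'" in value:
        tags.append("QUOTE_PROBE")
    if ORDER_BY_RE.search(value):
        tags.append("ORDER_BY_PROBE")
    if UNION_RE.search(value):
        tags.append("UNION_SELECT")
    return tags


def analyze(log_text):
    """Return (findings, enumerations).

    findings: one dict per request whose query string matched a probe pattern.
    enumerations: client IP -> sorted list of N seen in 'order by N', reported
    only once a client has tried three or more distinct values, which is the
    column-counting walk rather than a single stray request.
    """
    findings = []
    order_by_ns = {}
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, status, _size = m.groups()
        # parse_qs percent-decodes and turns '+' back into the space it encodes,
        # so "23+order+by+4" is inspected as "23 order by 4".
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                tags = classify(value)
                if not tags:
                    continue
                findings.append({"ip": ip, "time": when, "param": name,
                                 "value": value, "status": int(status), "tags": tags})
                for n in ORDER_BY_RE.findall(value):
                    order_by_ns.setdefault(ip, set()).add(int(n))
    enumerations = {ip: sorted(ns) for ip, ns in order_by_ns.items() if len(ns) >= 3}
    return findings, enumerations


if __name__ == "__main__":
    found, enums = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["param"], repr(f["value"]), ",".join(f["tags"]))
    for ip, ns in enums.items():
        print(f"{ip}: ORDER BY enumeration up to {ns[-1]}")
```

The 500 responses paired with the quote probe and with "order by 4" are the same symptom the section above tells the reader to look for, seen from the server side; the application should be returning a generic error page rather than the database's message, and the parameter should never reach the query unvalidated in the first place.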
------------------------------------------------------------------------
2C: Finding Columns & the Vulnerable Columns
As I noted in the first section of the tutorial, I advise you to do pretty much everything
manually with SQL injection, so by using the following commands (providing they're followed
correctly) you will begin to see results in no time :D
Example:
http://www.site.com/index.php?Client_id=23'
^^^^^^^^^^^^^^^^^^^^^^^^
IF THE SITE IS VULNERABLE
Refer to the following to check how many columns there are.
(order+by) The order by clause tells the database to order by a column number (an integer,
e.g. 1 or 2). No error returned means the column is there; if an error is returned the
column isn't there.
wxw.site.com/index.php?Client_id=23+order+by+1 < No Error
wxw.site.com/index.php?Client_id=23+order+by+2 < No Error
wxw.site.com/index.php?Client_id=23+order+by+3 < No Error
wxw.site.com/index.php?Client_id=23+order+by+4 < ERROR
Using the order+by+ command and incrementing the number each time until the page
displays an error is the easiest method to find the number of columns. So from the examples
above, when attempting to order by column 4 there's an error, and so column 4 doesn't
exist, so there are 3 columns.
------------------------------------------------------------------------
2D: Finding Vulnerable Columns
Ok so let's say we were working on the site I used above, which has 3 columns. We now need
to find out which of those three columns are vulnerable. Vulnerable columns allow us to
submit commands and queries to the SQL database through the URL.
(union+select) Selects all the columns provided in the URL and returns the value of the
vulnerable column, e.g. 2.
Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3
The site should refresh, not with an error but with some content missing, and a number is
displayed on the page, either 1, 2 or 3 (as we selected three columns in the above URL
to test for column vulnerability).
Sometimes the page will return and look completely normal, which isn't a problem. On some
sites you are required to null the value you're injecting into.
In simpler terms, the =23 you see in the above URL after Client_id must be nulled in order
to return the vulnerable column. So we simply put a hyphen (minus sign) before the 23,
like so: -23
So the URL should now look something like this:
wxw.site.com/index.php?Client_id=-23+union+select+1,2,3
Now that should work. Let's say the page refreshes and displays a 2 on the page, thus 2 is
the vulnerable column for us to inject into.
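To show why the order by and union select checks from 2C and 2D behave the way they do, and what removes them, here is an added example that is not from the tutorial: a Python/sqlite3 stand-in for a page like index.php?Client_id=, written once the way a vulnerable page is (the raw parameter concatenated into the SQL text) and once with input validation plus a bound parameter. The clients table, its rows and the column names are constructed for the example; the Client_id values are the ones used in the tutorial's URLs, with + decoded to a space as the web server would do.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db():
    """Constructed stand-in for the tutorial's site: a clients table whose lookup
    page selects three columns, so 'order by 4' errors and 'union select 1,2,3'
    has the right width to line up with the real result set."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, name TEXT, email TEXT, plan TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", [
        (23, "Acme Ltd", "ops@acme.example", "gold"),
        (24, "Globex", "it@globex.example", "silver"),
    ])
    return conn


def client_id_from_url(url):
    """Pull the Client_id value out of a URL the way the page receives it:
    '+' decodes to a space and %27 to a quote."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("Client_id", [""])[0]


def vulnerable_lookup(conn, client_id):
    """The pattern behind a vulnerable index.php?Client_id=: the raw parameter is
    glued into the SQL text. Returns ("ok", rows) or ("error", message); an
    error-based page renders that message, which is the symptom 2B looks for."""
    sql = "SELECT name, email, plan FROM clients WHERE id = " + client_id
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def hardened_lookup(conn, client_id):
    """Same lookup done safely: the value must parse as an integer, and it is
    passed as a bound parameter, so it can only ever be compared with id."""
    try:
        cid = int(client_id)
    except ValueError:
        return ("rejected", None)  # a real handler would answer 400 Bad Request
    rows = conn.execute("SELECT name, email, plan FROM clients WHERE id = ?", (cid,)).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    for url in [
        "http://www.site.com/index.php?Client_id=23",
        "http://www.site.com/index.php?Client_id=23'",
        "http://www.site.com/index.php?Client_id=23+order+by+3",
        "http://www.site.com/index.php?Client_id=23+order+by+4",
        "http://www.site.com/index.php?Client_id=-23+union+select+1,2,3",
    ]:
        value = client_id_from_url(url)
        print(f"{value!r:28} vulnerable={vulnerable_lookup(db, value)}")
        print(f"{'':28} hardened={hardened_lookup(db, value)}")
```

Running it prints the two handlers side by side: the concatenating version errors on 23' and on order by 4 (sqlite reports the ORDER BY term as out of range for a three-column select, which is exactly the signal 2C reads), and for -23 union select 1,2,3 it returns only the injected row (1, 2, 3) because no real client has id -23, which is why the tutorial nulls the value. The hardened version rejects every non-integer before anything reaches the database, and for a legitimate -23 simply returns no rows.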