06-19-2011, 12:34 AM
SQL Injection
Hi, this thread covers all your basic SQL Injection needs. After reading this, you should be able to successfully retrieve Database information such as the username and password that are crucial for defacing sites.
Bookmark this for future reference if you want.
Let's start.
What is SQL Injection?
Hidden Content
Hidden Content
If the page simply refreshes, the site is not vulnerable. But if an error of any kind pops up, the site is prone to SQLi. When you have successfully found a vulnerable site, proceed to Step 2.
Hidden Content
Now here's where it gets tougher (not really). You have to look for errors as you enter new numbers. For example:
Hidden Content
The goal here is to find the lowest column number that shows the error. As you can see in the example, the lowest column that gave an error is column 6; therefore column 6 doesn't exist and there are only 5 columns.
Now we have to find which one of these five columns (it may be different in your case) is vulnerable. To do that, add this code to the end of the URL:
Hidden Content
Make sure to include the - at the beginning and the -- at the end; this is crucial. Remember that the code above may be different in your case depending on how many columns there are.
Now, if you see numbers on the screen, you can proceed. The very first number is the number of the vulnerable column. If the number is "4", that means that the 4th column is the vulnerable column.
Hidden Content
If the version is 5 or above, proceed. If not, it will be harder to hack. There are other tutorials covering how to hack database versions 4 or lower.
Now we must find the database name. To do this, replace the "@@version" from before with "concat(database())" like this:
Hidden Content
And BOOM! The database name should appear on your screen. Copy this somewhere safe, we will need this for later.
Hidden Content
Now, names appear. Look for obvious names hinting at tables where user information can be stored. You are looking for table names such as "Admin", "Users", "Members", "Admin_Id", "Admin_pass", "User_id", etc.
The last character is chopped off? Don't worry. Count how many tables you can see, then add this code based on the tables that you can see. We will be assuming that the last table you can see is the 8th table.
Hidden Content
This code is to view the 9th table. Replace the 8 with a 9 to view the 10th table, and so on until you find the table that you think has the most crucial information.
When you find the table, copy the name somewhere safe. We will need both the database and table names for the next step.
For this tutorial, we will be using the table name of "admin".
Hidden Content
Didju get an error? OH NO! YOU FAIL. Choose another site. Just kidding.
Go to the linked tool and type in your table name where it says "Say Hello to My Little Friend". In my case, this is the string that I got after I inputted "admin" to the input space:
Hidden Content
Now, replace the table name with hex as so:
Hidden Content
Notice how I added the "0x"; that indicates that hex is being used. Remember to get rid of the quotes.
Now after you enter this code, you should see where all the juicy information is contained. An example of what you should see is:
Hidden Content
Now say you want to view what is in the "Admin_Username" and the "Admin_pass", add this code (in this example we will be using "database" as the database name and "admin" for the table name):
Hidden Content
The "0x3a" will put a colon to where the information will be separated. You should get something like this:
Hidden Content
The username is "MyName" and the password is.. WAIT! That is MD5, crack this using Havij (download link hidden). Now as you can see, this is the login info:
Hidden Content
Now all you have to do is find the admin page, which is usually
Hidden Content
or something similar. There are tools online that will find you the admin page.
Any questions? PM me.
Well, that's it for this tutorial! Thanks for reading! :thumbs:
+rep for my work is appreciated.
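For the defensive side of what the post walks through (the id from the URL pasted straight into the query, then a UNION pulling rows out of the admin table), here is an added Python/sqlite3 example that is not from the post: the vulnerable pattern next to a bound-parameter version and a fully hardened version. The "admin" table and its "Admin_Username"/"Admin_pass" columns follow the post; the "news" table, the row contents and the hash value are constructed.

```python
import re
import sqlite3

# Constructed stand-in for the site's database: a public "news" table that the
# vulnerable page queries, and the "admin" table the post's final step reads.
# The hash is a constructed sample value, not a real credential.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE admin (Admin_Username TEXT, Admin_pass TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Welcome', 'First post')")
    conn.execute("INSERT INTO admin VALUES ('MyName', '5f4dcc3b5aa765d61d8327deb882cf99')")
    return conn

def fetch_news_vulnerable(conn, news_id):
    # The pattern the post exploits: the id from the URL is pasted into the SQL
    # text, so "-1 UNION SELECT ..." becomes part of the query and its two
    # selected columns come back in place of the news columns.
    sql = "SELECT title, body FROM news WHERE id=" + news_id
    return conn.execute(sql).fetchall()

def fetch_news_bound(conn, news_id):
    # Binding alone already stops the injection: the whole string is compared
    # against the id column as a value, never parsed as SQL, so no row matches.
    sql = "SELECT title, body FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()

def fetch_news_safe(conn, news_id):
    # Hardened form: reject anything that is not a plain integer before it
    # reaches the database, then bind the parsed value as a parameter.
    if not re.fullmatch(r"[0-9]+", news_id):
        raise ValueError("news id must be a positive integer")
    sql = "SELECT title, body FROM news WHERE id=?"
    return conn.execute(sql, (int(news_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "-1 UNION SELECT Admin_Username, Admin_pass FROM admin"
    print("vulnerable:", fetch_news_vulnerable(db, probe))  # admin row leaks
    print("bound only:", fetch_news_bound(db, probe))       # []
    try:
        fetch_news_safe(db, probe)
    except ValueError as exc:
        print("safe:", exc)
```

The bound-only version shows that parameter binding is what removes the bug; the integer check on top of it turns a silent empty result into a logged, rejected request, which is what you want to alert on.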