Watch It on Vimeo
Watch It on Youtube
Hello Security Explorers, Welcome to Security Explored.
Today I Am going to teach you basic sql injection with a live demo.
As you have already heard of sql injection ..
An often used way to attack the security of an website is to input SQL statements in a web form to get a badly designed website to dump the database content to the attacker - an SQL injection. It's a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Now lets start ,
I have a sql vulnerable site with me .
I have got this site from Google using google dorks.I hope you know how to find sql vulnerable sites.
If don’t then let me know through comments or mails.
Now move forward ,
Lets check for vulnerability, using a “ ‘ “ apostrophe sign.
Now our url will look like
After that we got this Sql error
“You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1”
Showing that this site is vulnerable to Sql injection.
nOw NeXt thing to do is to find number of columns.
For this,
As we load this url we get no error but a normal page .
This shows that there is atleast 1 column in the database.
Now to Check the validity of 2nd column
again we got no error and a normal page ,this shows that column 2 is available in the database and there are atleast 2 columns in the database.
Similarly to check for 3,4,5,6,7,8,9,10,11 columns the url will be,
Now till 11 columns we got no error means there are atleast 11 columns in the database .
Now if we check for 12th column,
we go this error “Unknown column '12' in 'order clause' ”
This shows that there is no 12th column in the database or there are only 11 columns in the database .
Ok next Step
We got the number of columns in the database , now we need to find the vulnerable column, the column in which we will inject and extract data.
To do that we are going to use “Union all select”
The “order by” , “union all select “ and much more , all are Mysql commands .If you want to learn the real knowledge behind sql injection , you need to learn about MY-SQL.
Now to find vulnerable column
The url will be ,
By entering this url into the address bar and loading we will get numbers somewhere on the webpage.
In this case,Check out on the bottom side of the webpage you will see some numbers .
In some cases you don’t get numbers on entering this url .
For that cases you have a add a “-“ sign in the url in the place shown below
As you see I have added a minus sign before the number 44.
By this I will get numbers on the webpage.
Ok here we got 8 ,3 ,4 ,5 on the webpage.
It means columns 8,3,4,5 are vulnerable ,means we can inject in any of these 4 columns – 8,3,4,5.
I am going to inject in column 3.
Now we need to find Mysql database version.
For this we have to replace one of the vulnerable columns with “ vsersion() “ or “@@version”
Now our url will be
As we see instead of 3 we are getting 5.1.52.
This means MYSQL database version is 5.1.52.
You can also get current database name by replacing one of the vulnerable column with “database()” or “@@database”.
To get current database name ,
Similarly our current database name is “32908_leadacidbatteryinfoorg”
The current database name helps when there are more than 2 database of that site.
Now next we need to find table names.
Tables are elements in the database in which columns are stored and , in columns information(data) is stored.
To find tables name ,you have to use group_concat.
Now here you see all the tables name stored in the database.
We got thses tables
pdigclicks,pdigengine,pdigexcludes,pdigincludes,pdigkeywords,pdiglogs,pdigsite_page,pdigsites,pdigspider,pdigtempspider,tbladmin,tblbanner,tblbanner_page,tblfaq,tblncategory,tblnews
Now this depends on you that which type of data you want
Since I need administrator information , I will choose table – tbladmin
Similarly to find columns name ,
We got these columns
c_num,c_url,c_val,c_time,spider_id,key_id,weight,ex_id,ex_site_id,ex_path,in_id,in_site_id,in_path,key_id,twoletters,keyword,l_id,l_includes,l_excludes,l_num,l_mode,l_ts,l_time,site_id,days,links,depth,site_id,site_url,upddate,username,password,port,locked,stopped,spider_id,file,first_words,upddate,md5,site_id,path,num_words,last_modified,
The columns “username “ and “password” are from the table “tbladmin”
Suppose I need to get the data stored in these two columns ,mean I am going to dump these two columns.
So our syntax will be,
The “0x3a” between these two columns just put “ : “ ,colon sign such that you can easily distinguish betwwen username and password.
Here we get admin information ,
Username : ishir
Password : ishir123
If you need to get data other than username and password , so you have to choose columns name and table name .
Like ,
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-44+union+all+select+1,2,group_concat(COLUMNS NAME SEPARATED BY “,” SIGN),4,5,6,7,8,9,10,11+from+TABLE NAME--
Now you have username and passwords of the admin , so the next thing you need to find admin page where you can login with this data ,
You can use “HAVIJ” to find admin login page.
If you don’t know how to do this then contact me.
Here in this case admin page of the site is,
http://www.leadacidbatteryinfo.org/admin/
Note - If site have a Mysql database version less than 5 then you have to guess table and column names skip to the dumping step.
Note - If site have a Mysql database version less than 5 then you have to guess table and column names skip to the dumping step.
Don’t forget to use the proxy while login otherwise your ip will be stored in the database of this site.
If u have any problem or query about this tutorial then feel free to caontact me.
Email – cyberdash@live.in
Facebook- http://www.facebook.com/cyberdash
Don’t forget to subscribe to our SMS channel and liking our page
How can i spot sql vulnerable sites?
ReplyDeleteThx
serach for websites and check them for vulnerability or use packetstormsecurity.org for vulnerable sites . :)
ReplyDelete