TECHKIDOz

We will try our best to share hacks, tricks, mods and lots of other cool stuff

Tuesday, 25 July 2017

SQL Injection tutorial for beginners



This is purely for educational purposes and is to be used at the discretion of the reader.

First we have to know what SQL injection is exactly.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.


What is covered in this tutorial?

Part One - Website Assessment
Section One - Finding a vulnerable website
Section Two - Determining the amount of columns
Section Three - Finding which columns are vulnerable

Part Two - Gathering Information
Section One - Determining the SQL version
Section Two - Finding the database

Part Three - The Good Stuff
Section One - Finding the table names
Section Two - Finding the column names

Now let's begin.

Part One - Website Assessment

In order for us to start exploiting a website we must first know exactly what we are injecting into. This is what we will be covering in Part One along with how to assess the information that we gather.

Section One - Finding a vulnerable website

Vulnerable websites can be found using dorks (I will include a list at the end of this tutorial), either in Google or with an exploit scanner. For those of you that are unfamiliar with the term "dorks", I will try to explain.

Dorks are search queries that match URL patterns commonly found on vulnerable pages. In SQL injection these dorks look like this:
inurl:buy.php?id=

This is entered into a search engine, and because of the "inurl:" part of the dork, the search engine will return results whose URLs contain those characters. Some of the sites whose URLs match this dork may be vulnerable to SQL injection.

Now let's say we found the page:
http://www.site.com/buy.php?id=1
In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so it looks like this:

http://www.site.com/buy.php?id=1'
or
http://www.site.com/buy.php?id='1

After pressing enter, if this website returns an error such as the following:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 7
Or something along those lines, this means it's vulnerable to injection.

In the case where you find a website such as this:
http://www.site.com/buy.php?id=1&catid=2
then you must use the same technique of adding a ', except it must be between the value (in this case the number) and the operator (the "=" sign), so it looks like this:
http://www.site.com/buy.php?id='1&catid='2
There are programs that will do this for you, but to start off I would suggest simply doing things manually, using Google, so I won't post any for you guys. If you feel compelled to use one anyway, I recommend the Exploit Scanner by Reiluke.
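The ' test works because of how the vulnerable page builds its query: the raw parameter is pasted into the statement text, so a quote breaks the SQL grammar and the database throws an error that the page then prints. The following is an added example, not code from the original post, written in Python against SQLite rather than the PHP/MySQL stack the post targets; the `products` table, its rows and the function names are constructed for illustration. It shows the concatenated query beside the parameterized one, runs the post's `1'` and `'1` probes against both, and shows what a hardened page should send back instead of the engine's own error text.

```python
import sqlite3


# Constructed sample schema and rows: a tiny "products" table standing in for
# whatever the post's hypothetical buy.php queries. Not taken from the post.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, catid INTEGER, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, 2, "widget", 9.99), (2, 2, "gadget", 19.99), (3, 5, "gizmo", 4.5)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str, cat_id: str):
    """The flaw the post describes: request parameters are pasted into the
    statement text, so a quote in the input changes the SQL grammar."""
    sql = (
        "SELECT id, catid, name, price FROM products "
        f"WHERE id={product_id} AND catid={cat_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, product_id: str, cat_id: str):
    """The fix: the statement text is constant and the values travel as bound
    parameters. A quote in the input is just a character inside a value; the
    database compares it as data and the query simply matches nothing."""
    sql = "SELECT id, catid, name, price FROM products WHERE id=? AND catid=?"
    return conn.execute(sql, (product_id, cat_id)).fetchall()


def probe(handler, product_id: str, cat_id: str):
    """Run one request against a fresh database and report what the client
    would observe: ("ok", rows) or ("error", message)."""
    conn = make_db()
    try:
        return ("ok", handler(conn, product_id, cat_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


def client_safe_message(result):
    """What a hardened page should send on failure: a generic message, never
    the database engine's own error text (the post's gallery.php warning is
    exactly the leak to avoid). The detailed message belongs in the server log."""
    status, payload = result
    return "Sorry, something went wrong." if status == "error" else payload


if __name__ == "__main__":
    for pid, cid in [("1", "2"), ("1'", "2"), ("'1", "2")]:
        print(f"id={pid!r} catid={cid!r}")
        print("  vulnerable   :", probe(lookup_vulnerable, pid, cid))
        print("  parameterized:", probe(lookup_parameterized, pid, cid))
```

With the normal input both handlers return the same row. With `1'` or `'1` the concatenated version raises a syntax error (SQLite's wording differs from MySQL's "not a valid MySQL result resource", but it is the same class of failure), while the parameterized version runs fine and returns an empty result, which is the behaviour a page that is not injectable shows under this test.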

Section Two - Determining the amount of columns

In order for us to be able to use commands and get results we must know how many columns the page's query selects. So to find the number of columns we must use a very complex and advanced method that I like to call "Trial and Error" with the ORDER BY clause.

NOTE: SQL keywords are not case sensitive; I'm capitalizing them only for clarity. For all SQL cares, your queries could look like this:
http://www.site.com/buy.php?id=-1 CaN I HaZ TeH PaSSwOrDs? PLz aNd ThX
IT DOESN'T MATTER (btw please don't think that was an actual command).

So back to the ORDER BY clause. ORDER BY n sorts the result by its n-th column, so the database accepts it only while n is no larger than the number of columns the query selects. To find the number of columns we write a query with incrementing values until we get an error, like this:
http://www.site.com/buy.php?id=1 ORDER BY 1-- <---No error
http://www.site.com/buy.php?id=1 ORDER BY 2-- <---No error
http://www.site.com/buy.php?id=1 ORDER BY 3-- <---No error
http://www.site.com/buy.php?id=1 ORDER BY 4-- <---No error
http://www.site.com/buy.php?id=1 ORDER BY 5-- <---ERROR!

This means that there are four columns!
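From the defender's side, this ORDER BY walk leaves a very recognizable trail in the web server's access log: one source, one path, a quote glued to a numeric parameter, then ORDER BY 1, 2, 3, ... in quick succession. The following is an added example, not code from the original post: a small Python detector that parses constructed access-log lines (the IP addresses, paths and timestamps are made up for illustration), decodes the query string, and reports the post's two probe patterns per source and path. It also handles the obvious false positive, a legitimate apostrophe in a free-text search parameter, by only treating a quote as a probe when it is attached to an otherwise numeric value.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed web-server access log lines (Apache combined-style prefix without
# the referrer/agent fields). 203.0.113.7 performs the probes the post shows:
# a quote appended to the id, then ORDER BY 1..5. 198.51.100.9 is ordinary
# traffic, including a legitimate apostrophe in a search. 192.0.2.5 sends a
# single ORDER BY, which is suspicious but not a column-count walk.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2017:10:01:01 +0000] "GET /buy.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:01:05 +0000] "GET /buy.php?id=1%27 HTTP/1.1" 200 713
203.0.113.7 - - [25/Jul/2017:10:01:09 +0000] "GET /buy.php?id=1%20ORDER%20BY%201-- HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:01:12 +0000] "GET /buy.php?id=1%20ORDER%20BY%202-- HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:01:15 +0000] "GET /buy.php?id=1%20ORDER%20BY%203-- HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:01:18 +0000] "GET /buy.php?id=1%20ORDER%20BY%204-- HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:01:21 +0000] "GET /buy.php?id=1%20ORDER%20BY%205-- HTTP/1.1" 200 713
198.51.100.9 - - [25/Jul/2017:10:02:00 +0000] "GET /buy.php?id=2 HTTP/1.1" 200 498
198.51.100.9 - - [25/Jul/2017:10:02:30 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2048
192.0.2.5 - - [25/Jul/2017:10:03:00 +0000] "GET /buy.php?id=3%20ORDER%20BY%203-- HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# A quote glued to an otherwise numeric value, i.e. the post's "1'" / "'1" test.
# "O'Brien" in a free-text field does not match, which keeps noise down.
NUMERIC_QUOTE_PROBE = re.compile(r"^\s*(?:'\d+|\d+')\s*$")
# An ORDER BY with a positional column number carried inside a parameter.
ORDER_BY_PROBE = re.compile(r"\bORDER\s+BY\s+(\d+)", re.IGNORECASE)


def parse_line(line: str):
    """Split one access-log line into source, path, decoded query parameters
    and status; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        # parse_qsl percent-decodes, so %27 becomes ' and %20 becomes a space.
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def analyze(log_text: str, min_sequence: int = 3):
    """Group probes by (source IP, path). Any quote probe or ORDER BY is
    reported; column_enumeration is set only when at least min_sequence
    consecutive, incrementing ORDER BY values came from the same source."""
    seen = defaultdict(lambda: {"quote_probes": 0, "order_by_values": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = seen[(rec["ip"], rec["path"])]
        for _name, value in rec["params"]:
            if NUMERIC_QUOTE_PROBE.match(value):
                stats["quote_probes"] += 1
            m = ORDER_BY_PROBE.search(value)
            if m:
                stats["order_by_values"].append(int(m.group(1)))

    findings = []
    for (ip, path), stats in seen.items():
        vals = stats["order_by_values"]
        enumeration = len(vals) >= min_sequence and all(
            b == a + 1 for a, b in zip(vals, vals[1:])
        )
        if stats["quote_probes"] or vals:
            findings.append({
                "ip": ip,
                "path": path,
                "quote_probes": stats["quote_probes"],
                "order_by_values": vals,
                "column_enumeration": enumeration,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run on the sample, the detector reports 203.0.113.7 against /buy.php with one quote probe and the run 1 through 5 flagged as column enumeration, reports 192.0.2.5's lone ORDER BY without the enumeration flag, and ignores 198.51.100.9 entirely. In a real deployment the same two patterns are what a WAF rule or a SIEM correlation would key on, with the parameterized query from the section above being the fix that makes the probes harmless in the first place.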

more updates on SQLI coming soon
