
The Basics of Structured Query Language Injection (SQLi)
Started by Caiky




9 posts in this topic
[NS]Caiky
10-31-2017, 12:04 PM - #1
Now with pictures!

Intro

Structured Query Language injection, more commonly known as SQL injection, SeQueL injection, or SQLi, is a very basic way of hacking into a website. If a website is vulnerable to SQLi, it can be an extremely easy way to get inside, especially if you can manage to find an admin panel. While occasionally SQLi can be extremely tedious, there are many ways to automate it; I will list the existing tutorials on that, and add future ones, at the bottom of this tutorial. Let's begin!


Bypassing the Administrator Panel

Most websites vulnerable to bypassing the admin panel with SQLi end in ".asp".
First things first, we need to find a vulnerable website. We do this in Google by typing a "dork" into the URL bar.
There are massive amounts of different dorks available for us to use, but the best that I have seen so far, and the ones I use myself, are:
Hidden Content


Go ahead and put any of those dorks into your URL bar and hit enter. After finding a website of your choice, you should arrive at a screen looking something like this. 
[Image: KrdB9cY.png]

Now here, for the username we always type "Admin" and for the password we will put our SQLi.
You can find a list of plenty of different SQL injections on the internet, but here are some basic ones that sometimes work.

Hidden Content

It should look something like this:
[Image: jpZlYGP.png]

Go ahead and log in; if it works, congratulations! You have successfully used SQLi to hack a website.
If it does not, then it is possible that the website is either not vulnerable, or they have blocked that injection. Go ahead and try other websites or injections!


Checking if a Website is Vulnerable

Let's say you want to see if a specific website is vulnerable. If you manage to find a page on the website that ends in 

Hidden Content

That means we can test if it is vulnerable here. We just simply add an apostrophe or a single quote to the end of the link, so it will look something like this:
[Image: yzAogat.png]
If we get an SQL error on the website (this varies a lot, but it should obviously say SQL in the error), then the website is vulnerable! Now we need to find the number of columns. We do this by entering "order by 10 --" after the link, without the apostrophe or quotes.
If we get an error, we must lower the number. Let's try "order by 5 --".
The page opens normally; this means the number of columns is between 5 and 10.
Let's try 8: the page opens normally. 9: the page opens normally. 10: we get an error. This means the number of columns is 9!


Finding Accessible Columns

Now that we have the number of columns, we must find which ones are accessible.
We do this by adding a minus sign (-) before the number (in our case 8), then swapping out "order by X --" with

Hidden Content

You would add on or shorten the list of numbers for how many columns there are.
Now, our URL bar should look something like this:
[Image: TjTmXkG.png]
Press enter, and it will tell us some numbers. In my case, it gave out 1, 4, and 7.
Now we know what columns are vulnerable!


Getting the Database Version

We need to do this because if the database version is under version 5.0.0, we will need to guess the names of the tables, which is obviously extremely tedious.
We do this by replacing any one of the columns in the link in the picture above with
Hidden Content

I'm going to replace 7, so the link would look like this.
[Image: W5M0dC8.png]
Let's press enter, and now we will be able to get the version. In my case, it's version 5.0.77, so I do not need to guess the table names because the version is greater than 5.0.0.


Hidden Content

Our (now extremely long) link will look like this:
[Image: YJ3oiJL.png]
Press enter, and now we search for the table we want to access. Look for something with "admin" in it; in my case it is tbladmin.




Getting the ASCII Value

We would go to http://asciivalue.com/ to turn tbladmin into its ASCII value.
Now we would replace "table_name" in the URL with "column_name", change "information_schema.tables" to "information_schema.columns", and add "where table_name=char(ASCII value)--".
In our case, for our ASCII value we put (116,98,108,97,100,109,105,110)--
After entering that into our URL, press enter, and we would search for something like "username" and "password".
Remove everything after the 9 and add:
Hidden Content

0x3a is the ASCII value of "a" so we can separate the username from the password.

Finally, we have the password and username, and we may login.
Occasionally the password is encrypted, so we may have to decrypt it with a program such as Rainbow Crack.


End
Hope you beautiful bastards find this tutorial useful!
Leave a post if you enjoyed, it motivates me to make more tutorials. If you have any recommendations for a tutorial, include it in your post. 
Written by Caiky. I'm not responsible for whatever you do with this tutorial, and this tutorial was made for the community of CorruptZone and only for the community of CorruptZone.

https://corrupt.zone/Thread-SQLiv-Massiv...ty-Scanner
https://corrupt.zone/Thread-SQLMap-TUT
This post was last modified: 10-31-2017, 12:28 PM by Caiky.
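The two probes the tutorial relies on (a trailing apostrophe, then ORDER BY N) only give a signal because the page builds its SQL by string concatenation. This added example, not code from the original post, runs those exact inputs against a constructed nine-column tbladmin table in SQLite, once through a concatenated query and once through a parameterised one, so you can see where the error comes from and that binding the value removes it.

```python
"""Why a trailing quote and ORDER BY N give the attacker a signal, and why a
bound parameter does not. Added example; tbladmin and its row are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Nine-column table, the count the tutorial arrives at, with one row (id 8)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tbladmin (id INTEGER, username TEXT, password TEXT, "
        "email TEXT, role TEXT, c6 INTEGER, c7 INTEGER, c8 INTEGER, c9 INTEGER)"
    )
    db.execute("INSERT INTO tbladmin VALUES (8,'admin','s3cret','a@example.test',"
               "'admin',0,0,0,0)")
    return db


def lookup(db: sqlite3.Connection, item_id: str, parameterised: bool) -> tuple:
    """Run the page's id lookup on the raw request value.

    Returns ("ok", row_count) or ("error", exception_class_name). Concatenated,
    the value becomes part of the statement; bound with ?, the database only
    ever compares it against the id column and never parses it as SQL."""
    try:
        if parameterised:
            rows = db.execute("SELECT * FROM tbladmin WHERE id = ?", (item_id,)).fetchall()
        else:
            rows = db.execute("SELECT * FROM tbladmin WHERE id = " + item_id).fetchall()
        return ("ok", len(rows))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# The inputs from the tutorial: a normal id, a trailing quote, then ORDER BY 9 and 10.
# ORDER BY n is rejected once n exceeds the number of columns in the SELECT list
# (9 here because of SELECT *), which is the boundary the tutorial narrows down on.
PROBES = ["8", "8'", "8 order by 9 --", "8 order by 10 --"]


def probe_matrix() -> dict:
    """Outcome of every probe under both query styles."""
    db = make_db()
    return {p: {"concatenated": lookup(db, p, False),
                "parameterised": lookup(db, p, True)} for p in PROBES}


if __name__ == "__main__":
    for probe, outcome in probe_matrix().items():
        print(f"{probe!r:20} concatenated={outcome['concatenated']}  "
              f"parameterised={outcome['parameterised']}")
```

With the bound parameter every probe simply matches zero rows, so neither the quote nor the ORDER BY boundary leaks anything.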
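From the defender's side, the steps above leave a recognisable trail in the web server's access log. This added example (not from the original post) scans combined-format log lines for the probe patterns the tutorial walks through; the log lines, client addresses and the /news.asp path are constructed sample data.

```python
"""Spot the tutorial's probe sequence in web server access logs. Added defensive
example; the log lines, client addresses and /news.asp path are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# One pattern per step of the tutorial, applied to the URL-decoded query string.
SIGNATURES = {
    "quote_probe": re.compile(r"=\d+'(?:\s|&|$)"),                       # id=8'
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--"),            # order by N --
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)"),
    "char_encoding": re.compile(r"\bchar\(\s*\d+(?:\s*,\s*\d+)*\s*\)"),  # char(116,98,...)
    "hex_separator": re.compile(r"\b0x3a\b"),
}
# Combined log format: client ident user [timestamp] "METHOD target proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample: one client walking the tutorial's steps, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2017:12:04:01 +0000] "GET /news.asp?id=8 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Oct/2017:12:04:07 +0000] "GET /news.asp?id=8%27 HTTP/1.1" 500 412
203.0.113.5 - - [31/Oct/2017:12:04:15 +0000] "GET /news.asp?id=8%20order%20by%2010%20-- HTTP/1.1" 500 412
203.0.113.5 - - [31/Oct/2017:12:04:22 +0000] "GET /news.asp?id=8%20order%20by%209%20-- HTTP/1.1" 200 5120
203.0.113.5 - - [31/Oct/2017:12:06:40 +0000] "GET /news.asp?id=-8%20from%20information_schema.columns%20where%20table_name%3Dchar(116,98,108,97,100,109,105,110)-- HTTP/1.1" 200 3300
198.51.100.9 - - [31/Oct/2017:12:07:00 +0000] "GET /news.asp?id=9 HTTP/1.1" 200 5100
"""

def classify(target: str) -> list:
    """Signature names matching the decoded query string of one request target."""
    decoded = unquote_plus(urlsplit(target).query).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text: str) -> list:
    """One record per request that matches a signature, in log order. A 500 next
    to a quote probe is the SQL error page the tutorial treats as confirmation."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (tags := classify(m.group(3))):
            findings.append({"ip": m.group(1), "time": m.group(2), "target": m.group(3),
                             "status": int(m.group(4)), "tags": tags})
    return findings

def escalation_by_ip(findings: list) -> dict:
    """Distinct signatures per client; quote probe, ORDER BY and schema reads from
    one address in sequence is the manual workflow the tutorial describes."""
    seen = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(tags) for ip, tags in seen.items()}
```

The same signatures can be fed to a WAF or SIEM rule, but the per-client escalation view is what separates a stray quote in a search box from someone working through the whole sequence.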
Dox
10-31-2017, 12:16 PM - #2
Alright, alright... How long did this one take to make? Legit...
[NS]Caiky
10-31-2017, 12:17 PM - #3
(10-31-2017, 12:16 PM)Dox Wrote: Alright, alright... How long did this one take to make? Legit...

17 hours of actually making and perfecting the tut over the time of 3 days
This post was last modified: 10-31-2017, 12:23 PM by Caiky.
deadeye
10-31-2017, 12:42 PM - #4
I have only injected SQL a single time, but wouldn't it be better to write "order by X; --" if batched SQL is used? Otherwise it probably would crash
[NS]Caiky
10-31-2017, 12:45 PM - #5
(10-31-2017, 12:42 PM)deadeye Wrote: I have only injected SQL a single time, but wouldn't it be better to write "order by X; --" if batched SQL is used? Otherwise it probably would crash

In my experience (20+ injections) it has never crashed for me, so I don't know for sure.
deadeye
10-31-2017, 12:48 PM - #6
(10-31-2017, 12:45 PM)Caiky Wrote:
(10-31-2017, 12:42 PM)deadeye Wrote: I have only injected SQL a single time, but wouldn't it be better to write "order by X; --" if batched SQL is used? Otherwise it probably would crash

In my experience (20+ injections) it has never crashed for me, so I don't know for sure.

Ah well :)

At my first try I forgot to put a ";" and the whole service crashed...
[NS]Caiky
10-31-2017, 12:51 PM - #7
(10-31-2017, 12:48 PM)deadeye Wrote:
(10-31-2017, 12:45 PM)Caiky Wrote:
(10-31-2017, 12:42 PM)deadeye Wrote: I have only injected SQL a single time, but wouldn't it be better to write "order by X; --" if batched SQL is used? Otherwise it probably would crash

In my experience (20+ injections) it has never crashed for me, so I don't know for sure.

Ah well :)

At my first try I forgot to put a ";" and the whole service crashed...

That's pretty odd, never heard of that happening before.
deadeye
10-31-2017, 01:01 PM - #8
(10-31-2017, 12:51 PM)Caiky Wrote:
(10-31-2017, 12:48 PM)deadeye Wrote:
(10-31-2017, 12:45 PM)Caiky Wrote:
(10-31-2017, 12:42 PM)deadeye Wrote: I have only injected SQL a single time, but wouldn't it be better to write "order by X; --" if batched SQL is used? Otherwise it probably would crash

In my experience (20+ injections) it has never crashed for me, so I don't know for sure.

Ah well :)

At my first try I forgot to put a ";" and the whole service crashed...

That's pretty odd, never heard of that happening before.

Ikr. They put another SQL statement after the vulnerable one, and because I didn't end the first one with ; the second one was not a correct statement. The resulting error couldn't be handled properly so the system was fucked up.
Tonyzoo1234
11-01-2017, 01:18 PM - #9
I love SQL Injections, especially statements.
Bloodhound
11-08-2017, 10:24 AM - #10
Some real effort, good job