Myanmar H4x0r

Hey guys,

i wrote this in the past for another forum BUT its deleted there so before its getting lost in my trash i decided to leave it in here exclusiv  maybe some noob need it some time! It was a hard work and somebody has to see this 

---

I know we already got some GOOD BASIC TUTORIALS and i will link them as i also link some good tuts about further information. 
So any new member should be able to find interesting information about all SQL INJECTION related topics in this thread.

*english is not my native language - if you face any language related issues, feel free to hit me up with a PM!

again: its a NEWBIE thread, so other can leave!

---

First of all: I WILL NOT COVER THE BASICS OF THE STRUCTURED QUERY LANGUAGE!
I assume some basic knowledge about SQL, websites, queries and some database management.
In best case you are a webadmin and you came from managing some CMS like Joomla!, wordpress or similar.
Maybe you have some PHP knowledge or similiar. That may help you!

To cover the basics of SQL you can check this:
http://www.w3schools.com/sql/default.asp

So now you already know how SQL works and how databases where setted up - but you dont know how to inject them.
The way to inject depends on several things like: what SQL-server is the target running and wich framework use the website?
That we have to figure out before we can start to exploit it! The Framework is the programming-language of the Website and the SQL-server is the software that is used to store data and manage databases on the server. So the framework is used in order to built the website and to transmit SQL queries TO and receive results FROM the SQL-Database-Server.

Different SQL-Database-Server: MySQL, MSSQL, Oracle, PostgreSQL, Ingres, Db2...
Different frameworks: PHP, ASP/ASPX, JAVA ...
Different server: Linux, Windows,...

In this tutorial i will "only" cover MySQL as server and PHP as framework but basically you can come across different combinations.
The most commonly occurring combiniations are PHP/MySQL and ASP/MSSQL (Microsoft servers).

So what makes a website dynamic and how are the user inputs processed?

You may seen some url's like this:
example.com/index.php?id=1
example.com/index.php?book=hello_sql

The things after "index.php?" are PARAMETERS (id=1,book=hello_sql). In this case these are GET parameters.
You will come across some other parameters like POST paramater but for the beginning we use the GET parameter.
(GET parameters you directly see next after the URL. POST parameter you dont see, they where transmitted in the background)

These parameters are used to built requests to the SQL-server. 
So in this tutorial we will inject this webseite:

Target:
Injectable parameter: book

Table where the coder stores the data of each book called „shp_books":

Please remember that table. We will use it for the whole tutorial!

PHP query behind the scenes:

This is a INTEGER based query.

To navigate the webuser to the correct book and display correct data with a INT-query, the coder has built the URL i posted above:

Another possible solution for SAME RESULT is:

This is a STRING based query.

To navigate the webuser to the correct book and display correct data with a STRING-query, the coder would built the URL like this:
*%20 = space in URL encoding, cos browser likes no space so its encoded in %HEX
(but such a parameter does not exist in our target - i just wanted to show you another way for same result with another query.)
______
THIS HAS TO BE CLEAR FOR YOU.

If you dont understand this, you have to go back and learn the basics of SQL.

---

---

After the tutorial you may try to find another page for SQL injection (if you want to inject - skip this part and go on with our target)
Using Dorks is the best way for finding random sites. Dorks are basically modified queries for search engines. In this tutorial we use google for finding our targets. 

Let's start dorking ;)

As i said a dork is used to get a detailed search result that matches perfectly to what we are looking for.
(Special target topics like: health, shops, forums or a special combination/configuration of SQL-server and Framework.)
With dorks we are able to get results that are tailored directly to our search queries. In this tutorial we are looking for a website that use MySQL-server and PHP as Framework.

The most widely used one to find those is probaly this dork: inurl:index.php?id=
Go to Google and enter this dork above. You will see a result like this including our dork matches:


Explanaition:
The function "inurl:" tells google that we are looking for results in URL. So we dont search for text on page, or included images,
we directly want to search in the URL (link) of pages. In the first chapter we learned how a website interacts with the SQL-server (parameter). With "index.php?id=" we are getting two things in one result: All pages that have a website file called "index.php" in combination with a parameter called "id=".

Basically you have to be creativ when dorking!

For example if you looking for a page that might have a member area and use MYSQL-server you would do something like this:
inurl:index.php?member= or use inurl:login.php?id= or inurl:user_login.php?id=

you also can try to define the parameters with guessing things the coder might use for generating the links:
inurl:member.php?id=1 or use inurl:login.php?name=admin or inurl:panel.php?id=1

Of course there are many more options for dorking:
intext:some text in the website // searching for some text in a website (for finding specific contents)
site:example.com // searching directly in a specific domain
intext:some text in the website + site:example.com // combination of both for a better result / more specific result

After getting the basics you schould check this for a better understanding of building dorks:
Prepaired Dorks for you: 7000+ Dorks!

---

---

Ok first off all i want to work out something. You may often read about "find vulnerable column" but basically its not the column thats vulnerable!
A column is a column :yeye: ...you can save data (values) in it and thats it. Vulnerable is the PARAMETER that is used in the framework to built the query,
not the column itself! But of course we use that column (that the parameter uses) to inject through it - so thats why many people say "find vulnerable coulmn" and not "find vulnerable parameter" ...

But let's start :oui:

Back to our target from the opnening. This we will now use for injecting:
(the dork we could use to find it is: inurl:index.php?book=)

In a SQL injection we are adding malicious code to the exisiting URL! So we use the URL-Bar of our favorite browser for that and we will directly modify the URL itself. 
To check if the site is vulnerable we simply add a ' (single quote) after some parameter. I picked the "book" parameter for that:

Now you see a MySQL error directly on page:


Check the message in detail und you will see our used ' in the error message:


So that means our input was phrased with php interpreter and is directly send to SQL-server.
No input check and directly a response from SQL-server with a error message ...THAT‘S ... 
But at this moment we do not knowing much of the website only that it is MAYBE vulnerable. Time to try to go further and find our injection type...

---

---

As i said in the opening, there are several ways to inject but we only will use these two in this tutorial:

UNION BASED SQLI 
With this injection technique we get the most output. For huge dumps or much output as possible this is the best way. But it is not in all vulnerable sites possible. We need a direct page-output of the database values on the website (or in source code, e.t.c.). Sometimes this technique is not possible - so we have to switch to ERROR BASED SQLI.

ERROR BASED SQLI 
It is like the name said: Injection result in MySQL-Error directly on page (or source code, e.t.c.). But usually showing MySQL errors is turned of by the coder. It is basically a framework debbuging function for the testing of the website. After successfully finishing the website the coder schould turn off displaying those kind of errors - but sometimes we get lucky and see these errors! 

There are some more types and the above types also splitting into other sub-types (like TIME-BASED-SQLI or you may hear BLIND-INJECTION sometimes).
But in this tutorial we cover only the two above ones in the main way's - i will link you further information in second post

I will show you both injection types with one target! I prefer to use UNION BASED SQLI - so lets start with this (that's always my first try).

---

---

For UNION BASED SQLI we need the number of columns that are vulnerable.
(Another thing that is not 100% correct but i will explain later why the sentence "find number of vulnerable columns" isnt correct in all cases.
But its widly known as above so lets call it this way!)

To count the columns we can use several functions. I will explain the most commonly used called "ORDER BY". As you know from learning the basics of SQL there are two kinds of query we can have: INT based or STRING based. At this moment we dont know wich one is used in our example target. The ORDER BY url for both would look like this:

INT:
(we dont need a ' to inject here or build a valid query - thats why the PHP function mysql_real_escape_string or similar makes no sense in INTEGER based queries)

STRING:
(in string based injection we need the ' to build a valid query. BUT our target is INT based so lets go further with INTEGER BASED UNION SQL INJECTION)

Now we want to count the columns with our target. Let's start with a higher column number that hopefully does not exist and throw us some error (cos it dont exists):
--> BINGO!!! - you now see a error like this:


That means we ORDER the results BY column #100 but this column dont exists --> so MySQL-server response with above error message.

What we can do with this information? The error tell us 3 things:

• Query was interpreted correctly from SQL-server (we built a valid query!)
• it‘s an INTEGER based original query behind in the framework (otherwise SQL-server would response with a "wrong syntax" error cos the ' is missing in this case)
• column 100 does not exists

Now the plan is to count less column numbers till no error appear on page! 
--> still error but closer: 

(now we know there are less than 20 columns)
--> PAGE LOADS NORMAL! 
CONCLUSION: The column count has to be between 10 and 20 columns cos ORDER BY 20-- throws a error (20th column do not exist) and ORDER BY 10-- throws no error (min 10 columns exist)

Now let's count from 10 upwards till the error appear (step by step):
--> BINGO!!!:


Now we know this: With ORDER BY 10-- the page loads normal (10th column exist) and with ORDER BY 11-- page throws a error cos column 11 does not exist --> NOW WE KNOW THERE ARE 10 COLUMNS :)

We know the column count and now we have to build our UNION STATEMENT to inject queries and reciving data from the server.
I will not cover the UNION function itself, cos this is some further information that might confusing you.
Just a Short UNION workflow: UNION is used two combine the result of different SELECT queries as one set.
Thats enough for the start. Cos we work (inject) with a original page query we have to UNION our injection query to that original one!

The goal is to get some RANDOM NUMBERS on screen --> these are the injectable columns for us!
A UNION STATEMENT is build by the UNION function and the column count (we counted above) and will look like this:

But in most cases we have to NULL OUT the original query parameter. We can do this simply by nulling it:
* but in some cases you have to keep it and dont null it out

---> BINGO!!! We get our RANDOM NUMBERS directly on screen:

These are our vulnerable columns! Time to receive data from the server!Credit:T-Pro