SQL injection is a code injection technique, used to attack data-driven applications, in which nefariousSQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
1. Finding vulnerable sites
To find vulnerable sites we used google dork. Some of google dorks are:
You can find the largest collection of google dorks from here.
So as an example I find vulnerable site that is
I know about vulnerability by using string (‘). At the last of url use ‘ and if you got a error then it is vulnerable. In many sites don’t show error but some text or image are missing. This kind of sites are also vulnerable.
2. Finding Amount of Columns
To find the right number of column we are using “order by”. After the url type ‘order by 5’ and see the page.
Here I do
It seems that the page load normally and there are no error. That means columns are more than 5.
It’s showing error. That means columns number is less than 10.
By this try for finding columns number.
So total column number is 8.
Now we find vulnerable column. To do this please folow me:
After id= please insert [-] and it means null.
We got the vulnerable column is 4.
3. Getting Mysql Version
Now we wanna know the MySQL version. If its over 5 then its injectable by this Tut. (if its under 4 then you have to guess tables and columns).
In the vulnerable column we use @@version instead of column number.
ok we find it.
4. Getting Databases
Now we wanna find the databases and the Current database.
Here the syntax for all databases:
And it displays like this:
Now wel would like to now what is the current database, it’s pretty obvious in this case but usefull sometimes.
Syntax for current database:
This should display something like this:
5. Getting Tables
Now we want to know the tables on in the database and for this we will conintue using “union select”.
It’s output look like this:
Here admin table is ‘utilisateurs’. In maximum sites tables are admin, users, administrator etc.
6. Getting Columns
Now we want to know the columns.
We will use following code:
We got column and it looks like:
7. Dumping users/pass
Now you would like to dump logins and passwords.
union all select 1,2,3,group_concat(login,0x3a,pass,0x3a),5,6,7,8 from utilisateurs–
Now we got admin login and password.
Here login: atign and pass: 720a7e98c63c155ae17b0e7d3ce10a09
If you like, please comment and share !