Introduction to SQL injections, Additions welcomed
Post #1, Wed, 07 Oct 2009 10:34:24 +0000
Hak.5 Fan + | Group: Members | Posts: 34 | Joined: Mon, 14 Sep 2009 15:43:59 +0000 | Member No.: 15,678
Hey guys, I'm off work for the week (got the flu (seasonal, not swine)), so I decided to write a small piece on SQL injections, and I don't know where else to post it. However, I'm pretty heavily dosed on all sorts of meds right now and I'm pretty sure I've made a lot of mistakes. If you see any mistakes, please respond and I'll edit this piece ASAP.
------------ Introduction to SQL injections -------------------

What is a SQL injection?

In the magic world of the internet, websites have to deal with large amounts of data. This can become a confusing mess of information that relates to other information that relates to other information, for example: passwords that relate to user names, etc. Website admins deal with this by using a relational database management system (RDBMS). The most popular kind of system used is a 'SQL database' (Structured Query Language, pronounced like 'sequel'). The most popular of these management systems are 'Oracle DBMS' and Microsoft's 'SQL Server'. But don't worry: SQL is an internationally standardised language, so all SQL query syntax is the same across all systems. To get to know how SQL databases work, create your own by using Microsoft's free SQL Server and Visual C++/C# Express editions at: Microsoft Express Editions

Great, right? But what is a SQL injection? Well, when you are supposedly inputting data like your user name and password, they sometimes get put directly into a SQL database. However, some lazy programmers won't check for a valid input. This is where you can type (or inject) SQL commands into the database that execute and control that database. This can include deleting tables or simply returning information.

Where should you do SQL injections?

Wherever you have permission. Seriously, DO NOT TRY TO 'HACK' WEBSITES WITHOUT PERMISSION.

On a less serious note, the latest version of ASP.NET and IIS7 has an automatic input validation control. So before any input is put into the database it is checked for any SQL commands and stopped unless specified otherwise by the programmer. So avoid websites if their URLs end in '.asp/x'. You are much more likely to be able to find a flaw in a site written in other server side languages like 'PHP'. To check for this, just click around and see if any URLs end with '.php'.
SQL Commands

This article is long enough; learn all commands and what they do at: http://www.sqlcommands.net/

Let's Get Started!

Unless you have your own site, written in PHP, head on over to: http://www.hackthissite.org/missions/realistic/4/. You may have to get a free account. This is a safe, legal place to practice SQL injections.

1. Firstly, get some information about the database. For this you're going to have to find a form that puts something in that database. Surprisingly, on the main page there is a form that puts your email into a table. We are going to try a general comment in SQL, '.

2. Entering ' or # returns an error. Unfortunately it looks like they have employed an input validation (so something like ' or 1=1-- for login forms won't work here). Fortunately, they tell you what it failed to do: "Error inserting into table "email"! Email not valid! Please contact an administrator of Fischer's". This tells you the table that stores the email string is called 'email'. Of course, you could always guess the table name of an uncreative programmer's database.

3. Now we need to find where it is stored in the database. Click on the fur coats link. We are going to use the 'ORDER BY' statement to find out just how big the email table is. After the URL, type: ORDER BY 1--; The URL should now be: "http://www.hackthissite.org/missions/realistic/4/products.php?category=1ORDER BY 1--;" Notice there is no space between 1 and ORDER. Press enter. NO ERROR? This tells us that there is a first column in our database table. Keep incrementing the integer at the end by 1 until: "http://www.hackthissite.org/missions/realistic/4/products.php?category=1ORDER BY 5--;" Looks like we got an error. This has told us that we have 4 columns, as this is the last integer that didn't return an error.

4. Great. Now that we've got our number of columns and the name of the table, we can start the injection.
Type after the URL: "UNION ALL SELECT *,*,*,* FROM email;" The URL is now: "http://www.hackthissite.org/missions/realistic/4/products.php?category=1UNION ALL SELECT *,*,*,* FROM email;" Notice there is no space between 1 and UNION.

What this command actually does:

UNION: This merges the result of two or more SELECT queries into 1 result.
SELECT: This selects the data from the table and returns it.
*,*,*,*: These represent what to return from each column. In programming, * is the standard 'wild card' symbol. This can be used to select all fields in a column. If you don't want to see all that info, try replacing *,*,*,* with NULL,*,*,* or NULL,NULL,*,NULL. NULL returns nothing. As long as there are 4 total columns it will return different information. NULL, NULL, *, NULL returns just the emails, as the 3rd column is where the actual email string is stored.
FROM email: This gets the data from the specified table, and this is why we had to know what the table was called.

You should see a list below the original page content of all the emails in the database. Congrats, you've completed your first and LEGAL SQL injection. This is a really simple example. If you want to learn to hack more difficult examples, get permission, and HACK TO LEARN. If you don't have permission, other hackthissite realistic missions use SQL injections to retrieve data. So give it a go.

- Jez
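An added illustration of the defect the tutorial above exploits and of its fix; this is not code from the post or from hackthissite, and it uses Python with an in-memory SQLite database as a stand-in for the tutorial's PHP/MySQL shop. It places the string-built query next to a validated, parameterised one and adds a small log check that flags the ORDER BY and UNION probe shapes the post walks through. Table and column names, the sample rows and the access-log lines are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the tutorial's shop (names are assumptions): four columns
# are read from products, and the email table has a single column.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, descr TEXT, category INTEGER);
CREATE TABLE email (address TEXT);
INSERT INTO products VALUES (1, 'Fur coat', 199.0, 'Cat 1 item', 1);
INSERT INTO email VALUES ('alice@example.test'), ('bob@example.test');
"""
PAYLOAD = "1 UNION ALL SELECT NULL, NULL, *, NULL FROM email"  # the tutorial's UNION payload

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db
def products_vulnerable(db, category):
    # The tutorial's defect: the parameter becomes SQL text, so a 4-column UNION appends email rows.
    sql = "SELECT id, name, price, descr FROM products WHERE category=" + category
    return db.execute(sql).fetchall()

def valid_category(value):
    # Allow-list check: the 'valid input' test the tutorial says the code lacked.
    return re.fullmatch(r"\d{1,6}", value) is not None
def products_hardened(db, category):
    # Fix: validate the shape, then bind the value so the engine treats it only as data.
    if not valid_category(category):
        raise ValueError("category must be a small positive integer")
    sql = "SELECT id, name, price, descr FROM products WHERE category=?"
    return db.execute(sql, (int(category),)).fetchall()

# Constructed access-log lines (not real traffic); the last two carry the tutorial's probes.
LOG_LINES = [
    "GET /products.php?category=1 HTTP/1.1",
    "GET /products.php?category=1ORDER%20BY%205--; HTTP/1.1",
    "GET /products.php?category=1UNION%20ALL%20SELECT%20NULL,NULL,*,NULL%20FROM%20email; HTTP/1.1",
]
PROBE = re.compile(r"UNION\s+(ALL\s+)?SELECT|ORDER\s+BY\s+\d+\s*--", re.I)
def flag_requests(lines):
    """Return the log lines whose URL-decoded request carries a probe shape."""
    return [line for line in lines if PROBE.search(unquote_plus(line))]

def demo():
    db = fresh_db()
    leaked = products_vulnerable(db, PAYLOAD)  # one product row plus every email address
    return {"leaked_emails": sorted(r[2] for r in leaked if r[0] is None),
            "legit_rows": products_hardened(db, "1"),
            "payload_valid": valid_category(PAYLOAD),
            "flagged": flag_requests(LOG_LINES)}
```

The leaked addresses come back in the third result column, exactly the position the tutorial's NULL,NULL,*,NULL pattern fills, while the hardened query refuses the same string before it ever reaches the database.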
Post #2, Wed, 07 Oct 2009 21:28:33 +0000
Hak.5 Zombie | Group: Members | Posts: 145 | Joined: Tue, 04 Aug 2009 18:29:42 +0000 | Member No.: 15,055
Thanks for the tutorial. I have never really got into databases and SQL yet, but I am sure this will help because probably next semester I will have to learn all about databases.
Post #3, Wed, 21 Oct 2009 09:47:07 +0000
Hak.5 Zombie | Group: Members | Posts: 148 | Joined: Thu, 08 Jun 2006 09:42:02 +0000 | Member No.: 966
I appreciate the tutorial, man. SQL Injections are like puzzles, I like
-------------------- My tutorial on fixing common Pandora's Jar problems can be found here.
Post #4, Tue, 03 Nov 2009 12:18:15 +0000
Hak.5 Zombie | Group: Members | Posts: 225 | Joined: Mon, 09 Oct 2006 05:05:44 +0000 | Member No.: 2,751
Take a look at URL Snooper and just watch as the automated tools poke:
Absinthe
IHv2
pangolin_pw_password
Paros
PRIAMOS
SQLPowerInjector
http://rmccurdy.com/scripts/sql/
Post #5, Tue, 03 Nov 2009 14:37:49 +0000
Hackling | Group: Members | Posts: 11 | Joined: Sat, 31 Oct 2009 18:16:17 +0000 | Member No.: 16,244
What is the easiest, fastest way to copy all of the files from your site? FTP? Or is there a program you know of that will copy all of the files from a website/server to my PC?