SQL Injection

[Stackprotector]

l33tas did you try to break the first SELECT statement by throwing a -1 instead of a 1 so for example 

Code: [Select]

: SELECT * FROM `table_test` WHERE straipsnio_id = '-1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10

[l33tas]

I get error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5,6,7,8,9,10 LIMIT 0, 30' at line 1
mb my MySQL db dont understand concat( table_name )? or all db must execute this function?
But if I try SELECT concat(table_name) FROM `tables` WHERE table_schema='test_table' its works fine..

[Kulverstukas]

Videos are shit. You do not learn SQL injection without knowing SQL... this way you can learn few commands and that's it! Only if you know SQL you can make queries and inject them... ugh.

Learn SQL and ONLY THEN learn how to inject!

[ande]

I try this tutorial.. and have problem.
First: when you try write http://evilzone.org/index.php?id=17+ORDER+BY+5 or http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3 you get nothing.. I solved this problem with ...?id=17' UNION ALL SELECT 1,2,3# but if you write in url in my case # dont works so I change it to %23. like ?id=17' UNION ALL SELECT 1,2,3%23.
Second: when I try this ?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database() its dont work.. I try in MySQL and its gives this error: #1109 - Unknown table 'table_test' in information_schema
in my case Sql query is : SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
any solution?

Your SQL query is invalid:

Code: [Select]

SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
That is not a valid SQL query. I think you mean:

Code: [Select]

SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name),5,6,7,8,9,10 FROM `information_schema.TABLES` WHERE table_schema=database()

[D4rk0rD]

Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .

[Stackprotector]

Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .

Also the way php/asp/python etc. Vreates and executes the querys

[dataspy]

Awesome tutorial, thanks!!!!

I have to mess with this more, I was already doing all the preventive measures recommended in this tutorial but even when I take prevntive measures away I still can't break my code, I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to VewRecords.php below)

Code: [Select]

<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php

Code: [Select]

// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";
       
    // result from $query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject

oh well something to play with later

[D4rk0rD]

Get sql manuals from this link :

http://dev.mysql.com/doc/refman/5.5/en/

This is english manuals you can download from other languages also . just check around site  .

[ande]

Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .

I disagree, learning PHP alongside SQL(MySQL) is the best way. Then study the concept(s) of SQL injection vulnerabilities.

Awesome tutorial, thanks!!!!

I have to mess with this more, I was already doing all the preventive measures recommended in this tutorial but even when I take prevntive measures away I still can't break my code, I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to VewRecords.php below)

Code: [Select]

<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php

Code: [Select]

// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";
       
    // result from $query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject

oh well something to play with later

Your code cant be injected to do any harm because the PHP script checks if the MaintenanceRecordID is numeric or not. However you can do things like MaintenanceRecordID=123e31 and you will most likely get a overflow problem, but it wont cause more than an error message.

Get sql manuals from this link :

http://dev.mysql.com/doc/refman/5.5/en/

This is english manuals you can download from other languages also . just check around site  .

Not sure how this will help must people..

[Droaxenius]

Again and awesome tutorial ande. 


Keep up the quality!

[Conch]

Amazing tutorial, very informative.

Thanks!

[Phage]

I must say that this is a HQ tutorial. I will expect nothing less from an admin. You made it very clear what you are saying and i understood it all. But i do have a lot of experience in SQLi so i dont know how it looks from a newbie.

HQ and great tutorial!

Regards
Narraz

[Horny Cat]

euhh i'm a very bigenner in hacking lol, but i'm good at coding, so my problem is that i can't find tergets (i mean website where i can apply what you just teach as here) any ideas !!??

[Kulverstukas]

well if you're good at coding, why not make a testlab yourself? just a thought...

[Stackprotector]

euhh i'm a very bigenner in hacking lol, but i'm good at coding, so my problem is that i can't find tergets (i mean website where i can apply what you just teach as here) any ideas !!??

Do you know PHP ?, learn how to create before destruction. And also, we do not say you have to practice it on other person's sites because that is illegal.