[Tutorial] The noobs guide to SQL injections.

[X1M!]

I will teach you how to inject websites to get their mysql information. This is my first tutorial, and excuse my grammar, I havent slept for 23 hours.

Requires:
MySQL Knowledge
Common sense

First, download

You must be registered for see links

file. If you dont trust, dont download. Extract it to a folder and run the executable file, DO NOT MINIMIZE IT WHEN U RUN IT.

You should see

You must be registered for see links

, I have marked sections with ID's, I will be using them thru the tutorial.

Our main target in this tutorial will be a netherland fag's portfolio, you can find it

You must be registered for see links

.
Inspect the website, you will probably see a gallery. Now, this guy uses MySQL to store the pictures location and a small comment. He sorts them by their id. Add a

You must be registered for see links

at the end of the URL, see what happend? He hasnt secured his sql queries and it returns a SQL error, we are gonna exploit that.

Open the program you previously downloaded and write in the URL without a single quote in the end. Note that 1B will start scrolling text, it shouldnt take long until it says "Please get database", if it doesnt, then the site cant be injected.

When you get the message "get database" in 1B, press 1C, it will load in the MySQL Database into 3A. When that is finished, pick a database in 3A and press 2A, the MySQL tables will load. When they are loaded, pick a table in 3B and press 2B, it will load the MySQL columns. When that is loaded, hold CTRL and press the desired columns inside 3B, then press 4A, it will extract the data from MySQL Database.

You are done.

Happy injecting.

/X

[MOD] Wrong Section - Moved To Tutorials [/MOD]​

 

[Ceejay]

Nice tut, maybe add a few pics.

9/10

 

[Dayron1234]

I get a trojan? wtf

 

[X1M!]

Ceejay, one pic is all that is needed, everything else bases on common sense.

obrienray1, I doubt it since I have scanned the file online and with my virus program. Maybe your virus program responds badly towards the methods used by the program.

 

[Dayron1234]

I use mcAfee but anyways I can't extract it?

 

[X1M!]

mcAfee.. LOL
Try temporarily disabling it while extracting?

 

[Dayron1234]

Thanks I will in a few hours or so cba atm LOL

 

[X1M!]

O.. kay... LOL

 

[Kryptos]

I just want to point out how easy it is to patch this, he uses GET to get the id of the photo or whatever, the patch is:

if(!is_numeric($_GET['id'])) {
echo "The ID isn't numeric.";
}

Sure this will be helpful to people who are curious on how to SQL Inject. Thanks for sharing.

 

[X1M!]

Yeah, it is easy to fix, but some people (*cough*danish*cough*) doesnt do that, and I love to steal their data AND THEN email them and tell them how to fix.

 

[Bowl]

it works wow i tryd it out i am so impressed good job mate,.